Last Week in Security (LWiS) - 2020-09-14

The biggest bug since 2017 - Unauth DC RCE by @djrevmoon and team, OpenSSL hooks in Rust by @alessandrod, libinjection bypasses by @Menin_TheMiddle, DevOps for red team tools by @domchell, updates to Evilginx by @mrgretzky, sneaky persistence by @slaeryan, and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-09-07 to 2020-09-14.

News

Techniques

Tools and Exploits

  • Zerologon: Unauthenticated domain controller compromise by subverting Netlogon cryptography (CVE-2020-1472). A holdover feature from Windows NT lets computer accounts authenticate to a Domain Controller via Netlogon using AES-CFB8 with a zeroed IV; as a result, 1 in 256 attempts with a zeroed client challenge (attacker controlled) will result in a session key of all zeros. Since computer accounts don't get locked out, an attacker can authenticate to your Domain Controller as the Domain Controller computer account in under 256 tries. From there, a password reset can be issued and all hashes dumped. With these hashes, a pass-the-hash (or golden ticket) can be used to log back into the DC and reset its computer password back to whatever it was before the attack. This is the worst bug since MS17-010 aka ETERNALBLUE and I predict it will be used in all types of attacks, but ransomware just got an "easy button" for complete domain compromise. This is a drop-everything-and-patch scenario. Multiple PoCs exist (this one is the best). A Sigma rule is also available (requires registration with SOCPrime but the rule is free).
  • WSUS Attacks Part 2: CVE-2020-1013 a Windows 10 Local Privilege Escalation 1-Day. The ability to intercept WSUS locally and add a certificate to the current user's local store means that arbitrary Microsoft-signed (psexec) binaries can be run as SYSTEM by any user. Tool release coming in less than 30 days.
  • Evilginx 2.4 - Gone Phishing. Evilginx is an amazing tool for phishing assessments, and it just got better. Kuba added a bunch of neat new features like pre-load pages and IP blacklisting. Be sure to update and try them out!
  • snuffy is a simple command line tool to dump the data sent and received by programs that use OpenSSL. Here is an example of dumping data from Zoom.
  • SRC-2020-0019 : Microsoft Exchange Server DlpUtils AddTenantDlpPolicy Remote Code Execution Vulnerability. This is an authenticated RCE against Exchange servers that allows any authenticated user to execute code as SYSTEM! Both HTTPS and Ps-Remoting PoCs are available - patch now!
  • Windows: CloudExperienceHostBroker Unsafe COM Object EoP. COM objects with bad access control lists (ACLs) lead to the ability to add a user as an Administrator from any account. C# PoC here.
  • twistrs is a domain name permutation and enumeration library powered by Rust. In most cases it has better coverage and is much faster than dnstwist. Blog post here.
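To see why the zeroed IV in the Zerologon item above is fatal, here is an added toy model of CFB8 (my illustration, not code from the post or from any PoC). It assumes a keyed SHA-256 stand-in in place of AES so it runs on a bare Python install; the all-or-nothing cascade it shows comes from the CFB8 shift register, not from the cipher.

```python
# Toy model of the Netlogon AES-CFB8 weakness (added illustration, not code
# from the post or any PoC). ASSUMPTION: AES is replaced by a keyed SHA-256
# stand-in so this runs with the standard library only; the cascade shown
# depends only on the CFB8 structure, not on which block cipher sits under it.
import hashlib
import random

BLOCK = 16

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES_K(block): a keyed PRF truncated to one 16-byte block."""
    return hashlib.sha256(key + block).digest()[:BLOCK]

def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8: XOR each plaintext byte with the first byte of E_K(shift register),
    then shift the resulting ciphertext byte into the register."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ block_encrypt(key, bytes(register))[0]
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)

def zero_iv_output(key: bytes, n: int = 8) -> bytes:
    """Output for an all-zero 8-byte client challenge with the all-zero IV."""
    return cfb8_encrypt(key, bytes(BLOCK), bytes(n))

def zero_output_is_cascade(key: bytes, n: int = 8) -> bool:
    """With a zero IV and zero plaintext, if E_K(0^16)[0] == 0 the register never
    changes, so EVERY output byte is zero; otherwise the first byte is non-zero.
    A random IV breaks this: a zero ciphertext byte still alters the register.
    Returns True when the output follows that all-or-nothing rule."""
    first_byte_zero = block_encrypt(key, bytes(BLOCK))[0] == 0
    return (zero_iv_output(key, n) == bytes(n)) == first_byte_zero

def make_keys(count: int, seed: int) -> list:
    """Constructed, deterministic sample keys for the statistic below."""
    rng = random.Random(seed)
    return [bytes(rng.getrandbits(8) for _ in range(BLOCK)) for _ in range(count)]

def count_zero_sessions(keys: list) -> int:
    """How many keys give an all-zero result; expected about len(keys) / 256."""
    return sum(1 for k in keys if zero_iv_output(k) == bytes(8))

if __name__ == "__main__":
    keys = make_keys(4096, seed=1)
    print(f"{count_zero_sessions(keys)} of {len(keys)} keys give an all-zero result")
```

The fix is the one the patch applies in spirit: an unpredictable IV (challenge) for every call, which removes the fixed 1-in-256 all-zero case entirely.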

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • DumpsterDiver is a tool that can analyze big volumes of data in search of hardcoded secrets like keys (e.g. AWS Access Key, Azure Share Key or SSH keys) or passwords. Additionally, it allows creating simple search rules with basic conditions (e.g. report only csv files including at least 10 email addresses).

This post is cross-posted on SIXGEN's blog.