Sep 14 2020 Last Week in Security (LWiS) - 2020-09-14

The biggest bug since 2017 - Unauth DC RCE by @djrevmoon and team, OpenSSL hooks in Rust by @alessandrod, libinjection bypasses by @Menin_TheMiddle, DevOps for red team tools by @domchell, updates to Evilginx by @mrgretzky, sneaky persistence by @slaeryan, and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-09-07 to 2020-09-14.

News

Nvidia is acquiring Arm for $40 billion. This is an interesting move that may be spurred by SoftBank's recent financial strategy and the need to pocket a quick $8B profit. What this means for Apple, who recently announced they are producing CPUs in house based on ARM architecture or low cost devices like Raspberry Pis remains to be seen. The Arm headquarters will remain in England, which is a sign that at least for the time being they will remain somewhat independent from Nvidia.
Oracle Chosen as TikTok’s Tech Partner, as Microsoft’s Bid Is Rejected. Given Oracle's history of treating acquisitions poorly this will likely mean trouble for US based TikTok users.
Leaked database indicates Chinese intelligence has probed senior Australian politicians. Unsurprising that foreign intelligence has interest in not only government leaders but also their family members. This database also includes 2.4 million people and 650,000 organizations, which represents a massive "big data" collection of open source intelligence.
Introducing GitHub Container Registry. With Docker's announcement last week of limited registry pulls for free users, GitHub (aka Microsoft) has stepped in. GitHub is becoming the single place to host code, CI/CD, and related artifacts...

Techniques

BlindSide allows attackers to “hack blind” in the Spectre era. That is, given a simple buffer overflow in the kernel and no additional info leak vulnerability, BlindSide can mount BROP-style attacks in the speculative execution domain to repeatedly probe and derandomize the kernel address space, craft arbitrary memory read gadgets, and enable reliable exploitation. Go from BoF to root in ~200 seconds. Demo here.
Collaborative Reverse Engineering with Ghidra Server. Ghidra has built in git for collaboration, but it can be hard to setup and use. This post introduces docker-ghidra-server and shows how it can be used to work on reverse engineering projects as part of a team.
Advanced boolean-based SQLi filter bypass techniques. This article discusses bypasses for libinjection, a popular library used in web application firewalls (WAFs) to detect and prevent SQL injection attacks.
Run as SYSTEM using Evil-WinRM. With PSExec being heavily monitored, this short post shows how to use Evil-WinRM to execute as SYSTEM remotely with powershell remoteing instead.
Bypass AMSI by manual modification part II - Invoke-Mimikatz. This post goes into detail into how Invoke-Mimikatz works, then makes a bunch of modifications to defeat static AMSI triggers. Defender runtime analysis defeat is left as an exercise for the reader.
Offensive Development - Post-Exploitation Tradecraft in an EDR World. This presentation by Dominic Chell shows how DevOps principles can be used to help red teams operate in EDR-laden environments and avoid detection. Excellent work here.
StreamDivert: Relaying (specific) network connections Written for a case where a server could issue commands to clients, but the service was fragile and couldn't be shut down, StreamDivert uses a driver on Windows to selectively re-route packets based on a filter statement. Escape the DMZ with this. Tool here.
Introducing MIDNIGHTTRAIN - A Covert Stage-3 Persistence Framework weaponizing UEFI variables. Slaeryan shows the power of being well read in cybersecurity and having the ability to combine research into novel and powerful tools - in this case some really cool Windows persistence. This post is long, but worth it.
How I Hacked Facebook Again! Unauthenticated RCE on MobileIron MDM. Orange Tsai is a legend, and it has been almost a year since he pwned many major VPNs. This time he goes after the MobileIron MDM and combines 3 CVEs to get a shell on Facebook infrastructure. Impressive as always - PoC here.

Tools and Exploits

Zerologon: Unauthenticated domain controller compromise by subverting Netlogon cryptography (CVE-2020-1472). A holdover feature from Windows NT that allows computer accounts to authenticate to a Domain Controller via NetLogon and uses AES-CFB8 with a zero'd IV means that 1/256 attempts with a zero'd client challenge (attacker controlled) will result in a session key of all zeros. Since computer accounts don't get locked out, an attacker can authenticate to your Domain Controller as the Domain Controller computer account in under 256 tries. From there, a password reset can be issued and all hashes dumped. With these hashes, a pass-the-hash (or golden ticket) can be used to log back into the DC and reset its computer password back to whatever it was before the attack. This is the worst bug since MS17-010 aka ETERNALBLUE and I predict it will be used in all types of attacks but ransomware just got an "easy button" for complete domain compromise. This is a drop-everything-and-patch scenario. Multiple PoCs exist (this one is the best). A Sigma rule is also available (requires registration with SOCPrime but the rule is free).
WSUS Attacks Part 2: CVE-2020-1013 a Windows 10 Local Privilege Escalation 1-Day. The ability to intercept WSUS locally, and add a certificate to the current user's local store means that arbitrary Microsoft signed (psexec) binaries can be run as SYSTEM by any user. Tool release coming in less than 30 days.
Evilginx 2.4 - Gone Phishing. Evilginx is an amazing tool for phishing assessments, and it just got better. Kuba added a bunch of neat new features like pre-load pages and IP blacklisting. Be sure to update and try them out!
snuffy is a simple command line tool to dump the data sent and received by programs that use OpenSSL. Here is an example of dumping data from Zoom.
SRC-2020-0019 : Microsoft Exchange Server DlpUtils AddTenantDlpPolicy Remote Code Execution Vulnerability. This is an authenticated RCE against Exchange servers that allows any authenticated user to execute code as SYSTEM! Both HTTPS and Ps-Remoting PoCs are available - patch now!
Windows: CloudExperienceHostBroker Unsafe COM Object EoP. COM objects with bad access control lists (ACLs) lead to the ability to add a user as an Administrator from any account. C# PoC here.
twistrs is a domain name permutation and enumeration library powered by Rust. It most cases it has better coverage and is much faster than dnstwist. Blog post here.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

DumpsterDiver is a tool, which can analyze big volumes of data in search of hardcoded secrets like keys (e.g. AWS Access Key, Azure Share Key or SSH keys) or passwords. Additionally, it allows creating a simple search rules with basic conditions (e.g. report only csv files including at least 10 email addresses).

This post is cross-posted on SIXGEN's blog.