Last Week in Security (LWiS) - 2020-09-28

Malicious MSI transforms from @_EthicalChaos_, Group Policy caching LPE by @decoder_it, another Cisco AnyConnect LPE by @AntoineGoichot, Phishing your password manager by @CurtBraz, a different ZeroLogon use case by @_dirkjan, and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-09-21 to 2020-09-28.



  • The Return of Raining SYSTEM Shells with Citrix Workspace app. The MSI transform feature is not widely known, but probably can be used malicious as shown here in many more cases. This is another great example of not giving up on a bug just because it was "patched." CCob also released PwnyForm, a tool that can take an MSI input and generate an MSI transform that can be used for arbitrary command execution via custom actions.
  • Unquoted paths. They’re not just for services anymore. Unqouted service paths are an all too common issues on Windows machines, especially with third party software. This post discusses how the same issue can affect Scheduled Tasks, and how a standard Microsoft task was vulnerable. Add this to your list of things to check for potential privilege escalation on a Windows machine.
  • Local Privilege Escalation in FortinetSSL VPN client for Linux. Local Privilege Escalation (LPE) comes for Linux via the FortinetSSL VPN client which is SUID and blindly trusts argv[0] to be the path to its install location. This advisory contains a PoC which affects (at least) FortinetSSL Linux VPN client versions 4.0-2281 and 4.4-2336.
  • ZeroLogon(CVE-2020-1472) - Attacking & Defending. As the dust settles from the ZeroLogon announcement, this post goes into the technical details of both the exploit (but no work on repairing the DC after exploit) and various detection strategies.
  • A different way of abusing Zerologon (CVE-2020-1472). Dirk-jan is one of the researchers on the forefront of Windows/AD knowledge (along with Will Schroeder [@harmj0y] and Benjamin Delpy [@gentilkiwi]) and this post proves it. Dirk-jan manages to modify impacket to use Zerologon to relay a machine authentication solicited with SpoolSample from one DC to another, preventing the machine account password reset in the normal Zerologon attack flow that causes major issues.
  • Samba Unauthenticated domain takeover via netlogon ("ZeroLogon"). If you are running Samba <= 4.7 as a domain controller, you are vulnerable to ZeroLogon. This bug isn't just for Windows!
  • Abusing Group Policy Caching. A standard domain user can perform, via the “gpsvc” service, arbitrary file overwrite with SYSTEM privileges by altering behavior of “Group Policy Caching”. This can be used to elevate from a standard user to SYSTEM, however it has since been patched (CVE-2020-1317) by making the group policy folders readonly for standard users.
  • Phishing Your Password Manager. Feeling smug about credential harvesting because your password manager recognizes when sites don't match? Curtis Brazzell shows that some auth providers allow custom login pages which can be implanted with form capture so the domain does match, and your password manager likely will fill in creds. Manually verify those domains, every time!
  • Hacking Punkbuster. Punkbuster is an anti-cheat system for PC video games that has some very malware like properties (ability to take screenshots). This post shows how the Punkbuster server is vulnerable to a path traversal in the screenshot name. Unfortunately, "for security reasons we will only give a high level description of the vulnerability and won’t dive deep into the actual reverse engineering process." I'm guessing they used Firda?
  • Bypassing Android MDM using Electromagnetic Fault Injection by a Gas Lighter for $1.5. We've talked about hardware glitching before (LWiS 2020-08-31), but this is a low cost, low complexity attack to glitch an Android phone into sysdump which allows for the System on a Chip (SoC) recovery port to be used to flash new firmware, bypassing the very locked down system. Physical access is always root access, sometimes it just takes a bit more work.
  • Azure Account Hijacking using mimikatz’s lsadump::setntlm. Have Domain Admin but need to access data as a user with a password hash that won't crack? Wait for them to go home, then use lsadump::changentlm and lsadump::setntlm to change their password to something you do know, and put it back to their NTLM hash before they return in the morning.
  • Exploiting Tiny Tiny RSS. This is a deep dive into webapp source code review and hacking. The authors pull together a very impressive single click exploit that backdoor's a user's TT-RSS server. There are some great advanced techniques in this post - and the classic gopher:// trick as well.
  • Kernel exploitation: weaponizing CVE-2020-17382 MSI Ambient Link driver. If you have any interest in kernel or driver exploitation, this blog is a must read.
  • Smaller C Payloads on Window shows how to get an 8-12x reduction in binary size by removing the Visual C++ runtime from Windows binaries, and only including the functionality your program actually needs. Note that this limits some of the comfort features of C/C++.

Tools and Exploits

  • mitra is a python tool to generate binary polygots (one file that can be parsed as two different formats like a PNG and a DICOM). This could be useful to bypass file upload restrictions or generally mess with file parsers.
  • Gopher is a C# tool to search for credentials from all types of applications on Windows.
  • SharpDirLister is a .NET 4.0 tool for super fast directory listings.
  • RegSave is a .NET 3.5 tool for dumping the SAM, SYSTEM, and SECURITY registry keys.
  • CVE-2020-3433 is a collection of 3 vulnerabilities in the Cisco AnyConnect client for Windows, one of which is a local privilege escalation (sound familiar? CVE-2020-3153 was exploited by the same researcher - @AntoineGoichot after being found by @yorickkoster).
  • Offensive Terraform Modules provide automated multi-step offensive attack modules using Infrastructure as Code (IAC).
  • duf is a clean disk usage utility for Linux, FreeBSD, and macOS. It even outputs in JSON!
  • mikrot8over a rework of the Mikrotik RouterOS (<= 6.38.4) exploit with multithreaded scan capability.
  • UrbanBishopLocal is a port of FuzzySecurity's UrbanBishop project for inline shellcode execution.
  • Introducing “YAYA”, a New Threat Hunting Tool From EFF Threat Lab. YAYA is a new open source tool to help researchers manage multiple YARA rule repositories. YAYA starts by importing a set of high-quality YARA rules and then lets researchers add their own rules, disable specific rulesets, and run scans of files.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • IBM QRadar Wincollect Escalation of Privilege (CVE-2020-4485 & CVE-2020-4486). I missed this one last week, but arbitrary file delete leads to elevation of privilege using the IBM QRadar Wincollect installer.
  • crowdsec is a lightweight Go agent to detect and respond to bad behaviors. It also automatically benefits from our global community-wide IP reputation database (can be disabled with apimode: false). If fail2ban is too simple, this may be what you are looking for.
  • Macrome is an Excel macro document reader and writer for red teamers and analysts. It uses Excel 4.0 macros and the BIFF8 (Excel 97-2003 Binary) XLS format which will likely bypass many detections. Details here.

This post is cross-posted on SIXGEN's blog.