Last Week in Security (LWiS) - 2020-10-12

DLL Hijacking persistence by @duff22b, Unauth RCE against HP Device Manager from @nickstadb, Linux package manager persistence by @pwnshift, malware unpacking techniques from @Marco_Ramilli, criticals in Apple infra by @samwcyo, DLL hijacking for lateral movement by @domchell, and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-10-05 to 2020-10-12.

News

  • Python 3.9 is out, bringing new features like dictionary merging (dict1 | dict2), dictionary updates (dict1 |= dict2), type hinting improvements, and a new parser.
  • ESXi on Arm Fling is LIVE!. Teased at VMworld Europe 2018, the ARM variant of ESXi is finally here. It can run on a Raspberry Pi 4 (8GB highly recommended) and can act as a vSAN witness in a two node cluster (not officially supported).
  • Enter the Vault: Authentication Issues in HashiCorp Vault. Two vulnerabilities in HashiCorp Vault could allow an attacker to bypass authentication checks in Amazon Web Services (AWS) and Google Cloud Platform (GCP) configurations.
  • Report: U.S. Cyber Command Behind Trickbot Tricks. Some entity was sending Trickbot configs with a new C2 address of 127.0.0.1 as well as spamming the bot registration endpoints to flood Trickbot operators with bad data. This article claims it was USCYBERCOM.
  • We Hacked Apple for 3 Months: Here’s What We Found. @samwcyo and friends spent a few months tearing through everything Apple, dropping criticals along the way. This write-up is very well done and is worth the read. They will likely cross $500,000 in bounties once all are paid.

Techniques

Tools and Exploits

  • TinyAFL is a fuzzer designed for macOS usermode applications even if source code is not available.
  • UAC-SilentClean implements a DLL planting technique to bypass UAC Always Notify and execute code in a high integrity process. The SilentCleanup technique has been known for quite some time, and Microsoft has made no attempt to fix it, so this will likely continue to work until the scheduled task is changed for some other reason unrelated to security.
  • BOF-RegSave will acquire the necessary privileges and dump the SAM, SYSTEM and SECURITY registry keys for offline parsing and hash extraction.
  • jwt-secrets is a collection of many publicly available JWT secrets taken from code samples that may have ended up in production. It is the list used in the new Burp app jwt-heartbreaker (more details here).
  • gitjacker downloads git repositories and extracts their contents from sites where the .git directory has been mistakenly uploaded. It will still manage to recover a significant portion of a repository even where directory listings are disabled.
  • CSRFER is a tool to generate csrf payloads based on vulnerable requests.
  • screego server allows you to share your screen with good quality and low latency. Screego is an addition to existing software and only helps to share your screen. This is useful for code reviews where the quality of Teams/Meet/Zoom doesn't cut it.
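The jwt-secrets item above boils down to one audit: does an HS256 token your own service issues verify under a secret that is already public? The following is an added example (not code from jwt-secrets or jwt-heartbreaker) that performs that check with only the standard library; the token and the four-entry candidate list are constructed stand-ins for a real service and the real wordlist.

```python
import base64
import hashlib
import hmac
import json
from typing import List, Optional


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign_hs256(header: dict, payload: dict, secret: str) -> str:
    """Build an HS256 JWT; used here only to construct the sample tokens."""
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def find_known_secret(token: str, candidates: List[str]) -> Optional[str]:
    """Return the candidate that validates the token's HS256 signature, else None.

    Only HS256 is checked: an RS256 token has no shared secret to find, and an
    'alg: none' header is rejected rather than treated as a match.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except ValueError:  # malformed base64, JSON or segment count
        return None
    if header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode()
    sig = b64url_decode(sig_b64)
    for secret in candidates:
        expected = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(expected, sig):
            return secret
    return None


# Constructed sample data: a tiny stand-in for the jwt-secrets list and two
# tokens from a hypothetical service, one signed with a leaked sample secret.
CANDIDATES = ["secret", "changeme", "your-256-bit-secret", "jwt_secret_key"]
HEADER = {"alg": "HS256", "typ": "JWT"}
WEAK_TOKEN = sign_hs256(HEADER, {"sub": "audit-demo"}, "your-256-bit-secret")
STRONG_TOKEN = sign_hs256(HEADER, {"sub": "audit-demo"}, "Xq7#vL0p!w9Zr2Ks$eT4")
```

Run the check against tokens minted by a staging deployment; any non-None result means the signing secret was copied from public sample code and must be rotated.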

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • FavFreak matches favicon hashes to their services using a large fingerprint dictionary. This can be a quick win when identifying web technologies on a large attack surface.
  • pwndoc is similar to Ghostwriter allowing multiple users to collaborate on assessment or vulnerability reports and generate a customized Docx report.

This post is cross-posted on SIXGEN's blog.