Last Week in Security (LWiS) - 2020-10-12
DLL Hijacking persistence by @duff22b, Unauth RCE against HP Device Manager from @nickstadb, Linux package manager persistence by @pwnshift, malware unpacking techniques from @Marco_Ramilli, criticals in Apple infra by @samwcyo, DLL hijacking for lateral movement by @domchell, and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-10-05 to 2020-10-12.
News
- Python 3.9 is out which brings new features like dictionary merging (dict1 | dict2), dictionary updates (dict1 |= dict2) , type hinting, and a new parser.
- ESXi on Arm Fling is LIVE!. Teased at VMworld Europe 2018, the ARM variant of ESXi is finally here. It can run on a Raspberry Pi 4 (8GB highly recommended) and can act as a vSAN witness in a two node cluster (not officially supported).
- Enter the Vault: Authentication Issues in HashiCorp Vault. Two vulnerabilities in HashiCorp Vault could allow an attacker to bypass authentication checks in Amazon Web Services (AWS) and Google Cloud Platform (GCP) configurations.
- Report: U.S. Cyber Command Behind Trickbot Tricks. Some entity was sending Trickbot configs with a new C2 address of 127.0.0.1 as well as spamming the bot registration endpoints to flood Trickbot operators with bad data. This article claims it was USCYBERCOM.
- We Hacked Apple for 3 Months: Here’s What We Found. @samwcyo and friends spent a few months tearing through everything Apple dropping criticals along the way. This write up is very well done, and is worth the read. They will likely cross $500,000 in bounties once all are paid.
Techniques
- Persistence Via Linux Package Managers. This post explores using python to wait and execute commands when a package manager has finished its update. This way, you can re-backdoor programs after they are updated to maintain your persistence.
- Following Donut Crumbs. Donut is an incredibly useful tool, but like every tool it has its signatures. This post shows a few to give defenders ideas on how to detect it as well as operators ideas on what to modify.
- edgegdi.dll for persistence. Windows 10 2004 is missing a DLL that nearly every process attempts to call. Writing a well crafted stand in can be used for persistence (requires Administrator access). Note that the code presented in this post will BSOD on reboot, and fixes are an exercise left for the reader (I would grab a copy from older windows and use siofra). If this technique sounds familiar, the basic discovery of edgegdi.dll was discussed in Faxing Your Way to SYSTEM — Part Two.
- HP Device Manager – CVE-2020-6925, CVE-2020-6926, CVE-2020-6927. This is a great post on how persistence pays off as @nickstadb manages to get SYSTEM on any Windows machine that is running the HP Device Manager. Excellent work!
- How To Unpack Malware: Personal Notes. This post explores some different techniques to get started with unknown packed malware samples.
- WarezTheRemote: Turning Remotes into Listening Devices. In the smart world even remotes have firmware and microphones. This post complete with demo video and great graphics shows how an attacker on the same network as one of these remotes could "update" it and use it as a persistent listening device. This specific remote has been patched with firmware validity checks.
- Anti-Virus Vulnerabilities: Who’s Guarding the Watch Tower?. Directory permissions issues are widespread and even affect anti-virus products.
- CVE-2020-14386: Privilege Escalation Vulnerability in the Linux kernel. This CVE affects a lot of default installs (i.e. Ubuntu) and is an up to 10 byte heap overflow in packet processing. At this time, only a crash PoC is available.
- Inside the Mimikatz Pass-the-Hash Command (Part 1). This is a very detailed look into the complex systems involved in Windows authentication.
- I Like to Move It: Windows Lateral Movement Part 3: DLL Hijacking. While DLL hijacking is a common technique used for persistence and privilege escalation, in certain circumstances it can be used for lateral movement as well (planting a DLL via SMB and executing the program that loads it via WMI or DCOM).
- In Process Execute Assembly and Mail Slots. When executing .Net assemblies in your own process, the CLR must be loaded and unless you modify the executables they will print to standard out. This post shows how to use mail slots to run unmodified .Net binaries and get the output back over mailslots which your implant can ship back to you via your C2. PoC here.
Tools and Exploits
- TinyAFL is a fuzzer designed for macOS usermode applications even if source code is not available.
- UAC-SilentClean implements a DLL planting technique to bypass UAC Always Notify and execute code in a high integrity process. The SilentCleanup technique has been known for quite some time, and Microsoft has made no attempt to fix it, so this will likely continue to work until the scheduled task is changed for some other reason unrelated to security.
- BOF-RegSave will acquire the necessary privileges and dump SAM - SYSTEM - SECURITY registry keys for offline parsing and hash extraction.
- jwt-secrets is a collection of many public-available JWT secrets from code samples that may be used in production. It is the list used in the new Burp app jwt-heartbreaker (more details here).
- gitjacker downloads git repositories and extracts their contents from sites where the .git directory has been mistakenly uploaded. It will still manage to recover a significant portion of a repository even where directory listings are disabled.
- CSRFER is a tool to generate csrf payloads based on vulnerable requests.
- screego server allows you to share your screen with good quality and low latency. Screego is an addition to existing software and only helps to share your screen. This is useful for code reviews where the quality of Teams/Meet/Zoom doesn't cut it.
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- FavFreak matches favicon hashes to their services using a large fingerprint dictionary. This can be a quick win when identifying web technologies on a large attack surface.
- pwndoc is similar to Ghostwriter allowing multiple users to collaborate on assessment or vulnerability reports and generate a customized Docx report.
This post is cross-posted on SIXGEN's blog.