Last Week in Security (LWiS) - 2020-10-19

Ryzen Driver LPE by @h0mbre_, Discord desktop RCE by @kinugawamasato, Azure Pipeline abuse by @Flangvik, macOS TCC tricks by @_xpn_, AWS enumeration bug by @Frichette_n, new loader from @Cribdragg3r, and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-10-12 to 2020-10-19.


  • Microsoft Uses Trademark Law to Disrupt Trickbot Botnet. Just days after Trickbot was disrupted by USCYBERCOM (allegedly), Microsoft uses a unique legal trick to shut down additional C2 infrastructure by forcing hosting providers and telecom companies to block access to the C2 infrastructure.
  • German police raid tech firm FinFisher over spyware allegations. FinFisher is accused of selling surveillance software, to oppressive regimes around the world (Turkey, Ethiopia, Bahrain, the UAE, and Egypt). FinFisher was spectacularly breached back in 2014 when it was owned by UK based Gamma Group (writeup).
  • Java deserialization vulnerability in QRadar RemoteJavaScript Servlet. Nothing quite as face-palm-able as having RCE in your security product. The RCE is authenticated, but still not a good look.
  • CVE-2020-16898 Windows TCP/IP Remote Code Execution Vulnerability. Patch Tuesday reveals a critical unauthenticated potential RCE in the Windows TCP/IP stack when it handles ICMPv6 Router Advertisement packets. While this is bad, the protections in tcpip.sys will make a RCE PoC difficult. Patch or apply the workaround regardless. More details here.
  • International Statement: End-To-End Encryption and Public Safety. Five Eyes (FVEY) intel alliance countries of Australia, Canada, New Zealand, the UK, and US were joined by India and Japan in calling for tech firms to “enable law enforcement access to content” upon production of a warrant, in the name of public safety. This same strategy was attempted in the 90s. However, end-to-end encryption is easy to implement now, and mathematics/cryptography cannot be banned. If implemented, bad actors will continue to use end-to-end encryption while citizen's privacy is destroyed.
  • SonicWall VPN Portal Critical Flaw (CVE-2020-5135). Nearly 800,000 SonicWall VPNs are vulnerable to new remote code execution bug. The bug is in the SSLVPN, which is exposed to the internet as part of its functionality. Tripwire VERT says that a "code execution exploit is likely feasible."
  • Plug'nPwn - Connect to Jailbreak. The recent T2 security chip jailbreak has been productized and is now as easy as connecting a special cable/device to an Apple laptop. I expect this to be productize further into a full tool with additional features like a keylogger. Demo here.


Tools and Exploits

  • stegbrute is a fast steganography bruteforce tool written in Rust (useful for CTFs).
  • CVE-2020-16938 Windows Kernel Information Disclosure Vulnerability. Normally I wouldn't put a link to a Microsoft Advisory, but this one is so trivial to exploit, that 7zip can read any file on a Windows disk (if Bitlocker is not in use) by directly opening the physical device.
  • Alaris is a protective and Low Level Shellcode Loader the defeats modern EDR systems with direct syscalls, DLL blocking, PPID spoofing, and shellcode encryption. Well written blog describing the tool here.
  • CobaltStrike-BOF are DCOM and WMI lateral movement BOFs for Cobalt Strike.
  • MacC2 is a python-based macOS C2 that uses internal API calls instead of command line utilities.
  • InSync is a macOS Finder persistence technique. Code is 3 months old but only made public 2020-10-19.
  • CalendarPersist is a JXA script to allow programmatic persistence via macOS alerts. Blog post here. It's a big week for macOS tools!

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • PrismX is a Cloud Security Dashboard, providing a single source of truth for cloud security issues based on AWS CIS Security Benchmarks. The dashboard provides a high-level overview for executives as well as actionable data for individual contributors with built-in JIRA integration.
  • RmiTaste allows security professionals to detect, enumerate, interact and exploit RMI services by calling remote methods with gadgets from ysoserial.
  • HackBrowserData is a cross platform Go tool to decrypt passwords for most browser.
  • SharpBuster is a C# implementation of a directory brute forcing tool. It's designed to be used via Cobalt Strike's execute-assembly and similar tools, when running a similar tool over a SOCKS proxy is not feasible.
  • SharpCrashEventLog crashes the Windows event log 3 times which keeps it down for 24 hours. Blog post here.

This post is cross-posted on SIXGEN's blog.