Oct 19 2020 Last Week in Security (LWiS) - 2020-10-19

Ryzen Driver LPE by @h0mbre_, Discord desktop RCE by @kinugawamasato, Azure Pipeline abuse by @Flangvik, macOS TCC tricks by @_xpn_, AWS enumeration bug by @Frichette_n, new loader from @Cribdragg3r, and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-10-12 to 2020-10-19.

News

Microsoft Uses Trademark Law to Disrupt Trickbot Botnet. Just days after Trickbot was disrupted by USCYBERCOM (allegedly), Microsoft uses a unique legal trick to shut down additional C2 infrastructure by forcing hosting providers and telecom companies to block access to the C2 infrastructure.
German police raid tech firm FinFisher over spyware allegations. FinFisher is accused of selling surveillance software, to oppressive regimes around the world (Turkey, Ethiopia, Bahrain, the UAE, and Egypt). FinFisher was spectacularly breached back in 2014 when it was owned by UK based Gamma Group (writeup).
Java deserialization vulnerability in QRadar RemoteJavaScript Servlet. Nothing quite as face-palm-able as having RCE in your security product. The RCE is authenticated, but still not a good look.
CVE-2020-16898 Windows TCP/IP Remote Code Execution Vulnerability. Patch Tuesday reveals a critical unauthenticated potential RCE in the Windows TCP/IP stack when it handles ICMPv6 Router Advertisement packets. While this is bad, the protections in tcpip.sys will make a RCE PoC difficult. Patch or apply the workaround regardless. More details here.
International Statement: End-To-End Encryption and Public Safety. Five Eyes (FVEY) intel alliance countries of Australia, Canada, New Zealand, the UK, and US were joined by India and Japan in calling for tech firms to “enable law enforcement access to content” upon production of a warrant, in the name of public safety. This same strategy was attempted in the 90s. However, end-to-end encryption is easy to implement now, and mathematics/cryptography cannot be banned. If implemented, bad actors will continue to use end-to-end encryption while citizen's privacy is destroyed.
SonicWall VPN Portal Critical Flaw (CVE-2020-5135). Nearly 800,000 SonicWall VPNs are vulnerable to new remote code execution bug. The bug is in the SSLVPN, which is exposed to the internet as part of its functionality. Tripwire VERT says that a "code execution exploit is likely feasible."
Plug'nPwn - Connect to Jailbreak. The recent T2 security chip jailbreak has been productized and is now as easy as connecting a special cable/device to an Apple laptop. I expect this to be productize further into a full tool with additional features like a keylogger. Demo here.

Techniques

Code execution via the Windows Update client (wuauclt). The UpdateDeploymentProvider option to wuaclt.exe allows for code execution via a DLL. This is likely a AppLocker bypass, and has been seen in the wild (Startup).
CVE-2020-12928 Exploit Proof-of-Concept, Privilege Escalation in AMD Ryzen Master AMDRyzenMasterDriver.sys. Another vulnerable driver, another LPE. This post does a great job of walking through the discovery process and supplies a PoC.
There’s A Hole In Your SoC: Glitching The MediaTek BootROM. Glitching physical devices is an area of research that is gaining more traction (covered in LWiS 2020-08-31 and LWiS 2020-09-28). As software protections become more effective, look for hardware based attacks to become more popular.
Running JXA Payloads from macOS Office Macros. While nothing groundbreaking, the move away from python for macOS macro attacks will likely bypass some specific detections. Note that this technique still lands you in the sandbox.
Leveraging LD_AUDIT to Beat the Traditional Linux Library Preloading Technique. While most red teamers know about LD_PRELOAD to run code in the context of processes or intercept functions on Linux, LD_AUDIT will actually run before LD_PRELOAD which gives defenders a change to disable preloading, and red teamers the ability to use a lesser known technique with the same functionality. libpreloadvaccine is a projects for defenders that uses this technique.
Recipe for a successful phishing campaign. This post and its part 2 companion are great starting points for anyone new to phishing engagements.
Discord Desktop app RCE. Another Electron app, another RCE. Consider this a must read if you are shipping or assessing an Electron based application. Demo here.
Abusing pipelines to hijack production. This is an example of successful red teaming showing the impact of a compromised developer account by seeing how much access Azure Pipelines could give a malicious user.
We Need To Talk About MACL. This post is a low level look at how user consent dialogs are handled on macOS, and sometimes how they are automatically dismissed. Of course by digging into the details, a CVE was waiting where arbitrary directories or files could be accessed without the user actually consenting. This is patched in 10.15.6.
Enumerate AWS API Permissions Without Logging to CloudTrail. 645 different API actions across 40 different AWS services are affected by a bug (feature?) that allows you to query services with a malformed X-Amz-Target header and based on the 404 or 403 response, you can determine the level of access to the service without logging the request in CloudTrail. Sneaky! aws_stealth_perm_enum has the code.
Red Team Tactics: Hiding Windows Services. Hide your persistence from sc query, Get-Services, and the GUI!

Tools and Exploits

stegbrute is a fast steganography bruteforce tool written in Rust (useful for CTFs).
CVE-2020-16938 Windows Kernel Information Disclosure Vulnerability. Normally I wouldn't put a link to a Microsoft Advisory, but this one is so trivial to exploit, that 7zip can read any file on a Windows disk (if Bitlocker is not in use) by directly opening the physical device.
Alaris is a protective and Low Level Shellcode Loader the defeats modern EDR systems with direct syscalls, DLL blocking, PPID spoofing, and shellcode encryption. Well written blog describing the tool here.
CobaltStrike-BOF are DCOM and WMI lateral movement BOFs for Cobalt Strike.
MacC2 is a python-based macOS C2 that uses internal API calls instead of command line utilities.
InSync is a macOS Finder persistence technique. Code is 3 months old but only made public 2020-10-19.
CalendarPersist is a JXA script to allow programmatic persistence via macOS Calendar.app alerts. Blog post here. It's a big week for macOS tools!

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

PrismX is a Cloud Security Dashboard, providing a single source of truth for cloud security issues based on AWS CIS Security Benchmarks. The dashboard provides a high-level overview for executives as well as actionable data for individual contributors with built-in JIRA integration.
RmiTaste allows security professionals to detect, enumerate, interact and exploit RMI services by calling remote methods with gadgets from ysoserial.
HackBrowserData is a cross platform Go tool to decrypt passwords for most browser.
SharpBuster is a C# implementation of a directory brute forcing tool. It's designed to be used via Cobalt Strike's execute-assembly and similar tools, when running a similar tool over a SOCKS proxy is not feasible.
SharpCrashEventLog crashes the Windows event log 3 times which keeps it down for 24 hours. Blog post here.

This post is cross-posted on SIXGEN's blog.