Last Week in Security (LWiS) - 2020-11-02
NAT Slipstreaming by @samykamkar, a new AV evasion method by @jxy__s, Kerberoasting in pure VBA by @TheXC3LL, Linux LPE by @scannell_simon, browser extension vulnerabilities from @WPalant, new Maldoc techniques from @Matt_Grandy_, a new autonomous red team tool from @privateducky and team, and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-10-26 to 2020-11-02.
News
- PEN-300 Evasion Techniques and Breaching Defenses is a new course from Offensive Security, the company behind the famous OSCP.
- Windows Kernel cng.sys pool-based buffer overflow in IOCTL 0x390400. Google's Project Zero discloses a Windows local privilege escalation/sandbox escape vulnerability that is being actively exploited, likely in connection with their previously disclosed heap buffer overflow in Chrome/FreeType. Chained together, the two make a very effective "watering hole" attack: browsing to a page is enough to get the target implanted.
- Abusing Teams client protocol to bypass Teams security policies. Microsoft Teams only enforces some of its policies (e.g. "guests cannot delete messages") on the client side. Intercepting the client's request for its settings and rewriting the server's response allows a complete bypass of those restrictions.
- Prelude is a new "autonomous red team tool packaged as a simple, beautiful desktop application." There is a preview available and it looks very slick. From the minds behind caldera, I have high hopes and will be keeping a close eye on the development of Prelude.
- Alleged REvil member spills details on group’s ransomware operations. I guess even ransomware crews have leaks. Notable details include the group's revenue (about $100 million USD per year) and its affiliate program, which has paid affiliates up to $8 million for a single target.
- Welcome to ThreatPursuit VM: A Threat Intelligence and Hunting Virtual Machine. FireEye keeps the VMs coming with ThreatPursuit, following their successful flare-vm and commando-vm. The commitment to automated Windows setup is admirable.
Techniques
- Process Herpaderping is a method of obscuring a process's intentions by modifying the executable's content on disk after the image has already been mapped. This bypasses some (most?) AVs and some file integrity monitoring solutions, depending on when and how they perform their checks of the file on disk. It can even fool Windows Defender into thinking mimikatz is "signed".
- Hacking in an epistolary way: implementing kerberoast in pure VBA. What if every stage of your attack ran from phishing payloads? VBA is technically Turing complete, so it is technically possible. This post walks through Kerberoasting in pure VBA. Half amazing, half insane.
- Fuzzing for eBPF JIT bugs in the Linux kernel. This post shows how reading another researcher's writeup led the author to conduct his own research and, in doing so, find a new vulnerability in the patch itself! The resulting local privilege escalation affects Linux kernels carrying the "patched" eBPF verifier before 5.8.15 (affected versions start at 5.6.1, 5.5.14, and 5.4.29). No public PoC yet.
- What would you risk for free Honey? Browser extensions don't often get the attention they deserve from security professionals. This post exposes some serious issues with the popular "Honey" extension: four different ways the Honey server could run arbitrary code on any website you visit while the extension is installed.
- MalDoc Fu - Some Ideas for Malicious Document Delivery. Maldocs (macro-enabled malicious documents) are a favorite of phishing engagements, but as people and technologies slowly get better, they are becoming less successful. This post explores some new, more advanced forms of Maldoc to hide your malicious payload and bypass current AV. Well done!
- Remote Desktop Services Shadowing – Beyond the Shadowed Session. RDP Shadowing is the process of connecting to an already open RDP session. This is useful for legitimate purposes, and could be very useful for red team purposes as well: with some registry changes it can be made silent, so a red teamer can effectively spy on a user's live RDP session.
- UAC bypasses from COMAutoApprovalList details the two newest additions to UACME, which abuse Windows COM object model classes that have elevation enabled (the COM auto-approval list).
- Using and detecting C2 printer pivoting explores a very interesting "esoteric C2 channel": using print jobs to communicate across a Windows network.
- NAT Slipstreaming allows an attacker to remotely access any TCP/UDP service bound on a victim machine, bypassing the victim's NAT/firewall (arbitrary firewall pinhole control), just by having the victim visit a website. The author of the fastest-spreading virus is back with more great research. It abuses the SIP Application Layer Gateway (which may be enabled by default on some routers) together with bad packet fragmentation handling, so that a browser can generate what a (bad) router takes for arbitrary packets. That allows all kinds of things, like opening ports through to other internal devices, just by having a user run some JavaScript when they browse to a website. Very cool, but possibly limited to sketchy defaults and poor packet fragmentation handling.
Tools and Exploits
- MaliciousClickOnceMSBuild is a C# project that takes an MSBuild payload and runs it with MSBuild via ClickOnce. Be aware that without a valid code-signing certificate it will trigger a SmartScreen warning.
- BOF.NET is a small native BOF object combined with the BOF.NET managed runtime that enables the development of Cobalt Strike BOFs directly in .NET. BOF.NET removes the complexity of native compilation along with the headaches of manually importing native API. Now you can write your BOFs in .NET instead of C!
- HoneyCreds is a network credential injection tool to detect Responder and other network poisoners. Set it up with a legitimate-looking username and an easy-to-crack password, then alert on any use of that account in your environment.
- CVE-2020-14882. Oh boy: a single GET request gets unauthenticated remote code execution against Oracle WebLogic. The patch is amazingly poor as well.
- MalwareMultiScan is a self-hosted VirusTotal / MetaDefender wannabe with API, demo UI and Scanners running in Docker. Like other self-hosted AV scanners, it only runs Linux based AVs (and Windows Defender). This joins malice, saferwall, and MultiAV-Extended for self hosted AV scanning solutions.
- UltimateWDACBypassList is a centralized resource for previously documented WDAC/Device Guard/UMCI bypass techniques.
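The alerting half of the HoneyCreds setup above, as an added example (this is not code from the HoneyCreds project): once the honey account has been seeded on the wire, the signal is any authentication event for that account in the Windows Security log that did not come from the injector itself. The account name `svc_backup`, the injector address `10.0.0.50` and the event records are constructed for this example.

```python
# Added example for the HoneyCreds entry; not code from the HoneyCreds project.
# Shows the detection side: flag any authentication event for the honey account
# that was not generated by the injector host. Account name, hosts and the
# sample events below are constructed for this example.
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumption: the honey account(s) HoneyCreds injects; matched case-insensitively.
HONEY_ACCOUNTS = {"svc_backup"}

# Assumption: address of the host running the injector. Its own authentication
# attempts are expected and must not raise an alert.
INJECTOR_HOSTS = {"10.0.0.50"}

# Security event IDs that show someone actually tried to use an account.
# Anything else (e.g. 4688 process creation) is not proof the credential was used.
WATCHED = {
    4624: "successful logon",
    4625: "failed logon",
    4768: "Kerberos TGT request (AS-REQ)",
    4769: "Kerberos service ticket request (TGS-REQ)",
    4771: "Kerberos pre-authentication failure",
    4776: "NTLM credential validation",
}


@dataclass(frozen=True)
class Alert:
    event_id: int
    account: str
    source: str
    reason: str


def normalize_user(name: str) -> str:
    """Lower-case and strip a UPN suffix: 'SVC_BACKUP@CORP.LOCAL' -> 'svc_backup'."""
    return name.split("@", 1)[0].lower()


def normalize_ip(addr: str) -> str:
    """Kerberos events log IPv4 clients as '::ffff:10.0.1.77'; strip that prefix."""
    return addr[7:] if addr.startswith("::ffff:") else addr


def honey_account_used(event: dict) -> Optional[Alert]:
    """Return an Alert if this event shows a honey account used by anyone other than the injector."""
    event_id = event.get("EventID")
    if event_id not in WATCHED:
        return None
    user = normalize_user(event.get("TargetUserName", ""))
    if user not in HONEY_ACCOUNTS:
        return None
    # 4624/4625/476x carry IpAddress; 4776 only carries the Workstation name.
    source = normalize_ip(
        event.get("IpAddress") or event.get("Workstation") or event.get("WorkstationName") or "unknown"
    )
    if source in INJECTOR_HOSTS:
        return None
    return Alert(event_id, user, source, WATCHED[event_id])


def scan(events: Iterable[dict]) -> List[Alert]:
    """Run the check over a stream of parsed Security events and collect the hits."""
    return [alert for alert in map(honey_account_used, events) if alert is not None]


# Constructed sample events, using the field names those Security events carry.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.0.1.20", "LogonType": 3},
    # an attacker who cracked the captured NTLMv2 hash now asks for a service ticket
    {"EventID": 4769, "TargetUserName": "svc_backup@CORP.LOCAL",
     "IpAddress": "::ffff:10.0.1.77", "ServiceName": "MSSQLSvc/db01.corp.local:1433"},
    # a wrong-password guess against the honey account also counts
    {"EventID": 4625, "TargetUserName": "SVC_BACKUP", "IpAddress": "10.0.1.77", "Status": "0xC000006D"},
    # the injector's own logon: expected, suppressed
    {"EventID": 4624, "TargetUserName": "svc_backup", "IpAddress": "10.0.0.50", "LogonType": 3},
    # not an authentication event, so not evidence of use
    {"EventID": 4688, "TargetUserName": "svc_backup", "NewProcessName": "C:\\Windows\\System32\\cmd.exe"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[HONEY] {alert.reason}: {alert.account} from {alert.source} (event {alert.event_id})")
```

One caveat worth keeping in mind: the capture itself leaves no trace on the domain controller, because the honey client authenticates to Responder's rogue server, which never talks to the DC. These events only fire when the attacker cracks the hash and reuses the password, or relays the authentication to a real host (which is why 4776 is in the list). The password therefore has to be weak enough to crack quickly, and the account must hold no real privileges anywhere.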
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- dendron is a local-first, markdown based, hierarchical note-taking application built on top of VSCode and friends. Similar to Obsidian or Roam, but open source and free.
This post is cross-posted on SIXGEN's blog.