Last Week in Security (LWiS) - 2020-11-16
AV bypasses for common C2s (@ShitSecure), Big Sur firewall bypass (@patrickwardle), 10 vulns in Bitdefender (@0xlandave), Win7 LPE (@itm4n), COM mapping tool (@hotnops), hooks for Windows password dumping (@last0x00), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-11-09 to 2020-11-16.
News
- SO-CON 2020 is a conference by SpecterOps and has great talks lined up for 2020-11-20!
- What's new in macOS 11, Big Sur!. Apple's latest OS was released last Thursday, and one of the best sources for what's new is the hackintosh subreddit.
- Apple Silicon M1 Emulating x86 is Still Faster Than Every Other Mac in Single Core Benchmark. Apple released their in house ARM-based chips last week for the 13" MacBook Pro, MacBook Air, and Mac mini. They said it was fast, but this benchmark really shows it. Even emulating x86, a Macbook Air scored higher on single-core performance than a 2020 iMac with an Intel i9-10910 (10 cores at 3.6 GHz). Seriously impressive. In multicore benchmarks, the Mac mini with M1 is surprisingly high on the all time benchmarks list.
- Can't open apps on macOS: an OCSP disaster waiting to happen. While Apple was making amazing strides with its new silicon, it was also being dragged through the mud for its Gatekeeper implementation. This post is the most honest (spoiler: Apple isn't collecting executable hashes every time you launch them), and discusses the missteps of the implementation. There is a place for this type of security mechanism, but it should be designed with privacy first - especially from a company that plays the privacy card as hard as Apple does. Apple has issued a statement (bottom) with vague promises. At this point, Linux distros are the last OSs left without telemetry baked in (and some distros have it).
- Big Sur allows apps to bypass firewalls. Apple news again, and this is impressively poor showing. How this got past all the meetings and approvals it must have taken is beyond me. Apple has exempted many Apple applications from being routed through new frameworks on Big Sur that Apple requires 3rd party firewalls to use (no more kexts). I guess Apple was convinced it would help with their mission to have things "just work," but if a user is installing a 3rd party firewall, they probably know what they are doing...
- Windows 20H2 changes is a comparison of Windows 10 2004 and Windows 10 20H2 installations. Could be a menu of new things to look into for vulnerabilities, or just new legitimate service names to hide your persistence.
Techniques
- Bitdefender: UPX Unpacking Featuring Ten Memory Corruptions. Antivirus products have been the target or researchers in the past, but finding 10 memory corruptions in a single feature of one is impressive. The timeline of disclosure also contains more than a few 🤦.
- How to get root on Ubuntu 20.04 by pretending nobody’s /home. This is a super strange bug that requires physical access to a Ubuntu machine with a GUI. By tricking the accounts-daemon to thinking you a new user, you get root! Demo here.
- Extraordinary Vulnerabilities Discovered in TCL Android TVs, Now World’s 3rd Largest TV Manufacturer.. TCL's heavily modified Android TV implementation is full of holes. Or maybe a better description is that is is a hole with some non-hole parts, possibly on accident. You have all your IoT on a separate network right?
- Duping AV with handles. Calling OpenProcess on lsass is a big red flag for most AV. However, some things do "legitimately" open handles (like AV itself). Using debug privileges, a process can find these legitimate handles and clone them, fooling some AV. Code here.
- Firefox: How a website could steal all your cookies. The older Firefox Fennec (v68.9.0) on Android was vulnerable to a complex attack chain that allowed for an attacker to download the cookies.sql file from users after a single click. This feels like a nation-state style vulnerability that would be used against targeted individuals.
- Customizing C2-Frameworks for AV-Evasion walks through some AV evasion techniques for Powershell Empire, Pupy, and Covenant.
- adversarial.js is a really well done demo of how machine learning classifier models can be tricked with images that remain easily discernible to humans. Next time a vendor leans on ML, know that it isn't a silver bullet. Maybe if you had 320GB of GPU memory things would be different.
- Decrypting OpenSSH sessions for fun and profit. If you have a memory image of a server with an active SSH connection, and a pcap of that SSH session, you can decrypt it! Code here.
- Forget Your Perimeter Part 2: Four Vulnerabilities in Pulse Connect Secure. As VPNs become vital for business, they also become bigger targets for adversaries. This is an nice vulnerability chain that goes from XSS to RCE. GoSecure included details on a neat trick to get access to the unencrypted filesystem of the Pulse Secure appliance as well, which could apply to other appliances you may be hacking.
- Advanced MSSQL Injection Tricks. MSSQL is often see in enterprise environments. Now you can pwn it in new and fun ways!
Tools and Exploits
- Apollo and Mythic: A Myth Worth Retelling. Apollo was in last weeks edition of this blog, but this post digs into some of the features it has. Apollo + Mythic is a powerful combination.
- Windows RpcEptMapper Service Insecure Registry Permissions EoP. While only effective against Windows 7, this local privilege escalation vulnerability is a classic case of seeing something strange and digging into it, reading the docs, and coming away with an interesting result.
- HppDLL enables local password dumping using MsvpPasswordValidate hooks. Explanation here.
- openedr is free and open source platform allows you to analyze what’s happening across your entire environment at base-security-event level. The repo is a little light on details for now, but this is one to watch.
- Issue 2075: Windows: Local Spooler CVE-2020-1337 Bypass. Microsoft finally actually patched the local spooler local privilege escalation vulnerability in Windows 10. This issue has a PoC if you come across any machines that don't have the November 2020 patch.
- COM_Mapper is a tool to create COM class/interface relationships in neo4j. Like BloodHound for COM!
- aix53l-libc.c. If you are unfortunate enough to gain access to an AIX machine, you can root it easily now with this 0day that exploits a buffer overflow in the handling of locale environment variables.
- ghinja is a plugin to embed Ghidra Decompiler into Binary Ninja.
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- 22120 is a tool to self-host the Internet with an offline archive. Similar to ArchiveBox, SingleFile and WebMemex.
This post is cross-posted on SIXGEN's blog.