Last Week in Security (LWiS) - 2020-11-16

AV bypasses for common C2s (@ShitSecure), Big Sur firewall bypass (@patrickwardle), 10 vulns in Bitdefender (@0xlandave), Win7 LPE (@itm4n), COM mapping tool (@hotnops), hooks for Windows password dumping (@last0x00), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-11-09 to 2020-11-16.

News

  • SO-CON 2020 is a conference by SpecterOps and has great talks lined up for 2020-11-20!
  • What's new in macOS 11, Big Sur! Apple's latest OS was released last Thursday, and one of the best sources for what's new is the hackintosh subreddit.
  • Apple Silicon M1 Emulating x86 is Still Faster Than Every Other Mac in Single Core Benchmark. Apple released their in-house ARM-based chips last week for the 13" MacBook Pro, MacBook Air, and Mac mini. They said it was fast, but this benchmark really shows it. Even emulating x86, a MacBook Air scored higher on single-core performance than a 2020 iMac with an Intel i9-10910 (10 cores at 3.6 GHz). Seriously impressive. In multicore benchmarks, the Mac mini with M1 is surprisingly high on the all-time benchmarks list.
  • Can't open apps on macOS: an OCSP disaster waiting to happen. While Apple was making amazing strides with its new silicon, it was also being dragged through the mud for its Gatekeeper implementation. This post is the most honest (spoiler: Apple isn't collecting executable hashes every time you launch them), and discusses the missteps of the implementation. There is a place for this type of security mechanism, but it should be designed with privacy first - especially from a company that plays the privacy card as hard as Apple does. Apple has issued a statement (bottom) with vague promises. At this point, Linux distros are the last OSs left without telemetry baked in (and some distros have it).
  • Big Sur allows apps to bypass firewalls. Apple news again, and this is an impressively poor showing. How this got past all the meetings and approvals it must have taken is beyond me. Apple has exempted many of its own applications from being routed through the new frameworks on Big Sur that Apple requires 3rd party firewalls to use (no more kexts). I guess Apple was convinced it would help with their mission to have things "just work," but if a user is installing a 3rd party firewall, they probably know what they are doing...
  • Windows 20H2 changes is a comparison of Windows 10 2004 and Windows 10 20H2 installations. Could be a menu of new things to look into for vulnerabilities, or just new legitimate service names to hide your persistence.

Techniques

Tools and Exploits

  • Apollo and Mythic: A Myth Worth Retelling. Apollo was in last week's edition of this blog, but this post digs into some of the features it has. Apollo + Mythic is a powerful combination.
  • Windows RpcEptMapper Service Insecure Registry Permissions EoP. While only effective against Windows 7, this local privilege escalation vulnerability is a classic case of seeing something strange and digging into it, reading the docs, and coming away with an interesting result.
  • HppDLL enables local password dumping using MsvpPasswordValidate hooks. Explanation here.
  • openedr is a free and open source platform that allows you to analyze what's happening across your entire environment at the base-security-event level. The repo is a little light on details for now, but this is one to watch.
  • Issue 2075: Windows: Local Spooler CVE-2020-1337 Bypass. Microsoft finally actually patched the local spooler local privilege escalation vulnerability in Windows 10. This issue has a PoC if you come across any machines that don't have the November 2020 patch.
  • COM_Mapper is a tool to create COM class/interface relationships in neo4j. Like BloodHound for COM!
  • aix53l-libc.c. If you are unfortunate enough to gain access to an AIX machine, you can root it easily now with this 0day that exploits a buffer overflow in the handling of locale environment variables.
  • ghinja is a plugin to embed Ghidra Decompiler into Binary Ninja.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • 22120 is a tool to self-host the Internet with an offline archive. Similar to ArchiveBox, SingleFile and WebMemex.

This post is cross-posted on SIXGEN's blog.