Last Week in Security (LWiS) - 2021-01-04
SolarWinds news and dumping tool (@mubix), Android exploit from an iOS exploiter (@_bazad), C# runtime dependency resolution (@Jean_Maes_1994 + @_RastaMouse), direct syscalls in BOFs (@OutflankNL + @ajpc500), C# from Nim (@ShitSecure), Ubuntu LPE (@scannell_simon), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-12-14 to 2021-01-04.
News
- Solargate aka Solorigate aka the SolarWinds compromise fallout
- Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers. This post from Microsoft details the major parts of the attack. I am a bit surprised that after all the work to backdoor the software supply chain and remain undetected, the actors used PowerShell for post exploitation activities instead of in memory C#.
- The SolarWinds Orion SUNBURST supply-chain Attack. Using passive DNS records from Open Source Context, the team at truesec manage to shed some light on the victims by decoding the generated DNS lookups. Cloudflare has more details.
- SolarWinds Backdoor (Sunburst) Incident Response Playbook. This is a no nonsense playbook to follow if you are unfortunate enough to have a SolarWinds deployment.
- SUPERNOVA: A Novel .NET Webshell. One post exploitation technique implemented was a novel .NET webshell that showed advanced tradecraft with in-memory execution.
- CVE-2020-10148 (local file disclosure PoC for SolarWinds Orion aka door to SuperNova?). Once SolarWinds Orion hit the news, researches started to look into it and like most enterprise apps, CVEs fell out. Description here.
- SUNBURST Additional Technical Details is another great post from FireEye with more technical information about the attack. To crack the hashes of the AV strings the backdoor checks for yourself, a custom hashcat-SolarWindsHack was used. All hashes have been cracked and are available here.
- Microsoft Internal Solorigate Investigation Update. Just when I thought the Solorigate news was drying up, Microsoft reveals that actors related to the breach had "been used to view source code in a number of source code repositories." Microsoft claims that no source was modified and any source disclosure would not impact security.
- Apple loses copyright battle against security start-up Corellium. Apple once was in talks to buy the iOS emulation startup Corellium, but resorted to attempting to sue it out of existence instead. This was a major case for anyone doing security research, as a decision the other way would have major implications for anyone virtualizing or emulating software or hardware. This is a rare win for a great innovative startup against a mega-corp. Full decision here.
- The Great iPwn Journalists Hacked with Suspected NSO Group iMessage ‘Zero-Click’ Exploit. This is the first major "in the wild" iOS exploit chain since Trident (2016). It used an no-click iMessages 0day that worked on the latest iPhone and iOS version (iPhone 11 on 13.5.1 at the time of the discovery). Much like Trident, this malware was used to target journalists with connections to the Middle East.
- pongoOS. Speaking of iOS exploits, the checkra1n team has open sourced the entirety of their pongoOS, including kernel patchfinder and SEP exploit.
- Undocumented user account in Zyxel products (CVE-2020-29583). "Undocumented user account" is a polite way to say backdoor. In this case the account was used by other Zyxel products to install firmware updates via FTP. If your update mechanism solution is to hard code admin credentials in all your devices, maybe you shouldn't be making security hardware?
- Ticketmaster pays $10 million fine after hacking a startup rival. After being hired to Ticketmaster from rival Songkick, an employee shared Songkick credentials and URLs with Ticketmaster which the company used to access its rival. While the $10 million fine seems light for the blatant "hacking" (they even held a "summit" where they gathered to use the credentials), karma may have dealt the true fine, with Ticketmaster's revenue down 95% year over year.
- Reverse Engineering the source code of the BioNTech/Pfizer SARS-CoV-2 Vaccine. Not really security related but the way the vaccine is broken down in computer terms is really interesting.
Techniques
- Excel-Phish - Phish protected Excel-file passwords. Sometimes the easiest way to crack the password of Excel documents is to ask for them. The trusted location allowing macros without warnings was key to pulling this off. Code here.
- Warcodes II - The Desko Case. Barcode programming has been demonstrated before but any traveler likely has direct experience with these Desko scanners. Imagine what would happen if you reprogrammed a scanner to accept the next person in line regardless of ticket status.
- Hands in the Cookie Jar: Dumping Cookies with Chromium’s Remote Debugger Port. Cookie dumping is a very useful technique for modern red teams. As the use of multi-factor authentication increases, the ability to dump a cookie and browse to a site already authenticated is an attractive technique for adversaries. This new tool is based on some older research. I personally use SharpChromium, but this new cross platform solution is a welcome addition!
- CVE-2020-25695 Privilege Escalation in Postgresql. This is a great post as it shows the full process from looking at the source code to working exploit, and everything in between. The exploit is for PostgreSQL 11.9 to 13.0 and allows an unprivileged Postgres user to elevate to superuser within PostgreSQL.
- Automating Blind Sql Injection is a basic post on how to automate a basic blind SQLi in the popular Damn Vulnerable Web App (DVWA). Lots of testers will throw SQLMap without fully understanding how it works under the hood. This post is a good way to understand the basics before using more advanced tools.
- AIR-FI: Generating Covert Wi-Fi Signals fromAir-Gapped Computers. I can't see myself ever needing to use this technique but dang is it cool. An attacker can control RAM to emit 2.4 GHz signals that can be picked up by nearby WiFi enabled devices. Demo here.
- Fastly and Fronting. Domain fronting is not a new technique, and while it has suffered from dropped support by the big CDNs, it still works with Azure, Fastly, and others. This post shows you how to set it up from registering a service to testing the front. For a list of frontable domains, check out FindFrontableDomains or try this Censys query (credit to EX on the BloodHoundGang Slack for the query).
- Dumping LAPS Passwords from Linux. Using a little bit of python (and the ldap3 module) or ldapsearch a Linux machine that can communicate with a DC and a user that has credentials to see the "Local Admin Password Solution" (LAPS) attribute in the DC (by default just domain admins) can dump all local admin passwords. Issue arise when misconfigurations allow non-DAs to see this attribute (help desk, etc) and their account is compromised.
- An iOS hacker tries Android. Brandon Azad drops one last gem before moving from Google's Project Zero to Apple. In this low level post, he shows his work as he exploits an Android Neural Processing Unit bug. At the end he provides unique insight into the differences and similarities between Android and iOS kernel exploitation that he is uniquely qualified to present.
- A tale of .NET assemblies, cobalt strike size constraints, and reflection.. With Cobalt Strike's 1MB limit for execute-assembly, the ability to load dependancies at runtime and add them to the current AppDomain vs having to weave them into the binary allows you to remain under the 1MB limit. Rasta Mouse has a post on the same subject here
- Microsoft Exchange Remote Code Execution - CVE-2020-16875. September saw this Exchange RCE patched, and now it is once again patched in December 2020. Say it again for the people in the back, "a patch is not always the death of a bug!"
- Exploiting BGInfo to Infiltrate a Corporate Network. This is a really cool technique that exploits the program that generates the information overlays on Windows desktop backgrounds.
- Direct Syscalls in Beacon Object Files. The OGs of direct syscalls are back with direct syscalls in Cobalt Strike BOFs. They drop WdToggle and a helper tool InlineWhispers which can help add direct syscalls to your BOFs. Another new project SyscallsInject builds on this by reading the syscalls from on disk ntdll vs statically compiled into the BOF which I am calling "diet Hell's Gate" (true Hell's Gate would read the syscalls from memory).
- Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams. This is a round up of most (all?) of the ways to bypass user-mode hooks and use direct syscalls on Windows. Lots of good info here, and a new method I was unfamiliar with as well - FreshyCalls.
- Bypassing Windows protection mechanisms & Playing with OffensiveNim. The offensive use of Nim is really heating up and this post walks through taking a template for C# loading in Nim and productizing it with Rubeus as well as using it to bypass Constrained Language mode for Powershell.
- The worst of the two worlds: Excel meets Outlook. Ever wanted to drop a VBA script from Excel that will be run by Outlook to keylog a target? Well now you can! The VBA tricks from @TheXC3LL have been very impressive, and this is no exception.
- Pentest - Everything SMTP demystifies the basics of SMTP and some simple commands you can use to try to spoof messages and enumerate users. Defenses against these techniques are also included.
- State of Pentesting 2020 gives a good overview of some common techniques and methods used on internal pentests and how to defend against them.
- Forging malicious DOC, undetected by all VirusTotal static engines. Breaking CRCs or inserting false headers cause all kinds of issues with parsers, and parsing is the first step most AV take with modern Office doucments.
Tools and Exploits
- ExecuteAssembly is one of the best tool drops in recent memory. ExecuteAssembly is an alternative of CS execute-assembly, built with C/C++ and it can be used to Load/Inject .NET assemblies by; reusing the host (spawnto) process loaded CLR Modules/AppDomainManager, Stomping Loader/.NET assembly PE DOS headers, Unlinking .NET related modules, bypassing ETW+AMSI, avoiding EDR hooks via NT static syscalls (x64) and hiding imports by dynamically resolving APIs via superfasthash hashing algorithm. This has all the building blocks to incorporate into your own tools or use directly in Cobalt Strike. The only thing missing from making this perfect is Hell's Gate for dynamically resolving the syscalls vs statically embedding them.
- winaflpet is a web user interface dedicated to WinAFL remote management via an agent running as a system service on fuzzing machines. The purpose of this project is to allow easy monitoring of fuzzing jobs running on several remote machines. This is a great project for anyone running a fuzzing farm against Windows software.
- pexphide is a PoC for hiding PE exports so that dumpbin /exports shows no exports for the DLL. No blog post or further information that I could find, so dig into the code for the details.
- solarflare is a credential dumping tool for SolarWinds Orion. With the recent news, now you can see what the attackers may have had access to in your environment. Lots more details an a full conference talk here
- DetectCobaltStomp when module stomping is enabled with module_x86/x64 in a malleable C2 profile, this tool can detect the remnants left in memory. Also works against Module Stomping in C#.
- SharpZipRunner executes position independent shellcode from an encrypted zip on disk. Modify this to ether pull the zip file via HTTPS or embed it and keep it all in memory for extra stealth.
- KeyDecoder is a mobile app (Android only currently) created for pentesters and security enthusiasts. From the picture of a key, one can measure its bitting easily. The picture must be of the target key on an ISO/CEI 7810 ID-1 sized card like a credit card for the computer vision magic to work properly. Available on Google Play.
- Vulnerable-Kext is a work-in progress "Vulnerable by Design" kext for iOS/macOS to play/learn with *OS kernel exploitation.
- PcapMonkey is a project that will provide an easy way to analyze pcap using the latest version of Suricata and Zeek. It can also save Suricata and Zeek logs in Elasticsearch using the new Elasticsearch Common Schema or the original field names. More details here.
- Oh, so you have an antivirus... name every bug. Some :fire: Windows local privilege escalation exploits in this post. Proof of concepts available on GitHub.
- NoMSBuild uses the Microsoft.Build.Evaluation C# namespace to load and build a project without executing MSbuild.exe. Comes with a sample project that uses D/Invoke to inject shellcode.
- Azure Reporting Tools
- CRT is the CrowdStrike Reporting Tool for Azure. This tool queries the following configurations in the Azure AD/O365 tenant which can shed light on hard to find permissions and configuration settings in order to assist organizations in securing these environments.
- Sparrow was created by CISA's Cloud Forensics team to help detect possible compromised accounts and applications in the Azure/m365 environment. The tool is intended for use by incident responders, and focuses on the narrow scope of user and application activity endemic to identity and authentication based attacks seen recently in multiple sectors.
- Issue 2096: Windows: splWOW64 Elevation of Privilege. This is an 0day (might be patched 2021-01-12?) that is a new way to exploit the same bug as CVE-2020-0986. Only a basic PoC exists thus far (a proof of write-what-where), but if you are in need of such a primitive for Windows, today is your lucky day!
- ADFS-Info is a small project to get the private key and token-signing certificate from an AD FS server to create forged tokens that won't be detected by Microsoft Defender for Identity.
- CVE-2020-27194. The proof of concept exploit for CVE-2020-27194 (Ubuntu 20.10 eBPF local privilege escalation) has been released. Write up here.
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- log is a simple command line log book for offensive operations. It makes it easy to timestamp important events and screenshots and organize them by target.
- ghidra-dark provides a simple to use installer to install the FlatLaf dark theme, custom colors for disassembly/decompilation in Ghidra, and some other helpful settings. The installer supports all public builds through version 9.2 on Windows, Linux, and macOS.
- αcτµαlly pδrταblε εxεcµταblε is truly some black magic that allows gcc to take in pure C to output a binary that can run on every Linux distro in addition to macOS, Windows, FreeBSD, and OpenBSD too. The implications for a platform independent stager are obvious. More information here.
- aegis is a library that allows you detect if your software is being debugged or not on Linux, FreeBSD, NetBSD, OpenBSD and Windows. You can use it natively from C or use the Go bind.
- arsenal is just a quick inventory, reminder and launcher for pentest commands. This project written by pentesters for pentesters simplify the use of all the hard-to-remember commands. Reminds me of tealdeer for pentesters.
This post is cross-posted on SIXGEN's blog.