Last Week in Security (LWiS) - 2021-01-04

SolarWinds news and dumping tool (@mubix), Android exploit from an iOS exploiter (@_bazad), C# runtime dependency resolution (@Jean_Maes_1994 + @_RastaMouse), direct syscalls in BOFs (@OutflankNL + @ajpc500), C# from Nim (@ShitSecure), Ubuntu LPE (@scannell_simon), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-12-14 to 2021-01-04.

News

Techniques

  • Excel-Phish - Phish protected Excel-file passwords. Sometimes the easiest way to crack the password of Excel documents is to ask for them. The trusted location allowing macros without warnings was key to pulling this off. Code here.
  • Warcodes II - The Desko Case. Barcode programming has been demonstrated before but any traveler likely has direct experience with these Desko scanners. Imagine what would happen if you reprogrammed a scanner to accept the next person in line regardless of ticket status.
  • Hands in the Cookie Jar: Dumping Cookies with Chromium’s Remote Debugger Port. Cookie dumping is a very useful technique for modern red teams. As the use of multi-factor authentication increases, the ability to dump a cookie and browse to a site already authenticated is an attractive technique for adversaries. This new tool is based on some older research. I personally use SharpChromium, but this new cross platform solution is a welcome addition!
  • CVE-2020-25695 Privilege Escalation in Postgresql. This is a great post as it shows the full process from looking at the source code to working exploit, and everything in between. The exploit is for PostgreSQL 11.9 to 13.0 and allows an unprivileged Postgres user to elevate to superuser within PostgreSQL.
  • Automating Blind Sql Injection is a basic post on how to automate a basic blind SQLi in the popular Damn Vulnerable Web App (DVWA). Lots of testers will throw SQLMap without fully understanding how it works under the hood. This post is a good way to understand the basics before using more advanced tools.
  • AIR-FI: Generating Covert Wi-Fi Signals fromAir-Gapped Computers. I can't see myself ever needing to use this technique but dang is it cool. An attacker can control RAM to emit 2.4 GHz signals that can be picked up by nearby WiFi enabled devices. Demo here.
  • Fastly and Fronting. Domain fronting is not a new technique, and while it has suffered from dropped support by the big CDNs, it still works with Azure, Fastly, and others. This post shows you how to set it up from registering a service to testing the front. For a list of frontable domains, check out FindFrontableDomains or try this Censys query (credit to EX on the BloodHoundGang Slack for the query).
  • Dumping LAPS Passwords from Linux. Using a little bit of python (and the ldap3 module) or ldapsearch a Linux machine that can communicate with a DC and a user that has credentials to see the "Local Admin Password Solution" (LAPS) attribute in the DC (by default just domain admins) can dump all local admin passwords. Issue arise when misconfigurations allow non-DAs to see this attribute (help desk, etc) and their account is compromised.
  • An iOS hacker tries Android. Brandon Azad drops one last gem before moving from Google's Project Zero to Apple. In this low level post, he shows his work as he exploits an Android Neural Processing Unit bug. At the end he provides unique insight into the differences and similarities between Android and iOS kernel exploitation that he is uniquely qualified to present.
  • A tale of .NET assemblies, cobalt strike size constraints, and reflection.. With Cobalt Strike's 1MB limit for execute-assembly, the ability to load dependancies at runtime and add them to the current AppDomain vs having to weave them into the binary allows you to remain under the 1MB limit. Rasta Mouse has a post on the same subject here
  • Microsoft Exchange Remote Code Execution - CVE-2020-16875. September saw this Exchange RCE patched, and now it is once again patched in December 2020. Say it again for the people in the back, "a patch is not always the death of a bug!"
  • Exploiting BGInfo to Infiltrate a Corporate Network. This is a really cool technique that exploits the program that generates the information overlays on Windows desktop backgrounds.
  • Direct Syscalls in Beacon Object Files. The OGs of direct syscalls are back with direct syscalls in Cobalt Strike BOFs. They drop WdToggle and a helper tool InlineWhispers which can help add direct syscalls to your BOFs. Another new project SyscallsInject builds on this by reading the syscalls from on disk ntdll vs statically compiled into the BOF which I am calling "diet Hell's Gate" (true Hell's Gate would read the syscalls from memory).
  • Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams. This is a round up of most (all?) of the ways to bypass user-mode hooks and use direct syscalls on Windows. Lots of good info here, and a new method I was unfamiliar with as well - FreshyCalls.
  • Bypassing Windows protection mechanisms & Playing with OffensiveNim. The offensive use of Nim is really heating up and this post walks through taking a template for C# loading in Nim and productizing it with Rubeus as well as using it to bypass Constrained Language mode for Powershell.
  • The worst of the two worlds: Excel meets Outlook. Ever wanted to drop a VBA script from Excel that will be run by Outlook to keylog a target? Well now you can! The VBA tricks from @TheXC3LL have been very impressive, and this is no exception.
  • Pentest - Everything SMTP demystifies the basics of SMTP and some simple commands you can use to try to spoof messages and enumerate users. Defenses against these techniques are also included.
  • State of Pentesting 2020 gives a good overview of some common techniques and methods used on internal pentests and how to defend against them.
  • Forging malicious DOC, undetected by all VirusTotal static engines. Breaking CRCs or inserting false headers cause all kinds of issues with parsers, and parsing is the first step most AV take with modern Office doucments.

Tools and Exploits

  • ExecuteAssembly is one of the best tool drops in recent memory. ExecuteAssembly is an alternative of CS execute-assembly, built with C/C++ and it can be used to Load/Inject .NET assemblies by; reusing the host (spawnto) process loaded CLR Modules/AppDomainManager, Stomping Loader/.NET assembly PE DOS headers, Unlinking .NET related modules, bypassing ETW+AMSI, avoiding EDR hooks via NT static syscalls (x64) and hiding imports by dynamically resolving APIs via superfasthash hashing algorithm. This has all the building blocks to incorporate into your own tools or use directly in Cobalt Strike. The only thing missing from making this perfect is Hell's Gate for dynamically resolving the syscalls vs statically embedding them.
  • winaflpet is a web user interface dedicated to WinAFL remote management via an agent running as a system service on fuzzing machines. The purpose of this project is to allow easy monitoring of fuzzing jobs running on several remote machines. This is a great project for anyone running a fuzzing farm against Windows software.
  • pexphide is a PoC for hiding PE exports so that dumpbin /exports shows no exports for the DLL. No blog post or further information that I could find, so dig into the code for the details.
  • solarflare is a credential dumping tool for SolarWinds Orion. With the recent news, now you can see what the attackers may have had access to in your environment. Lots more details an a full conference talk here
  • DetectCobaltStomp when module stomping is enabled with module_x86/x64 in a malleable C2 profile, this tool can detect the remnants left in memory. Also works against Module Stomping in C#.
  • SharpZipRunner executes position independent shellcode from an encrypted zip on disk. Modify this to ether pull the zip file via HTTPS or embed it and keep it all in memory for extra stealth.
  • KeyDecoder is a mobile app (Android only currently) created for pentesters and security enthusiasts. From the picture of a key, one can measure its bitting easily. The picture must be of the target key on an ISO/CEI 7810 ID-1 sized card like a credit card for the computer vision magic to work properly. Available on Google Play.
  • Vulnerable-Kext is a work-in progress "Vulnerable by Design" kext for iOS/macOS to play/learn with *OS kernel exploitation.
  • PcapMonkey is a project that will provide an easy way to analyze pcap using the latest version of Suricata and Zeek. It can also save Suricata and Zeek logs in Elasticsearch using the new Elasticsearch Common Schema or the original field names. More details here.
  • Oh, so you have an antivirus... name every bug. Some :fire: Windows local privilege escalation exploits in this post. Proof of concepts available on GitHub.
  • NoMSBuild uses the Microsoft.Build.Evaluation C# namespace to load and build a project without executing MSbuild.exe. Comes with a sample project that uses D/Invoke to inject shellcode.
  • Azure Reporting Tools
    • CRT is the CrowdStrike Reporting Tool for Azure. This tool queries the following configurations in the Azure AD/O365 tenant which can shed light on hard to find permissions and configuration settings in order to assist organizations in securing these environments.
    • Sparrow was created by CISA's Cloud Forensics team to help detect possible compromised accounts and applications in the Azure/m365 environment. The tool is intended for use by incident responders, and focuses on the narrow scope of user and application activity endemic to identity and authentication based attacks seen recently in multiple sectors.
  • Issue 2096: Windows: splWOW64 Elevation of Privilege. This is an 0day (might be patched 2021-01-12?) that is a new way to exploit the same bug as CVE-2020-0986. Only a basic PoC exists thus far (a proof of write-what-where), but if you are in need of such a primitive for Windows, today is your lucky day!
  • ADFS-Info is a small project to get the private key and token-signing certificate from an AD FS server to create forged tokens that won't be detected by Microsoft Defender for Identity.
  • CVE-2020-27194. The proof of concept exploit for CVE-2020-27194 (Ubuntu 20.10 eBPF local privilege escalation) has been released. Write up here.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • log is a simple command line log book for offensive operations. It makes it easy to timestamp important events and screenshots and organize them by target.
  • ghidra-dark provides a simple to use installer to install the FlatLaf dark theme, custom colors for disassembly/decompilation in Ghidra, and some other helpful settings. The installer supports all public builds through version 9.2 on Windows, Linux, and macOS.
  • αcτµαlly pδrταblε εxεcµταblε is truly some black magic that allows gcc to take in pure C to output a binary that can run on every Linux distro in addition to macOS, Windows, FreeBSD, and OpenBSD too. The implications for a platform independent stager are obvious. More information here.
  • aegis is a library that allows you detect if your software is being debugged or not on Linux, FreeBSD, NetBSD, OpenBSD and Windows. You can use it natively from C or use the Go bind.
  • arsenal is just a quick inventory, reminder and launcher for pentest commands. This project written by pentesters for pentesters simplify the use of all the hard-to-remember commands. Reminds me of tealdeer for pentesters.

This post is cross-posted on SIXGEN's blog.