Last Week in Security (LWiS) - 2021-01-11

Thread hijack BOF (@33y0re), anti-debugging tricks (@JustasMasiulis), leaking private YT videos (@xdavidhu), SysWhispers2 (@Jackson_T), Google Titan 🔑 side channel (@victorlomne), lsass handle reuse (@Jean_Maes_1994), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-01-04 to 2021-01-11.



Tools and Exploits

  • SharpHandler. AVs really don't like when random programs open handles to lsass (i.e. mimikatz), so this project instead duplicates an already existing handle to lsass. It's in beta, and has to enumerate every userland process to find the lsass handle, so it will need some tuning before it's production ready, but this is a great start!
  • BurpCustomizer. Burp Suite 2020.12 replaced the old Look and Feel classes with FlatLaf, an open source Look and Feel class which also supports 3rd party themes developed for the IntelliJ Platform. This extension allows you to use these themes in Burp Suite, and includes a number of bundled themes to try.
  • Getting root on a 4G LTE mobile hotspot. This was a fun journey from "I wonder how that works" to writing raw SCSI commands to the device to enable the root shell. Good use of Ghidra and debugging to figure things out.
  • tamperchrome (really Tamper Dev) is a browser extension that acts a lot like Burp Proxy. It can intercept and modify HTTP/HTTPS requests and responses directly in the browser. This should be a big help for people getting started with web app testing as it simplifies the process (no certificate to install). It should also work with sites that use certificate pinning, although those are rare outside of mobile apps.
  • s3viewer is a free tool for security researchers that lists the content of a publicly open S3 bucket and helps to identify leaking data. The tool allows you to view all the files on a given AWS S3 bucket and download selected files and directories. The goal is to identify the owner of the bucket as quickly as possible in order to report that data is leaking from it.
  • cThreadHijack is a Beacon Object File (BOF) for remote process injection, via thread hijacking, without spawning a remote thread. cThreadHijack works by injecting raw Beacon shellcode, generated via a user-supplied listener argument, into a remote process, defined by the user-supplied PID argument, via VirtualAllocEx and WriteProcessMemory. A very detailed write up is available here.
  • FindObjects-BOF is a Cobalt Strike Beacon Object File (BOF) project which uses direct system calls to enumerate processes for specific modules or process handles. It can be useful for finding processes with the CLR loaded for future spawnto when doing execute-assembly, or for finding a process that has a process handle in use (i.e. to lsass.exe).
  • OutlookParasite is a method that misuses Outlook Add-in functionality to obtain (unprivileged) persistence using Outlook (or other Office programs). This method also bypasses the "ClickOnce" install pop-up that you'd normally get when installing an unsigned Outlook Add-in and doesn't show up in AutoRuns.
  • DefaultCreds-cheat-sheet is the one place for all the default credentials to assist pentesters during an engagement. This document has several products' default credentials gathered from several sources. This looks to be quite a good list of default credentials.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • SysWhispers2 is a new release of the direct system call library, but this time it avoids static syscall numbers in favor of pulling them out of ntdll.dll.
  • intrigue-core is an open framework for discovering and enumerating the attack surface of organizations. It can be used with a human-in-the-loop running individual tasks, or fully automated through the use of machine files. With a flexible entity model and deep enrichment system, it is the most full-featured open source framework for discovering attack surface. Backed by a commercial company, this is one to watch. Release blog post here.
  • opencve is a platform that alerts you about new vulnerabilities related to the CVE list powered by the NIST JSON feed. More details at the hosted version.

This post is cross-posted on SIXGEN's blog.