Last Week in Security (LWiS) - 2021-01-11
Thread hijack BOF (@33y0re), anti-debugging tricks (@JustasMasiulis), leaking private YT videos (@xdavidhu), SysWhipers2 (@Jackson_T), Google Titan 🔑 side channel (@victorlomne), lsass handle reuse (@Jean_Maes_1994), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-01-04 to 2021-01-11.
News
- Nissan source code leaked online after Git repo misconfiguration. The "Git repo misconfiguration" was a Bitbucket server with admin:admin. This is still an issue in 2021. Amazing. For anyone designing self-hostable software, you have to assume people with both expose it to the internet and use the defaults. Don't be monogodb (it has changed since). Also, force users to create passwords upon install, and force some amount of strength.
- R.I.P ROP: CET Internals in Windows 20H1. Control-flow Enforcement Technology (CET) is an Intel specific (Tiger Lake and newer) shadow stack implementation. This could prove to be a very effective defense against ROP and other control flow hijacking techniques, but like every mitigation that has come before there will be bypasses, and I will be excited to read and report them here.
- Encrypted Client Hello: the future of ESNI in Firefox. Firefox 85 replaces Encrypted Server Name Indication (ESNI) with the newer Encrypted Client Hello (ECH) which fixes some issues with ESNI. I am excited for this to roll out for the privacy benefits and the red team uses.
- Singapore says police will be given access to Covid-19 contact tracing data. Is anyone surprised?
- Widely Used Software Company May Be Entry Point for Huge U.S. Hacking. Some very poor reporting here, as absolutely no evidence is given. This is a speculative opinion piece (at best) that feels like SolarWinds is attempting to shift blame by claiming that they were supply chain attacked. I feel bad for Jet Brains, and without additional evidence the three on the byline should take a hard look at what they accept as credible story.
Techniques
- Android_Security is the material for 3 different Android courses (Deep Dive Android, Xtreme Android Hacking, and Android Pentesting) that was recently made public by the author.
- Building a Custom Malware Analysis Lab Environment walks through the setup of a malware lab using Remnux, and a Windows 10 machine with SentinelLabs_RevCore_Tools.
- A Side Journey to Titan. Ninjalab manages to leak the ECDSA private key from a Google Titan Security Key with 6,000 ECDSA observations. Impressive side-channel hardware hacking!
- Cobalt Strike Staging and Extracting Configuration Information. Staging exposes your Cobalt Strike server's configuration to anyone who can craft a valid request (and get through your redirector, you are using a redirect aren't you?). Unless you do some crazy patching you may be better off disabling staging.
- New year, new anti-debug: Don't Thread On Me. Protect your code by ignoring any request to suspend it, the first step in attaching a debugger (usually). Interested to see what other tricks come out of this series.
- Stealing Your Private YouTube Videos, One Frame at a Time. Using a separate, but still in scope service, to leak video frames from a private YouTube video. This kind of cleaver thinking - and light "brute forcing" - is what bug bounties are made for!
- Microsoft Defender Attack Surface Reduction recommendations. Attack Surface Reduction (ASR) are a very under utilized feature of Microsoft Defender. Note: this can be enabled via PowerShell without paying for "Microsoft Defender for Endpoint." Find the GUIDs here.
Tools and Exploits
- SharpHandler. AV's really don't like when random programs open handles to lsass (i.e. mimikatz) so this project instead duplicate an already existing handle to lsass. It's in beta, and has to enumerate every userland process to find the lsass handle, so it will need some tuning before its production ready, but this is a great start!
- BurpCustomizer. Burp Suite 2020.12 replaced the old Look and Feel classes with FlatLaf, an open source Look and Feel class which also supports 3rd party themes developed for the IntelliJ Platform. This extension allows you to use these themes in Burp Suite, and includes a number of bundled themes to try.
- Getting root on a 4G LTE mobile hotspot. This was a fun journey from "I wonder how that works" to writing raw SCSI commands to the device to enable the root shell. Good use of Ghidra and debugging to figure things out.
- tamperchrome (really Tamper Dev) is a browser extension that acts a lot like Burp Proxy. It can intercept and modify HTTP/HTTPS requests and responses directly in the browser. This should be a big help for people getting started with web app testing as it simplifies the process (no certificate to install). It should also work with sites that use certificate pinning, although those are rare outside of mobile apps.
- s3viewer is a free tool for security researchers that lists the content of a publicly open s3 bucket and helps to identify leaking data. The tool allows you to view all the files on a given aws s3 bucket and download selected files and directories. The goal is to identify the owner of the bucket as quickly as possible in order to report that data is leaking from it.
- cThreadHijack is a Beacon Object File (BOF) for remote process injection, via thread hijacking, without spawning a remote thread. cThreadHijack works by injecting raw Beacon shellcode, generated via a user-supplied listener argument, into a remote process, defined by the user-supplied PID argument, via VirtualAllocEx and WriteProcessMemory. A very detailed write up is available here.
- FindObjects-BOF is a Cobalt Strike Beacon Object File (BOF) project which uses direct system calls to enumerate processes for specific modules or process handles. Can be useful for finding processes with the CLR loaded for future spawnto when doing execute-assembly, or for finding a process that has process handle in use (i.e. to lsass.exe).
- OutlookParasite is a method that misuses Outlook Add-in functionality to obtain (unprivileged) persistence using Outlook (or other Office programs). This method also bypasses the "ClickOnce" install pop-up that you'd normally get when installing an unsigned Outlook Add-in and doesn't show up in AutoRuns.
- DefaultCreds-cheat-sheet is the one place for all the default credentials to assist the pentesters during an engagement. This document has a several products default credentials that are gathered from several sources. This looks to be quite a good list of default credentials.
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- SysWhispers2 is a new release of the direct system call library, but this time it avoids static syscall numbers in favor of pulling them out of ntdll.dll.
- intrigue-core is an open framework for discovering and enumerating the attack surface of organizations. It can be used with a human-in-the-loop running individual tasks, or fully automated through the use of machine files. With a flexible entity model and deep enrichment system, it is the most full-featured open source framework for discovering attack surface. Backed by a commercial company, this is one to watch. Release blog post here.
- opencve is a platform that alerts you about new vulnerabilities related to the CVE list powered by the NIST JSON feed. More details at the hosted version.
This post is cross-posted on SIXGEN's blog.