Last Week in Security (LWiS) - 2021-01-18

Containerd breakout PoC (@ChaosDatumz), the "glue" principle (@theluemmel), lockscreen bypass (@jonasLyk), VBox escape 0day (@Sauercl0ud), beacon shellcode generator (@ryanstvnson), browser backdoor (@_batsec_), nim obfuscation (@LittleJoeTables), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-01-11 to 2021-01-18.

News

Techniques

  • Finding 0day to hack Apple. A CMS 0day led to shells on a few Apple systems. This is a detailed walkthrough of how the vulnerabilities were found and chained, as well as of the web application firewall (WAF) issues and bypasses.
  • Making Clouds Rain :: Remote Code Execution in Microsoft Office 365. This Exchange RCE bug doesn't want to die, as this is now the third patch bypass. As it stands it requires some administrative rights on an on-premises Exchange server (the post says DLP rights, but other sources say those are not required).
  • Sailing Past Security Measures In AD. This post covers my favorite technique in red teaming: "glue." There are so many good tools and techniques out there, if you can glue a few together or modify them slightly, you can create some effective "custom" tooling. Part of the reason I write this blog is to bring these building blocks to light for myself and others to "glue" together.
  • Sign over Your Hashes – Stealing NetNTLM Hashes via Outlook Signatures. A 1x1 pixel image that loads from an attacker-controlled UNC path, placed in the signature of a user's Outlook client (which requires neither elevated permissions nor GUI access), yields NetNTLM hashes from anyone who opens a message. Sigwhatever automates the whole process, including cleanup!
  • BitLocker Lockscreen bypass. This was patched on 2020-07-14, but is quite the trick nonetheless. By inserting a specially crafted USB stick and using a DLL hijack against Narrator, an attacker can get SYSTEM code execution on a locked Windows 10 machine. This disclosure likely made many evil maids very upset.
  • Escaping VirtualBox 6.1: Part 1. If the 6-month-old lockscreen bypass was too old news for you, secret club delivers a fresh 0day VirtualBox escape on Windows. A demo and PoC are available.
  • Local Privilege Escalation in VMware vRealize Automation (vRA) Guest Agent Service. This reads like a CTF challenge, with sloppy scripting and bad permissions. Third-party services are the source of many local privilege escalation vulnerabilities on Windows.
  • Pushing back on userland hooks with Cobalt Strike. With all the direct syscall development recently, it was only a matter of time before Cobalt Strike got in on the fun. Mudge's unhook-bof adds a beacon command which will "refresh" the DLLs of the beacon process with unhooked variants.
  • Hijacking connections without injections: a ShadowMoving approach to the art of pivoting. Have you ever wanted to use a legitimate process to send out your command and control traffic? By duplicating the Ancillary Function Driver (AFD) socket handle of an existing connection out of its owning process, the ShadowMove authors are able to send and receive messages over that socket without process injection or any special privileges.
  • Divide and Conquer - A technique to bypass NextGen AV. Behavioral "next-gen" antivirus and endpoint detection software often gives a process a maliciousness score based on how many "bad" actions it takes. The idea behind divide and conquer (and the earlier malWASH) is to have a different process perform each step of the malicious activity, so that no single process crosses the detection threshold of the AV/EDR product.
  • Breaking The Browser – A tale of IPC, credentials and backdoors. As everyone and everything moves to single sign-on web apps, browsers have become the gatekeepers to valuable information. By injecting into Chrome, all kinds of tricks can be pulled, from credential stealing to a full implant stager.
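A defender's counterpart to the Outlook signature trick above: scan signature HTML for images whose source is a UNC path, since that is what makes Outlook authenticate to the attacker's share. This is an added example written for this post, not code from Sigwhatever or the original write-up. It assumes Outlook's usual signature location under %APPDATA%\Microsoft\Signatures (*.htm); the sample signature is constructed inline so the script runs offline.

```python
"""Scan Outlook HTML signatures for images that load from a UNC path.

Added example for this post, not code from Sigwhatever. Outlook keeps
signatures as .htm files under %APPDATA%\\Microsoft\\Signatures; the
sample signature below is constructed inline so the script runs offline.
"""
import glob
import os
import re
from html.parser import HTMLParser
from typing import Dict, List, Tuple

# Matches \\server\share\..., //server/share/..., file://server/share/...
# and file:////server/share/...  (local file:///C:/... paths do not match).
UNC_SRC_RE = re.compile(r"^(?:file:)?(?:\\\\|////|//)[^\\/]+[\\/]", re.IGNORECASE)
TINY = {"0", "1", "1px"}  # the 1x1 tracking-pixel shape used in the post


class _ImgScanner(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.hits: List[Tuple[str, List[str]]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        a = {k.lower(): (v or "").strip() for k, v in attrs}
        src = a.get("src", "")
        if not UNC_SRC_RE.match(src):
            return  # http(s), data:, cid: and relative sources do not leak NetNTLM
        reasons = ["unc-source"]
        if a.get("width") in TINY or a.get("height") in TINY:
            reasons.append("tiny")
        self.hits.append((src, reasons))


def find_unc_images(html: str) -> List[Tuple[str, List[str]]]:
    """Return (src, reasons) for every <img> whose source is a UNC path."""
    p = _ImgScanner()
    p.feed(html)
    p.close()
    return p.hits


def scan_signature_dir(path: str = os.path.expandvars(r"%APPDATA%\Microsoft\Signatures")) -> Dict[str, list]:
    """Scan every .htm signature in the directory; returns {file: hits}."""
    results = {}
    for f in glob.glob(os.path.join(path, "*.htm")):
        with open(f, encoding="utf-8", errors="replace") as fh:
            hits = find_unc_images(fh.read())
        if hits:
            results[f] = hits
    return results


# Constructed sample signature: one benign logo, one 1x1 UNC-sourced pixel.
SAMPLE_SIGNATURE = r"""
<html><body>
<p>Regards,<br>Jane Doe</p>
<img src="https://intranet.example.com/logo.png" width="120" height="40">
<img src="\\10.0.0.5\share\pixel.png" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    print(find_unc_images(SAMPLE_SIGNATURE))
    print(scan_signature_dir())
```

Run it as the affected user (the signature directory is per-profile). A UNC-sourced image of any size is worth a look; the "tiny" tag just marks the shape the post describes.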

Tools and Exploits

  • StaticSyscallsDump is a Beacon Object File (BOF) for Cobalt Strike that unhooks the NtReadVirtualMemory function and uses it to create a minidump of a process (e.g. lsass). This should bypass many AV/EDR solutions, and it works on a wide range of Windows versions, unlike other syscall memory dumpers (e.g. SharpMiniDump).
  • abstractshimmer, the PoC for CVE-2020-15257 (the containerd host-network breakout from LWiS 2020-12-14), is out now. This could be a great breakout if you land in a somewhat privileged container, namely one running as root in the host network namespace, which is what the bug needs.
  • CSSG is an Aggressor and Python script used to more easily generate and format beacon shellcode. It generates stageless beacon shellcode with an exposed exit method, plus additional formatting, encryption, encoding, compression, multiline output, etc.
  • Denim makes compiling Nim code for Windows with obfuscator-llvm easy!
  • printjacker is a post-exploitation tool that creates a persistence mechanism by overwriting Printconfig.dll with a shellcode injector. The persistence mechanism can be triggered by any user running the wmic printer list command, and the shellcode executes with SYSTEM privileges. More details here.
  • UnhookMe is a universal Windows API resolver and unhooker that addresses the problem of invoking unmonitored system calls from within your red team's malware.
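Before reaching for abstractshimmer, it helps to know whether the CVE-2020-15257 precondition actually holds where you landed. Abstract unix sockets are scoped to the network namespace, so if containerd-shim's socket is listed in the container's own /proc/net/unix, the container shares the host network namespace; the shim also only talks to peers that are uid 0. The check below is an added example for this post, not part of the abstractshimmer PoC. It assumes the shim socket name used by containerd 1.3/1.4 (@/containerd-shim/<namespace>/<id>/shim.sock) and that the fix shipped in containerd 1.3.9 and 1.4.3; the /proc/net/unix excerpt is constructed, not captured.

```python
"""Does this container see containerd-shim's abstract socket, and is the
host's containerd old enough to be exposed to CVE-2020-15257?

Added example for this post, not the abstractshimmer PoC. Assumptions:
shim socket name @/containerd-shim/<ns>/<id>/shim.sock (containerd 1.3/1.4),
abstract sockets visible only within one network namespace, fix in
containerd 1.3.9 / 1.4.3. The /proc/net/unix sample is constructed.
"""
import re
from typing import List, Tuple

# Abstract socket names appear in /proc/net/unix with '@' for the leading NUL
# (and often a trailing '@' from NUL padding of the name).
SHIM_SOCK_RE = re.compile(r"^@/containerd-shim/[^/]+/[^/]+/shim\.sock@?$")
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def find_shim_sockets(proc_net_unix: str) -> List[str]:
    """Shim socket names visible in a /proc/net/unix dump (empty = not shared)."""
    hits = []
    for line in proc_net_unix.splitlines()[1:]:  # skip the header row
        fields = line.split(None, 7)
        if len(fields) < 8:
            continue  # unnamed socket, no Path column
        path = fields[7].strip()
        if SHIM_SOCK_RE.match(path):
            hits.append(path)
    return hits


def version_tuple(version: str) -> Tuple[int, int, int]:
    m = VERSION_RE.search(version)  # tolerates "v1.4.3", "1.4.3-1.el7", ...
    if not m:
        raise ValueError(f"unparseable containerd version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_fixed(version: str) -> bool:
    """True if this containerd release carries the CVE-2020-15257 fix."""
    v = version_tuple(version)
    if v[:2] == (1, 4):
        return v >= (1, 4, 3)
    return v >= (1, 3, 9)


def assess(proc_net_unix: str, containerd_version: str) -> dict:
    socks = find_shim_sockets(proc_net_unix)
    fixed = is_fixed(containerd_version)
    return {
        "shim_sockets": socks,
        "host_netns_shared": bool(socks),
        "containerd_fixed": fixed,
        "exposed": bool(socks) and not fixed,
    }


# Constructed /proc/net/unix excerpt: a normal path socket, one shim socket,
# and an unnamed socket with no Path column.
SAMPLE_PROC_NET_UNIX = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 18735 /run/containerd/containerd.sock
0000000000000000: 00000002 00000000 00010000 0001 01 24410 @/containerd-shim/moby/3f2b8c9e1a7d/shim.sock@
0000000000000000: 00000003 00000000 00000000 0001 03 24981
"""

if __name__ == "__main__":
    print(assess(SAMPLE_PROC_NET_UNIX, "1.4.2"))
```

From inside a real container, feed it the contents of /proc/net/unix and the version reported by containerd on the host (ctr version, if you can reach it). Seeing a shim socket from a non-root container still tells you the network namespace is shared, even though the shim will refuse the connection.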

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

This post is cross-posted on SIXGEN's blog.