Last Week in Security (LWiS) - 2021-02-15
Dependency Confusion (@alxbrsn), hooking MiniDump (@Mari0Bartolome, @spotheplanet), SharePoint hacking (@acap4z), stealthy Windows IPC (@LloydLabs), direct syscall detection (@winternl_t), on-the-fly hooking from .NET (@FuzzySec), Windows LPE forever-day (@itm4n), defeat AV in safe mode (@_markmo_), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-02-08 to 2021-02-15.
News
- Remote Hacker Caught Poisoning Florida City Water Supply. This has happened before, but the quote that got me was, "The Sheriff said the remote access itself wasn't unusual." Why is remote access to a water treatment plant normal? Even if for some reason it is justified, TeamViewer is the solution they settled on!?
- Multiple Security Updates Affecting TCP/IP: CVE-2021-24074, CVE-2021-24094, and CVE-2021-24086. IPv4 source routing and IPv6 packet reassembly on Windows can be exploited to gain remote code execution. It's too early to tell how these vulnerabilities will play out (i.e. are they actually exploitable/reliable?) but Microsoft went out of their way to highlight them in a blog post. Expect to see these CVE numbers pop up throughout 2021 as researchers dig into the patch diffs.
- TrickBot's BazarBackdoor malware is now coded in Nim to evade antivirus. If you are a regular reader of LWiS you saw this coming. Does this make LWiS "threat intelligence" now?!
- Cyberpunk 2077 developers held to ransom after cyber-attack, source code theft. In a bonus twist, the source code has reportedly been sold.
- The Long Hack: How China Exploited a U.S. Tech Supplier. Remember the 2018 story that made some very big claims with very little evidence? It's back, this time with more sources including one on the record. Despite the article doubling down on its claims that "thousands" of servers were compromised and 10's of private companies targeted, we have yet to see any physical evidence. You would think that in the last 3 years at least one such chip would have been found and shown to the public?
Techniques
- Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies. "From one-off mistakes made by developers on their own machines, to misconfigured internal or cloud-based build servers, to systemically vulnerable development pipelines, one thing was clear: squatting valid internal package names was a nearly sure-fire method to get into the networks of some of the biggest tech companies out there, gaining remote code execution, and possibly allowing attackers to add backdoors during builds." It was only a matter of time before this was exploited on a wide scale. 2021 is shaping up to be the "year of the software supply chain." You can use Confused to find free namespaces for private package names in your own projects, on assessments, or in bug bounty eligible projects.
- Swarm of Palo Alto PAN-OS vulnerabilities. The authenticated RCEs show some creative ways to inject commands via user forms and XML as well as analysis of how/why they work.
- CVE-2021-24092: 12 Years in Hiding – A Privilege Escalation Vulnerability in Windows Defender. Hard link based local privilege escalation vulnerabilities are still showing up in Windows after quite some time of hard scrutiny. How many more are left to find?
- Windows Installer File Read 0day. Using a symlink and legitimate MSI installer, the Windows install process can be abused to allow arbitrary file reads. PoC here.
- Hooks-On Hoot-Off: Vitaminizing MiniDump. When a minidump of lsass was successful but the resulting file was deleted, @Mari0Bartolome uses a function hook to exfiltrate the file to a waiting server instead of writing it to disk. For a more in-spec implementation of this, see the second section of: Dumping Lsass without Mimikatz with MiniDumpWriteDump. Want it in C#? I've got you covered.
- The Lone Sharepoint. You may think a Sharepoint server that requires authentication and does not allow outbound traffic (besides related/established HTTPS) would be fairly secure. @acap4z shows how some CVEs, a little knowhow, and a lot of persistence debugging and re-writing webshell proxies can allow such a machine to a gateway into a network. Some proper hacking in this post.
- Stealthy Process Communication Between Threads on Windows 10. While pipes are the standard method of interprocess communication (IPC) on Windows, @LloydLabs has developed a PoC using ThreadName to communicate between processes without pipes. Add this to your advanced red team implant to keep pipe-aware EDR/AV off your tail. Mudge has a timely article about pipes in Cobalt Strike if you are curious to learn more: Learn Pipe Fitting for all of your Offense Projects.
- Detecting Manual Syscalls from User Mode. As direct syscalls become more popular, defenders will slowly adapt methods to detect them. One method is to check if the instruction pointer of a kernel to user mode return is in ntdll.dll or wind32u.dll (the legitimate sources of syscalls into the kernel) and alerting if not. This can be done from user mode with a built in framework to instrument all kernel to user mode callbacks called Nirvana. There are good ideas for future work and bypasses at the end of the post and the code is available here. Top notch research.
- Bypass AV/EDR with Safe Mode?. If you can afford to reboot a machine, you may be able to defeat AV/EDR by booting into safe mode!
Tools and Exploits
- Dendrobate is a framework that facilitates the development of payloads that hook unmanaged code through managed .NET code. To do this Dendrobate uses EasyHook and packs the injected component, Dendron, using Fody & Costura. This is all done automatically so all you need to do when you compile Dendron is select the appropriate .NET version (only v3.5 and v4.5 are supported!). Don't sleep on the full MFA bypass walkthrough in the second half of the readme, it could be a whole blog post on its own.
- Perfusion is a "forever-day" (won't be patched) local privilege escalation for Windows 7, 8, Server 2008R2, and 2012. The registry key of the RpcEptMapper and DnsCache (7/2008R2 only) services is configured with weak permissions. Any local user can create a Performance subkey and then leverage the Windows Performance Counters to load an arbitrary DLL in the context of the WMI service as NT AUTHORITYSYSTEM (hence the tool's name). More information in a blog post from last November.
- hilda is a debugger which combines both the power of LLDB and iPython for easier debugging on a jailbroken iPhone.
- cicuta_virosa is an iOSiPadOS 14.3 kernel LPE for all devices by @ModernPwner that exploits CVE-2021-1782: A race condition in user_data_get_value() leading to ivac entry uaf. This issue has been actively exploited in the wild with a WebKit exploit. The RCE chain may be released in the future.
- StaticSyscallsAPCSpawn Executes shellcode on Windows using: NtCreateSection -> NtMapViewOfSection -> NtQueueApcThread -> NtResumeThead. It also uses BeaconSpawnTemporaryProcess to create the target process. You may want to edit the NtCreateSection calls for better opsec (RW local, RX remote).
- MiniDumpWriteDump is a custom implementation of DbgHelp's MiniDumpWriteDump function. It uses static syscalls to replace low-level functions like NtReadVirtualMemory. Since this is a full custom dumper plus static syscalls, it likely has a long shelf life.
- github1s - Just add 1s after GitHub in a URL and press Enter in the browser address bar for any repository you want to read in a web version of VSCode. GitHub1s implements a VS Code Extension (includes FileSystemProvider) that uses GitHub's REST API as a filesystem, then serves this as a static site. Very clever!
- WSAAcceptBackdoor is a POC implementation for a DLL implant that acts as a backdoor for accept Winsock API calls. Once the DLL is injected into the target process, every accept call is intercepted using the Microsoft's detour library and redirected into the BackdooredAccept function. When a socket connection with a pre-defined special source port is established, BackdooredAccept function launches a cmd.exe process and binds the accepted socket to the process STD(OUT/IN) using a named pipe.
- gopherheaven is a Go implementation of the classic Heaven's Gate technique originally published by roy g biv on VX Heaven in 2009. gopherheaven can be used as an evasion technique to directly call 64-bit code from a 32-bit process. Looking for Hell's Gate instead? That has been around for a little while as BananaPhone.
This post is cross-posted on SIXGEN's blog.