Last Week in Security (LWiS) - 2021-02-22
Ubuntu LPE (@Gr33nh4t), open source FIDO2 ๐ (@SoloKeysSec), new ways to copy shellcode in VBA (@TheXC3LL), unconventional exploitation (@itm4n), harvesting hashes (@domchell), M1 mac malware (@ForensicITGuy), BOFs outside of CS (@TrustedSec), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-02-15 to 2021-02-22.
News
- Solo V2 โ Safety Net Against Phishing. Everyone knows FIDO2 keys are the best defense against credential phishing, but until now all the solutions have been closed source and expensive. Solokey's Solo V2 looks to change all that with an affordable, NFC capable, open source FIDO2 key. I have no affiliation with Solokey - just a fan of what they are doing. Note: the open source firmware has been audited.
- Sandworm intrusion set campaign targeting centreon systems. In a three year long campaign, Sandworm used webshells and a Linux backdoor to access information technology providers, including web hosting providers. Based on Sandworm's history of targeting industrial control systems, ransomware, and highly public attacks (2018 winter olympics), perhaps this was just an effort to get free redirectors and payload hosting.
- Brave Browser leaks your Tor / Onion service requests through DNS. This isn't the first issue with Tor and Brave (CVE-2020-8276), and likely won't be the last. Mixing Tor and a standard browser is a recipe for disaster.
- Clipping Silver Sparrowโs wings: Outing macOS malware before it takes flight. MacOS specific malware, including an arm compiled variant, uses the old favorite malicious pkg installer to infect victims. MalwareBytes claims it has seen the malware on nearly 30,000 endpoints, while the Red Canary team says it has no evidence the malware has conducted any post-exploitation activities.
Techniques
- Exploiting crash handlers: LPE on Ubuntu. This was a great walkthrough of a complex bug chain that lead to a local privilege escalation. A few different tricks are used to fool the apport crash dump writer into writing a file to an arbitrary location, as root, with arbitrary data. This bug chain affects Ubuntu since the beginning of apport (12.04), so be sure to patch!
- Introducing MacHound: A Solution to MacOS Active Directory-Based Attacks. On an engagement with a large macOS user base and no good way to visualize them in BloodHound? Not anymore! Try MacHound, which uses a Python 3 script run on a macOS host to collect useful data that can be ingested into Bloodhound.
- One thousand and one ways to copy your shellcode to memory (VBA Macros). Most VBA macros reused the same few ways to copy shellcode into memory before executing. This post explores a few "new" ways that are not commonly seen.
- An Unconventional Exploit for the RpcEptMapper Registry Key Vulnerability. @itm4n takes you under the hood of Perfusion and the unconventional process to achieve an exploit exe without the need for compiling custom DLLs, etc.
- Smarty Template Engine Multiple Sandbox Escape PHP Code Injection Vulnerabilities. Template engines are often a source of vulnerabilities. This post explores the smarty template engine for PHP and has practical unauthenticated remote code execution PoCs for popular web apps like TikiWiki.
- COFFLoader: Building your own in memory loader or how to run BOFs. As more and more techniques are written as Cobalt Strike BOFs, you may be wishing your C2 of choice could leverage them? This post explores how to load these COFFs in memory and run them. I am looking forward to a BOF runner library that will work across C2 frameworks so all the hard work put into BOFs can be used everywhere! The PoC is available here
- Farming for Red Teams: Harvesting NetNTLM. While this technique isn't new, the slick productization of it is. The new tools released should help any Red Team struggling with implementing NetNTLM captures after initial compromise.
- Analysis of Cisco AnyConnect Posture (HostScan) Local Privilege Escalation: CVE-2021-1366. AnyConnect had an LPE early last year, but Core Security finds another with a nifty bug chain where the "host scan" feature of the VPN client is abused. A PoC is included - as an image of code for some reason.
Tools and Exploits
- CIMplant is a C# port of WMImplant which uses either CIM or WMI to query remote systems. It allows you to gather data about a remote system, execute commands, exfil data, and more. The tool allows connections using Windows Management Instrumentation, WMI, or Common Interface Model, CIM. CIMplant requires local administrator permissions on the target system. More information in this post.
- endgame is an AWS Pentesting tool that lets you use one-liner commands to backdoor an AWS account's resources with a rogue AWS account - or share the resources with the entire internet. Compared to other AWS offensive tools, endgame have a much wider range of supported services (18 vs 11 for the official AWS Access Analyzer). Of note, the "original" repo (salesforce) and the author's repo (kmcquade) have both been taken down. Sadly, Salesforce has a reputation for this kind of thing.
- pcp is a command line peer-to-peer data transfer tool based on libp2p. It differs from others (like croc) because it uses IPFS instead of a centralized sever.
- AzureC2Relay is an Azure Function that validates and relays Cobalt Strike beacon traffic by verifying the incoming requests based on a Cobalt Strike Malleable C2 profile. Any incoming requests that do not share the profiles user-agent, URI paths, headers, and query parameters, will be redirected to a configurable decoy website. More information in the blog post.
- OffensivePipeline allows you to download, compile (without Visual Studio), and obfuscate C# tools for Red Team exercises.
- Swift-Attack is the macOS equivalent of atomic red team. It contains unit tests for blue teams to aid with building detections for some common macOS post exploitation methods.
- SharpLAPS is a C# executable that will retrieve the LAPS password from the Active Directory. It must be executed from either a Domain Administrator or an account with ExtendedRight or Generic All Rights.
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- trigen is a Python script which uses different combinations of Win32 function calls in generated VBA to execute shellcode. More information here.
- horusec s an open source tool that performs static code analysis to identify security flaws during the development process. Currently, the languages for analysis are: C#, Java, Kotlin, Python, Ruby, Golang, Terraform, Javascript, Typescript, Kubernetes, PHP, C, HTML, JSON, and Dart. The tool has options to search for key leaks and security flaws in all files of your project, as well as in Git history.
This post is cross-posted on SIXGEN's blog.