Last Week in Security (LWiS) - 2021-03-01
JSON interop vulns (@theBumbleSec), PHPWind RCE presentation (@orange_8361), infra automation (@cedowens), AMSI knowledge (@ShitSecure), actual magic (@JustineTunney), modular password spraying (@0xZDH), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-02-22 to 2021-03-01.
News
- Unauthorized RCE in VMware vCenter. If you haven't patched your vCenter and it's exposed to the internet (why!?), you may want to start incident response. To make it worse, this unauthenticated RCE gets you SYSTEM on windows based vCenters, and the PhotonOS based Linux appliance is vulnerable to the recent sudo heap overflow. PoCs have dropped.
- Kali Linux 2021.1 Release (Command-Not-Found). The go-to offensive security distro has its first release of 2021. There are a bunch of small updates and new tools, but the coolest new feature is the two new sponsorships (BC Security and ffuf author Joohoi). I like this model that supports open source tool authors!
- Is Your Browser Extension a Botnet Backdoor? Krebs breaks down the "Infatica" residential proxy model that relies on "participating" browser extensions. As more and more sensitive information moves to browsers, extensions will become bigger targets - believe me.
Techniques
- An Exploration of JSON Interoperability Vulnerabilities. Like any standard, there are many ways to parse JSON. When multiple services are used in a product and their parsers differ interesting vulnerabilities can pop up. This post is very thorough, and even has labs for you to follow along and try things out. Very cool.
- A Journey Combining Web Hacking and Binary Exploitation in Real World! The master of unauthenticated remote code execution exploits is back - this time with a full explanation of a PHPWind RCE. This combines web app techniques with classic binary exploitation for shells.
- Pwn2Own Tokyo 2020: Defeating the TP-Link AC1750. A mix of hardware hacking and binary exploitation come together for an unauthenticated root RCE on the LAN side of the TP-Link AC1750 router.
- Infra Automation Primer (Red Team Edition). If you are tired of setting up infrastructure for your red team engagements by hand, this primer will get you started with bash and terraform.
- The difference between Powershell only & process specific AMSI bypasses. If you have ever bypassed Powershell AMSI only to have your loaded .NET blocked, this post explains why and offers a solution.
- Dell EMC OpenManage Server Administrator Authentication Bypass. This "simple" auth bypass cleverly uses the "Manage Remote Node" feature and points it to localhost to bypass auth checks and get a valid, logged-in session cookie.
- Unprotecting Malicious Documents For Inspection. Malicious documents often password protect their VBA code. However, in order for the document to be portable, the hashed password must be in the document as well. If you can find that hash and replace it with a known hash, you now know the password to the VBA!
- CVE-2020-28243 SaltStack Minion Local Privilege Escalation. SaltStack has had some pretty serious vulnerabilities over the years, so this LPE seems quant in comparison, but could give root access to an user on a machine managed by Salt.
Tools and Exploits
- spraygen is a password list generator for password spraying - prebaked with goodies like sports team names, seasons, years, etc.
- BadOutlook is a simple PoC which leverages the Outlook Application Interface (COM Interface) to execute shellcode on a system based on a specific trigger subject line. This can be used to build an Entire C2 Framework that relies on E-Mails as a mean of communication (Where the Implant never speaks to the internet directly).
- 1u.ms is a small set of zero-configuration DNS utilities for assisting in detection and exploitation of SSRF-related vulnerabilities. It provides easy to use DNS rebinding utility, as well as a way to get resolvable resource records with any given contents. A hosted version is available at 1u.ms. You may want to protect the /last and /log endpoints if self-hosting.
- Alaris is not technically a new tool (LWiS 2020-10-19), but it has had a major update to use direct syscalls with SysWhispers2, a new builder, and new dynamic encryption primitives.
- redbean - single-file distributable web server. This is both a zip file that contains all content that is served and a truly cross platform (Windows, Linux, MacOS, and BSD) binary webserver. This may be actual magic.
- Callback_Shellcode_Injection contains POCs for shellcode injection via callbacks. These uncommon API calls are likely much less monitored than standard methods of shellcode injection (although they still use VirtualAlloc).
- goc2 is a new macOS post exploitation C2 framework. Pairs with goc2-agent.
- Omnispray aims to replace tools such as o365spray and provide a modular framework to expand enumeration and spraying beyond just a single target/application.
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- pillager is designed to provide a simple means of leveraging Go's strong concurrency model to recursively search directories for sensitive information in files. Once pillager finds files that match the specified pattern, the file is scanned using a series of concurrent workers that each take a line of the file from the job queue and hunt for sensitive pattern matches. The available pattern filters can be defined in a rules.toml file or you can use the default ruleset.
- LsassSilentProcessExit is a new method of causing WerFault.exe to dump lsass.exe process memory to disk for credentials extraction via silent process exit mechanism without crashing lsass.exe.
This post is cross-posted on SIXGEN's blog.