Last Week in Security (LWiS) - 2021-03-08
Exchange RCE [ProxyLogon] (@orange_8361), Windows DNS RCE [SIGRed] (@chompie1337), C# AV Bypass (@ShitSecure), Google Chrome LPE (@KLINIX5), SaltStack API vulns (@dozernz), SACL honeypots (@jmoosdijk), Universal loader in Go (@symbolcrash1), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-03-01 to 2021-03-08.
News
- ProxyLogon. The big news of last week was the unauthenticated remote command execution as SYSTEM on Microsoft Exchange servers that only had port 443 open. This bug chain is impressive, and it was originally found by Orange Tsai of DEVCORE, but exploited by an alleged Chinese APT like crazy in the past few weeks. Two things stand out: 1. Orange Tsai and team went from "Let's look at Exchange" to unauth RCE in 3 months, and 2. Somewhere along the discovery and reporting chain, the bug was likely stolen or leaked. While possible, it is unlikely the APT using this 0day discovered it in parallel with Orange Tsai and then started using it only after it was reported to Microsoft. Further speculation is up to the reader - Krebs has a basic timeline of the Exchange mass-hack.
- Cobalt Strike 4.3 – Command and CONTROL. Industry's favorite commercial command and control framework got an update with a big focus on DNS beacons. While direct support for DNS over HTTPS wasn't included, it is possible to shim it in using lookups to localhost and cloudflared. Full changes in the release notes.
- Raphael’s Transition. In other Cobalt Strike news, Raphael Mudge is stepping down after nearly a decade of work on Armitage and Cobalt Strike. It's inspiring to see someone take a good idea dreamt up during a CTF and turn it into a successful business. Enjoy your next adventure Mudge, you've earned it!
- Fast Factoring Integers by SVP Algorithms. I almost didn't include this as the findings have not been demonstrated let alone proven, but "this destroys the RSA cryptosystem" is one hell of a way to end your paper's abstract. I'll be keeping an eye on this one, but don't bump replacing RSA up on your priority list quite yet. Another researcher has implemented the algorithm, and it isn't the RSA destroyer claimed.
- Xerox lawyers prevent con talk. Sadly this is still a thing in 2021. The researcher found bugs in Xerox multifunction printers and responsibly disclosed them, only to have Xerox sic their lawyer hounds on him. The bug descriptions (no PoCs) are available at Airbus security lab publications.
Techniques
- Anatomy of an Exploit: RCE with CVE-2020-1350 SIGRed. The SIGRed exploit is an unauthenticated RCE against domain controllers running DNS (on by default) using a malformed DNS SIG response. This is a complete walkthrough of the exploit, plus the first (I believe) public PoC.
- Google Update Service being a scum. Windows 10 2009 and later allows authenticated users to write to the root of C:\. Google Chrome's update service checks for a configuration file at C:\GoogleUpdate.ini. Options in this file can be used to take over arbitrary files on the system. Pair this with UsoDllLoader and get SYSTEM! This bug was reported and closed as "WontFix" since it "requires physical access to a user's machine" (???) and thus will live on.
- How to execute an object file: Part 1. Like COFFLoader (LWiS 2021-02-22), this post explores how to load a compiled but not linked object file. This post focuses on Linux, so if you need Cobalt Strike BOF loading in your post exploitation tool, check out COFFLoader.
- Emails Disclosure on WordPress. Gravatar avatars are MD5 hashes of emails, which in many cases are trivial to brute force, exposing email addresses of site users and admins.
- Deception Engineering: exploring the use of Windows Service Canaries against ransomware. Ransomware commonly will force services related to AV and backups to stop before encrypting files, so the idea behind KilledProcessCanary is to alert when any machine in your network has two or more of these fake services stopped. Want to go deeper into this kind of detection? Outflank published catching red teams with honeypots part 1: local recon this week as well.
- Tap tap… is this thing on? Creating a notification-service for Cobalt-Strike. There is nothing worse than coming back to a teamserver only to see a new beacon that has been calling back for hours with no actions taken. Jean-Francois also handles the sessions problem by providing a headless version that will outlive a disconnected Cobalt Strike GUI.
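The service canary idea above (alert when two or more decoy services on one host are stopped) is easy to express as detection logic. The following is an added example, not code from the KilledProcessCanary project or the post's author: it parses constructed log lines shaped like Windows System log Event ID 7036 ("The X service entered the stopped state."), tracks the latest state of each canary per host, and flags hosts that cross the threshold. The canary service names and the `host|event_id|message` line layout are assumptions for the sample.

```python
import re
from collections import defaultdict

# Constructed sample: decoy (canary) service names deployed on every host.
# These are placeholders; real deployments would mimic AV/backup service names.
CANARY_SERVICES = {"CanaryAVSvc", "CanaryBackupAgent", "CanaryVssWriter"}

# Constructed sample log lines in the shape of Service Control Manager
# Event ID 7036 state changes, one per line: "host|event_id|message".
SAMPLE_LOG = """\
ws01|7036|The CanaryAVSvc service entered the stopped state.
ws01|7036|The Spooler service entered the running state.
ws01|7036|The CanaryBackupAgent service entered the stopped state.
ws02|7036|The CanaryAVSvc service entered the stopped state.
ws02|7036|The CanaryAVSvc service entered the running state.
ws03|7036|The CanaryVssWriter service entered the stopped state.
ws03|7035|The CanaryAVSvc service was successfully sent a stop control.
"""

STATE_RE = re.compile(r"^The (?P<svc>.+?) service entered the (?P<state>\w+) state\.$")


def parse_events(log_text):
    """Yield (host, service, state) for each Event ID 7036 line; ignore the rest."""
    for line in log_text.splitlines():
        parts = line.split("|", 2)
        if len(parts) != 3 or parts[1] != "7036":
            continue
        m = STATE_RE.match(parts[2])
        if m:
            yield parts[0], m.group("svc"), m.group("state")


def current_canary_state(events, canaries):
    """Track the latest known state of each canary service per host (later lines win)."""
    state = defaultdict(dict)
    for host, svc, st in events:
        if svc in canaries:
            state[host][svc] = st
    return state


def hosts_to_alert(log_text, canaries=CANARY_SERVICES, threshold=2):
    """Return {host: [stopped canaries]} for hosts with >= threshold canaries stopped."""
    state = current_canary_state(parse_events(log_text), canaries)
    alerts = {}
    for host, svcs in state.items():
        stopped = sorted(s for s, st in svcs.items() if st == "stopped")
        if len(stopped) >= threshold:
            alerts[host] = stopped
    return alerts


if __name__ == "__main__":
    for host, svcs in hosts_to_alert(SAMPLE_LOG).items():
        print(f"ALERT {host}: canary services stopped: {', '.join(svcs)}")
```

In the sample only ws01 fires: ws02's canary was restarted (the later "running" line wins), and ws03 has a single stopped canary plus a 7035 stop-control line that the 7036-only filter ignores. Lowering the threshold to 1 would also surface ws03, at the cost of alerting on routine single-service restarts.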
Tools and Exploits
- universal - This loader provides a unified Go interface for loading shared libraries from memory on Windows, OSX, and Linux. Also included is a cross-platform Call() implementation that lets you call into exported symbols from those libraries without stress. This is a work of art, a universal loader without any C code, or calls to memfd, that even works on the M1 macs. Bravo.
- Syscall_PE_Loader.cs is a C# PE cradle with DInvoke Syscalls to avoid hooking and sleeps for the DLL imports. Both trigger a scan, so doing only one won't help. Only needs an amsi.dll patch bypass before using to complete the EDR/AV bypass trifecta. However, apparently simply compiling your own unchanged Cobalt Strike artifact kit is enough to bypass defender.
- SaltStack API vulnerabilities. Just last week we discussed the local SaltStack Minion Local Privilege Escalation, but this is a reprise of the RCE from last year. "It took a few hours total to find these after looking at patches for the last set of vulnerabilities." Patches can be goldmines for finding similar, unpatched bugs!
- Wubes is like Qubes but for Windows. The idea is to leverage the Windows Sandbox technology to spawn applications in isolation. It currently supports spawning a Windows Sandbox for Firefox.
- ipv6-df-3.c is a FreeBSD 9 PoC of the SOCK_RAW vulnerability. Why would this matter? The PS4 runs a modified FreeBSD 9 kernel. More information here.
- CVE-2021-23132 is a Joomla core (<= 3.9.24) vulnerability: com_media allowed paths that are not intended for image uploads, which leads to RCE. This is an authenticated RCE that requires an admin account.
- EDRs contains information about EDRs and the functions they hook in ntdll.dll that can be useful during red team exercises.
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- DT_RPATH. On Linux machines, LD_PRELOAD has been the go-to for userland "rootkits" that hook every process. However, the lesser known DT_RPATH can achieve similar results.
- packetStrider for SSH is a packet forensics tool that aims to provide valuable insight into the nature of SSH traffic, shining a light into the corners of SSH network traffic where golden nuggets of information previously lay in the dark. Point it at a pcap and it can tell you things like if host keys were ignored, command line flag usage, and if a session was automated or interactive. Very cool.
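Because DT_RPATH (and its successor DT_RUNPATH) lives in a binary's dynamic section rather than in the environment, a defender can audit for it on disk. The following is an added example, not code from the post or from any project it links: a minimal parser for little-endian ELF64 images that walks the program headers to PT_DYNAMIC, resolves the DT_STRTAB virtual address through the PT_LOAD segments, and reports DT_NEEDED, DT_RPATH and DT_RUNPATH. The sample image is constructed in memory by `build_sample_elf` (headers, a dynamic string table and a `.dynamic` section, no code), so everything runs offline; `readelf -d <file>` on a real binary shows the same entries.

```python
import struct

# Dynamic-section tags and program-header types from the ELF specification.
DT_NULL, DT_NEEDED, DT_STRTAB, DT_STRSZ, DT_RPATH, DT_RUNPATH = 0, 1, 5, 10, 15, 29
PT_LOAD, PT_DYNAMIC = 1, 2
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                  # Elf64_Dyn: signed d_tag, d_val


def _vaddr_to_offset(loads, vaddr):
    """Map a virtual address to a file offset using the PT_LOAD segments."""
    for off, va, size in loads:
        if va <= vaddr < va + size:
            return vaddr - va + off
    raise ValueError("vaddr not covered by any PT_LOAD segment")


def audit_elf(data):
    """Return {'needed': [...], 'rpath': str|None, 'runpath': str|None} for an ELF64 LE image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = EHDR.unpack_from(data, 0)
    phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]
    loads, dynamic = [], None
    for i in range(phnum):
        p_type, _, p_off, p_vaddr, _, p_filesz, _, _ = PHDR.unpack_from(data, phoff + i * phentsize)
        if p_type == PT_LOAD:
            loads.append((p_off, p_vaddr, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_off, p_filesz)
    result = {"needed": [], "rpath": None, "runpath": None}
    if dynamic is None:
        return result  # statically linked: no dynamic section to audit
    entries = []
    off, size = dynamic
    for pos in range(off, off + size, DYN.size):
        tag, val = DYN.unpack_from(data, pos)
        if tag == DT_NULL:
            break
        entries.append((tag, val))
    tags = dict(entries)  # fine for singleton tags such as DT_STRTAB/DT_STRSZ
    strtab = _vaddr_to_offset(loads, tags[DT_STRTAB])
    strsz = tags.get(DT_STRSZ, len(data) - strtab)

    def cstr(idx):  # NUL-terminated string at index idx of the dynamic string table
        end = data.index(b"\0", strtab + idx, strtab + strsz)
        return data[strtab + idx:end].decode()

    for tag, val in entries:
        if tag == DT_NEEDED:
            result["needed"].append(cstr(val))
        elif tag == DT_RPATH:
            result["rpath"] = cstr(val)
        elif tag == DT_RUNPATH:
            result["runpath"] = cstr(val)
    return result


def has_search_path_override(result):
    """True when the binary carries its own library search path (DT_RPATH or DT_RUNPATH)."""
    return result["rpath"] is not None or result["runpath"] is not None


def build_sample_elf(rpath=b"$ORIGIN/../lib", needed=b"libc.so.6"):
    """Constructed sample: a minimal ELF64 image with only headers, dynstr and .dynamic."""
    base = 0x400000
    strtab_off = EHDR.size + 2 * PHDR.size                 # dynstr right after the headers
    strtab = b"\0" + rpath + b"\0" + needed + b"\0"
    rpath_idx, needed_idx = 1, 1 + len(rpath) + 1
    dyn_off = (strtab_off + len(strtab) + 7) & ~7         # 8-byte align .dynamic
    dyn = b"".join(DYN.pack(t, v) for t, v in [
        (DT_NEEDED, needed_idx), (DT_STRTAB, base + strtab_off),
        (DT_STRSZ, len(strtab)), (DT_RPATH, rpath_idx), (DT_NULL, 0)])
    total = dyn_off + len(dyn)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, little-endian, version 1
    ehdr = EHDR.pack(ident, 3, 62, 1, 0, EHDR.size, 0, 0, EHDR.size, PHDR.size, 2, 0, 0, 0)
    phdrs = PHDR.pack(PT_LOAD, 5, 0, base, base, total, total, 0x1000)
    phdrs += PHDR.pack(PT_DYNAMIC, 6, dyn_off, base + dyn_off, base + dyn_off, len(dyn), len(dyn), 8)
    img = ehdr + phdrs + strtab
    return img + bytes(dyn_off - len(img)) + dyn


if __name__ == "__main__":
    report = audit_elf(build_sample_elf())
    print(report, "override:", has_search_path_override(report))
```

Pointing `audit_elf` at real files (read them as bytes) and comparing any DT_RPATH/DT_RUNPATH value against what the build system was expected to emit is the audit; a search path that points into a directory writable by unprivileged users is the case worth escalating. The parser deliberately ignores section headers, since they can be stripped while the program headers cannot.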
This post is cross-posted on SIXGEN's blog.