Last Week in Security (LWiS) - 2021-03-08

Exchange RCE [ProxyLogon] (@orange_8361), Windows DNS RCE [SIGRed] (@chompie1337), C# AV Bypass (@ShitSecure), Google Chrome LPE (@KLINIX5), SaltStack API vulns (@dozernz), SACL honeypots (@jmoosdijk), Universal loader in Go (@symbolcrash1), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-03-01 to 2021-03-08.


  • ProxyLogon. The big news of last week was the unauthenticated remote command execution as SYSTEM on Microsoft Exchange servers that only had port 443 open. This bug chain is impressive, and it was originally found by Orange Tsai of DEVCORE, but exploited by an alleged Chinese APT like crazy in the past few weeks. Two things stand out: 1. Orange Tsai and team went from "Let's look at Exchange" to unauth RCE in 3 months, and 2. Somewhere along the discovery and reporting chain, the bug was likely stolen or leaked. While possible, it is unlikely the APT using this 0day discovered it in parallel with Orange Tsai and then started using it only after it was reported to Microsoft. Further speculation is up to the reader - Krebs has a a basic timeline of the exchange mass-hack.
  • Cobalt Strike 4.3 – Command and CONTROL. Industry's favorite commercial command and control framework got an update with a big focus on DNS beacons. While direct support for DNS over HTTPS wasn't included, it is possible to shim it in using lookups to localhost and cloudflared. Full changes in the release notes.
  • Raphael’s Transition. In other Cobalt Strike news, Raphael Mudge is stepping down after nearly a decade of work on Armitage and Cobalt Strike. It's inspiring to see someone take a good idea dreamt up during a CTF and turn it into a successful business. Enjoy your next adventure Mudge, you've earned it!
  • Fast Factoring Integers by SVP Algorithms. I almost didn't include this as the findings have not been demonstrated let alone proven, but "this destroys the RSA cryptosystem" is one hell of a way to end your paper's abstract. I'll be keeping an eye on this one, but don't bump replacing RSA up on your priority list quite yet. Another researcher has implemented the algorithm, and it isn't the RSA destroyer claimed.
  • Xerox lawyers prevent con talk. Sadly this is still a thing in 2021. The researcher found bugs in Xerox multifunction printers and responsibly disclosed them, only to have Xerox sic their lawyer hounds on him. The bug descriptions (no PoCs) are available at Airbus security lab publications.


Tools and Exploits

  • universal - This loader provides a unified Go interface for loading shared libraries from memory on Windows, OSX, and Linux. Also included is a cross-platform Call() implementation that lets you call into exported symbols from those libraries without stress. This is a work of art, a universal loader without any C code, or calls to memfd, that even works on the M1 macs. Bravo.
  • Syscall_PE_Loader.cs is a C# PE cradle with DInvoke Syscalls to avoid hooking and sleeps for the DLL imports. Both trigger a scan, so doing only one won't help. Only needs an amsi.dll patch bypass before using to complete the EDR/AV bypass trifecta. However, apparently simply compiling your own unchanged Cobalt Strike artifact kit is enough to bypass defender.
  • SaltStack API vulnerabilities. Just last week we discussed the local SaltStack Minion Local Privilege Escalation, but this is reprise of the RCE from last year. "It took a few hours total to find these after looking at patches for the last set of vulnerabilities." Patches can be goldmines for finding similar, unpatched bugs!
  • Wubes is like Qubes but for Windows. The idea is to leverage the Windows Sandbox technology to spawn applications in isolation. It currently supports spawning a Windows Sandbox for Firefox.
  • ipv6-df-3.c is a FreeBSD 9 PoC of the SOCK_RAW vulnerability. Why would this matter? The PS4 runs a modified FreeBSD 9 kernel. More information here.
  • CVE-2021-23132 is a Joomla core (<= 3.9.24) vulnerability in com_media allowed paths that are not intended for image uploads which leads to RCE. This is an authenticated RCE that requires an admin account.
  • EDRs contains information about EDRs and the functions they hook in ntdll.dll that can be useful during red team exercise.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • DT_RPATH. On Linux machines, LD_PRELOAD has been the go-to for userland "rootkits" that hook every process. However, the lesser known DT_RPATH can achieve similar results.
  • packetStrider for SSH is a packet forensics tool that aims to provide valuable insight into the nature of SSH traffic, shining a light into the corners of SSH network traffic where golden nuggets of information previously lay in the dark. Point it at a pcap and it can tell you things like if host keys were ignored, command line flag usage, and if a session was automated or interactive. Very cool.

This post is cross-posted on SIXGEN's blog.