Last Week in Security (LWiS) - 2021-03-15
Bloodhound Enterprise (@_wald0), reproducing ProxyLogon (@amlweems), Wireshark 1-click RCE (@positive_sec), free IOC API (@abuse_ch), VM detection trick (@gsuberland), IoT šs via PCI (@_p0ly_), opensource AirTags (@Sn0wfreeze), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-03-08 to 2021-03-15.
News
- Proxylogin fallout
- Reproducing the Microsoft Exchange Proxylogon Exploit Chain. If you're wondering how hard it would be to generate an in-house version of Proxylogon using just the patches and public information, look no further. This post is full of technical details and the steps the Praetorian team took to recreate the exploit chain. This is an excellent resource for aspiring n-day writers. A PoC based on this article is available on Github.
- metasploit_gather_exchange is a metasploit framework module for gathering information from an Exchange Server via powershell to list and export mailboxes as pst files. Details in this blog post.
- One-Click Microsoft Exchange On-Premises Mitigation Tool ā March 2021. This official tool from Microsoft shows the severity of the issue. Unfortunately it is very likely too late for any vulnerable instances. I suppose if there was suspicion that Microsoft somehow leaked the exploit I would be trying to make it easy to mitigate the vulnerabilities too...
- Bloodhound Enterprise. From the creators of BloodHound, a SaaS technology that continuously identifies and quantifies the most critical Active Directory choke points. Measurable, practical remediation guidance enables the elimination of millions of attack paths within your existing Active Directory architecture. The product is scheduled for release this summer (2021) and I am excited to see it help organizations lock down their AD environment.
- OVH data centre destroyed by fire in Strasbourg ā all services unavailable. This is your weekly reminder that the cloud is just someone else's computer. Backups still matter!
- Introducing sigstore: Easy Code Signing & Verification for Supply Chain Integrity. Let's Encrypt but for code signing. Most importantly: "sigstore will be free to use for all developers and software providers, with sigstoreās code and operation tooling being 100% open source." This is a good step that I hope lots of developers use. Imagine being able to subscribe to a monitor service for all the dependancies in your project. The transparency may also provides an OSINT opportunity for red teams. You can monitor the progress of the tools on GitHub.
- A Hacker Got All My Texts for $16. A layered network of providers eventually allows the complete re-routing of SMS messages, with no verification or notification to the end user (since fixed by the one provider tested). The fact that 3 separate companies were involved means that there are APIs that allow this with no verification. What would it take for an attacker to either find a new provider that does not do verification or create their own to gain access to the APIs? If a services offers app based (or better, hardware key based) multifactor authentication, choose it over SMS every time.
- Who Can Find My Devices? Security and Privacy of Appleās Crowd-Sourced Bluetooth Location Tracking System. This report on the closed source tracking system (and upcoming AirTags) that will help locate lost devices by using every Apple device with Bluetooth as a global sensor has some flaws. However, it's clear that care was taken in the design to preserve privacy more so than other similar systems (e.g. Tile). Don't want to wait for AirTags? Build your own now using openhaystack. Due to the private design of the Apple system, it will be hard (impossible?) to prevent this kind of third party use.
- Introducing ThreatFox. ThreatFox is a community driven project from the creator of abuse.ch and MalwareBazaar where security researchers and threat analysts can share indicators of compromise (IOCs) with the infosec community for free, and without the need of a registration.
- Whitelist Me, Maybe? āNetbounceā Threat Actor Tries A Bold Approach To Evade Detection. Imagine being so confident in your malware, you email it directly to one of the 2 vendors that have marked you malicious in VirusTotal and ask to be whitelisted. No such luck this time, but how many times has it worked?
- A Spectre proof-of-concept for a Spectre-proof web. It's pretty wild that the Google team managed to get Spectre working via Javascript in a sandboxed browser, but perhaps the most interesting bit of this post is, "in our tests the attack was successful on several other processors, including the Apple M1 ARM CPU, without any major changes."
Techniques
- Reproducing n-day vulnerabilities and writing N-day based fuzzer with Qiling. The techniques in this post can be used to start your own fuzzing, and the existence of one bug means more could be hiding in adjacent functions.
- Code execution in Wireshark via non-http(s) schemes in URL fields. Ever wanted to phish a defender or incident responder? Some protocol handlers in Wireshark can be used to get 1-click remote code execution.
- Technical Advisory: Dell SupportAssist Local Privilege Escalation (CVE-2021-21518). DLL hijacking will likely never die on Windows, and this post shows how it can be exploited for local privilege escalation. This specific vulnerability only affects systems with Dell SupportAssit 3.7 or greater distributed in a 3 month window in the fall of 2020.
- VM Detection Tricks, Part 2: Driver Thread Fingerprinting. Grahm Sutherland is back with another VM detection trick, this time a way to use tread information to detect if HyperV's vmbus driver is loaded. This technique could be used generally to detect any driver that spawns multiple threads without any suspicious queries. The PoC is on github.
- Dumping the Sonos One smart speaker. Getting root shells on IoT hardware via UART and JTAG: tired. Getting shells via PCI direct memory access attacks: wired. Using the wifi card's mini-PCI connection David Berard is able to not only dump the running kernel, but modify it to get a shell.
- Abstracting Scheduled Tasks. How many ways are there to schedule tasks on Windows? Lots.
Tools and Exploits
- git: malicious repositories can execute remote code while cloning. As someone who clones a lot of git repos, this one is personal. From the advisory: On case-insensitive filesystems, with support for symbolic links, if Git is configured globally to apply delay-capable clean/smudge filters (such as Git LFS), Git could be fooled into running remote code during a clone. Update your git clients! Windows has LFS enabled by default and is vulnerable (other OSs have to enable LFS). This is also not the first git LFS vulnerability (see CVE-2020-27955).
- Three distinct vulnerabilities discovered by GRIMM while researching the Linux kernel combine as LPE. A kernel pointer leak plus a heap buffer overflow allows for local privilege escalation on modern Linux (RHEL 8.1-8.3).
- RunDLL.Net is a project to execute .Net assemblies using Rundll32.exe.
- FOLIAGE. This is an interesting project that implements a DNS-over-HTTPS persistence stager with memory obfuscation a la gargoyle. This project uses NtContinue as the "gadget" which gets around argument limits to manipulate the return address to NtTestAlert() which allows the code to run the next time it is called.
- DisablePPLDriverPoc is a custom driver to disable protected process light and dump lsass. The driver is not signed, so it must be loaded via a driver signing bypass to work.
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- cosmonim is a simple example to show how can you use cosmopolitan with Nim. Could this be used to write the ultimate cross platform dropper for those cases where an exploit could land you on a Windows or Linux machine?
- ebpfsnitch is a Linux Application Level Firewall based on eBPF and NFQUEUE. It is inspired by opensnitch and Douane but utilizing modern kernel abstractions - without a kernel module.
- http_bridge is a client that allows for socks5 proxying over standard HTTP verbs (no CONNECT) through a Linux server running PHP. Similar to Cloak.
- Go-RouterSocks managing multiple chisel sessions can be a pain. This tool exposes a single socks5 proxy port, and allows dynamic routing of networks to specific chisel sessions.
This post is cross-posted on SIXGEN's blog.