Last Week in Security (LWiS) - 2021-04-12

0-click Linux BT RCE (@theflow0), deanonymizing LinkedIn users (@h3xstream), PPL demystified (@itm4n), HTML based remote macros (@micahvandeusen), Chrome 0day-ish (@r4j0x00), wordlist generator (@giteshnxtlvl), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-04-05 to 2021-04-12.

News

Techniques

  • BleedingTooth: Linux Bluetooth Zero-Click Remote Code Execution. Yes, it's as crazy as it sounds. Be sure to check out the demo. These kinds of exploits (zero-click network subsystem exploits) always amaze me.
  • Deanonymizing LinkedIn Users. This is a great OSINT article that shows how you can leverage LinkedIn to discover personal emails for individuals (useful in credential stuffing and phishing targeting). The API is limited to 1,000 requests every two days.
  • Do You Really Know About LSA Protection (RunAsPPL)? This article dives into the details of Protected Process Light, how it works, how it can be bypassed, and what the different PPL levels mean.
  • HTML Maldoc Remote Macro Injection. Remote macros are useful to bypass mail scanning or other detection techniques that do not "detonate" the document. While it has been shown effective with .docx, this is an interesting use case with HTML documents.
  • Detecting Exposed Cobalt Strike DNS Redirectors. You are (hopefully) using HTTPS redirectors, but what about DNS redirectors to mask your C2 server's fingerprints? dnsfwd (LWiS 2021-03-22) would do nicely.
  • Attack Surface Reduction is a collection of research into Microsoft's Attack Surface Reduction rules. They are implemented in Lua, and the decompiled rules give lots of great information about easy things that instantly get marked "clean."
  • Handling “Open File – Security Warning”. The SEE_MASK_NOZONECHECKS environment variable is a new one to me, and it prevents the security pop-up seen on downloaded files ("mark of the web"). While this won't help with your initial payload (that I can think of), it could be useful for follow-on actions.
  • DInvoke to defeat EDRs. If you aren't using DInvoke with your C# you are missing out on all kinds of fun. This presentation walks through some of the existing research and packages it up nicely.
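A defender-side companion to the “Open File – Security Warning” item above, added here and not taken from the linked article: it reports whether SEE_MASK_NOZONECHECKS is set in any environment scope on a host, and lists files whose Zone.Identifier alternate data stream marks them as downloaded. The `$Path` parameter and the zone-name table are assumptions for this example.

```powershell
# Added example (not from the linked article): audit Mark-of-the-Web state on a Windows host.
# Assumes Windows PowerShell 5.1 or later; $Path is an assumed parameter, defaulting to Downloads.
param(
    [string]$Path = "$env:USERPROFILE\Downloads"
)

# URLZONE values as written into the ZoneId= line of the Zone.Identifier stream.
$zoneNames = @{ 0 = 'LocalMachine'; 1 = 'LocalIntranet'; 2 = 'TrustedSites'; 3 = 'Internet'; 4 = 'RestrictedSites' }

# 1. The variable that suppresses the "Open File - Security Warning" dialog.
#    Finding it at User or Machine scope outside a known build/automation context is worth a look.
foreach ($scope in 'Process', 'User', 'Machine') {
    $val = [Environment]::GetEnvironmentVariable('SEE_MASK_NOZONECHECKS', $scope)
    if ($val) {
        Write-Warning "SEE_MASK_NOZONECHECKS=$val is set at $scope scope; zone-check prompts are suppressed for processes launched from it"
    }
}

# 2. Files under $Path that still carry a Zone.Identifier stream, with their zone and origin host.
$results = Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $file = $_
    # Get-Item -Stream fails quietly when the ADS is absent; that is the "no mark of the web" case.
    $ads = Get-Item -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $ads) { return }

    $lines   = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $zoneId  = $null
    $hostUrl = $null
    foreach ($line in $lines) {
        $m = [regex]::Match($line, '^ZoneId=(\d+)$')
        if ($m.Success) { $zoneId = [int]$m.Groups[1].Value }
        $h = [regex]::Match($line, '^HostUrl=(.+)$')
        if ($h.Success) { $hostUrl = $h.Groups[1].Value }
    }

    [pscustomobject]@{
        Path    = $file.FullName
        ZoneId  = $zoneId
        Zone    = if ($null -ne $zoneId -and $zoneNames.ContainsKey($zoneId)) { $zoneNames[$zoneId] } else { 'Unknown' }
        HostUrl = $hostUrl
    }
}

# Internet-zone (ZoneId=3) files are the ones that would normally trigger the warning dialog.
$results | Sort-Object ZoneId -Descending | Format-Table -AutoSize
```

Run it as the user whose Downloads folder you want to inspect; files that were downloaded but show no Zone.Identifier stream were either unzipped from a marked archive by a tool that drops the stream, or had the mark removed.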

Tools and Exploits

  • CVE-2021-24086 is a proof of concept for CVE-2021-24086 ("Windows TCP/IP Denial of Service Vulnerability"), a NULL dereference in tcpip.sys patched by Microsoft in February 2021. It is triggerable remotely by sending a malicious UDP packet over IPv6. If you can reach an unpatched Windows machine with UDP over IPv6, you can bluescreen it. Put this one in the "demonstrate impact" folder and ensure your lawyer has reviewed whatever memo you got signed to allow its use on a customer.
  • chrome "0day". It's really a 1day as the Chromium source has been patched but the patch hasn't been pushed to a release yet. It won't pop calc without the --no-sandbox flag, so bring your own sandbox escape!
  • kiterunner is a "contextual content discovery tool" that uses traditional content discovery (throw a wordlist and look for non-error code responses), as well as more tailored requests with specific methods, headers, and parameters curated from multiple sources. More information at the assetnote blog.
  • TiEtwAgent is a PoC memory injection detection agent based on ETW, for offensive and defensive research purposes. Use this in your lab to see if your fancy tools can defeat kernel-mode detection!
  • dll-exports is a collection of DLL function export forwards for DLL export function proxying. This is great for stealthy Windows persistence.
  • cook is a customizable wordlist and password generator. It allows you to define word parts and patterns and generates all combinations - and the readme has beautiful usage pictures!

This post is cross-posted on SIXGEN's blog.