Last Week in Security (LWiS) - 2021-04-19
0 to RCE against a CMS (@ultrayoba), tcpip.sys patch diffing for N-days (@0vercl0k), detecting stagers (@DidierStevens), named pipe PTH (@ShitSecure), URI-based 1-click RCEs (@positive_sec), FDE bypass [Airstrike attack] (@breakfix), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-04-12 to 2021-04-19.
News
- PoshC2 – Introducing Native macOS Implants. As more businesses adopt macOS, red teamers have started to build tooling to support engagements against them.
- NSA says it found new critical vulnerabilities in Microsoft Exchange Server. Like many big bugs, once one is exposed lots of researches take aim. Exchange is the latest target, falling at the recent Pwn2Own and now multiple vulnerabilities being reported by the NSA. How many more remain unreported?
- FBI Accesses Computers Around Country to Delete Microsoft Exchange Hacks. The warrant and its attachments authorize "the use of remote access techniques to search the electronic media" of the targeted Exchange servers. While it also states that it does not authorize any seizure or copying of content (besides the webshells themselves) and no alteration of functionality, the FBI still had access to your mail server. I suppose it's a good idea to patch to keep everyone out, not just the "bad guys."
- research-threats is a collection of legal threats against good faith Security Researchers; vulnerability disclosure gone wrong and is a continuation of work started by @attritionorg. Hopefully it will encourage companies to act better toward researchers trying to help them.
- Did Someone at the Commerce Dept. Find a SolarWinds Backdoor in Aug. 2020?. This is an interesting post that also brings up blue team OPSEC. While Virus Total and other similar services are great, what are you telling the world by uploading samples with accounts or information that tie back to your organization?
- Policy and Disclosure: 2021 Edition. Google Project Zero is often used as an example of how to do responsible disclosure, and they have taken that role seriously. In 2021 they are implementing a "90+30" model that give a 30 day grace period after a bug is fixed within 90 days to allow better patch adoption before technical details are released. As N-day authors get faster and faster, this grace period becomes more important.
- NAME:WRECK Breaking and fixing DNS implementations. Many IoT and industrial control OS's DNS implementations are bad. So bad, in fact, that you can get remote code execution with a specially crafted DNS response. This exploit requires an attacker to be able to respond to DNS requests - some form of man-in-the-middle.
- Codecov Bash Uploader Dev Tool Compromised in Supply Chain Hack. The year of the supply chain attack is well underway. This one targets a tool developers use to generate code coverage often used in CI. Who is affected? Lots of projects.
Techniques
- From 0 to RCE: Cockpit CMS. This post shows a few ways to exploit blind NoSQL injection, authenticated account takeover, and even remote code execution in the MongoLite library.
- Duo Two-factor Authentication Bypass. An issue where 2FA authentication state wasn't tied to a session allowed an attacker one the same Duo deployment to redirect 2FA prompts to their own device. This is a narrow use case, and Duo even did incident response and determined it had never been exploited - except by the researchers. A reminder that 2FA isn't always a dead end!
- Reverse-engineering tcpip.sys: mechanics of a packet of the death (CVE-2021-24086). The PoC has been out for two weeks (it was in LWiS) but this post shows how it was discovered and created. If you have an interest in patch diffing or N-day exploitation, read this post. Another post that leverages patch diffing was also released last week: CVE-2021-1647: Windows Defender mpengine remote code execution
- Basic operational security when dropping to disk. Despite all the in memory voodoo, if you want to persist in a network, you'll have to write something to disk at some point. This post includes some tips to blend in better. Pro tip: the limelighter.go from ScareCrow has the versioninfo and signing all in one (vs the official Limelighter).
- Named Pipe Pass-the-Hash. Ever have access to a Windows box, and want to run a command as a different low privileged user (whose NTLM hash you have) on the same machine, but that target user is not logged in or running any processes? This post describes the process of creating a tool to do just that. The tool: NamedPipePTH.
- Allow arbitrary URLs, expect arbitrary code execution. Lots of desktop apps are vulnerable to 1-click exploitation via URL handlers. These issues affect Windows and Linux, across lots of app types. Be careful what you click, and perhaps leverage these on your next phishing engagement.
- Airstrike Attack - FDE bypass and EoP on domain joined Windows workstations (CVE-2021-28316). Domain joined Windows machines would leak a MSCHAPv2 challenge response hash to a rogue access point which can be used to recover an NTLM hash and forge a Kerberos Silver ticket and gain full access to the locked computer's hard drive. This vulnerability was patched in the April 2021 security update for Windows.
Tools and Exploits
- Finding Metasploit & Cobalt Strike URLs. The great forensic tool creator DidierStevens has a new script to find likely metasploit or Cobalt Strike's 8bit checkums. Don't stage your payloads if you are worried about OPSEC. The tool is available here.
- SSD Advisory – OverlayFS PE. Ubuntu 14.04-20.10 were vulnerable to an issue with file capabilities (think setuid-bit, but slightly different) where an OverlayFS could set arbitrary capabilities on files in an outer namespace/mount. A full exploit is included.
- MineSweeper is a lightweight (17-18kb) binary for Windows user-land hook manipulation. This will be useful for EDR research.
- macOS Post-Exploitation
- JXA_Proc_Tree is a JXA script for enumerating running processes, printed out in a json, parent-child tree. For use with a macOS JXA agent (i.e. Mythic).
- Add-To-TCC-DB is a JXA script that leverages sqlite3 API calls to add items to the user's TCC (Transparency, Consent, and Control) database.
- PrintTCCdb is a JXA script for Mythic that prints the TCC.db.
- Persistent-Swift is a Swift port of some of the original PersistentJXA projects by D00MFist. Original PersistentJXA repo.
- Invoke-Stealth is a Simple & Powerful PowerShell Script Obfuscator. This tool helps you to automate the obfuscation process of any script written in PowerShell with different techniques. You can use any of them separately, together or all of them sequentially with ease, from Windows or Linux.
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- pyMalleableC2 is a python interpreter for Cobalt Strike Malleable C2 Profiles. It allows you to parse, build and modify them programmatically. Unlike other simple parsers, this one actually uses an abstract syntax tree and should handle complex profiles much better.
This post is cross-posted on SIXGEN's blog.