Last Week in Security (LWiS) - 2021-04-19

0 to RCE against a CMS (@ultrayoba), tcpip.sys patch diffing for N-days (@0vercl0k), detecting stagers (@DidierStevens), named pipe PTH (@ShitSecure), URI-based 1-click RCEs (@positive_sec), FDE bypass [Airstrike attack] (@breakfix), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-04-12 to 2021-04-19.

News

  • PoshC2 – Introducing Native macOS Implants. As more businesses adopt macOS, red teamers have started to build tooling to support engagements against them.
  • NSA says it found new critical vulnerabilities in Microsoft Exchange Server. Like many big bugs, once one is exposed lots of researchers take aim. Exchange is the latest target, falling at the recent Pwn2Own, and now with multiple vulnerabilities reported by the NSA. How many more remain unreported?
  • FBI Accesses Computers Around Country to Delete Microsoft Exchange Hacks. The warrant and its attachments authorize "the use of remote access techniques to search the electronic media" of the targeted Exchange servers. While it also states that it does not authorize any seizure or copying of content (besides the webshells themselves) and no alteration of functionality, the FBI still had access to your mail server. I suppose it's a good idea to patch to keep everyone out, not just the "bad guys."
  • research-threats is a collection of legal threats against good-faith security researchers (vulnerability disclosure gone wrong) and is a continuation of work started by @attritionorg. Hopefully it will encourage companies to act better toward researchers trying to help them.
  • Did Someone at the Commerce Dept. Find a SolarWinds Backdoor in Aug. 2020?. This is an interesting post that also brings up blue team OPSEC. While Virus Total and other similar services are great, what are you telling the world by uploading samples with accounts or information that tie back to your organization?
  • Policy and Disclosure: 2021 Edition. Google Project Zero is often used as an example of how to do responsible disclosure, and they have taken that role seriously. In 2021 they are implementing a "90+30" model that gives a 30-day grace period after a bug is fixed within the 90-day window, to allow better patch adoption before technical details are released. As N-day authors get faster and faster, this grace period becomes more important.
  • NAME:WRECK Breaking and fixing DNS implementations. The DNS implementations in many IoT and industrial control operating systems are bad. So bad, in fact, that you can get remote code execution with a specially crafted DNS response. This exploit requires an attacker to be able to respond to DNS requests - some form of man-in-the-middle.
  • Codecov Bash Uploader Dev Tool Compromised in Supply Chain Hack. The year of the supply chain attack is well underway. This one targets a tool developers use to generate code coverage often used in CI. Who is affected? Lots of projects.

Techniques

Tools and Exploits

  • Finding Metasploit & Cobalt Strike URLs. The great forensic tool creator DidierStevens has a new script to find URLs that look like Metasploit or Cobalt Strike stager URLs by their 8-bit checksums. Don't stage your payloads if you are worried about OPSEC. The tool is available here.
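As an added example (not Didier Stevens' script), here is the same check run from the defender's side over web-server access logs. checksum8 is the sum of the byte values of the first path segment (leading slash and query string removed), modulo 256; 92 and 93 are the x86 and x64 stager requests and 98 is Metasploit's session-connect request (the table is what I am confident of and is not exhaustive). The log lines are constructed, and the regex assumes Apache/nginx combined log format.

```python
"""Triage web-server access logs for request paths whose checksum8 matches the values
Metasploit's reverse HTTP stagers and Cobalt Strike's default stagers use.
Added example for this newsletter; not Didier Stevens' tool."""
import re
from urllib.parse import urlsplit

# checksum8 values I am confident of (assumption: this list is not exhaustive).
CHECKSUM_TAGS = {
    92: "x86 stager request (Metasploit URI_CHECKSUM_INITW / Cobalt Strike x86)",
    93: "x64 stager request (Cobalt Strike x64)",
    98: "Metasploit session connect (URI_CHECKSUM_CONN)",
}

# Apache/nginx "combined" format; only the request line's target is needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)


def checksum8(text: str) -> int:
    """Sum of the byte values of `text`, modulo 256 (Metasploit's Rex::Text.checksum8)."""
    return sum(text.encode("latin-1")) % 256


def first_segment(target: str) -> str:
    """First path segment of a request target, without the leading slash or query
    string: the part the stager checksum is computed over."""
    path = urlsplit(target).path.lstrip("/")
    return path.split("/", 1)[0]


def classify_path(target: str):
    """Return (segment, checksum8, tag) for a suspicious request target, else None.
    Only alphanumeric segments are considered: the generated stager URIs are
    alphanumeric, and that drops paths like '/index.html' from the candidate set."""
    seg = first_segment(target)
    if not seg or not seg.isalnum():
        return None
    c = checksum8(seg)
    tag = CHECKSUM_TAGS.get(c)
    return None if tag is None else (seg, c, tag)


def scan_log(lines):
    """Return (ip, timestamp, segment, checksum8, tag) for each line whose path matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = classify_path(m.group("target"))
        if hit:
            seg, c, tag = hit
            hits.append((m.group("ip"), m.group("ts"), seg, c, tag))
    return hits


# Constructed sample log lines (not real traffic). "abc6" and "abc7" were chosen so
# their byte sums are 348 and 349, i.e. checksum8 92 and 93.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Apr/2021:10:01:02 +0000] "GET /abc6 HTTP/1.1" 200 73802 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [12/Apr/2021:10:01:05 +0000] "GET /abc7?x=1 HTTP/1.1" 200 98110 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [12/Apr/2021:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.68"',
    '198.51.100.9 - - [12/Apr/2021:10:02:01 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/7.68"',
]

if __name__ == "__main__":
    for ip, ts, seg, c, tag in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} /{seg} checksum8={c}: {tag}")
```

Roughly one in 256 random alphanumeric paths will match one of these values by chance, so a hit is a triage signal to correlate with the response size (a stager download is tens of KB of binary) and the client, not a verdict on its own.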
  • SSD Advisory – OverlayFS PE. Ubuntu 14.04-20.10 were vulnerable to an issue with file capabilities (think setuid-bit, but slightly different) where an OverlayFS could set arbitrary capabilities on files in an outer namespace/mount. A full exploit is included.
  • MineSweeper is a lightweight (17-18kb) binary for Windows user-land hook manipulation. This will be useful for EDR research.
  • macOS Post-Exploitation
    • JXA_Proc_Tree is a JXA script for enumerating running processes, printed as a JSON parent-child tree. For use with a macOS JXA agent (i.e. Mythic).
    • Add-To-TCC-DB is a JXA script that leverages sqlite3 API calls to add items to the user's TCC (Transparency, Consent, and Control) database.
    • PrintTCCdb is a JXA script for Mythic that prints the TCC.db.
    • Persistent-Swift is a Swift port of some of the original PersistentJXA projects by D00MFist. Original PersistentJXA repo.
  • Invoke-Stealth is a simple and powerful PowerShell script obfuscator. This tool helps you automate the obfuscation of any script written in PowerShell with different techniques. You can use any of them separately, together, or all of them sequentially with ease, from Windows or Linux.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • pyMalleableC2 is a Python interpreter for Cobalt Strike Malleable C2 Profiles. It allows you to parse, build and modify them programmatically. Unlike other simple parsers, this one actually uses an abstract syntax tree and should handle complex profiles much better.
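To show why an AST beats line-oriented regex matching for this format, here is an added example of a minimal tree-building parser for the profile syntax. It is not pyMalleableC2's code or API; the grammar it assumes is a subset (a statement is a keyword followed by arguments and ";", a block is a keyword, an optional quoted variant name and a "{ ... }" body, "#" starts a comment), and the profile text is constructed.

```python
"""Minimal AST-based parser for the Malleable C2 profile syntax.
Added example for this post; not pyMalleableC2's code or API. Assumed grammar (a subset):
statement = keyword, zero or more arguments (quoted strings, or a bare name as in
`set name "value"`), ';'; block = keyword, optional quoted variant, '{ ... }'; '#' comments."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One token per match: comment | quoted string (backslash escapes allowed) | punctuation | bare word.
TOKEN_RE = re.compile(r'\s*(?:(#[^\n]*)|"((?:[^"\\]|\\.)*)"|([{};])|([^\s{};"#]+))')


@dataclass
class Statement:
    keyword: str
    args: List[str] = field(default_factory=list)


@dataclass
class Block:
    name: str
    variant: Optional[str]
    body: list = field(default_factory=list)  # Statement or Block nodes


def tokenize(text: str):
    """Turn profile text into (kind, value) tokens; comments are dropped."""
    tokens, pos, text = [], 0, text.rstrip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise SyntaxError(f"unexpected input at offset {pos}: {text[pos:pos + 20]!r}")
        pos = m.end()
        comment, string, punct, word = m.groups()
        if comment is not None:
            continue
        kind = "str" if string is not None else "punct" if punct is not None else "word"
        tokens.append((kind, string if string is not None else punct or word))
    return tokens


def _parse_body(tokens, pos, top_level):
    """Parse statements and blocks until '}' (or end of input at top level)."""
    nodes = []
    while pos < len(tokens):
        kind, val = tokens[pos]
        if (kind, val) == ("punct", "}"):
            if top_level:
                raise SyntaxError("unmatched '}'")
            return nodes, pos + 1
        if kind != "word":
            raise SyntaxError(f"expected keyword, got {val!r}")
        keyword, pos, args = val, pos + 1, []
        while pos < len(tokens) and tokens[pos][0] in ("str", "word"):
            args.append(tokens[pos][1])
            pos += 1
        if pos >= len(tokens):
            raise SyntaxError(f"unterminated statement {keyword!r}")
        kind, val = tokens[pos]
        if (kind, val) == ("punct", ";"):
            nodes.append(Statement(keyword, args))
            pos += 1
        elif (kind, val) == ("punct", "{"):
            if len(args) > 1:
                raise SyntaxError(f"block {keyword!r} takes at most one variant name")
            body, pos = _parse_body(tokens, pos + 1, False)
            nodes.append(Block(keyword, args[0] if args else None, body))
        else:
            raise SyntaxError(f"expected ';' or '{{' after {keyword!r}, got {val!r}")
    if not top_level:
        raise SyntaxError("unterminated block")
    return nodes, pos


def parse(text: str) -> list:
    """Parse a whole profile into its list of top-level nodes."""
    return _parse_body(tokenize(text), 0, True)[0]


def settings(nodes, path=()):
    """Flatten every `set name "value";` into (block path, name, value) triples so a
    setting can be looked up by where it sits in the tree, variants included."""
    out = []
    for node in nodes:
        if isinstance(node, Statement) and node.keyword == "set" and len(node.args) == 2:
            out.append((path, node.args[0], node.args[1]))
        elif isinstance(node, Block):
            label = node.name if node.variant is None else f'{node.name} "{node.variant}"'
            out.extend(settings(node.body, path + (label,)))
    return out


# Constructed sample profile, not a real one.
SAMPLE_PROFILE = r'''
# constructed sample
set sleeptime "60000";
http-get {
    set uri "/api/v1/status";
    client { header "Accept" "*/*"; metadata { base64url; parameter "session"; } }
}
http-get "variant-b" { set uri "/api/v1/health"; }
'''

if __name__ == "__main__":
    for path, name, value in settings(parse(SAMPLE_PROFILE)):
        print(" > ".join(path) or "(top level)", name, repr(value))
```

Because nesting and variants are explicit in the tree, a question like "which uri does the variant-b http-get use?" is a tree lookup rather than a regex that breaks as soon as two blocks share a setting name.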

This post is cross-posted on SIXGEN's blog.