Last Week in Security (LWiS) - 2021-05-17
Exim RCE (@lockedbyte), Windows kernel exploit writeup (@33y0re), plaintext RDP creds from memory (@jonasLyk, @n00py1), MS Defender ATP bypasses (@Tyl0us), hashcat 6.2.0 (@hashcat), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-05-10 to 2021-05-17.
News
- Humanity wastes about 500 years per day on CAPTCHAs. It’s time to end this madness. Cloudflare sets out to end CAPTCHAs and replace them with hardware tokens - which are increasingly built into modern computing devices.
- Exploiting custom protocol handlers for cross-browser tracking in Tor, Safari, Chrome and Firefox. "Scheme flooding" is a new technique that uses custom URL schemes to fingerprint your computer across browsers (even Tor browser). Check out the code and demo site.
- BloodHound Enterprise vs. BloodHound Open-Source. The upcoming Enterprise release of BloodHound shouldn't change anything for the open source version, and will provide lots of new features. What are the odds that a signed BloodHound Enterprise binary is allowed by major EDR vendors?
- Hashcat v6.2.0 Released. The latest hashcat adds 26 new hash modes, a new attack mode for single GPUs, new features and bug fixes.
Techniques
- Leveraging Microsoft Teams to persist and cover up Cobalt Strike traffic. In the age of remote work, your target is likely running Teams. This post shows how to leverage a DLL hijack for persistence when Teams runs as well as the creation of a C2 profile to mimic Teams traffic. Despite Microsoft saying domain fronting is dead, it hasn't been shut off on Azure quite yet, which allows your "Teams" traffic to front behind legitimate Microsoft domains.
- Exploit Development: CVE-2021-21551 - Dell ‘dbutil_2_3.sys’ Kernel Exploit Writeup. Posts like this are incredibly valuable for anyone looking to learn as they walk through the entire process from initial analysis to final PoC. Get the code here. Other PoCs are starting to pop up as well.
- Evil Logitech - erm I ment USB cable. Build your own hardware BadUSB cable with cheap parts and open source code.
- Dumping Plaintext RDP credentials from svchost.exe. In some (inconsistent) cases, the svchost.exe that has rdpcorets.dll loaded stores the user's RDP password in memory in plain text. This post shows you what to dump, and what to search for to possibly get credentials. It looks like this will soon be a feature in mimikatz.
- D-Link Router CVE-2021-27342 Timing Side-Channel Attack Vulnerability Writeup. By realizing that successful logins and incorrect logins varied wildly in the response time, credentials can be brute forced at high speed. Just because there is a delay for failure doesn't mean you can already try the next credential!
- Technical Analysis of Access Token Theft and Manipulation. This deck from McAfee's Advanced Threat Research group covers a lot of access token techniques.
- Hacking a company and accessing the back-end files leading to RCE and a 4-digit bounty. Note: original site down at the time of publishing. Inadvertent .git folders accessible lead to full compromise.
Tools and Exploits
- CVE-2020-28018 is one of the 21Nails Exim mail server vulnerabilities that combines a memory leak, arbitrary read primitive, and a write-what-where primitive to achieve arbitrary code execution. For details see From theory to practice: analysis and PoC development for CVE-2020-28018 (Use-After-Free in Exim).
- Solaris is a LKM rootkit loader/dropper that lists available security mechanisms.
- SharpNukeEventLog nukes the event log using some epic dinvoke fu to suspend the threads of the event log process.
- RedWarden is a Cobalt Strike C2 Reverse proxy that fends off Blue Teams, AVs, EDRs, scanners through packet inspection and malleable profile correlation.
- Dent is a framework for creating COM-based bypasses utilizing vulnerabilities in Microsoft's Window's Defender Advanced Threat Protection (called Microsoft Defender for Endpoint this week) sensors. All the details are in Breaking the (WDAPT) Rules with COM.
- Russian is a registry file that changes two keys that are checked by some malware to determine if you are using a Russian language keyboard. This should be an absolute last resort defense against ransomware, but is very easy to deploy.
- exclave helps offload wrapping/unwrapping of offensive payloads with Intel SGX technology assist. This is an interesting project to protect C2 secrets using protected processor memory and Intel's secure enclave technology.
- dnMerge is a lightweight .NET assembly dependency merger that uses dnLib and 7zip's LZMA SDK for compressing dependant assemblies.
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- delta aims to make time studying diffs both efficient and enjoyable: it allows you to make extensive changes to the layout and styling of diffs, as well as allowing you to stay arbitrarily close to the default git/diff output.
- jenkins-attack-framework is a project to help assess the popular CI/CD product Jenkins.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.
This post is cross-posted on SIXGEN's blog.