Last Week in Security (LWiS) - 2021-05-31

ESXi heap overflow RCE (@straight_blast), abusing .NET dev features (@bohops), new book (@1njection), LNK for initial access and persistence (@V3ded), Outlook post-ex fun (@checkymander), new C# obfuscation tool (@h4wkst3r), WOW64 injector (@aaaddress1), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-05-24 to 2021-05-31.

News

  • VMSA-2021-0010: What You Need to Know. "There is a remote code execution vulnerability in the vSAN plugin, which ships as part of vCenter Server. This vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of whether you use vSAN or not." No PoC yet, but considering vCenter/ESXi usually host most critical IT assets, this should be an emergency patch. Get the NSE checker here, and more analysis here.
  • QUIC Version 1 is live on Cloudflare. QUIC is a new transport protocol built on top of UDP. Unfortunately, to access HTTP resources with HTTP/3, QUIC still includes an unencrypted Client Hello which includes the server name. Can you combine Encrypted Client Hello and QUIC (add ECH support to the test client and let me know)? QUIC also has some interesting things in the pipeline (masque).
  • Introducing Half-Double: New hammering technique for DRAM Rowhammer bug. Attackers can now use a second controlled row, which has a "non-liner gating effect" to "transport" the Rowhammer effect from the first to the row, through the second, to a victim row and is an intrinsic property of the underlying silicon substrate. No practical implications yet, but now you know when the CISO asks if you need to remediate for the new row hammer variant. JEDEC has published two documents about DRAM and system-level mitigation techniques (JEP300-1 and JEP301-1).
  • Amazon devices will soon automatically share your Internet with neighbors. Many Amazon devices will start allowing other amazon devices owned by different customers to use their internet connection to connect back to Amazon. If you don't want to be part of the world's largest botnet, opt-out now or don't buy IoT devices that are thinly veiled tools of surveillance.
  • Book Release: "Adversarial Tradecraft in Cybersecurity". Dan's book drops June 9th, and looks to be a great collection of techniques and tricks for both red and blue teams. This will be a must read for any CCDC or ProsVJoes competitors!
  • M1ssing Register Access Controls Leak EL0 State. A register on the M1 chip can be read and written to by any process, enabling two pieces of malware on the same machine to communicate. Big deal? Probably not (there are much easier ways for malware to communicate on the same system), but it could allow malware in separate virtual machines to communicate.
  • The Full Story of the Stunning RSA Hack Can Finally Be Told. Before "supply chain attack" was a buzzword, the Chinese were harvesting RSA seeds straight from the source. Despite the dramatic language, the operation wasn't all that novel. Phish a user, expand access, harvest data.

Techniques

  • Zero-Day TCC bypass discovered in XCSSET malware. Dropping a malicious .app inside the folder of an app that was given screen recording permissions was enough to bypass Apple's protections and allow a malicious actor to take screenshots without the user approving the malware to do so. This was patched in macOS 11.4. PoC that captures 15 seconds of camera without asking if placed inside an app directory that has approved camera access (facetime, photobooth, etc): CaptureCam.
  • Abusing and Detecting LOLBIN Usage of .NET Development Mode Features. With the right privileges, it is possible to modify the configuration for .Net binaries in system32 and (along with setting an environment variable) leverage them for application control bypass with managed assembly modification (depending on the solution), general DLL hijack/sideloading, and persistence.
  • Step-by-step how to deanonymize emails on LinkedIn. With the Outlook integration (thanks to the Microsoft purchase of LinkedIn), anyone with an Outlook account and an intercepting proxy can leak the emails of users on LinkedIn (pro tip: check your privacy settings!).
  • Detecting Rclone – An Effective Tool for Exfiltration. Ransomware gangs often pull large amounts of target data before encrypting a network, and this post looks into ways to detect this exfiltration hopefully in time to stop the encryption.
  • TeamViewer Local Privilege Escalation Vulnerability. This is a writeup of a macOS privilege escalation in TeamViewer from 2020-11, but the technique may be applicable to other apps that run privileged helpers.
  • Baking Mojolicious cookies. Much like JWT, the Perl web framework Mojolicious cookies can be cracked if predictable weak keys are used.
  • The Attack Path Management Manifesto. The team at SpecterOps are masters of the Attack Path and this manifesto lays out their thinking.
  • Abusing LNK "Features" for Initial Access and Persistence. LNK files can be set to run on a key shortcut and can be hidden. Writing an LNK file to the desktop from a macro and having the shortcut run a payload that injects a C2 tool and removes the LNK (restoring the shortcut) could gain stealthy initial access and the target would only notice one broken copy function. This has the added benefit of spawning your C2 loader as a child of explorer.exe naturally.

Tools and Exploits

  • My RCE PoC walkthrough for (CVE-2021–21974) VMware ESXi OpenSLP heap-overflow vulnerability. This is a detailed walk through of the development process of a heap-overflow for ESXi and the first public PoC for it (that I am aware of).
  • 2.2.0 20210525 MSTSC Passwords is a new Mimikatz release that can dump plaintext RDP credentials without injection or a hooking. This technique was discussed in LWiS 2021-05-17.
  • scanflow boasts a feature set similar to the likes of CheatEngine, with a simple command line interface. Utilizing memflow, scanflow works in a wide range of situations - from virtual machines, to dedicated DMA hardware.
  • Microsoft-JSON-Web-Token-Extractor is a C# project to extract JSON Web Tokens from memory without dumping anything on disk to avoid detection by Endpoint Detection and Response. Check out the blog post for more information.
  • Carbuncle is a tool for interacting with outlook interop during red team engagements. Not a new release, but 0.2 adds a lot of nice features. Be warned, depending on the setup this could cause a popup to be created for the user!
  • InvisibilityCloak is a proof-of-concept obfuscation toolkit for C# post-exploitation tools. For more information check out the blog post.
  • SharpUnhooker is a C# universal API unhooker - automatically unhook functions from ntdll.dll, kernel32.dll, user32.dll, and kernelbase.dll.
  • wowInjector is a PoC to exploit the 32-bit thread snapshot of WOW64 to take over $RIP, inject & bypass AV.
  • boobsnail allows generating Excel 4.0 XLM macro. Its purpose is to support the RedTeam and BlueTeam in XLM macro generation.
  • loginItemManipulator is an Objective-C tool to list, add, and remove login items for user's session and global loginitem lists for macOS.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.