Last Week in Security (LWiS) - 2021-06-21

AD pwnage (@harmj0y, @tifkin_, and @elad_shamir), ImageLoad bypass (@_batsec_), bofnet_executeassembly (@william_knows), reverse port knocking on Windows (@TheXC3LL), LNK generator (@Jean_Maes_1994), payload automation (@BinaryFaultline), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-06-14 to 2021-06-21.


  • Snowflake moving to stable in Tor Browser 10.5. This is an interesting solution for users in restrictive environments that uses volunteer browsers as WebRTC proxies for the initial bridge connection into the Tor network. The initial broker connection uses domain fronting on Azure, so this may not last very long (or will be forced to switch providers).
  • Testing In-Headset VR Ads. Facebook buys Oculus. Facebook puts ads in Oculus VR. No one is surprised.
  • Rocky Linux 8.4 Available Now. After Red Hat/CentOS was sold to IBM, Big Blue predictably cut support for the community-supported CentOS and turned it into a rolling release (breaking lots of LTS promises in the process). The community responded, and in just 7 months a stable replacement distro is available! migrate2rocky makes moving from CentOS 8 to Rocky easy.


Tools and Exploits

  • bofnet_executeassembly. If you aren't using BOF.NET you are missing out. With this pull request, there is no excuse as you can drop in standard .NET assemblies and use them without any modification as a BOF. No more fork and run - opsec++. More details in this blog post.
  • Polkit-exploit is a proof of concept for an authentication bypass in polkit, which allows an unprivileged user to call privileged methods using DBus (blog post in LWiS 2021-06-14).
  • image-upload-exploits is a nice collection of ways to potentially leverage image uploads on web applications for data leaks or even shells!
  • BloodCheck enables Red and Blue Teams to manage multiple Neo4j databases and run Cypher queries against a BloodHound dataset.
  • Syscalls-Extractor is a script for automatically extracting syscall numbers for an OS.
  • admin-login is a wordlist of potential admin panels for web app testing.
  • brick is a small tool designed to identify potentially vulnerable SMM modules in a UEFI firmware image. It consists of a collection of modules (implemented as IDAPython scripts), each responsible for identifying a specific vulnerability/anti-pattern in SMM code.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • malwarescarecrow is a tool designed to make physical devices detectable by malware and make the system look like a virtual machine.
  • Real-Time-Voice-Cloning. The vishing (voice phishing) implications of this are scary. Imagine calling a supervisor to get audio samples, then using those to train the model and create a script to demand action on a phishing email from an employee. Demo here.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.