Last Week in Security (LWiS) - 2021-06-21
AD pwnage (@harmj0y, @tifkin_, and @elad_shamir), ImageLoad bypass (@_batsec_), bofnet_executeassembly (@william_knows), reverse port knocking on Windows (@TheXC3LL), LNK generator (@Jean_Maes_1994), payload automation (@BinaryFaultline), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-06-14 to 2021-06-21.
News
- Snowflake moving to stable in Tor Browser 10.5. This is an interesting solution for users in restrictive environments that uses volunteer browsers as WebRTC proxies for the initial bridge connection into the Tor network. The initial broker connection uses domain fronting on Azure, so this may not last very long (or will be forced to switch providers).
- Testing In-Headset VR Ads. Facebook buys Oculus. Facebook puts ads in Oculus VR. No one is surprised.
- Rocky Linux 8.4 Available Now. After Red Hat/CentOS was sold to IBM, predictably Big Blue cut support for the community-supported CentOS and turned it into a rolling release (breaking lots of LTS promises in the process). The community responded and in just 7 months a stable replacement distro is available! migrate2rocky makes moving from CentOS 8 to Rocky easy.
Techniques
- Certified Pre-Owned. This is a long post, and a longer whitepaper, but if you attack or defend Active Directory it's a must-read. The number of ways you can misconfigure AD certificate services is pretty incredible, and despite being documented as dangerous, they are common (like unconstrained delegation). Lots of tooling is linked in the post, but there is also Invoke-Leghorn and Microsoft ADCS – Abusing PKI in Active Directory Environment.
- Shadow Credentials: Abusing Key Trust Account Mapping for Account Takeover. Just when you had enough AD for the week, Whisker drops to make DACL-based attacks against User and Computer objects in Active Directory much easier. There are some caveats, like Windows Server 2016 Functional Level in Active Directory and at least one Windows Server 2016 Domain Controller with a digital certificate for server authentication installed, but with those fulfilled, account access becomes much easier than before thanks to Windows Hello for Business. Hello to new access.
- How I Found A Vulnerability To Hack iCloud Accounts and How Apple Reacted To It. Bug bounties can be great, but when the researcher and company can't agree on exploitability or severity, there can be bad blood. This research showed how an attacker could use a large number (28,000) of IP addresses to bypass rate limits and guess a 6-digit reset code for iCloud accounts.
- What you need to know about Process Ghosting, a new executable image tampering attack. By creating an executable as "DELETE PENDING," Defender (and possibly other EDRs) will be unable to scan it and thus block execution. PoC here.
- Attackers Take Advantage of New Google Docs Exploit. This boils down to a fancy way to have your phishing pages hosted on docs.google.com, but it is likely effective nonetheless.
- Bypassing Image Load Kernel Callbacks. As EDRs move to kernel drivers, image load callbacks are what is being used to detect DLL loads. This library reimplements the Windows loader from scratch in userspace to prevent these callbacks from being sent to the kernel. Impressive stuff, and it can even load DLLs directly from memory - something the Windows loader cannot do. This library will likely be seen in any new loader or RAT going forward. Be sure to check out this llvm-obfuscator-enabled fork as well.
- monday-cnc. Like any service with an API that can store and retrieve data, planning site Monday.com can be used as a command and control channel. This write-up includes a simple Python PoC that could be adapted for use with C3 or Cobalt Strike's external C2.
- The Oddest Place You Will Ever Find PAC - Exploiting the notoriously unsafe gets() on a PAC-protected ARM64 binary. This is a walkthrough of bypassing pointer authentication (ARM 8.3 feature seen in iOS). The interactive features of the post are pretty amazing.
- Knock! Knock! The postman is here! (abusing Mailslots and PortKnocking for connectionless shells). The use of "reverse port knocking" by varying the source port is an interesting tactic, but like the post says, be wary of NATing or other network hops that will interfere with this.
- Click your shortcut and… you got pwned. Up your adversary emulation game with this LNK generator and you too can be NOBELIUM.
- Introducing Striker and the Payload Automation Libraries. If you have multiple team servers and multiple payloads, the payload generation process can be painful unless automated. The Python libraries introduced in this post can help you build your own pipeline.
Tools and Exploits
- bofnet_executeassembly. If you aren't using BOF.NET you are missing out. With this pull request, there is no excuse as you can drop in standard .NET assemblies and use them without any modification as a BOF. No more fork and run - opsec++. More details in this blog post.
- Polkit-exploit is a proof of concept for an authentication bypass on polkit, which allows an unprivileged user to call privileged methods using DBus (blog post in LWiS 2021-06-14).
- image-upload-exploits is a nice collection of ways to potentially leverage image uploads on web applications for data leaks or even shells!
- BloodCheck enables Red and Blue Teams to manage multiple Neo4j databases and run Cypher queries against a BloodHound dataset.
- Syscalls-Extractor is a script for automatically extracting syscall numbers for an OS.
- admin-login is a wordlist of potential admin panels for web app testing.
- brick is a small tool designed to identify potentially vulnerable SMM modules in a UEFI firmware image. It is composed of a collection of modules (implemented as IDAPython scripts), each responsible for identifying a specific vulnerability/anti-pattern in SMM code.
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- malwarescarecrow is a tool designed to make physical devices detectable by malware and make the system look like a virtual machine.
- Real-Time-Voice-Cloning. The vishing (voice phishing) implications of this are scary. Imagine calling a supervisor to get audio samples, then using those to train the model and create a script to demand action on a phishing email from an employee. Demo here.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.