Last Week in Security (LWiS) - 2021-06-28
Ghidra 10, Windows 11, Salesforce audit tool (@exploresecurity), XSS parser defeat (@bishopfox), Mythic C2 update (@its_a_feature_), Apache Tapestry RCE (@BelkahlaAhmed1), compressed CredBandit (@xenosCR), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-06-21 to 2021-06-28.
News
- Introducing Windows 11. Despite saying Windows 10 would be the last version of windows, Microsoft's marketing team has won and Windows 11 will be released this fall. It still uses the NT 10 kernel, and Windows 10 1507 looks very different than Windows 10 21H2, so perhaps the numbered releases are good for users and developers both (avoids the "well it works on some windows 10"). There have been rumors of new utilities and mandatory Microsoft accounts, and taking steps against digital sovereignty with a TPM requirement. At least you can bypass the TPM check during install with these two registry modifications. Microsoft also made sure to take shots at Apple during the re-introduction of the Microsoft App Store which allows developers to bring their own "commerce engine" and keep 100% of their revenue.
- Microsoft signed a malicious Netfilter rootkit. This signed kernel driver was shipping traffic to a Chinese IP. I'll be interested in the result of Microsoft's internal investigation.
- Offensive Security exam retakes now $250. Offensive Security's training courses have long been "the standard" but as things change, newer, more relevant courses (like Red Team Ops, or PNPT) have come along to challenge the leader. Their recent moves to re-vamp their courses is good, but hiking retake prices has caused some backlash.
- Standing With Security Researchers Against Misuse of the DMCA. The Digital Millennium Copyright Act (DMCA) was outdated when it was passed in 2000, and in 2021 it makes even less sense. It's good the EFF is pushing the issue of security research before it becomes a bigger issue.
- Announcing a unified vulnerability schema for open source. Google has developed a JSON standard for vulnerabilities as well as site to browse them.
- VMware Patches Privilege Escalation Vulnerability in Tools for Windows. This sounds very similar to this Cisco Immunet LPE.
- Learning from our Myths. Possibly the most flexible open source C2 framework Mythic gets a big update with the 2.2 release which moves to React/GraphQL as well as implementing subtasks, an OPSEC engine, translation containers, and more.
Techniques
- Oracle VirtualBox VHWA Use-After-Free Privilege Escalation Vulnerability. A kernel driver in VirtualBox was vulnerable to a use after free bug which can be exploited from a custom Windows driver to achieve code execution on the VirtualBox host machine.
- CVE-2021-24084 An unpatched information disclosure in Microsoft Windows. The mobile device management log export feature of Windows fails to impersonate the user and is vulnerable to a mount point attack. PoC here.
- LEXSS: Bypassing Lexical Parsing Security Controls. This one is for the web app pentesters or bug bounty hunters. By using special HTML tags that leverage HTML parsing logic, it is possible to achieve cross-site scripting (XSS) even in instances where lexical parsers are used to nullify dangerous content.
- Spear Phishing Campaign with New Techniques Aimed at Aviation Companies. The VBS to drop XML and run msbuild aren't new, but the way the link was disguised in the HTML email to look like an attachment was pretty clever. Combine it with a trusted open redirect and you have a powerful pretext template.
- A supply-chain breach: Taking over an Atlassian account. This is an awesome web application hack that uses XSS, CSRF. a SameSite “Strict” bypass, HTTPOnly Bypass, and Cookie Fixation to go from a click to a full account takeover. PoC video here.
- Using CVE-2020-9971 to escape Microsoft Office’s app sandbox. This post shows a method of escaping the Office sandbox using XPC services
Tools and Exploits
- Ghidra 10.0. The first major public point release and is backwards compatible with projects created in 9.x (but 10.x created projects are not backwards compatible). This is also the first public release of the debugger! Check out What's New.
- SharpMailBOF is a BOF.NET program to split a file into smaller chunks and email it via a specified SMTP relay. Useful for getting large files (lsass dumps?) on slow networks using a different exfiltration method.
- compressedCredBandit is a modification to CredBandit that compresses the data (using MSZIP) before sending it back which should reduce the noise on the wire.
- AttackSurfaceAnalyzer is a tool from Microsoft to help you analyze your operating system's security configuration for changes during software installation. Run it on a base install, then install all the programs your target has, re-run it, profit?
- raccoon is a Salesforce object access auditor. For more information, check the blog post.
- CVE-2021-27850_POC is a critical unauthenticated remote code execution vulnerability that was found in all recent versions of Apache Tapestry. By downloading the AppModule.class file you can leak the HMAC secret key used to sign all the serialized objects in Apache Tapestry.
- CVE-2021-31955-POC. While perhaps not useful on its own, if you have another vulnerability and are waiting on a kernel information disclosure for Windows, this is a nice PoC.
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- Legal Considerations when Gathering Online Cyber Threat Intelligence and Purchasing Data from Illicit Sources. This could be of interest if you deal in data breaches or other threat intelligence.
- jimi is an automation first no-code platform designed and developed originally for Security Orchestration and Response. Since its launch jimi has developed into a fully fledged IT automation platform which effortlessly integrates with your existing tools unlocking the potential for autonomous IT and Security operations.
- useful-forks aims at increasing the discoverability of useful forks of open-source projects. GitHubs fork view is nearly worthless to determine if a fork added anything to the code or not.
- WindowsBinaryReplacements is a nice collection of small Windows utilities in C#. These would make great "built in" commands for a custom C# rat.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.