Last Week in Security (LWiS) - 2021-06-28

Ghidra 10, Windows 11, Salesforce audit tool (@exploresecurity), XSS parser defeat (@bishopfox), Mythic C2 update (@its_a_feature_), Apache Tapestry RCE (@BelkahlaAhmed1), compressed CredBandit (@xenosCR), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-06-21 to 2021-06-28.

News

Techniques

Tools and Exploits

  • Ghidra 10.0 is the first major public point release. It is backwards compatible with projects created in 9.x (but projects created in 10.x cannot be opened by 9.x). This is also the first public release of the debugger! Check out What's New.
  • SharpMailBOF is a BOF.NET program to split a file into smaller chunks and email it via a specified SMTP relay. Useful for getting large files (lsass dumps?) on slow networks using a different exfiltration method.
  • compressedCredBandit is a modification to CredBandit that compresses the data (using MSZIP) before sending it back which should reduce the noise on the wire.
  • AttackSurfaceAnalyzer is a tool from Microsoft to help you analyze your operating system's security configuration for changes during software installation. Run it on a base install, then install all the programs your target has, re-run it, profit?
  • raccoon is a Salesforce object access auditor. For more information, check the blog post.
  • CVE-2021-27850_POC is a proof of concept for a critical unauthenticated remote code execution vulnerability found in all recent versions of Apache Tapestry. By downloading the AppModule.class file you can leak the HMAC secret key used to sign all the serialized objects in Apache Tapestry.
  • CVE-2021-31955-POC. While perhaps not useful on its own, if you have another vulnerability and are waiting on a kernel information disclosure for Windows, this is a nice PoC.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • Legal Considerations when Gathering Online Cyber Threat Intelligence and Purchasing Data from Illicit Sources. This could be of interest if you deal in data breaches or other threat intelligence.
  • jimi is an automation-first, no-code platform originally designed and developed for Security Orchestration and Response. Since its launch, jimi has developed into a fully-fledged IT automation platform that integrates with your existing tools, unlocking the potential for autonomous IT and security operations.
  • useful-forks aims to increase the discoverability of useful forks of open-source projects. GitHub's fork view is nearly worthless for determining whether a fork added anything to the code or not.
  • WindowsBinaryReplacements is a nice collection of small Windows utilities in C#. These would make great "built in" commands for a custom C# rat.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.