Last Week in Security (LWiS) - 2021-07-12

Arbitrary exe's as BOFs (@phraaaaaaa), .NET exe's via BOF (@anthemtotheego), enterprise grade RCE (@AdamOfDc949), built-in packet sniffing in Windows (@TheXC3LL), patching EternalBlue for embedded (@CaptMeelo), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-07-06 to 2021-07-12.

News

  • Multiple U.S. States Sue Google for Violating Antitrust Laws With Play Store Fees. Last year Google said that all app developers would be required to use the Google Play Store payment system for in-app billing, which comes with a 30% cut to Google. What this means for Apple, who had a trail in May against Epic Games for the same issue (decision pending) remains to be seen.
  • New privacy policy is completely unacceptable!. Audacity was bought by Muse Group (which owns Ultimate Guitar and MuseScore as well) and predictably want telemetry on the user base of their new toy or their lawyers slapped the boilerplate on it to cover all eventualities. Either way, there is now tenacity.
  • Biden Sets Up Tech Showdown With ‘Right-to-Repair’ Rules for FTC. This battle has been brewing for a while as companies push harder against consumers actually owning, well, anything really. With pressure from the top, perhaps a set of FTC rules could give power back to the people and ensure that you do actually own what you buy and are free to modify and repair it on your own.
  • DIVD-2021-00011 - Kaseya VSA Limited Disclosure. The Dutch CERT found and warned Kaseya about multiple vulnerabilities in April. Was the REvil exploit a case of parallel discovery, or perhaps a compromise of the Kaseya ticketing system?
  • Microsoft Bug Bounty Programs Year in Review: $13.6M in Rewards. While that is a big number, the bug bounty community, and Microsoft specifically have been at the center of some bug bounty drama. Hopefully it encourages more researches to responsibly report vulnerabilities, and other companies to enact their own bug bounty programs.

Techniques

Tools and Exploits

  • TokenTactics is an Azure JSON Web Token (JWT) manipulation toolset. Based on the work at AAD Internals, it adds the ability to pivot between token types, requiring (in certain setups) only one device code phish for wide access into Azure, Teams, Outlook, etc. The target inputs a code into a legitimate Microsoft page, but the codes are only good for 15 minutes.
  • InlineExecute-Assembly is a proof of concept Beacon Object File (BOF) that allows security professionals to perform in process .NET assembly execution as an alternative to Cobalt Strikes traditional fork and run execute-assembly module. InlineExecute-Assembly will execute any assembly with the entry point of Main(string[] args) or Main(). This should allow you to run most released tooling without any prior modification needed. More information in the blog post.
  • TeamsUserEnum will determine if an email is registered on teams or not. More details on immunIT's blog.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • rustpad is an efficient and minimal collaborative code editor, self-hosted, no database required. Consider this where you would have used Etherpad in the past.
  • reconmap. This looks like a great tool to help operators collaborate on an external penetration test or red team engagement.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.