Last Week in Security (LWiS) - 2021-07-12
Arbitrary exe's as BOFs (@phraaaaaaa), .NET exe's via BOF (@anthemtotheego), enterprise grade RCE (@AdamOfDc949), built-in packet sniffing in Windows (@TheXC3LL), patching EternalBlue for embedded (@CaptMeelo), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-07-06 to 2021-07-12.
News
- Multiple U.S. States Sue Google for Violating Antitrust Laws With Play Store Fees. Last year Google said that all app developers would be required to use the Google Play Store payment system for in-app billing, which comes with a 30% cut to Google. What this means for Apple, who had a trial in May against Epic Games for the same issue (decision pending), remains to be seen.
- New privacy policy is completely unacceptable!. Audacity was bought by Muse Group (which owns Ultimate Guitar and MuseScore as well), and either they predictably want telemetry on the user base of their new toy or their lawyers slapped the boilerplate on it to cover all eventualities. Either way, there is now tenacity.
- Biden Sets Up Tech Showdown With ‘Right-to-Repair’ Rules for FTC. This battle has been brewing for a while as companies push harder against consumers actually owning, well, anything really. With pressure from the top, perhaps a set of FTC rules could give power back to the people and ensure that you do actually own what you buy and are free to modify and repair it on your own.
- DIVD-2021-00011 - Kaseya VSA Limited Disclosure. The Dutch CERT found and warned Kaseya about multiple vulnerabilities in April. Was the REvil exploit a case of parallel discovery, or perhaps a compromise of the Kaseya ticketing system?
- Microsoft Bug Bounty Programs Year in Review: $13.6M in Rewards. While that is a big number, the bug bounty community, and Microsoft specifically, have been at the center of some bug bounty drama. Hopefully it encourages more researchers to responsibly report vulnerabilities, and other companies to enact their own bug bounty programs.
Techniques
- Old dog, same tricks. Old "enterprise" software can be a gold mine for bugs. In this post a remote code execution vulnerability in Beagle Software’s ClockWatch is found and exploited. The vendor has declined to update, and thus this PoC should work forever (if you ever find ClockWatch in the wild).
- CVE-2021-28474: SharePoint Remote Code Execution via Server-Side Control Interpretation Conflict. After login, the site creation process leads to deserialization of untrusted user data and the ability to run arbitrary OS commands. This was patched in May 2021.
- Issue 2189: mpengine: asprotect embedded runtime dll memory corruption. An old, obscure packer format (asprotect) was emulated by executing an embedded DLL without signature checks. By creating a special asprotect DLL, RCE as SYSTEM on file scan is achievable. How many more obscure format unpackers lie in wait inside Defender and similar products?
- Adding a native sniffer to your implants: decomposing and recomposing PktMon. Following the "write your own tools" mantra, this post explores PktMon and how to write your own packet sniffer using the built-in "Packet Monitor" (Win 10/2019 1809+).
- Filesec.io. Stay up-to-date with the latest file extensions being used by attackers. It's the LOLBins or GTFObins of file extensions.
- Printnightmare Network Analysis. This is the kind of analysis that "open source tools" (OSTs) enable. This is a great post on how to break down pcaps to generate network signatures for new techniques/tools.
- Patching DoublePulsar to Exploit Windows Embedded Machines. This is a great example of not giving up on the first error, trying harder, and digging into issues to find solutions. Although Windows Embedded support wasn't added to Metasploit, the author got a shell and was able to continue the assessment.
- Process Creation is Dead, Long Live Process Creation — Adding BOFs Support to PEzor. This is the coolest tool of the last week. Run arbitrary executables as BOFs with a single command in Cobalt Strike. We have reached full BOF weaponization.
Tools and Exploits
- TokenTactics is an Azure JSON Web Token (JWT) manipulation toolset. Based on the work at AAD Internals, it adds the ability to pivot between token types, requiring (in certain setups) only one device code phish for wide access into Azure, Teams, Outlook, etc. The target inputs a code into a legitimate Microsoft page, but the codes are only good for 15 minutes.
- InlineExecute-Assembly is a proof of concept Beacon Object File (BOF) that allows security professionals to perform in-process .NET assembly execution as an alternative to Cobalt Strike's traditional fork and run execute-assembly module. InlineExecute-Assembly will execute any assembly with the entry point of Main(string[] args) or Main(). This should allow you to run most released tooling without any prior modification needed. More information in the blog post.
- TeamsUserEnum will determine if an email is registered on Teams or not. More details on immunIT's blog.
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- rustpad is an efficient and minimal collaborative code editor, self-hosted, no database required. Consider this where you would have used Etherpad in the past.
- reconmap. This looks like a great tool to help operators collaborate on an external penetration test or red team engagement.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.