Last Week in Security (LWiS) - 2021-07-19

iOS exploit campaign (@amnesty + others), PrintNightmare refuses to die (@gentilkiwi), readable SAM/SYSTEM hives (@jonasLyk), Ubuntu shifts LPE (@vdehors), SharpHound exfil in memory (@william_knows), Windows exploit dev (@33y0re), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-07-12 to 2021-07-19.



Tools and Exploits

  • CVE-2021-3492 is an exploit in the shiftfs driver in Ubuntu that was introduced in April 2019, affecting at least 20.04 and 20.10. It was used in Pwn2Own successfully, with the full details released this week in a blog post.
  • SharpImpersonation is a token impersonation tool written in C#. Lots of details in this blog post.
  • SharpExcelibur is a tool to read Excel spreadsheets (XLS/XLSX) using Cobalt Strike's execute-assembly functionality.
  • injectAmsiBypass is a Cobalt Strike Beacon Object File (BOF) that bypasses AMSI in a remote process with code injection.
  • PetitPotam is a PoC tool to coerce Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw function. Disabling the EFS service seems not to mitigate the "feature".
  • CheeseSQL is Command Exec / Lateral Movement via MSSQL Trust. This tool has been developed to overcome some of the limitations given by already existing tools like ESC, mostly regarding MSSQL impersonation. Moreover, CheeseSQL has been specifically modified to run from Covenant (via reflective loading), and to automate the most important phases of MSSQL trust abuse.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • CVE-2020-1020-Exploit is the type1 font pool overflow LPE exploit. Supported OS: Windows 7,8,8.1 x64.
  • kerlab A Rust implementation of Kerberos for fun and detection. Implements a few Kerberos features from Rubeus as well as credential spraying and offline brute forcing.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.