Jul 19 2021 Last Week in Security (LWiS) - 2021-07-19

News

• Revealed: leak uncovers global abuse of cyber-surveillance weapon. The latest model of iPhone on the latest version of iOS appears to be vulnerable to a 0click remote code execution exploit developed by NSO group and used to target political enemies and human rights activists around the world. While it isn't persistent, exploitation is reliable enough to simply re-exploit target devices. If you are an Android user feeling smug, rest assured there is a 0click RCE out there for your device as well. Stay updated and reboot your phones often! NSO group has denied any wrongdoing while releasing contradictory statements. Details and IOCs here, and a tool for analysis of backups or filesystem dumps here.
• Hooking Candiru Another Mercenary Spyware Vendor Comes into Focus. More shady Israeli "cybersecurity" firms selling 0days that end up being used against political enemies. You've got to hand it to the "startup nation," it's been churning out more 0day vendors (likely unit 8200 "graduates") than any other country.
• How we protect users from 0-day attacks. This post details three campaigns: emailed links, Office documents that loaded web content in IE, and LinkedIn messages with links to exploit 0days in Chrome and IE.
• Rewards for Justice – Reward Offer for Information on Foreign Malicious Cyber Activity Against U.S. Critical Infrastructure. The US government is offering rewards for tips that lead to the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against U.S. critical infrastructure. They are running a SecureDrop instance on Tor as well. Maybe it is already working? An interesting note: "Reward payments may include payments in cryptocurrency." This is the first time, to my knowledge, the US federal government has offered to transact in cryptocurrency in any capacity.
• Advancing email security for Gmail and beyond with BIMI. The new Brand Indicators for Message Identification (BIMI) is a standard for hosting images to be included as logos for emails. It requires a SPF, DKIM, a good DMARC policy, a special type of SVG, a special DNS entry, and for verification: the logo be trademarked, and then a "verified mark certificate" (VMC) must be purchased and hosted with the SVG. Hopefully Let's Encrypt will be a VMC issuer soon?
• Windows Print Spooler Elevation of Privilege Vulnerability. PrintNightmare refuses to die. Benjamin Delpy has been keeping the PoCs rolling, even creating a "privesc as a service" hosting two printers that will write to System32 as SYSTEM. Don't worry, it works against non-domain joined Windows 11 machines too. If you wrap buggy code from 1994 in virtualization based security, it's still buggy code. Confused on how this all works? Read this: Windows Print Spooler Elevation of Privilege vulnerability (CVE-2021-1675) explained.
• The new #OpenSecurityTraining2 site has been launched at ost2.fyi!. Anyone can now sign up for the public betas of the first classes (with more to come soon!).
• [DEVELOPING] Windows 10 feature upgrades leave SAM and SYSTEM hive readable by any user. This has been seen on Windows 11 and fully up to date Windows 10.

Techniques

• Aruba in Chains: Chaining Vulnerabilities for Fun and Profit. Finding "smaller" bugs and then chaining them together leads to full unauthenticated remote code execution against an Aruba router running Aruba Instant. PoC here.
• Exploit Development: Swimming In The (Kernel) Pool - Leveraging Pool Vulnerabilities From Low-Integrity Exploits, Part 2. Connor is back with another banger. Another full walk through with detailed steps, screenshots, and full code. If you are interested in exploit development for windows, this is a must read.
• Remote code execution in cdnjs of Cloudflare. A vulnerability in the way Cloudflare automatically updated its JavaScript CDN allowed for RCE. Props to Cloudflare for the near instant incident response and remediation - impressive.
• Evade Sandboxes With a Single Bit – the Trap Flag. A relatively simple check can be used to determine if you are in a VM or on an actual host.
• Fetching SharpHound data entirely in-memory (no dropped ZIP or JSON files) using BOF.NET and Cobalt Strike. This is so good I had to test and implement it in my tooling the same day. Stop dropping files to target (even encrypted), and pull them straight back via BOF.NET. Be sure to check out this commit to CredBandit if you are interested in implementing this in your own BOFs (or just use the new BOF.NET). @spotheplanet has an updated section on dumping to memory as well.
• Gotta Catch 'Em All: Frida & jailbreak detection. If you have any interest in iOS security or jailbreak detection, this post is full of great details.

Tools and Exploits

• CVE-2021-3492 is an exploit in the shiftfs driver in Ubuntu that was introduced in April 2019, affecting at least 20.04 and 20.10. It was used in Pwn2Own successfully, with the full details released this week in a blog post.
• SharpImpersonation is a token impersonation tool written in C#. Lots of details in this blog post.
• SharpExcelibur is a tool to read Excel spreadsheets (XLS/XLSX) using Cobalt Strike's execute-assembly functionality.
• injectAmsiBypass is a Cobalt Strike Beacon Object File (BOF) that bypasses AMSI in a remote process with code injection.
• PetitPotam is a PoC tool to coerce Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw function. Disabling the EFS service seems not to mitigate the "feature".
• CheeseSQL is Command Exec / Lateral Movement via MSSQL Trust. This tool has been developed to overcome some of the limitations given by already existing tools like ESC, mostly regarding MSSQL impersonation. Moreover, CheeseSQL has been specifically modified to run from Covenant (via reflective loading), and to automate the most important phases of MSSQL trust abuse.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• CVE-2020-1020-Exploit is the type1 font pool overflow LPE exploit. Supported OS: Windows 7,8,8.1 x64.
• kerlab A Rust implementation of Kerberos for fun and detection. Implements a few Kerberos features from Rubeus as well as credential spraying and offline brute forcing.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.