Last Week in Security (LWiS) - 2021-07-26
User readable SAM hives (@jonasLyk and @cube0x0), PetitPotam takes off (@topotam77), Smart AD bruteforcing (@_nwodtuhs and @podalirius_), automated advanced maldocs (@33y0re), Windows command line obfuscation (@Wietze), dockerized Android (@sickcodes), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-07-19 to 2021-07-26.
News
- Updates Regarding VSA Security Incident. Kaseya got their hands on a universal decryptor for the ransomware that hit thousands of their customers on the Friday before the July 4th holiday in the US. They state that, "in no uncertain terms that Kaseya did not pay a ransom – either directly or indirectly through a third party – to obtain the decryptor." This leaves two possibilities: someone found a flaw in the encryption scheme a professional ransomware crew with years of experience was using, or someone acquired the universal decryptor key without paying for it (leak, hack, deal to not get arrested by the FSB, etc). If there was a flaw in the encryption, have researchers been sitting on it like the Allies allowed ships to be sunk after breaking the Enigma cipher in WWII? Was the Kaseya incident big enough to "burn" the technique? With the disappearance of REvil's public infrastructure, I suspect the FSB came knocking, demanded the key, and told them to take a nice vacation on the Black Sea while things cool off.
- OpenVPN Security Improvements and Changes. Two Ukrainian Windscribe VPN servers were seized and since they were unencrypted and had persistent disks, the authorities got hold of the OpenVPN private keys. In the age of ubiquitous HTTPS and HSTS preloading VPNs are effective against a very specific threat model, and are probably unnecessary for most people (despite what the YouTube ads will tell you).
- CVE-2021-36934 aka HiveNightmare aka SeriousSAM. For some reason, Windows 10 starting with 1909 and Server 2019 modified the SAM database access control lists to allow regular users to read the contents. While the files are normally locked by lsass, if the system has volume shadow copies (VSS), readable copies will be available there. The CVE-2021-36934 tool checks for shadow copies and reads the hives from them entirely in memory, and this Velociraptor query hunts for the condition.
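The quickest defender-side check for SeriousSAM is the ACL on the hive files: `icacls C:\Windows\System32\config\SAM` on an affected build lists `BUILTIN\Users:(I)(RX)`. The following Python, added here as an example and not part of the original post or any linked tool, parses icacls output and flags any hive that a low-privileged principal can read. The icacls text embedded in it is constructed to mirror the real output shape (SAM with the weak ACL, SECURITY with the expected one); the `READ_RIGHTS` and `LOW_PRIV_PRINCIPALS` sets are my own choices.

```python
import re

# Constructed sample output in the shape `icacls` prints for a hive file:
# the first line carries the path plus the first ACE, the following lines are
# indented and carry one ACE each.  This is illustrative text, not output
# captured from a real host.  SAM shows the weak ACL, SECURITY the expected one.
SAMPLE_ICACLS_OUTPUT = r"""
C:\Windows\System32\config\SAM NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Administrators:(I)(F)
                               BUILTIN\Users:(I)(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)

C:\Windows\System32\config\SECURITY NT AUTHORITY\SYSTEM:(I)(F)
                                    BUILTIN\Administrators:(I)(F)

Successfully processed 2 files; Failed processing 0 files
"""

# A line that starts a new file entry: drive letter, path, then the first ACE.
FILE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\\S+)\s+(?P<ace>.+)$")
# One ACE: principal, colon, then one or more parenthesised flag groups.
ACE_RE = re.compile(r"^(?P<principal>[^:]+):(?P<flags>(?:\([^)]*\))+)$")

# Simple rights and granular rights that each allow reading file content.
READ_RIGHTS = {"F", "M", "RX", "R", "GR", "RD"}
# Principals that mean "any ordinary user on this machine".
LOW_PRIV_PRINCIPALS = {
    "BUILTIN\\Users",
    "Everyone",
    "NT AUTHORITY\\Authenticated Users",
}


def parse_icacls(output):
    """Map each file path in icacls output to its list of (principal, flags) ACEs."""
    acls = {}
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        start = FILE_RE.match(line)
        if start:
            current = start.group("path")
            acls[current] = []
            line = start.group("ace")
        if current is None:
            continue
        ace = ACE_RE.match(line)
        if ace:
            acls[current].append((ace.group("principal"), ace.group("flags")))
    return acls


def grants_read(flags):
    """True if an ACE's flag string allows reading (and is not a deny ACE)."""
    groups = [g.split(",") for g in re.findall(r"\(([^)]*)\)", flags)]
    rights = {r.strip() for g in groups for r in g}
    if "DENY" in rights:
        return False
    return bool(rights & READ_RIGHTS)


def readable_hives(output):
    """Return the hive paths whose ACL lets a low-privileged principal read them."""
    exposed = []
    for path, aces in parse_icacls(output).items():
        if any(p in LOW_PRIV_PRINCIPALS and grants_read(f) for p, f in aces):
            exposed.append(path)
    return exposed


if __name__ == "__main__":
    # On a real host, feed this the output of:
    #   icacls C:\Windows\System32\config\SAM C:\Windows\System32\config\SECURITY C:\Windows\System32\config\SYSTEM
    for hive in readable_hives(SAMPLE_ICACLS_OUTPUT):
        print("hive readable by non-admin users:", hive)
```

A weak ACL alone is not enough for the read to succeed, since the live hives are locked; pair this with `vssadmin list shadows` (run as an administrator) to learn whether a shadow copy exists that exposes an unlocked copy, and remember that fixing the ACL does not retroactively fix copies already captured in older shadows.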
Techniques
- PetitPotam. While this was in last week's Tools and Exploits section, it has hit the news this week. Besides the classic Unconstrained Delegation method, there was talk of the following ways to leverage PetitPotam.
  - Active Directory Certificate Services (ADCS - PKI) domain admin vulnerability. SANS covers the PetitPotam + ADCS + Impacket + Rubeus route.
  - WebDAV + NTLM is also an option.
  - Find a computer with a path to AD and SMB relay.
  - Mimikatz + Kekeo + Impacket.
  - Microsoft's response: Won't fix.
- CVE-2021-3438: 16 Years In Hiding – Millions of Printers Worldwide Vulnerable. A sloppy strncpy with a size parameter controlled by the user in this driver from 2005 lets an unprivileged user escalate to SYSTEM. Look for the SSPORT.sys driver on your next engagement.
- Sequoia: A Local Privilege Escalation Vulnerability in Linux’s Filesystem Layer (CVE-2021-33909). A size_t-to-int type conversion vulnerability in the Linux Kernel’s filesystem layer affecting most Linux operating systems (3.16 through 5.13.x before 5.13.4). Any unprivileged user can gain root privileges on a vulnerable host by exploiting this vulnerability in a default configuration. You can use cve-2021-33909-crasher.c to test if the vulnerability exists on systems, but a user to root PoC isn't in the wild yet. This could be the Dirty COW of 2021.
- fail2ban – Remote Code Execution. While not exploitable without MiTM or the ability to set whois information, the ~! escape of the mail binary can be abused to inject commands into any program that passes attacker-controlled input to mail.
- Exfiltrating a victim's exact location (to within 5m). This is a great example of getting inside the mind of the defender to speculate what they did to "fix" a vulnerability, and then exploiting that "fix."
- Windows Command-Line Obfuscation. "Many Windows applications have multiple ways in which the same command line can be expressed, usually for compatibility or ease-of-use reasons. As a result, command-line arguments are implemented inconsistently making detecting specific commands harder due to the number of variations. This post shows how more than 40 often-used, built-in Windows applications are vulnerable to forms of command-line obfuscation, and presents a tool for analyzing other executables." Check out windows-command-line-obfuscation for the scripts and raw data.
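The practical lesson of the obfuscation post for detection engineers is to normalize the command line before matching it, rather than writing a signature for one spelling. The Python below is an added example, not code from the post or from the windows-command-line-obfuscation repository, and it generalizes the idea to a few variant classes at once: cmd.exe caret insertion, quote insertion, `/` versus `-` switches, case and whitespace, and PowerShell's acceptance of any unambiguous parameter-name prefix. The sample command lines are constructed, and the two rules (`RULES`) are mine.

```python
import re

# Constructed process-creation command lines (not taken from any real host).
# The first five are the same `reg save` command written five ways; the next
# two are the same PowerShell invocation written two ways.
SAMPLE_COMMAND_LINES = [
    r"reg save HKLM\SAM C:\temp\sam.hiv",                 # plain
    r"reg   SAVE   hklm\sam   C:\temp\sam.hiv",           # case and whitespace
    r"r^e^g s^a^ve HKLM\SAM C:\temp\sam.hiv",             # cmd.exe caret insertion
    r'"reg" "save" HKLM\SAM C:\temp\sam.hiv',             # quote insertion
    r"C:\Windows\System32\reg.exe save HKLM\SAM /y C:\temp\sam.hiv",  # full path, extra switch
    r"powershell.exe -nop -w hidden -enc AAAA",           # usual spelling
    r"powershell.exe /NoP /w hidden /e AAAA",             # slash switches, short prefix
    r"notepad.exe C:\temp\notes.txt",                     # benign
]


def normalize(cmdline):
    """Collapse the variants the detection should treat as equal.

    Carets are cmd.exe's escape character and never reach the child process,
    quotes around whole tokens are dropped, `/switch` becomes `-switch`,
    whitespace runs collapse and everything is lower-cased.
    """
    s = cmdline.replace("^", "").replace('"', "")
    s = re.sub(r"(^|\s)/(?=\w)", r"\1-", s)
    return re.sub(r"\s+", " ", s).strip().lower()


def prefixes(word, minimum=1):
    """All prefixes of `word` with at least `minimum` characters, longest first.

    PowerShell accepts any unambiguous prefix of a parameter name, so a rule
    that only looks for `-encodedcommand` or `-enc` misses `-e`, `-en`, ...
    """
    return [word[:n] for n in range(len(word), minimum - 1, -1)]


ENCODED_FLAG = "(?:" + "|".join(["ec"] + prefixes("encodedcommand")) + ")"

# rule name -> (program basename without .exe, regex over the normalized arguments)
RULES = {
    "reg_save_sam_hive": ("reg", re.compile(r"^save hklm\\sam(?:\s|$)")),
    "powershell_encoded_command": (
        "powershell",
        re.compile(r"(?:^|\s)-" + ENCODED_FLAG + r"(?:\s|$)"),
    ),
}


def match_rules(cmdline):
    """Return the names of the rules a command line matches after normalization."""
    norm = normalize(cmdline)
    program, _, args = norm.partition(" ")
    program = program.rsplit("\\", 1)[-1]
    if program.endswith(".exe"):
        program = program[:-4]
    return [name for name, (prog, rx) in RULES.items()
            if program == prog and rx.search(args)]


def scan(cmdlines):
    """Return [(original command line, [rule names])] for every line that matched."""
    hits = []
    for line in cmdlines:
        matched = match_rules(line)
        if matched:
            hits.append((line, matched))
    return hits


if __name__ == "__main__":
    for line, rules in scan(SAMPLE_COMMAND_LINES):
        print(rules, "<-", line)
```

Two caveats for production use: the normalized string is only for matching, so alert on the raw line (dropping every quote also mangles paths that contain spaces), and caret stripping is only correct when the command line passed through cmd.exe, so a parent-process check belongs next to it. Each application in the post has its own variant set, and a normalizer that is too aggressive will also merge distinct legitimate commands, so build the rules per program rather than one global rewrite.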
- All Your Base Are [Still] Belong To Us: Fuzzing Modern UDP Game Protocols With Snapshot-based Fuzzers. Ever wanted to discover a potential RCE against a AAA multiplayer game without all that hardcore reverse engineering? Hit it with a well tuned fuzzer and let the vulnerabilities fall out!
- On Disk, The Devil’s In The Details. When persisting, or otherwise dropping files to disk, professionals will do the extra work to make their exes and dlls blend in. You should too! One tool not mentioned that I find useful: PeFixup.
- Guide to Named Pipes and Hunting for Cobalt Strike Pipes. It's probably worth going through your profiles to ensure your pipe names aren't in the table of default and common profile pipe names.
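Both sides of the named-pipe point, hunting for default pipe names in endpoint telemetry and checking your own profile's pipe names before an engagement, come down to the same classifier. The Python below is an added example, not code from the linked guide; it starts from three of Cobalt Strike's widely documented default pipe name shapes (`msagent_##`, `MSSE-####-server`, `postex_####`) as a starter set that you should extend from the table in the post, and runs them over constructed Sysmon-style pipe events (Event ID 17 PipeCreated, 18 PipeConnected). The key=value flattening of the events and the field names are my assumption about how your log pipeline presents Sysmon data.

```python
import re

# Three of Cobalt Strike's documented default pipe name shapes.  A partial
# starter set: extend it from the table in the linked post and from any
# default Malleable profiles you find in the wild.
DEFAULT_PIPE_PATTERNS = {
    "cobaltstrike_default_smb_beacon": re.compile(r"^msagent_[0-9a-f]{2}$"),
    "cobaltstrike_default_stager": re.compile(r"^msse-[0-9]{1,4}-server$"),
    "cobaltstrike_default_postex": re.compile(r"^postex_[0-9a-f]{4}$"),
}

# Constructed Sysmon-style pipe events flattened to key=value pairs.
# Field names follow Sysmon (EventID, PipeName, Image, ProcessId); the
# values are made up for this example.
SAMPLE_PIPE_EVENTS = [
    r"EventID=17 PipeName=\msagent_3a Image=C:\Windows\System32\rundll32.exe ProcessId=4120",
    r"EventID=17 PipeName=\MSSE-1337-server Image=C:\Users\alice\AppData\Local\Temp\update.exe ProcessId=5512",
    r"EventID=18 PipeName=\postex_a1b2 Image=C:\Windows\System32\rundll32.exe ProcessId=4120",
    r"EventID=17 PipeName=\mojo.1234.5678.9012 Image=C:\Program Files\Google\Chrome\Application\chrome.exe ProcessId=2200",
    r"EventID=17 PipeName=\\.\pipe\spoolss Image=C:\Windows\System32\spoolsv.exe ProcessId=1996",
]

# key=value pairs where a value may contain spaces (e.g. "C:\Program Files\...");
# a value runs until the next " key=" or the end of the line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def canonical_pipe_name(name):
    """Strip a `\\.\pipe\` or leading `\` prefix and lower-case the rest."""
    n = name.strip().lower()
    for prefix in ("\\\\.\\pipe\\", "\\"):
        if n.startswith(prefix):
            n = n[len(prefix):]
            break
    return n


def classify(pipe_name):
    """Return the rule name a pipe matches, or None.

    Also usable as a pre-engagement self-check on a profile's `pipename`
    and `pipename_stager` values: any non-None result means change it.
    """
    n = canonical_pipe_name(pipe_name)
    for rule, rx in DEFAULT_PIPE_PATTERNS.items():
        if rx.match(n):
            return rule
    return None


def hunt(events):
    """Return [(rule, pipe name, image)] for every event whose pipe matches a known default."""
    hits = []
    for line in events:
        fields = dict(FIELD_RE.findall(line))
        if fields.get("EventID") not in ("17", "18"):
            continue
        rule = classify(fields.get("PipeName", ""))
        if rule:
            hits.append((rule, fields["PipeName"], fields.get("Image", "")))
    return hits


if __name__ == "__main__":
    for rule, pipe, image in hunt(SAMPLE_PIPE_EVENTS):
        print(f"{rule}: {pipe} created by {image}")
```

Pipe-name matching is cheap and high-signal for unmodified profiles, but an operator who has changed `pipename` in their profile will not appear here, so the guide's other angle, which process created the pipe and whether that process should ever host pipes at all, still matters.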
- OpenSSH ssh-agent Shielded Private Key Extraction (x86_64 Linux). This is a nice post on how to extract private keys from the memory space of OpenSSH after the introduction of "shielded private keys."
Tools and Exploits
- Beaconator is an aggressor script for Cobalt Strike used to generate a raw stageless shellcode and packing the generated shellcode using PEzor.
- smartbrute is a smart password spraying and bruteforcing tool for Active Directory Domain Services. It supports NTLM over SMB or LDAP as well as Kerberos pre-authentication bruteforcing. It can also bruteforce a domain intelligently, respecting lockout policy to avoid locking users out.
- inno-shellcode-example is an InnoSetup template that runs shellcode! How easy is it to convince a user they need to install Zoom, Adobe Reader XYZ, or whatever-app to join your meeting, read your document, etc? Now you can have a legit installer with some extra shellcode injection!
- Medusa is a cross-platform C2 agent for Mythic that runs on Python 2.7 and 3.8. This new agent has some nice features, but does require Python (just a base install) on the target to run.
- LittleCorporal is a C# automated maldoc generator. It uses a two step process to first self-inject into Word via an AutoOpen macro, and then inject the real payload from word into a running process. The use of InlineShape and automated building is just the cherry on top.
- ppmap is a scanner/exploitation tool written in Go, which leverages Prototype Pollution to XSS by exploiting known gadgets. Use this on your next web app assessment or bug bounty.
- dock-droid is dockerized Android. Run QEMU Android x86 and Android ARM in a Docker container with X11 forwarding. This could be useful for CI/CD for Android or for poking at Android apps "live."
- BadAssMacros is an automated malicious macro generator written in C# with capabilities like VBA purging, sandbox detections, and shellcode obfuscation.
- RemotePotato0 Cross Session Activation. Version 1.1 drops the requirement for the victim to be in session 0. Now you can coerce and relay NTLM authentication from any user in any session!
- Detect-Hooks is a proof of concept Beacon Object File (BOF) that attempts to detect userland API hooks in place by AV/EDR. The BOF will return a list of detected API hooks or let the operator know no hooks were detected. This can be useful knowledge to have before performing certain post-exploitation actions.
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- git-split-diffs brings GitHub style split diffs to your terminal.
- dorothy is a tool to test security monitoring and detection for Okta environments.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.