Last Week in Security (LWiS) - 2021-08-09
Cobalt Strike Updates (@joevest, @adamsvoboda), ProxyShell [another exchange RCE] (@orange_8361). DeployPrinterNightmare (@Flangvik), Pulse Connect patch bypass (@buffaloverflow), Snapcraft App exploitation (@itszn13), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-08-02 to 2021-08-09.
News
- WireGuardNT, a high-performance WireGuard implementation for the Windows kernel. The WireGuard team continues to impress with a Windows kernel driver to increase speed (up to 5x speedup) and decrease battery usage. It's currently experimental and can be enabled with reg add HKLMSoftwareWireGuard /v ExperimentalKernelDriver /t REG_DWORD /d 1 /f.
- Apple's Plan to "Think Different" About Encryption Opens a Backdoor to Your Private Life. The company that once said, "What happens on your iPhone stays on your iPhone," and famously refused to unlock a terrorist's iPhone is rolling out software that will scan images on an iPhone. This type of client-side scanning breaks end to end encryption, and while it is being used initially to combat child exploitation, how difficult would it be to use the same system to censor or report on iPhone users that share images such as "tank man?"
- Cobalt Strike News
- Cobalt Strike 4.4: The One with the Reconnect Button. In addition to some nice to have features, 4.4 comes with some major OPSEC changes. Users can now define their own reflective loader and sleep obfuscation technique. This should make it much more difficult to statically signature Cobalt Strike in memory. A good primer for the sleep mask functionality is Sleeping with a Mask On. For the customer loader this blog post is a good starting place for creating a DLL injector BOF.
- Cobalt Strike DoS Vulnerability (CVE-2021-36798). "Hotcobalt" was an issue with screenshot processing on the Cobalt Strike teamserver that allowed a "malicious" beacon to crash the teamserver. More details on the SentinelOne blog.
- Introducing Cobalt Strike Community Kit. The Community Kit is a great place to find community additions to the popular C2 framework. Be sure to vet anything before using it live!
- Kubernetes Hardening Guidance. The NSA and CISA drop 59 pages of Kubernetes hardening guidance. Just because you can push code to a cluster in one command doesn't mean you can forget about the security implications of doing so.
- The Conti ransomware gang (aka Hermes aka Ryuk) had some of their "affilaite" training material leak last week. Here is a roughly translated PDF if you are interested in their tradecraft.
Techniques
- You're Doing IoT RNG. "Basically, every IoT device with a hardware random number generator (RNG) contains a serious vulnerability whereby it fails to properly generate random numbers, which undermines security for any upstream use."
- A New Attack Surface on MS Exchange Part 1 - ProxyLogon! and A New Attack Surface on MS Exchange Part 2 - ProxyOracle!. The master Orange Tsai is back to shell Exchange some more. This variant is dubbed "ProxyShell" and despite being patched in April a good number of Exchange servers on the internet appear to be vulnerable. Double check those patches and grab the web_exchange_proxyshell.yml Sigma rule.
- HTTP/2: The Sequel is Always Worse. There are some tricky issues with HTTP/2, especially in an environment of load balancers, front and back end request processors, and the like. Web app assessors or bug bounty folks should pay special attention to this one.
- Technical Advisory: Pulse Connect Secure – RCE via Uncontrolled Archive Extraction – CVE-2021-22937 (Patch Bypass). Some bugs don't die on the first patch. NCC Group takes a swing at Pulse Secure and develops a patch bypass for an authenticated remote code execution vulnerability.
- Snapcraft Packages Come With Extra Baggage: Exploiting Ubuntu's Snapcraft Apps with CVE-2020-27348. A crash while launching docker led to a "DLL sideloading" type issue against the snap container engine in Ubuntu. While the bug was patched in March of 2021, this is a great writeup.
- Bypassing Windows Hello Without Masks or Plastic Surgery. By spoofing an external USB camera, researchers were able to bypass Windows Hello authentication. It does require an IR photo of the victim, but otherwise becomes a quick USB skeleton key to the targeted Windows computer.
- Multi-Stage Offensive Operations with Mythic. Modular toolkits, varied C2 mechanisims, but a unified back end are the future of offensive operations.
- Admin’s Nightmare: Combining HiveNightmare/SeriousSAM and AD CS Attack Path’s for Profit. With all the Windows issues recently, it was only a matter of time until someone made a combo attack walkthrough.
- Relaying NTLM authentication over RPC again…. "Due to the absence of global integrity verification requirements for the RPC protocol, a man-in-the-middle attacker can relay his victim’s NTLM authentication to a target of his choice over the RPC protocol." No code released yet.
- CVE-2021-0090: Intel Driver & Support Assistant (DSA) Elevation of Privilege (EoP). "Intel Driver & Support Assistant (DSA) is a driver and software update utility for Intel components. DSA version 20.8.30.6 (and likely prior) is vulnerable to a local privilege escalation reparse point bug. An unprivileged user has nominal control over configuration settings within the web-based interface. This includes the ability to configure the folder location for downloads and data (e.g. installers and log files). An unprivileged user can change the folder location, coerce a privileged file copy operation to a “protected” directory through a reparse point, and deliver a payload such as a DLL loading technique to execute unintended code."
Tools and Exploits
- DeployPrinterNightmare is a C# tool for installing a shared network printer abusing the PrinterNightmare bug to allow other network machines easy privesc!
- whoc is a container image that extracts the underlying container runtime and sends it to a remote server. Poke at the underlying container runtime of your favorite CSP container platform!
- Certify is a C# tool to enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS). This is the toolset promised with the release of Certified Pre-Owned: Abusing Active Directory Certificate Services in June of 2021. A recent post covered the attacks in more practical terms.
- EyeWitnessTheFitness is a combination of EyeWitness (web screenshot OSINT tool) and fireprox (IP rotation proxy via AWS API gateway) that only uses one fireprox API for all EyeWitness targets.
- SigFlip is a tool for patching authenticode signed PE files (exe, dll, sys, etc) without invalidating or breaking the existing signature. This looks particularly nasty and is used by APT 10.
- SourcePoint is a C2 profile generator for Cobalt Strike command and control servers designed to ensure evasion. This tool was released along side the talk Operation Bypass Catch My Payload If You Can.
- BeaconEye scans running processes for active CobaltStrike beacons. When processes are found to be running beacon, BeaconEye will monitor each process for C2 activity. Check out IsBeaconProcess to make sure your beacon wouldn't get picked up.
- concealed_position is a local privilege escalation attack against Windows using the concept of "Bring Your Own Vulnerability". Specifically, Concealed Position (CP) uses the as designed package point and print logic in Windows that allows a low privilege user to stage and install printer drivers. CP specifically installs drivers with known vulnerabilities which are then exploited to escalate to SYSTEM. Concealed Position was first presented at DEF CON 29.
- haklistgen is a tool that turns any junk text into a usable wordlist for brute-forcing (subdomains, words in HTTP response, etc).
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- RegExp is a replacement for the Windows built-in Regedit.exe tool. Improvements over that tool includes many enhanced features.
- reverse-ssh is a A statically-linked ssh server with a reverse connection feature for simple yet powerful remote access.
- dnsmonster is a passive DNS collection and monitoring built with Golang, Clickhouse and Grafana. This is a scalable solution to do enterprise DNS monitoring.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.