Aug 16 2021 Last Week in Security (LWiS) - 2021-08-16

ProFTPd UAF (@lockedbyte), API hacking (@hakluke and @Farah_Hawaa), file ext tricks (@mrd0x), built-in AD searching w/ADSI (@Gr1mmie), DCE/RPC fingerprints (@hdmoore), SAML issues (@joonas_fi), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-08-09 to 2021-08-16.

News

Apple drops intellectual property lawsuit against maker of security tools. The battle against the virtual iOS device host finally ends with a fizzle. The case was scheduled to start next week. "The terms of the settlement were confidential."
AI Wrote Better Phishing Emails Than Humans in a Recent Test. This is the dystopian future we were promised.

Techniques

Having fun with a Use-After-Free in ProFTPd (CVE-2020-9273). This post analyzes the ProFTPd vulnerability and how to exploit it bypassing all the memory exploit mitigations present by default (ASLR, PIE, NX, Full RELRO, Stack Canaries etc). Two different exploits available at CVE-2020-9273.
How to Hack APIs in 2021. Type confusion, JWTs, undocumented APIs, versioning, rate limiting, race conditions, XXE injection, switching content types, HTTP methods, injection vulnerabilities, and more are covered in this great post.
Comparison of reverse image searching in popular search engines [OSINT hints]. TLDR: consider Yandex next time you need to reverse search an image.
TeamServer.prop. Have you been wondering what those TeamServer.prop warnings were in Cobalt Strike 4.4? It turns out you can tweak the screenshot and keylog callback data settings to customize how the team server handles potentially DoS-able data.
Spoofing File Extensions Using Google Drive and OneDrive. The tricks in this post may be helpful when/if you deliver payloads via email.
Playing Detection with a Full Deck. If you've ever done any Purple teaming, this post will hit home. Understanding the full context of a system (i.e. how are services created) is critical to good detection rules.
Phishing for NetNTLM Hashes. There are many ways to leak NTLM hashes but this post shows the results of testing and Security Zones are treated by web clients. Once you have NTLM and network access, this relay page has amazing charts for what is possible.
Going for the Gold: Penetration Testing Tools Exploit Golden SAML. Golden SAML hit the headlines after the SolarWinds breach, and this post breaks down how powerful it can be. The three custom tools they mention are not public.
Tools, Techniques, and Grimmie?: Experimenting w/ Offensive ADSI. Did you know there was a built in AD enumeration tool as far back as Windows 7 called adsisearcher?
SAML is insecure by design. SAML is bad and should feel bad. Lots of good ammo in here for your next web assessment that uses SAML.
[EX007] How playing CS: GO helped you bypass security products. The use of a vulnerable driver allows reading process memory from a userland helper to dump lsass while EDR watches helplessly.
Fingerprinting Windows versions, AV, wireless cards over the network—all without authentication. Rumble uses DCE/RPC UUIDs to fingerprint AV, EDR, and other software agents remotely and unauthenticated. This could be very useful for advanced red teams attempting to avoid detection.

Tools and Exploits

CobaltStrikeReflectiveLoader is perhaps the first public User-Defined Reflective Loader for Cobalt Strike 4.4. If you are writing your own, be ready to write a lot of assembly...
ProxyShell is the Exchange Server RCE (ACL Bypass + EoP + Arbitrary File Write) patched in April and May of 2021 (but not published in an advisory until July 2021). Also check out proxyshell-poc. See here for the technique break down: My Steps of Reproducing ProxyShell.
MiniDump is a C# implementation of mimikatz/pypykatz minidump functionality to get credentials from LSASS dumps.
LazySign creates fake certs for binaries using windows binaries and the power of bat files. If you're on Linux try Limelighter.
CobaltSpam is a tool based on CobaltStrikeParser from SentinelOne which can be used to spam a CobaltStrike server with fake beacons.
COM-Hijacking is an example of COM hijacking using a proxy DLL.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

raivo-otp / ios-application. A native, lightweight and secure one-time-password (OTP) client built for iOS; Raivo OTP! Why switch from my current OTP app? See here.
reko is a decompiler for machine code binaries. If Ghidra or redare2/Rizin aren't your thing, give reko a shot.
SysmonTools contains the following: Sysmon View: an off-line Sysmon log visualization tool, Sysmon Shell: a Sysmon configuration utility, and Sysmon Box: a Sysmon and Network capture logging utility.
RmiTaste allows security professionals to detect, enumerate, interact and exploit RMI services by calling remote methods with gadgets from ysoserial.
REW-sploit can get a shellcode/DLL/EXE, emulate the execution, and give you a set of information to help you in understanding what is going on. Example of extracted information are: API calls, encryption keys used by MSF payloads, decrypted 2nd stage coming from MSF, and Cobalt-Strike configurations (if CobaltStrikeParser is installed).

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.