Last Week in Security (LWiS) - 2021-09-14
Word RCE, Advanced Nim tradecraft (@snovvcrash), TCC bypass (@_r3ggi), encrypted heap allocations (@waldoirc), vuln hunting with binary ninja (@renorobertr), token priv manipulation BOF (@the_bit_diddler + @hackersoup), Outlook for C2 (@0xBoku), automated DLL hijacking (@knight0x07), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-09-07 to 2021-09-14 (bonus day!).
News
- Introducing Android’s Private Compute Services. Google is aiming to put the Private Compute Core from Android in the cloud and they're vouching to do 3rd party validation via audits.
- VMware denies allegations it leaked Confluence RCE exploit. Bug bounty drama as a payload sent to VMware as part of a bounty was later added to the Nuclei scanner by a researcher who claimed they found it via "Pastebin scraping" and could not produce the source URL to the paste. Bug bounties rely on trust, and these types of incidents underscore that.
- FORCEDENTRY NSO Group iMessage Zero-Click Exploit Captured in the Wild. If your threat model includes nation states with massive war chests willing to burn 0days to get on your device, I think any stock OS is going to be insufficient to protect you. Perhaps the best way to fight against this type of exploitation is to capture and expose the exploits fast enough to make it economically unfeasible to use them against activists? Props to Citizen Lab for doing the work here.
- U.S. Company Sold Zero-Click Hacking Tool to UAE Spy Operation. Three members of the RAVEN crew pled guilty in exchange for a three-year deferred prosecution agreement and fines. Interesting that the CFAA wasn't used in this case, as it is typically the hammer for anything computer related. How much taxpayer money did the US spend investigating and prosecuting these three? Imagine if the US Government instead paid competitive salaries so their own hackers didn't travel to the Middle East and hack for other governments...
- Between the 3 Sept and 10 Sept, secure env vars of *all* public @travisci repositories were injected into PR builds.. Self host that CI/CD, that way the mistakes are your own.
Techniques
- Burp Suite RCE. The built-in Chrome browser in Burp Suite 2.0 is an old Chrome version, which can be combined with the "Use dynamic analysis techniques" feature to trigger RCE on an assessors Windows machine by simply browsing a site via the embedded Chrome browser. Is this ultimate WAF? Ransomware any Burp Suite users that browse your site?
- Hacking CloudKit - How I accidentally deleted your Apple Shortcuts. Even the big companies are not immune to misconfigured access controls. In this case the result was an assessor was able to delete all shared "shortcuts" links for iOS.
- Tickling VMProtect with LLVM: Part 1. This series gets into the weeds of using LLVM as a software based deobfuscation framework that initially targets binaries protected with VMProtect.
- Analysis of a Parallels Desktop Stack Clash Vulnerability and Variant Hunting using Binary Ninja. Supporting macOS back to 10.13 had the effect of silently dripping stack protections, and the author uses the Binary Ninja Python API to help automate bug finding.
- Change home directory and bypass TCC aka CVE-2020-27937. By planting your own TCC database you can bypass the whole user TCC (Desktop, Documents, Address Book, Camera, Microphone, Photos and more).
- Hook Heaps and Live Free. Ecnrypted heap allocations. Now that is some legit tradecraft! This post is a gold mine of information about "in memory evasion" and practical examples of how to implement it with Cobalt Strike. Example code (for the first basic example) here. If you liked this post be sure to check out SleepyCrypt: Encrypting a running PE image while it sleeps which also dropped last week.
- CVE-2021-3437 | HP OMEN Gaming Hub Privilege Escalation Bug Hits Millions of Gaming Devices. Perhaps its time to download any gaming related drivers and do a vulnerability hunt... 🤔
Tools and Exploits
- Microsoft MSHTML Remote Code Execution Vulnerability CVE-2021-40444. This was the big news of last week. RCE from simply opening a Word doc, thanks to old friends - directory traversal, IE, and ActiveX.
- Demo of an RTF variant working in the explorer preview
- KQL query
- Malicious docx generator
- Windows MSHTML zero-day defenses bypassed as new info emerges
- CVE-2021-40444 Analysis/Exploit - This is the best analysis/walkthrough I have come across.
- Microsoft Defender Attack Surface Reduction recommendations - Old but gold. "Block all Office applications from creating child processes" is what you want for this vulnerability specifically.
- BOF-Adios is a BOF that will zero, then delete your beacon's executable on exit! Useful if you are dropping a loader to disk as part of a phishing campaign.
- NimHollow is a Nim implementation of Process Hollowing using syscalls with some nice features like shellcode encryption, sandbox detection, and AMSI patching.
- iam-vulnerable - Use Terraform to create your own vulnerable by design AWS IAM privilege escalation playground. More details on the BishopFox blog.
- Toggle_Token_Privileges_BOF is an (almost) syscall-only BOF file intended to either add or remove token privileges within the context of your current process.
- SharpSystemTriggers is a collection of remote authentication triggers coded in C# using MIDL compiler for avoiding 3rd party dependencies.
- azureOutlookC2 - Azure Outlook Command & Control (C2) - Remotely control a compromised Windows Device from your Outlook mailbox. Threat Emulation Tool for North Korean APT InkySquid / ScarCruft / APT37. TTP: Use Microsoft Graph API for C2 Operations.
- ImpulsiveDLLHijack is a C# tool which automates the process of discovering and exploiting DLL Hijacks in target binaries. The Hijacked paths discovered can later be weaponized during Red Team Operations to evade EDR's.
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- wwwgrep is a rapid search “grepping” mechanism that examines HTML elements by type and permits focused (single), multiple (file based URLs) and recursive (with respect to root domain or not) searches to be performed.
- AppInitHook is a global user-mode hooking framework, based on AppInit_DLLs. The goal is to allow you to rapidly develop hooks to inject in an arbitrary process. Developed to reverse engineer and customize random applications, it has broad implications for read teaming.
- ElusiveMice is a Cobalt Strike User-Defined Reflective Loader with AV/EDR Evasion in mind.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.