Last Week in Security (LWiS) - 2021-09-20
OMI agent RCE in Azure (@shirtamari), dynamic mac malware RE (@philofishal), Teams spoofing (@mrd0x), AMD info disclosure (@kyREcon), CABless Word RCE (@Edu_Braun_0day), dBase fuzzing for code exec (@spaceraccoonsec), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-09-14 to 2021-09-20.
News
- Google is partnering with Open Source Technology Improvement Fund, Inc to sponsor security reviews of critical open source software. Google is funding the review of eight libraries, frameworks, and apps including Git, lodash, and Laravel.
- Kali Linux 2021.3 Release. The most popular offensive security Linux distribution gets its third release of the year, with minor tweaks to better support VMs, old TLS versions, new tools, and updates throughout the OS.
Techniques
- NSA Meeting Proposal for ProxyShell. By combining the "NSA Meeting" and "ProxyShell" exploits for Exchange, a unique RCE chain can be created that may not otherwise be detected. Code here.
- Defeating macOS Malware Anti-Analysis Tricks with Radare2. Working around anti-debug measures is critical to dynamic analysis. This post shows how r2 can be used to manipulate execution and bypass checks.
- Microsoft Teams Spoofing Attacks. This post contains a message request approval bypass, attachment spoofing, and link spoofing techniques. If you phish via Teams, this is a must read.
- AMD Chipset Driver Information Disclosure Vulnerability. Two vulnerabilities exist across modern AMD chipsets that allow for information disclosure via reading uninitialized physical memory pages.
- All Your (d)Base Are Belong To Us, Part 1: Code Execution in Apache OpenOffice (CVE-2021-33035). Top tier exploit write-up, from fuzzing to code execution.
- Beginners Guide to 0day/CVE AppSec Research. I'm not sure how this guy sleeps with the consistency of long form content and code he produces. This post has a walkthrough of how to set up and instrument a PHP app for testing.
- Full-Spectrum Cobalt Strike Detection. This report is a technical profile of the commercial post-exploitation framework Cobalt Strike. It contains details on the capabilities of the framework, observed threat actor use, host-based and network-based detections, and SOAR strategies for detection and response. This report is intended for security operations audiences who focus on detection engineering.
- VSCode BOF Development Trick. Set your compiler to mingw32-gcc and Intellisense will help you out!
Tools and Exploits
- OMIGOD
- “Secret” Agent Exposes Azure Customers To Unauthorized Code Execution. This is the post that started it all. Another Azure find from Wiz. Simply removing the authorization header allowed for RCE as root. Amazing that this is a thing in 2021.
- Additional Guidance Regarding OMI Vulnerabilities within Azure VM Management Extensions. The official Microsoft response.
- OMIcheck is a set of scripts from Microsoft to check and upgrade your omi agents.
- CVE-2021-38647 is a nice wrapper for the PoC in the Wiz post.
- Azure OMI RCE Attempt shows a small sample of "in the wild" exploitation.
- goblin is a phishing tool that can host sites and display notices if users click call to action buttons. This won't replace GoPhish any time soon.
- fapro is a multi-protocol honeypot with ELK logging support. Looks like no source code is available (yet?).
- PowerShx is a rewrite and expansion of the PowerShdll project. PowerShx provides functionality for bypassing AMSI and running PS Cmdlets.
- CVE-2021-40444--CABless. Your favorite Word RCE, now with no CAB and a single line of JavaScript.
- CFG_Allowed_Functions is a pykd version-independent tool that finds and dumps functions allowed by Control Flow Guard (CFG).
- Zerotier - Multiple Vulnerabilities. An attacker may chain Zerotier root-server identity overwriting, insecure identity verification and various information leakage vulnerabilities to gain unauthorized access to private Zerotier networks. To exploit, see ZTCrack.
- Umbra is an experimental remotely controllable LKM rootkit for kernels 4.x and 5.x (up to 5.7) which opens a network backdoor that can spawn reverse shells to remote hosts, launch malware remotely and much more.
- Rosplant is a proof of concept to leverage Roslyn for post-exploitation (Roslyn + Implant = Rosplant). It comes in two parts, the server and client. Raw C# is entered into the server's console by the attacker, which is sent to the client (via TCP for the PoC). The client uses Roslyn to evaluate the code and sends the results back to the attacker.
- SharpExfiltrate is a tiny but modular C# framework to exfiltrate loot over secure and trusted channels. It supports both single files and full directory paths (recursively), file extension filtering, and file size filtering. Exfiltrated data will be compressed and encrypted before being uploaded. While exfiltrating a large amount of data will require the output stream to be cached on disk, smaller exfiltration operations can be done all in memory with the "memoryonly" option.
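The OMIGOD items above boil down to one condition worth alerting on while you roll out OMIcheck: a WS-Man request reaching the OMI listener with no Authorization header at all. Below is an added detection sketch (my own example, not code from Wiz, Microsoft, or this newsletter) that parses captured HTTP requests and flags exactly that. The listener ports (5985, 5986, 1270) and the /wsman path are my assumptions about OMI defaults, not values taken from the write-up, so adjust them to what your agents actually bind.

```python
"""Flag unauthenticated WS-Man requests to an OMI listener.

Added example for the OMIGOD items; ports and path are assumed OMI defaults.
The sample captures at the bottom are constructed, not real traffic.
"""
from dataclasses import dataclass

OMI_PORTS = {5985, 5986, 1270}   # assumption: default OMI listener ports
WSMAN_PATH = "/wsman"            # assumption: WS-Man endpoint served by OMI


@dataclass
class Finding:
    src: str
    dst_port: int
    reason: str


def parse_http_request(raw: str):
    """Split a raw HTTP request into (method, path, headers).

    Header names are lower-cased so the check is case-insensitive, as HTTP requires.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def check_request(src: str, dst_port: int, raw: str):
    """Return a Finding for a POST to the WS-Man path with no Authorization header."""
    if dst_port not in OMI_PORTS:
        return None
    method, path, headers = parse_http_request(raw)
    if method != "POST" or path != WSMAN_PATH:
        return None
    if "authorization" not in headers:
        return Finding(src, dst_port, "POST to WS-Man endpoint without Authorization header")
    return None


def scan(captured):
    """Run the check over (src, dst_port, raw_request) tuples and keep the hits."""
    return [f for f in (check_request(*c) for c in captured) if f is not None]


# Constructed sample captures: one authenticated request, one with the header
# stripped (the OMIGOD condition), and one to an unrelated port.
CAPTURED = [
    ("10.0.0.5", 5986,
     "POST /wsman HTTP/1.1\r\nHost: vm\r\n"
     "Content-Type: application/soap+xml;charset=UTF-8\r\n"
     "Authorization: Basic REDACTED\r\n\r\n<s:Envelope/>"),
    ("203.0.113.7", 5986,
     "POST /wsman HTTP/1.1\r\nHost: vm\r\n"
     "Content-Type: application/soap+xml;charset=UTF-8\r\n\r\n<s:Envelope/>"),
    ("10.0.0.9", 443,
     "POST /wsman HTTP/1.1\r\nHost: vm\r\n\r\n"),
]

if __name__ == "__main__":
    for finding in scan(CAPTURED):
        print(f"{finding.src} -> :{finding.dst_port}  {finding.reason}")
```

Since 5986 is TLS, the request bodies are only visible where you terminate TLS or on the host itself, so feed this from OMI's own request logging or a host-side capture rather than a span port. It is a stopgap; the fix is upgrading the agent with OMIcheck.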
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- Smersh is a pentest oriented collaborative tool used to track the progress of your company's missions and generate reports.
- Obfuscating Malicious, Macro-Enabled Word Docs. Missed this one last week, but some great tips on macro-obfuscation techniques for when that Word RCE stops being useful.
- be-a-hacker. This is a road map to being a self-taught hacker.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.