Last Week in Security (LWiS) - 2021-09-28

PPLDump BOF (@the_bit_diddler), code-signed rootkits (@HackingThings), remote windows password resets (@n00py1), XSS to RCE (@whynotsecurity), FinSpy bootkit (@kaspersky), Azure brute-forceable endpoint (@DrAzureAD?), and no C2 drama!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-09-20 to 2021-09-28.



  • Financially motivated actor breaks certificate parsing to avoid detection. By using End of Content markers in fixed length encoding, adware distributers were able to trick non-OpenSSL based products (i.e. Windows) to believe an invalid PE signature is actually valid. This is a neat trick, and I'm a bit surprised to see it burned on adware. Who else was aware/using it too?
  • XSS to RCE: Covert Target Websites into Payload Landing Pages. I really like this idea for delivering payloads for a red teaming phish, assuming the customer site is vulnerable to XSS that is otherwise not very valuable in terms of the assessment objectives.
  • Chrome in-the-wild bug analysis: CVE-2021-30632. Dig into the internals of the V8 JIT engine with GitHub as they analyzed this browser bug. PoC here.
  • Apache Dubbo: All roads lead to RCE. More GitHub technical content, this time a great article that goes from target identification to RCE using CodeQL. Be sure to check this out if you aren't using CodeQL for source code analysis/bug hunting.
  • Resetting Expired Passwords Remotely. Some great techniques to get past expired or must-be-reset passwords found on a Windows network.
  • IAM Vulnerable - Assessing the AWS Assessment Tools. This is a great test of the four major open source AWS IAM misconfiguration assessment tools. I wonder if the IAM Vulnerable project could be used with CI/CD for these tools to show "live" coverage of the test cases as they improve.
  • An Intro to Fuzzing (AKA Fuzz Testing). Just what the title says. One of the best intro articles that covers the basics.
  • Beyond the good ol' LaunchAgents - 20 - Terminal Preferences. Wild that this series is already up to 20. This one would only work against technical targets, as they have to open the terminal application to run your persistence.
  • Pwn2Own 2021: Parallels Desktop Guest to Host Escape. "Many evenings it is easier for me to read other people’s research, but I won’t find vulnerabilities reading blog posts. You find them by trying to do your own research." Damn, got me there. I've got some original research cooking (slow cooking, but still cooking).
  • New Azure Active Directory password brute-forcing flaw has no fix. The Azure Active Directory Seamless Single Sign-On has been good for user enumeration since 2019 but this new discovery allows brute forcing (via a web endpoint, so it will be slow) without even logging anywhere. Wild. A successful login will generate a log, but you can spray all day without alerting any organization that users pass-through authentication.
  • Everyone Gets a Rootkit. On Windows since Windows 8 the Windows Platform Binary Table has a weakness that can allow an attacker to run malicious code with kernel privileges when a device boots up. WPBT is a feature that allows OEMs to modify the host operating system during boot to include vendor-specific drivers, applications, and content. Compromising this process can enable an attacker to install a rootkit compromising the integrity of the device.
  • FinSpy: unseen findings. What's better than a rootkit? A bootkit of course. FinSpy has been busy since it was last reported on in 2018 with some seriously advanced malware.

Tools and Exploits

  • injectEtwBypass is a CobaltStrike BOF that injects an ETW bypass into a remote process via syscalls using HellsGate/HalosGate. This BOF contains some excellent assembly primitives for finding syscalls dynamically.
  • PPLDump_BOF is a fully-fledged BOF to dump an arbitrary protected process.
  • Needle_Sift_BOF is a file search bof to find strings within files without downloading the file from target. It uses strstr to do the search, and is case sensitive (no strcasestr function in Windows).
  • Dragonfly: your next generation malware sandbox. A new sandbox with rules engine. Details are light but it looks like this sandbox uses binary emulation vs running samples in an instrumented virtual machine. Sign up for the Alpha here.
  • ThreadStackSpoofer is a PoC for an advanced In-Memory evasion technique allowing to better hide injected shellcode's memory allocation from scanners and analysts.
  • gitoops is Bloodhound for GitHub organizations by abusing CI/CD pipelines and GitHub access controls.
  • SyscallNumberExtractor exports all ntdll.dll syscalls to syscalls.txt. Useful for hard coding direct syscalls if not using a *gate technique.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.