Last Week in Security (LWiS) - 2021-10-11

iOS 15 IOMFB exploit (@AmarSaar), new lsass dumper (@thefLinkk), SharpCalendar (@sadpanda_sec), gcpHound (@desi_jarvis + @Richarjb), macOS SBX (@epsilan), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-10-06 to 2021-10-11.

News

Techniques

  • Analyzing and Detecting a VMTools Persistence Technique. VMware tools binaries/services are commonly found on VMs and can be leveraged for persistence on power state changes. Unsure of how useful this would be in practice, as most legitimate target VMs would be in a datacenter somewhere powered on all the time?
  • Bindiff and POC for the IOMFB vulnerability, iOS 15.0.2. An "in the wild" exploit of IOMobileFrameBuffer is cited in the iOS 15.0.2 patch notes, and this bindiff and PoC is incredibly quick. In the end a reliable crash with arbitrary data is achieved. Update those iOS devices (and/or save your SHSH2 blobs ;). What's amazing is this analysis/PoC was completed and published in under 2 hours of the patch being released. Very impressive.
  • gcpHound: A Swiss Army Knife Offensive Toolkit for Google Cloud Platform (GCP). This is a perfect tool to run after you land on a developer's machine with GCP credentials. Currently only available in the docker image desijarvis/gcphound:v1.1-beta and the tool is written in python at /root/gcpHound.
  • Environmental Disaster - a LaunchServices Tale. The ability to control environment variables when launching a process from an app sandbox on macOS leads to a few different kinds of sandbox escapes, with more likely lurking thanks to popular applications/frameworks and their use of environment variables that are not block-listed by Apple.
  • Backdoor .NET assemblies with… dnSpy 🤔. Everyone loves a good backdoor for persistence, data exfiltration, or even privilege escalation. .NET assesmblies can be modified to run arbitrary code with dnSpy, and if exposed to the internet, could even be triggerable!

Tools and Exploits

  • HandleKatz is a position independent Lsass dumper abusing cloned handles, direct system calls and a modified version of minidumpwritedump(). The tool does not allocate any more executable memory and can therefore efficiently be combined with concepts such as (Phantom)DLL-Hollowing (unlike Donut, sRDI, etc).
  • SharpCalendar is a tool that uses Microsoft.Office.Interop.Excel to retrieve Outlook Calendar details in operator defined one month chunks. Sometimes its nice to know if/when someone will be out of office!
  • Ninja_UUID_Dropper is a loader that uses module stomping, no new thread, HellsGate syscaller, and UUID encoding for x64 Windows 10. The technique of encoding shellcode in UUIDs was first seen in Lazarus malware.
  • covert-tube is a program to control systems remotely by uploading videos to Youtube using Python to create the videos and the listener. It creates videos with frames formed of simple text, QR codes with cleartext, or QR codes using AES encryption. It may be easier to use youtube comments/video descriptions with encrypted text instead of reading data out of the videos themselves?
  • weakpass_3a is the latest weakpass wordlist. 107.77 GB of plaintext password goodness to feed your GPU cluster.
  • hermes is a Swift 5 Mythic payload for macOS. It currently supports Mythic 2.2.8 and will update as necessary.
  • SuspendedThreadInjection is a meterpreter injection technique using C# that attempts to bypass Defender.
  • DInvoke_rs brings the popular DInvoke/direct syscall technique to Rust! I'm excited to see more rust tooling for red teams.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • Viper is a graphical penetration tool that wraps metasploit in a nice, multi-user web-gui.
  • Clash is a rule-based tunnel daemon in Go that supports many protocols like VMess, Shadowsocks, Trojan, etc.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.