Last Week in Security (LWiS) - 2021-10-27

Windows LPE 0day (@KLINIX5), and lots more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-10-19 to 2021-10-27.

News

Techniques

Tools and Exploits

  • ProfSvcLPE is a currently unpatched local privilege escalation that shares the same root cause as CVE-2021-34484, which wasn't properly patched. The repo contains a Word doc with a writeup as well.
  • ZipExec is a unique technique to execute binaries from a password protected zip on Windows.
  • Phishious is an open-source Secure Email Gateway (SEG) evaluation toolkit designed for red-teamers. This is the coolest tool I've seen in a while.
  • FakeAMSI. Have you ever persisted by pretending to be an antivirus product?
  • SharpSelfDelete is a C# implementation of the research by @jonaslyk and the drafted PoC from @LloydLabs.
  • CallbackHell is an exploit for CVE-2021-40449 - Win32k Elevation of Privilege Vulnerability (LPE).
  • DLL_Imports_BOF is a BOF to parse the imports of a provided PE-file, optionally extracting symbols on a per-dll basis.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • cloudspec is an open source tool for validating your resources in your cloud providers using a logical language.
  • jimi is an automation-first no-code platform originally designed and developed for Security Orchestration and Response. Since its launch, jimi has developed into a fully fledged IT automation platform which effortlessly integrates with your existing tools, unlocking the potential for autonomous IT and Security operations.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.