Last Week in Security (LWiS) - 2021-10-27
Windows LPE 0day (@KLINIX5), and lots more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-10-19 to 2021-10-27.
News
- EXCLUSIVE Governments turn tables on ransomware gang REvil by pushing it offline. Congrats to Patrick Gray; they finally released the hounds!
- Infosec skills gap widens in all regions bar Asia-Pacific – report. "(ISC)² now estimates the global infosec skills gap to stand at around 2.7 million unfilled positions worldwide... The underlying issue isn’t just that demand is growing, it is that the jobs market consistently can’t attract enough people into cybersecurity careers to service demand."
- Pixel 6: Setting a new standard for mobile security. The flagship phone from Google comes with 5 years of security updates (matching iPhones), as well as a feature that looks like a built in Android version of iVerify.
- March 2019 FBI CAST Cellular Analysis & Geo-Location Field Resource Guide. Well this is interesting. Note: this document was acquired legally via a public record act request.
- New York Times Journalist Ben Hubbard Hacked with Pegasus after Reporting on Previous Hacking Attempts. Is this the first confirmed case of a US person being hacked with NSO exploit presumably by a Saudi-linked operator (Jeff Bezos hack-and-leak had weak attribution)? Are the "gloves off" now? Artifacts go back as late as 2018.
Techniques
- Using Kerberos for Authentication Relay Attacks. The great James Forshaw is back with a tome on Kerberos for relaying.
- Windows Exploitation Tricks: Relaying DCOM Authentication. Kerberos wasn't enough, so DCOM got the James Forshaw treatment too.
- Car hijacking swapping a single bit. These physical attacks are always cool to me. The same basic principle of exploitation applies to them: to exploit a system, you often must totally understanding it - sometimes better than the designers.
- Don't Ruck Us Too Hard - Owning Ruckus AP devices. This research involved a cool setup of Ghidra and dockerized QEMU emulation. Any IoT or embedded researchers should read this.
- Double spending bug in Polygon’s Plasma bridge. This bug was awarded a $2 million USD bounty. Perhaps it's time to switch focus to cryptocurrencies and smart contracts.
- AlphaGolang | A Step-by-Step Go Malware Reversing Methodology for IDA Pro. If you've ever had to reverse Go programs, you know it's a mess. AlphaGolang aims to help the analysis with IDA Pro with a series of helpful scripts.
- Servers are overrated – Bypassing corporate proxies (ab)using serverless for fun and profit.. This post comes complete with a "bug not a vuln" which lets you register subdomains of azurewebsites.net that includes reserved words like "microsoft."
- Utilizing Programmatic Identifiers (ProgIDs) for UAC Bypasses. Woah.
- Formalized Curiosity. This post is a good look at a process for conducting research.
- Driver Buddy Reloaded. Use this on your hunt for Windows driver vulns!
Tools and Exploits
- ProfSvcLPE is an currently unpatched local privilege escalation that shares the same root cause as CVE-2021-34484, but wasn't properly patched. The repo contains a word doc with a writeup as well.
- ZipExec is a unique technique to execute binaries from a password protected zip on Windows.
- Phishious is an open-source Secure Email Gateway (SEG) evaluation toolkit designed for red-teamers. This is the coolest tool I've seen in a while.
- FakeAMSI. Have you ever persisted by pretending to e an antivirus product?
- SharpSelfDelete is a C# implementation of the research by @jonaslyk and the drafted PoC from @LloydLabs.
- CallbackHell is an exploit for CVE-2021-40449 - Win32k Elevation of Privilege Vulnerability (LPE)
- DLL_Imports_BOF is a BOF to parse the imports of a provided PE-file, optionally extracting symbols on a per-dll basis.
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- cloudspec is an open source tool for validating your resources in your cloud providers using a logical language.
- jimi is an automation first no-code platform designed and developed originally for Security Orchestration and Response. Since its launch jimi has developed into a fully fledged IT automation platform which effortlessly integrates with your existing tools unlocking the potential for autonomous IT and Security operations.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.