Last Week in Security (LWiS) - 2021-11-22
AFL++ on Android (@Gr33nh4t), Qualcomm NPU exploits (@mmolgtm), sysWhipser research (@CaptMeelo), TPM sniffing (Julien Oberson), CheckCert and SQLRecon (@sanjivkawa), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-11-16 to 2021-11-22.
News
- GitHub’s commitment to npm ecosystem security. Dependancy package security is a hard problem to solve, but it seems NPM has gotten a lot of flak recently. Mandatory 2FA and other measures may help. "But I use rust," you say? Read on...
- Backdooring Rust crates for fun and profit. Running other people's code easily is a bedrock feature of any software dependency or library manager. It's quite difficult to make sure that code isn't malicious.
- An in-depth look at hacking back, active defense, and cyber letters of marque. Interesting conclusion (government should be in control) for a guy who prevented a malware outbreak with "active defense" as a civilian. Perhaps that gives more weight to his argument, having "seen the other side?" I have yet to read any opinion pieces by current or former government offensive security professionals on the matter - aside from Jake Williams of course.
- Emotet, once the world's most dangerous malware, is back. What is dead my never die? Keep track of the threat here.
- NUCLEUS:13. The IoT/OT/embedded OS from Siemens, Nucleus RTOS, had flaws in its TCP/IP stack including a buffer overflow in the FTP USER command. The project-memoria-detector can help identify the TCP/IP stack of a device if you think you may have some Nucleus systems in your environment.
Techniques
- AFL++ on Android with QEMU support. Ever wanted to fuzz close-source libraries directly on your Android phone? Now you can!
- Nanodump: A Red Team Approach to Minidumps. The tool has been out for a while, but this post explains the motivation and technical details.
- Fall of the machines: Exploiting the Qualcomm NPU (neural processing unit) kernel driver. Some interesting bugs found in the NPU driver accessible from the untrusted app sandbox on (presumably) lots of Android devices.
- When You sysWhisper Loud Enough for AV to Hear You. Static syscalls have their signatures. This post explores some work arounds, but some *Gate (Hell's, Heaven's, etc) would prevent these artifacts in your code at all (but introduce others).
- An Illustrated Guide to Elliptic Curve Cryptography Validation. Elliptic curves are becoming the standard way to perform asymmetric cryptography, but how do they actually work? This post can serve as a refresher for that college cryptography class you took or didn't take.
- Active Directory Attack Paths — “Is it always this bad?”. From experience: yes. This post is mostly an ad for Bloodhound Enterprise, but that's ok.
- Some notes about Microsoft Exchange Deserialization RCE (CVE-2021–42321). After ProxyShell, Exchange got some serious attention and to no one's surprise more RCE fell out of it. This one affected Exchange 2016 CU21/22 and 2019 CU10/1 but he post goes into technical detail and stops just short of a PoC.
- HackSys Extreme Vulnerable Driver — Arbitrary Write NULL (New Solution). This is a very detailed post on a cool privilege escalation against a vulnerable by design driver.
- Abusing Google Drive's Email File Functionality. This is a great way to abuse legitimate services to deliver phishing emails. Very tricky!
- ExternalC2.NET. This is the post that explains the tool released last week.
- Pentest tale - Dumping cleartext credentials from antivirus. Sometimes memory dumps and findstr is all it takes to find credentials of value.
- Picky PPID Spoofing. This post has some good example code to help find svchost processes with your integrity level to allow them to be used as a PPID for your process.
- No Logs? No Problem! Incident Response without Windows Event Logs. You can also read this as, "All the things you need to clean up to help stay undetected."
- Using CVE-2021-40531 for RCE with Sketch. "This post covers a vulnerability in Sketch that I discovered back in July — CVE-2021-40531. In its simplest form, it is a macOS quarantine bypass, but in context it can be used for remote code execution."
Tools and Exploits
- tldraw is a tiny little drawing app. Check it out at tldraw.com.
- msticpy. Ever wonder how Microsoft's MSTIC threat hunt group finds evil? msticpy is a library for InfoSec investigation and hunting in Jupyter Notebooks with many data analysis features.
- fileless-xec is a stealth dropper executing remote binaries without dropping them on disk.
- TPM sniffing. With $49 of hardware you too can read a bitlocker key as it leaves the TPM of a laptop. TPM 2.0 has support to encrypt this value, but until then/even after consider adding a second factor to your laptop's decryption routine (PIN, hardware key, etc).
- CheckCert A small utility to request the SSL certificate from a public or private web application implemented in C# and as a BOF.
- SQLRecon is a C# MS SQL toolkit designed for offensive reconnaissance and post-exploitation.
- Oh365UserFinde is used for identifying valid o365 accounts and domains without the risk of account lockouts. The tool parses responses to identify the "IfExistsResult" flag is null or not, and responds appropriately if the user is valid.
- Visual-Studio-BOF-template is a baseline template that can be reused to develop BOFs with Visual Studio without having to worry about dynamic function resolution syntax, stripping symbols, compiler configurations, C++ name mangling, or unexpected runtime errors.
- GPUSleep moves the beacon image to GPU memory before the beacon sleeps, and move it back to main memory after sleeping. Check out the blog post here.
- MultiPotato is another "potato" to get SYSTEM via SeImpersonate privileges, but this one is different since tt doesn't contain any SYSTEM auth trigger for weaponization so the code can be used to integrate your favorite trigger by yourself. Also, tt's not only using CreateProcessWithTokenW to spawn a new process. Instead you can choose between CreateProcessWithTokenW, CreateProcessAsUserW, CreateUser and BindShell.
- DumpNParse is a Combination LSASS Dumper and LSASS Parser adapted from other projects.
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- digital-forensics-lab is a free hands-on digital forensics labs for students and faculty. Note that on windows it actually drops the binary to disk and runs it, going against the very name of the project...
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.