Last Week in Security (LWiS) - 2021-12-14
Log4j RCE, sAMAccountName [DA from any user] (@exploitph), XLAM tricks (@_DaWouw), Cobalt Strike 4.5 and MiTM (@joevest, @DidierStevens), CVEtrends (@SimonByte), additional Windows kernel tricks (@cerbersec), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-12-07 to 2021-12-14.
News
- log4j logging framework vulnerable to RCE (10.0 CVSS3). Who knew that the ability to do JNDI lookups with user-supplied data could be such an awful idea. Early reports claimed a recent version of Java and some environment variables would mitigate the vulnerability, but they were mistaken. Check out this Blue Team Cheatsheet for links to advisories.
- Pixel prevented me from calling 911. When you give up control of a core function like dialing to third party apps, in this case Microsoft Teams, bad things can happen.
- Improve kernel security with the new Microsoft Vulnerable and Malicious Driver Reporting Center. You can now submit drivers directly to Microsoft with details about how they are vulnerable or malicious.
- Cobalt Strike 4.5: Fork&Run – you’re "history". "We dedicated a significant portion of this release to improving controls around product licensing." When your tool is used in nearly all ransomware events, I suspect HelpSystems got a call from someone to put more controls in place. The biggest change in this release for users is the ability to define custom process injection techniques, as well as increased size limits for the sleep mask kit and user reflective loaders. Cobalt Strike continues to innovate and adapt to the changing offensive security landscape - the reason why it is the go-to tool in the space.
Techniques
- CVE-2021-42287/CVE-2021-42278 Weaponisation. With all the log4j hype, this one may have slipped by. Don't let it: any domain user with the ability to add computer accounts (default 10 per user) can get a ticket as a DC to arbitrary services, which allows DCSyncing. The patch is out, but given the season and log4j, this one might have legs into 2022. Be sure to also check out more sAMAccountName Impersonation. The switches needed for this attack are now in Rubeus.
- A phishing document signed by Microsoft – part 1. The masters of maldocs are back at it. This time using an Excel add-in (XLAM) with modified contents but "valid" Microsoft signature to deliver malicious vbs. Amazing work as always.
- Getting root on Ubuntu through wishful thinking. Exploits are hard; even when you get root, sometimes you aren't sure why. Adding a sleep to allow attaching a debugger when the process did eventually crash was clever. Full PoC here.
- MiTM Cobalt Strike Network Traffic. This relies on having the beacon private keys, but once in hand, network defenders or those in privileged network positions could inject commands into Cobalt Strike traffic.
- Kernel Karnage – Part 6 (Last Call). This series has been great thus far. Let's see what kernel driver loading tricks they come up with in future posts!
Tools and Exploits
- CVE Trends is a dashboard for expensive threat intel (monitoring Twitter) without having to learn about TweetDeck. This is a really nice site to check for the latest log4j RCE or to put up in your NOC.
- Podman Desktop is the Docker desktop replacement you may be looking for now that Docker Desktop is no longer free for most companies.
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- AFLTriage is a tool to triage crashing input files using a debugger. It is designed to be portable and not require any run-time dependencies, besides libc and an external debugger. It supports triaging crashes generated by any program, not just AFL, but recognizes AFL directories specially, hence the name.
- KingHamlet is a simple tool, which allows you to perform a Process Ghosting Attack.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.