Last Week in Security (LWiS) - 2021-12-14

Log4j RCE, sAMAccountName [DA from any user] (@exploitph), XLAM tricks (@_DaWouw), Cobalt Strike 4.5 and MiTM (@joevest, @DidierStevens), CVEtrends (@SimonByte), additional Windows kernel tricks (@cerbersec), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-12-07 to 2021-12-14.

News

Techniques

  • CVE-2021-42287/CVE-2021-42278 Weaponisation. With all the log4j hype, this one may have slipped by. Don't let it, as it allows any domain user with the ability to add computer accounts (default 10 per user) to get a ticket as a DC to arbitrary services, which allows DCSyncing. The patch is out, but given the season and log4j, this one might have legs into 2022. Be sure to also check out more sAMAccountName Impersonation. The switches needed for this attack are now in Rubeus.
  • A phishing document signed by Microsoft – part 1. The masters of maldocs are back at it. This time using an Excel add-in (XLAM) with modified contents but a "valid" Microsoft signature to deliver malicious VBS. Amazing work as always.
  • Getting root on Ubuntu through wishful thinking. Exploits are hard; even when you get root, sometimes you aren't sure why. Adding a sleep to allow attaching a debugger when the process did eventually crash was clever. Full PoC here.
  • MiTM Cobalt Strike Network Traffic. This relies on having the beacon private keys, but once in hand, network defenders or those in privileged network positions could inject commands into Cobalt Strike traffic.
  • Kernel Karnage – Part 6 (Last Call). This series has been great thus far. Let's see what kernel driver loading tricks they come up with in future posts!

Tools and Exploits

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • AFLTriage is a tool to triage crashing input files using a debugger. It is designed to be portable and not require any run-time dependencies, besides libc and an external debugger. It supports triaging crashes generated by any program, not just AFL, but recognizes AFL directories specially, hence the name.
  • KingHamlet is a simple tool that allows you to perform a Process Ghosting attack.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.