Jan 03 2022 Last Week in Security (LWiS) - 2022-01-03

News

• China suspends deal with Alibaba for not sharing Log4j 0-day first with the government. Note this isn't as bad as the headline makes it seems, as China only suspended a "cooperative partnership... regarding cybersecurity threats and information-sharing platforms." Regardless, it sends a clear message. If you find a vulnerability in China, you'd better tell the government about it before anyone else.
• ZeroPeril Deep dive into executable packers & malware unpacking Training Course Announcement. New fully remote training that uses x86/x64dbg. Training is fully remote (Teams).
• How did LastPass master passwords get compromised?. A number of users received emails that their master password had correctly been used from a suspicious location, even after changing it. Is this an email error or something deeper? Either way, not a good look for LastPass, which has already lost credibility.
• In 2022, YYMMDDhhmm formatted times exceed signed int range, breaking Microsoft services. Duct tape and glue. It's all just duct tape and glue.

Techniques

• Android Application Testing Using Windows 11 and Windows Subsystem for Android. You've heard of the Windows subsystem for Linux, but how about the Windows subsystem for Andrid? Now you can use your favorite mobile assessment tools like objection and Burp suite without needing a real android device!
• Hopper Disassembler. This post shows how to use Hopper to bypass simple jailbreak detection by modifying a single jump instruction. Sometimes it is that simple, but the trick is knowing which byte to change.
• MS Teams: 1 feature, 4 vulnerabilities. None of these are severe, but some are simple issues that you wouldn't expect a market leader in connectivity to be making.
• Attacks on Wireless Coexistence: Exploiting Cross-Technology Performance Features for Inter-Chip Privilege Escalation (PDF). System on a Chip (SoC) designs can include multiple wireless technologies with shared components. This overlap can lead to one compromised protocol being able to read or edit data on another medium via the shared resources.
• How to exploit Log4j vulnerabilities in VMWare vCenter. Unauthenticated remote code execution as root against vCenter via Log4j. The post covers good post-exploitation options and even drops the PoC: Log4jCenter.
• Where's the Interpreter!? (CVE-2021-30853). This dead-simple Gatekeeper bypass makes you wonder what other silly tricks are out there. Patrick doesn't stop at the PoC and dives deep into the root cause of this bug. Notably this fix is absent for Catalina (10.15.7), however my very limited testing indicates it may not be vulnerable.
• A Deep Dive into DoubleFeature, Equation Group’s Post-Exploitation Dashboard. If you're interested in what "real" APT malware looks like, this long post covers a lot of tools.
• Remote Process Enumeration with WTS Set of Windows APIs. With the proper privileges you can get a remote process list using standard Windows APIs. This would be a nice tool to avoid machines with EDR or other programs running.
• CVE-2021-31956 vulnerability analysis (Chinese). This post explores CVE-2021-31956, a local privilege escalation within Windows due to a kernel memory corruption bug which was patched within the June 2021 Patch Tuesday and contains actual exploit code.
• HyperGuard – Secure Kernel Patch Guard: Part 1 – SKPG Initialization
• Dumping LSASS with Duplicated Handles. Rastamouse walks through how to use duplicated handles to dump LSASS which builds on his previous post on enumerating and duplicating handles. It still dumps to disk, so a pure in-memory implementation will get you even more evasion points.
• Another Log4j on the fire: Unifi. Another great walkthrough on how to go from login page to backdoored appliance from Nicholas at Sprocket Security. 67,000 exposed instances on shodan... RIP in peace.
• Phishing With Spoofed Cloud Attachments. "Abuse the way O365 Outlook renders cloud attachments to make malicious executable cloud attachments look like harmless files." This is phishing gold. Paired with a nice sandbox aware firewall/redirector it will likely yield success with a simple docuement.pdf.exe payload because the mail looks so good.
• Edition 14: To WAF or not to WAF Effectiveness of WAFs are a hotly debated subject in AppSec circles. This post tries to bring a structure to that discussion.

Tools and Exploits

• KaynLdr is a Reflective Loader written in C / ASM. It uses direct syscalls to allocate virtual memory as RW and changes it to RX. It erases the DOS and NT Headers to make it look less suspicious in memory.
• WMEye is a post exploitation tool that uses WMI Event Filter and MSBuild Execution for lateral movement.
• hayabusa is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs. Reminds me of chainsaw.
• Tool Release – shouganaiyo-loader: A Tool to Force JVM Attaches. This loader forces Java agents to be loaded and can inject Java or JVMTI agents into Java processes (Sun/Oracle HotSpot or OpenJ9).
• Invoke-Bof loads any Beacon Object File using Powershell!
• Inject_Dylib is Swift code to programmatically perform dylib injection.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• Pentest Collaboration Framework is an open source, cross-platform, and portable toolkit for automating routine processes when carrying out vulnerability testing.
• Registry-Spy is a cross-platform registry browser for raw Windows registry files written in Python.
• iptable_evil is a very specific backdoor for iptables that allows all packets with the evil bit set, no matter the firewall rules. While this specific implementation is modeled on a joke RFC, the code could easily be modified to be more stealthy/useful.
• Narthex is a modular & minimal dictionary generator for Unix and Unix-like operating system written in C and Shell. It contains autonomous Unix-style programs for the creation of personalized dictionaries that can be used for password recovery & security assessments.
• whatfiles is a Linux utility that logs what files another program reads/writes/creates/deletes on your system. It traces any new processes and threads that are created by the targeted process as well.
• The HatSploit Framework is a modular penetration testing platform that enables you to write, test, and execute exploit code.
• TokenUniverse is an advanced tool for working with access tokens and Windows security policy.
• LACheck is a multithreaded C# .NET assembly local administrative privilege enumeration. That's underselling it though, this has lots of cool enumeration capabilities such as remote EDR driver enumeration.
• Desktop environment in the browser. This is just... wow. Code here: daedalOS.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.