Jan 18 2022 Last Week in Security (LWiS) - 2022-01-18

CI/CD pipeline war stories (@0xZon1 + others), Serv-U exploit writing (Carl Livitt of @bishopfox), Safari IndexedDB leak (@FingerprintJS), RDP services vuln (@sztejnworcel), a very slick loader (@cerbersec), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-01-10 to 2022-01-18.

News

Illegal Activities of members of an organized criminal community stopped (REvil) [Russian, fsb.ru] The FSB claims that due to recent "joint actions of the FSB and the Ministry of Internal Affairs of Russia, the organized criminal community ceased to exist, the information infrastructure used for criminal purposes was neutralized." You can even see video of the takedowns on YouTube. While 14 individuals were arrested, it's too soon to see if this will impact REvils operations. If it does, what prompted Russia to finally take action? Google translate of the FSB releases says the "basis for the search activities was the appeal of the competent US authorities."
HTTP Protocol Stack Remote Code Execution Vulnerability. Patch tuesday brought with it an unauthenticated RCE in Window's http.sys drivers for Windows 10 (1809+) and Server (2019+). What looks like a crash PoC is available here, complete with a pointless 17 second sleep.
Coming Soon: New Security Update Guide Notification System. Microsoft is making it easier to get notifications of changes to security update guides but the biggest news is that this system no longer requires a Live ID. A separate email/password combo can be used for the new system.
Exploiting IndexedDB API information leaks in Safari 15. "Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session." WebKit is slowly becoming the internet explorer of the modern browsers. PoC code here.

Techniques

Load nanodump as an SSP. The most advanced lsass dumper BOF was updated to allow you to load it as a Security support provider (SSP) which prevents your process from opening any handles to lsass.exe. More details on SSPs can be found here.
10 real-world stories of how we’ve compromised CI/CD pipelines. I like the thesis here that CI/CD pipelines are just "execution engines," and without proper protection can be abused like any other system. This one is worth a read and ponder if your CI/CD pipelines would fall to any of these or similar attacks.
Creating an Exploit: SolarWinds Vulnerability CVE-2021-35211. This is a great walkthrough of going from CVE to shell.
Attacking RDP from Inside: How we abused named pipes for smart-card hijacking, unauthorized file system access to client machines and more. This is incredible research and a serious vulnerability. The smart card demo was particularly impressive. This was patched last Tuesday, but should give pause to using RDP on machines with any high privileged account.
CyberArk Endpoint Manager Local Privilege Escalation CVE-2021–44049.. Off the high of the last article (written by a CyberArk employee), this one shows that simple permissions issues can lead to LPEs.
Mixed Messages: Busting Box’s MFA Methods. The use of a valid app-based MFA token for a controlled account allows bypass on a target account when a user only has SMS based MFA. The back end of Box must have been missing some pretty basic checks for this to work, but props for trying it!
Zooming in on Zero-click Exploits. A deep look at Zoom reveals a buffer overflow and information leak. It's not surprising that the massive code base of Zoom has issues.
BreadMan Module Stomping & API Unhooking Using Native APIs. This new type of module stomping has some advantages, namely you don't need to load an arbitrary library into our memory space and the starting function call of the thread will point to an address space resolved usually by trusted DLLs such as ntdll.dll. Code here.

Tools and Exploits

azure-function-proxy is a basic proxy as an azure function serverless app to use *[.]azurewebsites[.]net domain for phishing.
Ares is a Proof of Concept (PoC) loader written in C/C++ based on the Transacted Hollowing technique. This loader has a bunch of nice features and is far beyond the typical loader released on Github.
ParallelNimcalls is a Nim version of MDSec's Parallel Syscall PoC. Last week it was in C++ and C#, now it's in Nim!

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

vapi is a Vulnerable Adversely Programmed Interface which is Self-Hostable API that mimics OWASP API Top 10 scenarios.
reFlutter is a Flutter Reverse Engineering Framework for iOS and Android apps. This framework helps with Flutter apps reverse engineering using the patched version of the Flutter library which is already compiled and ready for app repacking. This library has snapshot deserialization process modified to allow you perform dynamic analysis in a convenient way.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.