Last Week in Security (LWiS) - 2022-01-31
pkexec Linux LPE (@jogibharat), .NET remoting (@codewhitesec), usernames from CUCM (@n00py1), Notepad++ persistence (@_RastaMouse), Mythic update (@its_a_feature_), modern password spraying (@SprocketSec), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-01-25 to 2022-01-31.
News
- PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit’s pkexec (CVE-2021-4034). Easily the biggest story of the last week. This is the Dirty COW of 2022, except even more stable and trivial to exploit. There are countless PoCs on GitHub. poc-cve-2021-4034 compiles nicely into a single executable.
Techniques and Write-ups
- Custom Previews For Malicious Attachments. This is a nice phishing technique that allows attackers to create fake previews for their malicious attachment with Google Mail using an intercepting proxy.
- Bypassing Little Snitch Firewall with Empty TCP Packets. Some nifty macOS tradecraft to bypass the popular client firewall. However, you'd have to bake this into your initial access method or have advance knowledge of Little Snitch use.
- .NET Remoting Revisited. This deprecated .NET architecture is still seen in older .NET projects, and this post breaks down how it works and how it can be exploited.
- Hacking the Apple Webcam (again). Four 0-days combine to give an attacker full control over every website visited by the victim and camera access. This bug chain included a universal XSS and netted Ryan $100,500. Given the level of access achieved, that payout seems reasonable.
- Unauthenticated Dumping of Usernames via Cisco Unified Call Manager (CUCM). If you've ever dealt with Cisco phone systems, this post will bring back memories. If not, stash it away for when you inevitably do.
- Notepad++ Plugins for Persistence. This type of semi-legitimate persistence is great and usually goes undetected.
- Mythic 2.3 — An Interface Reborn. Mythic has become one of the major C2 players in the red team space thanks to its flexibility. This update looks great, and I look forward to trying out all the new features.
- Password spraying and MFA bypasses in the modern security landscape. You don't read much about password spraying these days, but done right it can be a useful technique. This post is a good example of how to spray correctly.
Tools and Exploits
- stratus-red-team is "Atomic Red Team™" for the cloud, allowing you to emulate offensive attack techniques in a granular and self-contained manner.
- T.D.P. - Thread Description Poisoning uses SetThreadDescription and GetThreadDescription functions to hide the payload from memory scanners.
- CVE-2022-21882 is a win32k LPE that bypasses the patch for CVE-2021-1732.
- NimGetSyscallStub gets fresh Syscalls from a fresh ntdll.dll copy. This code can be used as an alternative to the already published awesome tools NimlineWhispers and NimlineWhispers2 by @ajpc500 or ParallelNimcalls.
- DefenderStop is a C# project to stop the Defender service via token impersonation.
- PurplePanda fetches resources from different cloud/SaaS applications, focusing on permissions, in order to identify privilege escalation paths and dangerous permissions in the cloud/SaaS configurations. Note that PurplePanda searches for privilege escalation paths both within a platform and across platforms.
- NimPackt-v1 is a Nim-based packer for .NET (C#) executables and shellcode targeting Windows. It automatically wraps the payload in a Nim binary that is compiled to native C and as such is harder to detect and reverse engineer.
- wholeaked is a file-sharing tool that allows you to find the responsible person in case of a leak. I could see this being useful for sending multiple copies of phishing documents and seeing which ones end up on VirusTotal or similar sites.
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- hobbits is a multi-platform GUI for bit-based analysis, processing, and visualization. This reminds me of the 010 Editor and its templates.
- spraycharles is a low and slow password spraying tool, designed to spray on an interval over a long period of time.
- cent (Community Edition Nuclei Templates) is a simple tool that allows you to organize all the Nuclei templates offered by the community in one place.
- Frida HandBook is an amazing resource for all things binary instrumentation.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.