Last Week in Security (LWiS) - 2022-02-14
Prevent IP takeover (@infosec_au), Windows LPE via handles (@last0x00), Exception Oriented Programming (@BillDemirkapi and @x86matthew), Bloodhound 4.1 (@_wald0), object overloading (@_xpn_), arb file write on DCs (@Junior_Baines), KrbRelay (@cube0x0), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-02-07 to 2022-02-14.
News
- 🌹 Roses are red, Violets are blue 💙 Giving leets 🧑💻 more sweets 🍭 All of 2022! There is big money in Linux Kernel and Kubernetes 0days and 1days these days.
- Cryptocurrency firm MakerDAO offers record $10m in newly launched bug bounty program. The real money is in hacking smart contracts. Don't believe me? You should.
- Prosecutor will not charge Post-Dispatch for DESE data vulnerability story. Four months after a reporter used "view-source" to find social security numbers on a state-run school website, the county prosecutor said he will not prosecute. A bit crazy it had to go all the way to a prosecutor before someone had enough sense to shut it down.
- 2021 Trends Show Increased Globalized Threat of Ransomware (PDF). NCSC, CISA, and the NSA team up to warn everyone about ransomware. This would be a good release for 2017.
Techniques and Write-ups
- Object Overloading. This is a dense but very interesting article. TLDR is you can convince processes to load DLLs from directories on start with ProcessDeviceMap, but this isn't an article to skip over. ObjectOverloadingPOC has the code.
- Eliminating Dangling Elastic IP Takeovers with Ghostbuster. IP takeovers can be dangerous (see compromising the email supply chain of Australia's most respected institutions, also AUS based 🤔), so shubs developed ghostbuster, which enumerates all your cloud-assigned IPs and then checks whether any of your DNS records point to IPs you no longer control.
- Gaining the upper hand(le). Sometimes SYSTEM-level processes on Windows spawn lower-integrity processes but keep high-integrity handles open. This post shows how that can be exploited and teases a tool that does it all automatically. No release yet though.
- Abusing Exceptions for Code Execution, Part 1. This is a similar post to WindowsNoExec, but with more detail and macOS PoC to boot. Exception oriented programming (EOP) is the future?
- AD CS: from ManageCA to RCE. ManageCA and ManageCertificates permissions were suggested to be dangerous in the Certified Pre-Owned (PDF) paper, but now a user with the ManageCA permission has the ability to perform an arbitrary file write on any local path on the CA server or on any remote path where that server has write permissions, and thus RCE. Check the BlackArrow Certify for the new features.
- Active Directory, whoami?. Last week there was a tool release (SharpLdapWhoami) I didn't fully understand the use for. A helpful reader spelled it out for me!
- Introducing BloodHound 4.1 — The Three Headed Hound. Three new edges arrive in 4.1: AddKeyCredentialLink, AddSelf, and WriteSPN. Read the post to learn about each of them.
- StackScraper - Capturing sensitive data using real-time stack scanning against a remote process. This memory searching tool could be very useful for post-exploitation credential harvesting, or app security research.
- Dropping Files on a Domain Controller Using CVE-2021-43893. The December Patch Tuesday fix for CVE-2021-43893 (remote privesc against Encrypting File System (EFS)) wasn't complete. Jake from Rapid7 decided to weaponize it, and on top of authenticated users being able to write arbitrary files to a DC, the incomplete patch allows for yet another authentication elicitation technique. Sprinkle on some relaying, and before you know it you're authenticated as a DA's machine account (if a machine account is in the DA group, that is)! The tool is called blankspace.
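The dangling-record check that Ghostbuster (above) automates, as an added example in my own Python, not the Ghostbuster code: given a constructed inventory of IPs and ranges you still own and a constructed DNS zone, follow CNAMEs to their A records and flag every name that ends up at an address outside your inventory.

```python
import ipaddress

# Constructed sample inventory of addresses this org still owns (single IPs
# and CIDR blocks, e.g. elastic IPs allocated in your cloud accounts).
OWNED = {"203.0.113.10", "203.0.113.11", "198.51.100.0/28"}

# Constructed sample zone as (name, type, value). CNAME targets are followed
# within the zone itself, standing in for a real resolver.
ZONE = [
    ("www.example.com", "A", "203.0.113.10"),
    ("old-app.example.com", "A", "203.0.113.77"),      # IP released, record left behind
    ("api.example.com", "CNAME", "lb.example.com"),
    ("lb.example.com", "A", "198.51.100.5"),
    ("legacy.example.com", "CNAME", "gone.example.com"),
    ("gone.example.com", "A", "192.0.2.44"),           # no longer ours
    ("mail.example.com", "MX", "10 mx.example.net"),   # ignored: not an address record
]


def resolve_a(zone, name, depth=0):
    """Follow CNAME chains inside the zone and return the final A record values."""
    if depth > 8:  # guard against CNAME loops
        return []
    ips = []
    for rname, rtype, value in zone:
        if rname != name:
            continue
        if rtype == "A":
            ips.append(value)
        elif rtype == "CNAME":
            ips.extend(resolve_a(zone, value, depth + 1))
    return ips


def find_dangling(zone, owned):
    """Return {hostname: [ips]} for every name resolving to an IP you do not own."""
    nets = [ipaddress.ip_network(o, strict=False) for o in owned]
    dangling = {}
    for name in {r[0] for r in zone if r[1] in ("A", "CNAME")}:
        bad = [ip for ip in resolve_a(zone, name)
               if not any(ipaddress.ip_address(ip) in n for n in nets)]
        if bad:
            dangling[name] = sorted(bad)
    return dangling


if __name__ == "__main__":
    for host, ips in sorted(find_dangling(ZONE, OWNED).items()):
        print(f"DANGLING {host} -> {', '.join(ips)}")
```

Run against a real zone, the same logic would pull the inventory from your cloud provider's API and the records from your DNS host; both are constructed here so it runs offline.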
Tools and Exploits
- KrbRelay is a framework for Kerberos relaying. The relaying game just got a whole lot more interesting. The demo is very impressive.
- CobaltBus is a Cobalt Strike External C2 integration with Azure Service Bus, i.e. C2 traffic is carried over Azure Service Bus.
- TymSpecial is a SysWhispers-integrated shellcode loader with ETW patching, anti-sandboxing, and spoofed code signing certificates.
- PPL_Sandboxer is a small C PoC to make Defender useless by removing token privileges and lowering token integrity.
- SpoolFool is an exploit for CVE-2022-21999 - Windows Print Spooler Elevation of Privilege Vulnerability (LPE) that should work by default on all Windows desktop versions up to the 2022-02-08 patch.
- hygieia is a vulnerable driver traces scanner written in C++ as an x64 Windows kernel driver.
- pdfrip is a fast PDF password cracking utility equipped with commonly encountered password format builders and dictionary attacks.
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- melody is a transparent internet sensor built for threat intelligence. Supports custom tagging rules and vulnerable application simulation.
- monorepo.tools. "Everything you need to know about monorepos, and the tools to build them." With a bit of nudging to use Nx because the team that wrote this is selling Nx (but honestly Nx looks pretty awesome).
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.