Last Week in Security (LWiS) - 2022-02-22
VMware RCEs (@__mn1__ and @elk0kc), un-redacting text (@2600AltF4), undetectable AirTags (@positive_sec), Kerberos relaying via DNS (@_dirkjan), tmp.Out volume 2 (@tmpout), tclsh macOS dylib loading (@_D00mfist), Athena agent (@checkymander), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-02-14 to 2022-02-22.
News
- The Cyber Social Contract: How to Rebuild Trust in a Digital World. US National Cyber Director Chris Inglis postulates that the free market can't solve cybersecurity. It will be interesting to see how this develops.
- Current MFA Fatigue Attack Campaign Targeting Microsoft Office 365 Users. Overwhelming victims with tons of push MFA messages until they finally click allow just to make them stop is a valid attack. Does your organization detect MFA floods, or does your MFA system lock accounts after a threshold of MFA tokens have been requested with no user action?
- Retrospective: Recent Coinbase Bug Bounty Award. Logic bugs in web apps can be bad, or they can be horrific. This one is horrific. A $250k bounty proves again cryptocurrency is where the money is for bug bounty hunters.
- tmp.Out Volume 2 released. tmp.Out is becoming a Linux-focused Phrack, and I'm here for it. Excited to dig into these articles!
- Passware Kit Forensic T2 Add-on: The First Password Recovery Tool for Macs With T2 Chips. According to 9to5mac, the exploit only allows ~15 attempts per second, so your 15+ character macOS password is probably safe. The attack requires physical access. M1 Macs are not affected.
Techniques and Write-ups
- Relaying Kerberos over DNS using krbrelayx and mitm6. This is the next generation of WPAD relaying! Dirk-jan delivers yet again. I had no idea there was such a thing as an authenticated dynamic update via DNS. I'm not sure how often this happens in production environments, but it's a neat technique to add to your toolbox.
- Hunting for bugs in VMware: View Planner and vRealize Business for Cloud. Seemingly tiny mistakes lead to big vulnerabilities (unauth RCE) in VMware products in this post. A great read for anyone who does web app assessments or source code review.
- A primer on DCSync attack and detection. DCSync is the "slam dunk" of many internal assessments, and this post shows how it's done and details how to detect it in your environment, including using DCSYNCMonitor.
- Production ready eBPF, or how we fixed the BSD socket API. Cloudflare's use case for tubular, a BSD socket API on steroids, is to provide multiple services on the same port and listen on every port, but I can think of some more "rootkity" uses for tubular...
- Zabbix - A Case Study of Unsafe Session Storage. Many web apps store authentication information on the client side in cookies or other browser storage. Problems arise when misconfigurations allow clients to dictate their role without backend checks, as was the case with Zabbix, which led to full authentication bypass.
- Never, Ever, Ever Use Pixelation for Redacting Text. "When you need to redact text, use black bars covering the whole text. Never use anything else. No pixelization, no blurring, no fuzzing, no swirling. Oh, and be sure to actually edit the text as an image. Don’t make the mistake of changing your Word document so that it has black background with black text." If you need convincing, check out unredacter.
- Find You: Building a stealth AirTag clone. By exploiting the privacy functionality of AirTags and the amazing (and previously blogged about) openhaystack project, this post shows how you can create, and detect, otherwise undetectable trackers. Check out the code in find-you.
- Useful Libraries for Malware Development. Some old and new friends in here. Worth a read for any tool developer!
- Kernel Karnage – Part 9 (Finishing Touches). This series has been a fun ride. The only sad part is no PoCs.
- Dylib Loads that Tickle your Fancy. macOS is full of strange, archaic binaries (to be fair, so is every OS). One such binary, tclsh, can load arbitrary dynamic libraries.
- Chasing the Silver Petit Potam to Domain Admin. Sometimes you get lucky and can crack the NTLMv1 hash from a DC authentication elicitation. In that case, it's just one more step to DA!
- Steal Credentials & Bypass 2FA Using noVNC. Simply genius. Why bother with a tricky proxy solution, when you can just have the user log into a site with a browser you control?
Tools and Exploits
- Athena is a fully-featured cross-platform agent designed using .NET 6. Athena is designed for Mythic 2.2 and newer. Crossplatform operations with Athena has all the details.
- IgnoreAppLocker.dll is a DLL to launch a cmd.exe as NT AUTHORITY\SERVICE, which doesn't get blocked or logged by AppLocker, and neither do any processes launched by this cmd.exe process.
- PELoader implements various shellcode injection techniques, and uses the libpeconv library to load encrypted PE files instead of injecting shellcode into a remote thread.
- kraken is a dockerized multi-platform distributed brute-force password cracking system with a web front end.
- bflat is a concoction of Roslyn - the "official" C# compiler that produces .NET executables - and NativeAOT (née CoreRT) - the ahead of time compiler for .NET based on CoreCLR. Thanks to this, you get access to the latest C# features using the high performance CoreCLR GC and native code generator (RyuJIT). C# as you know it but with Go-inspired tooling (small, self-contained, and native executables).
- BananaPhone is a Go variant of Hell's Gate! (directly calling Windows kernel functions, but from Go!) - not new, but now with Halo's Gate!
New to Me
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- lossless-cut aims to be the ultimate cross platform FFmpeg GUI for extremely fast and lossless operations on video, audio, subtitle and other related media files. The main feature is lossless trimming and cutting of video and audio files, which is great for saving space by rough-cutting your large video files taken from a video camera, GoPro, drone, etc. It lets you quickly extract the good parts from your videos and discard many gigabytes of data without doing a slow re-encode and thereby losing quality. Not offsec related, but useful!
- fastfinder is a lightweight tool made for threat hunting, live forensics and triage on both Windows and Linux platforms.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.