Last Week in Security (LWiS) - 2022-03-14
Embedded reversing (@zi0Black), SQL injection despite prepared statements (@Dooflin5), AutoWarp Azure token leak (@Yanir_), Viscosity DPAPI defeat (@checkymander), password tricks without mimikatz (@n00py1), Chakra exploitation (@33y0re), rethinking phishing assessments (@matterpreter), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-02-28 to 2022-03-14.
News
- The Dirty Pipe Vulnerability. Linux 5.8+ was vulnerable to a DirtyCOW-esq bug that allows overwriting data in arbitrary read-only files. It can also be used as a Docker container escape. PoCs available here: CVE-2022-0847-DirtyPipe-Exploits.
- Multiple vulnerabilities (CVE-2022-26500, CVE-2022-26501) in Veeam Backup & Replication allow executing malicious code remotely without authentication. Veeam is a very popular virtual machine backup vendor. While hopefully not publically exposed, once inside these vulnerabilities could prove very useful to a red team.
- iCloud Private Relay: information for Cloudflare customers. An interesting post about Cloudflare's role in "Private Relay." The part that stuck out to me was: '"Private Relay is designed to ensure only valid Apple devices and accounts in good standing are allowed to use the service. Websites that use IP addresses to enforce fraud prevention and anti-abuse measures can trust that connections through Private Relay have been validated at the account and device level by Apple." Because of these advanced device and user authorization steps, you might consider allowlisting Private Relay IP addresses explicitly.' Are burner Apple IDs and Private Relay a quick way to bypass anti-fraud controls?
- Cobalt Strike Roadmap Update. Cobalt Strike has continued to grow after the acquisition by HelpSystems, and this post promises to continue that growth. As the most popular adversary simulation tool on the market, Cobalt Strike is the standard that all other C2's and agents are compared to.
- Leaked stolen Nvidia key can sign Windows malware. The Nvidia data has been leaked, and the perpetrators have moved on to Samsung.
- Ubisoft Cyber Security Incident Update. Lapsus$ is a likely culprit. Unconfirmed, but Lapsus$ shared the link on their Telegram with a smirk emoji - that's attribution in 2022 right?.
- Conti Ransomware Group Diaries. Krebs does a great job digging into the Conti chat log leaks. The Conti group was well financed, and run much like you'd expect a mid size business to run - with all the infighting and drama that entails.
- Introducing the InternetDB API. Free, and no API key required. Information isn't super detailed, but you get open ports, Common Platform Enumeration (CPE), hostnames, tags, and vulnerabilities with a single request.
Techniques and Write-ups
- Reversing embedded device bootloader (U-Boot) - p.1. Encrypted kernel images for IoT devices can be a pain, and when they use custom encryption it can be even worse. This post shows the struggle of finding the decryption routine for an ARM powered IoT device that boots with U-boot.
- Finding an Authorization Bypass on my Own Website. If you think prepared SQL statements protect you from all SQL injections, this post is for you. Edge cases can be crazy, and lead to auth bypasses!
- Good file… (What is it good for) Part 1. What PDB paths and GUIDs do your tools use? Maybe time to do some research into good files on your own and reuse "good" elements in your tooling.
- Microsoft Defender for Office 365 Identification. A quick and easy check to see if an organization is using the paid Defender for O365 by sending a single email.
- Disclosure of Vulnerability in Azure Automation Managed Identity Tokens. This is the corporate response, but the simple truth is much more frightening.
- Decrypting Viscosity Passwords. The DPAPI protected credentials for the VPN software are protected with a custom salt that causes common automated DPAPI decryption tools to fail. The use of WinDBG to find the salt is generally applicable and a good trick to stash in your toolbox.
- Manipulating User Passwords Without Mimikatz. Some excellent attack options that avoid well signatured binaries/tools in this post. The ShadowCredentials trick is a sneaky favorite.
- Exploit Development: Browser Exploitation on Windows - CVE-2019-0567, A Microsoft Edge Type Confusion Vulnerability (Part 1). If you're even remotely curious about browser exploitation, take an hour and read this post. Connor never disapoints and his blog has more knowledge packed into it than 700 level SANS courses.
- Finding gadgets like it's 2022. CodeQL strikes again, this time in a unqiue application - to find gadgets for Java exploits! You have to have the source code of the target app and be able to compile it, but otherwise, this is a neat new technique to find gadget chains.
- Revisiting Phishing Simulations. I once had a boss tell me "we never will do assumed breach." I hope he reads this. "Given enough time and resources, a motivated and reasonably sophisticated threat actor will eventually gain access to your environment." Purple teams are the way of the future for mature organizations.
- macOS Red Teaming: Bypass TCC with old apps. macOS privacy framework (TCC) got you down? Use an old version of an app that is vulnerable to dylib injection, inherit the legitimate TCC permission, and win!
- Abusing Kerberos Constrained Delegation without Protocol Transition. There seem to be no end to the ways to can abuse Kerberos in special circumstances.
- Expanding the Hound: Introducing Plaintext Field to Compromised Accounts. Modify the BloodHound database to fit your use cases.
Tools and Exploits
- Removing PowerShell Comments, Whitespace, and Handles. A simple script to help make your Powershell less detectible.
- oxasploits. All of these exploits are originally coded by oxagast / Marshall Whittaker. Some of them were already known vulnerabilities that they took and re-evaluated then wrote an exploit for them that they thought was more functional or logical in some way. Some of these vulnerabiltiies are partial PoC exploits that will make something crash, but not actually get root. Some will straight drop you at a root shell. None of this code should ever under any circumstances be run in a production environment, or on a system that you do not have express permission to run a penetration test on.
- RunOF is a .NET application that is able to load arbitrary BOFs, pass arguments to them, execute them and collect and return any output. For more details check out Introducing RunOF – Arbitrary BOF tool.
- graphql-cop is a small Python utility to run common security tests against GraphQL APIs.
- nrich is a command-line tool to quickly analyze all IPs in a file and see which ones have open ports/ vulnerabilities. Can also be fed data from stdin to be used in a data pipeline.
- donut this is a donut fork that contains syscall support for AMSI/WDLP patching.
- SyscallPack is a BOF and some shellcode for full DLL unhooking using dynamic syscalls.
- SysWhispers3 is SysWhispers on Steroids - AV/EDR evasion via direct system calls.
New to Me
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- iocscraper is a python tool that enables you to extract IOCs and intelligence from different data sources.
- litefuzz is a multi-platform fuzzer for poking at userland binaries and servers.
- BlueTeam.Lab is a Blue Team detection lab created with Terraform and Ansible in Azure.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.