Last Week in Security (LWiS) - 2022-04-04
Shared section abuse (@BillDemirkapi), ISOs and office MOTW (@DidierStevens), better fuzzing harnesses (@h0mbre_), PoshC2 Linux ELF loader (@jdsnape), "Event pipes" for IPC (@x86matthew), Linux LPE (@pqlqpql), .soap webshells (@0xbad53c), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-03-28 to 2022-04-04.
News
- Spring Core on JDK9+ is vulnerable to remote code execution. "Spring4Shell" aka "SpringShell" aka CVE-2022-22865 is a one-request RCE against some Spring Core installs (tomcat hosted). TrustedSec has technical goodies.
- Now in preview: Azure Virtual Machines with Ampere Altra Arm-based processors. You can spin up ARM VMs in Azure (Linux and Windows 11). The age of ARM is upon us. The feature is in preview, so you'll have to fill out this form.
- The price of Cobalt Strike for new customers will be $5,900 per user for a one-year license. Bigger development team = bigger budget.
- GitLab Critical Security Release: 14.9.2, 14.8.5, and 14.7.7. GitLab security releases often include serious vulnerability patches, but this one is especially bad. "A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts." You can see the change to o_auth/user.rb here.
- .ISO Files With Office Maldocs & Protected View in Office 2019 and 2021. After the news that macros will be blocked by default this month, many attackers were comforted by the fact there are many ways to deliver a payload without a Mark-of-the-web. The Microsoft Office team has taken one option off the table with some specific ISO inspections. This is an Office feature, as Windows does not add the MOTW to files in an ISO. You can still use other formats in tools such as PackMyPayload.
- Apple and Meta Gave User Data to Hackers Who Used Forged Legal Requests. Why hack when you can just ask for data? KrebsOnSecurity has more detail.
- MailChimp have confirmed that their service has been compromised by an insider targeting crypto companies.. Time to update your threat models.
Techniques and Write-ups
- FORCEDENTRY: Sandbox Escape. This post focuses on the sandbox escape used in the wild GIF JBIG2 decoder-as-stack-based-VM exploit.
- Veni, MIDI, Vici — Conquering CVE-2022-22657 and CVE-2022-22664. The bugs aren't the coolest, but the technique of "associative fuzzing" is valid and underused.
- Sharing is Caring: Abusing Shared Sections for Code Injection. After being forced to look for a new position due to sharing of LASPUS$ victim IR report screenshots (I guess?), Bill is back to writing interesting technical blogs (although he never stopped). A loss for Zoom, a win for us!
- PHP Supply Chain Attack on PEAR. Insufficient randomness strikes again!
- Fuzzing Like A Caveman 6: Binary Only Snapshot Fuzzing Harness. Fuzzing is all about speed, so being able to reset state and feed input from memory means more test cases, and hopefully more unique crashes.
- New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits. Digitally signed rootkit drivers are scary, but there are lots of potential IOCs here that should be detected. Even the digital signature should have been suspect in an enterprise (unless you are a game dev perhaps).
- EventPipe - An IPC method to transfer binary data between processes using event objects. A clever, but perhaps low bandwidth way to do inter-process communication on Windows that may not be as detected as standard named pipes or shared memory.
- Pwning 3CX Phone Management Backends from the Internet. This is an interesting journey from "whats on shoadan" to RCE.
- IIS - SOAP. IIS will process .soap files, enabling webshells with this little known extension.
Tools and Exploits
- Introducing PoshC2 v8.0. BOF compatibility, and a very slick Linux loader make version 8 worth checking out.
- CVE-2022-1015 Local privilege escalation PoC for a bug in the nf_tables component of the linux kernel. More details here.
- Smug_Fu3k is a HTML smuggling generator.
- Introducing PacketStreamer: distributed packet capture for cloud-native platforms. tcpdump is perhaps my favorite debugging tool, but with the #distributed #microservices world we live in now, it can be hard to actually get packets from where you need them. PacketStreamer aims to be a universal packet forwarder to enable network visibility and debugging.
- DDexec is a technique to run binaries filelessly and stealthily on Linux by tricking dd into pwning itself (reflective injection).
- boopkit is a Linux eBPF backdoor over TCP. Spawn reverse shells, RCE, on prior privileged access. Less Honkin, More Tonkin.
- nim-loader is a WIP shellcode loader in nim with EDR evasion techniques.
- Dump-Chrome-Cookies a modified version of CookieBro and scripts to leverage it to dump Chrome cookies. Check out the blog post for more info.
New to Me
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- Melody is a language that compiles to regular expressions and aims to be more easily readable and maintainable.
- Rip Raw is a small tool to analyze the memory of compromised Linux systems.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.