Last Week in Security (LWiS) - 2022-04-11
Full Edge exploit (@33y0re), dynamic P/Invoke (@bohops), Veeam exploits (@SinSinology), macOS LPE (@patch1t), AV debugger (@PlowSec), SMB over QUIC (@_xpn_), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-04-04 to 2022-04-11.
News
- Improving software supply chain security with tamper-proof builds. As there is more pressure to secure the software supply chain, solutions like this will hopefully become more popular. Having to rely on GitHub's hosted runner is a downside I hope can be addressed.
- [PDF] Breaking Point: Is mounting pressure creating a ticking time bomb for a health crisis in cybersecurity?. Sample size of only 200, but perhaps some insight here. I wonder if the kind of people drawn to information security are predisposed to mental health issues or if the job is more to blame (a bit of nature vs nurture I suppose).
- IMPORTANT SECURITY BULLETIN: Trend Micro Apex Central Arbitrary File Upload Remote Code Execution (RCE) Vulnerability. Not that noteworthy except that remote, unauthenticated RCE in a security product is always rough. The active in-the-wild exploitation is the cherry on top.
- Establishment of the Bureau of Cyberspace and Digital Policy. Light on details, but a "Digital Freedom Coordinator" at least sounds good?
- New security features for Windows 11 will help protect hybrid work. Some interesting new defaults coming to Windows 11 that will make the OS more secure by default, but also feed more data into the "AI model for application trust within the Microsoft cloud."
- NginxDay - Nginx 18.1 04/09/22 zero-day repo (no code). I'll hold judgement until code is released. This could be a ruse.
Techniques and Write-ups
- Exploit Development: Browser Exploitation on Windows - CVE-2019-0567, A Microsoft Edge Type Confusion Vulnerability (Part 3). This series has been a treat. No one else I know of is putting together detailed, well-written, fully documented, modern exploit walk-throughs with DEP, ASLR, CFG, ACG, CIG, and no-child process mitigation bypasses. This is a SANS SEC760 course for free. Great work Connor!
- CVE-2021-30737, @xerub's 2021 iOS ASN.1 Vulnerability. This post explores the bug that was exploited to unlock the San Bernardino iPhone.
- Unmanaged Code Execution with .NET Dynamic PInvoke. C# and P/Invoke have been the go-to solution after PowerShell's advanced logging was introduced. This "dynamic" P/Invoke (note: not DInvoke) adds some stealth and different signatures to P/Invoke code.
- ABC-Code Execution for Veeam. Veeam is a widely used enterprise backup solution, and recently patched a few bad bugs. We've detailed the remote RCE in LWiS-2022-03-14 and LWiS-2022-03-21, but this covers two additional vulnerabilities. This post is from 2022-03-29, but the MDSec scraper I have only just updated with it. MDSec please include an RSS/Atom feed with your blog!
- Repurposing Real TTPs for use on Red Team Engagements. The job of a good Adversary Simulation offering is to take real TTPs and expand/adapt them to give customers a realistic but unique look at an adversary. This post explains exactly how that was done for a Bleeding Bear attack. Code here: BreadBear.
- MacOS SUHelper Root Privilege Escalation Vulnerability: A Deep Dive Into CVE-2022-22639. A nice LPE for macOS (patched in 12.3). Code here: CVE-2022-22639.
- Automatically extracting static antivirus signatures. The idea of an automated "AV debugger" isn't 100% novel (see: ThreatCheck), but this certainly goes a step further. avdebugger has the code.
- Making SMB Accessible with NTLMquic. SMB over QUIC support is included in Windows 11 and Server 2022. On Windows 11, it's enabled by default and will be attempted if normal TCP/445 fails. This might allow some authentication elicitation from restricted networks that allow QUIC out. Demo and code are up.
- ImportDLLInjection - An alternative method of injecting DLLs by modifying PE headers in memory. What if you simply replace the entire IMAGE_NT_HEADERS structure in a spawned process to include your DLL in the import descriptor list? This post does that and the spawned process will import the DLL!
- Abusing LargePageDrivers to copy shellcode into valid kernel modules. Once again the game cheat community is leading the charge with kernel exploit development.
Tools and Exploits
- ARCInject can overwrite a process's recovery callback and execute with WER.
- Jeeves is made for looking for Time-Based Blind SQL Injection through recon.
- bore is a simple CLI tool for making tunnels to localhost.
- ransomware-simulator is a ransomware simulator written in Golang.
- SwiftInMemoryLoading is a Swift implementation of in-memory Mach-O loading on macOS. Blog post soon?
- inflate.py artificially inflates a given binary to exceed common EDR file size limits. Can be used to bypass common EDR.
- com_inject performs process injection via Component Object Model (COM) IRundown::DoCallback(). Blog post here.
New to Me
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- WeakestLink is a browser extension that extracts users from LinkedIn company pages.
- uncover quickly discovers exposed hosts on the internet using multiple search engines.
- sub3suite is a research-grade suite of tools for Subdomain Enumeration, OSINT Information gathering & Attack Surface Mapping that supports both manual and automated analysis on a variety of target types with many available features & tools.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.