Last Week in Security (LWiS) - 2022-04-18
.NET execution with docx (@danonit), AV evasion masterclass (@_vivami), Phisher's errors (@Marco_Ramilli), global injection and hooking (@m417z), custom transport protocols in Burp (@pentagridsec), advanced fuzzing (@kasifdekel), coercing NTLM authentication from SCCM (@_Mayyhem), XSS iframe traps (@hoodoer), patchless AMSI bypass (@_EthicalChaos_), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-04-11 to 2022-04-18.
News
- Microsoft Patch Tuesday, April 2022 Edition. This was a big one: 120 security vulnerabilities in Windows, including a "wormable" RPC RCE CVE-2022-26809.
- APT Cyber Tools Targeting ICS/SCADA Devices. Some significant ICS/SCADA malware is on the loose. The use of a known-vulnerable driver for kernel code execution is a known tactic, but paired with the ICS capabilities described in this report, it can have serious physical world consequences. As always, vx-underground has the samples.
- Web scraping is legal, US appeals court reaffirms. LinkedIn loses another round against scrapers. Public data is public, no matter how mad you get when someone accesses it in a way you don't like.
- Git security vulnerability announced. On Windows, for example, an attacker could create C:\.git\config, which would cause all git invocations that occur outside of a repository to read its configured values. The Git uninstaller for Windows also had a privilege escalation vulnerability (DLL hijack in C:\Windows\Temp).
- AWS RDS Vulnerability Leads to AWS Internal Service Credentials. The cloud is just someone else's computer, and they don't always lock it down as much as they should (but probably much better than most IT departments could). Official AWS publication here.
- Law Enforcement Seizes RaidForums, One of the Most Important Hacking Sites. One of the most important hacking sites? That might be a reach.
- Pwn2Own Miami 2022 Schedule. Looks like some good stuff on the docket if you are into ICS pwnage.
Techniques and Write-ups
- A blueprint for evading industry leading endpoint protection in 2022. Tons of gold in this post. Do not skip.
- From a Phishing Page to a Possible Threat Actor. "Cyber attackers are humans. Humans make mistakes or let behind actions details that could be used to trace them." The trip from phishing site to the creator's mirror selfie proves that nicely.
- Implementing Global Injection and Hooking in Windows. The technical bits to this are very cool, and the code for the injection can be found here. Want to be able to hook any function of any process? Why not just inject a DLL into every process? Bold.
- Teaching Burp a new HTTP Transport Encoding. If you ever need to implement a custom transport encoding scheme for a Burp extension, this blog will save you a lot of time. Code here.
- CVE-2021-1782, an iOS in-the-wild vulnerability in vouchers. If you're hungry for deeply technical iOS vulnerability write ups, Ian Beer has you covered.
- Inside the Black Box | How We Fuzzed Microsoft Defender for IoT and Found Multiple Vulnerabilities. Some cool advanced fuzzing techniques in play in this post.
- Coercing NTLM Authentication from SCCM. Authentication coercion attacks are all the rage, and now you can get some sweet hashes from SCCM. SharpSCCM will help you get what you need.
- Persisting XSS With IFrame Traps. Users navigate away from your XSS payload too quickly? Using an "iframe trap" you can manipulate the address bar and get your victim to stick around long enough for your payload to complete, or even enter credentials on your XSS-loaded site!
- In-Process Patchless AMSI Bypass. Using exceptions to patch amsi.dll's AmsiScanBuffer function. Very clever. This will make one of my favorite tools (BOF.NET) even more powerful. Example C code here.
- CVE-2022-25165: Privilege Escalation to SYSTEM in AWS VPN Client. Time-of-check-time-of-use (TOCTOU) hits the AWS VPN client (patched in 3.0.0) and allows for arbitrary file overwrite as SYSTEM.
- Diving Deeper into WatchGuard Pre-Auth RCE - CVE-2022-26318. This is a cool look at a leaked exploit and the work needed to really understand how it works and how it can be modified.
- Make phishing great again. VSTO office files are the new macro nightmare? There are some caveats, but executing .NET code from the internet with just a docx is crazy. Microsoft Office truly has way too many features that 99.9% of people never use, but attackers will happily leverage for shells.
Tools and Exploits
- frostbyte is a POC project that combines different defense evasion techniques to build better redteam payloads.
- msprobe is a tool for finding on-prem Microsoft products for password spraying and enumeration.
- spooler-splenumforms-iov is a memory corruption vulnerability in the Windows spooler service that was patched on the most recent Microsoft Patch Tuesday, 2022-04-12.
- SharpWnfScan dumps Windows Notification Facility subscription information from processes.
- stunner is a tool to test and exploit STUN, TURN and TURN over TCP servers.
New to Me
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- cdn-proxy is a tool that can be used by web app pentesters to create a copy of a targeted website with CDN and WAF restrictions disabled.
- ADInspect is a PowerShell script that automates the security assessment of Microsoft Active Directory environments.
- maat is an open-source symbolic execution framework. Bonus, the project's site uses m.css like this blog!
- wpgarlic is a proof-of-concept WordPress plugin fuzzer.
- ShadowClone - Unleash the power of cloud. Distributes your long-running tasks dynamically across thousands of serverless functions and gives you the results within seconds where it would have taken hours to complete.
- SSOh-No is a user enumeration and password spraying tool for testing Azure AD.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.