Last Week in Security (LWiS) - 2022-04-25
Acrobat extension issues (@WPalant), ECDSA signature in Java vuln (@neilmaddog), GPO LPE (@decoder_it), SSN resolution from process structs (@modexpblog), AWS container escape (@yuvalavra), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-04-18 to 2022-04-25.
News
- The More You Know, The More You Know You Don't Know: A Year in Review of 0-days Used In-the-Wild in 2021. "When we look over these 58 0-days used in 2021, what we see instead are 0-days that are similar to previous & publicly known vulnerabilities." Keep looking for adjacent vulnerabilities!
- Pwn2Own Miami 2022 Results. 26 ICS-focused 0-days!
- Cobalt Strike 4.6: The Line In The Sand. Minor updates include a new user-defined size limit for execute-assembly, and a unified "arsenal kit." The bigger updates are around the "security" (anti-piracy) features, which may make it harder for criminals to use Cobalt Strike.
- Infosec Salaries - the myth and the reality. TLDR: Always take more base over options.
- SMB1 now disabled by default for Windows 11 Home Insiders builds. The unwillingness of Microsoft to break backward compatibility has caused many a vulnerability; perhaps the tide is turning? You can still enable SMBv1, but soon even the binaries will be gone and will be a separate unsupported install.
- OffensiveCon22 YouTube Playlist. Which talks were your favorite?
Techniques and Write-ups
- No Hardware, No Problem: Emulation and Exploitation. This is a good post for anyone interested in IoT devices as it contains some nice gotchas and workarounds.
- Adobe Acrobat hollowing out same-origin policy. Browser add-ons continue to be a silent killer. No one seems to be publicizing the power they have now that every app is a web app. Perhaps it will take a large add-on compromise for the industry to wake up?
- Bypassing PESieve and Moneta (The "easy" way....?). Memory scanners can pose a problem to red team tooling, but there are clever (though not new) tricks to keep memory encrypted until it's needed.
- CVE-2022-21449: Psychic Signatures in Java. "If you are using ECDSA signatures for any of these security mechanisms, then an attacker can trivially and completely bypass them if your server is running any Java 15, 16, 17, or 18 version before the April 2022 Critical Patch Update (CPU)." A Java rewrite of a C++ cryptographic library introduced this flaw in Java 15. All those enterprise Java apps still on Java 8 are safe 😂. PoC to demonstrate the vulnerability here.
- A not-so-common and stupid privilege escalation. These kinds of hard-to-automatically-find vulnerabilities are what make red teams valuable. This is a cool find, and one to look out for on your next assessment or in your own environment. Lock down those shares!
- Adventures with KernelCallbackTable Injection. This is a shellcode injection technique not often used. PoC here: KernelCallbackTable-Injection.
- Access Token Manipulation Part 0x01. How do the token tricks for your favorite C2 work under the hood? It turns out the Windows APIs for tokens are pretty straightforward.
- Resolving System Service Numbers using the Exception Directory. The use of a Control Flow Guard "feature" for malware dev is juicy. Classic hacking. The runtime function table method has wider compatibility, and may be more useful.
- AWS's Log4Shell Hot Patch Vulnerable to Container Escape and Privilege Escalation. Two weeks in a row with AWS issues, that's unusual. In this case a hotpatch was a bit too hot and ran any process named "java" in a container with elevated permission in order to patch them. This has been fixed, and AWS has an official announcement.
- Abusing Azure Container Registry Tasks. The cloud is just someone else's computer, and if you configure it poorly, there are shells to be had.
Tools and Exploits
- KrbRelayUp is a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced (the default settings).
- memray is a memory profiler for Python. Not specifically security related, but very cool.
- Issue 2274: Linux: watch_queue filter OOB write (and other bugs). Google Project Zero found another Linux LPE. This one affects kernel from 5.8 to 2022-03-11 (5.16.15, 5.15.29, 5.10.106). PoC exploit is included, but may be unstable.
- C2-Tool-Collection is a collection of tools which integrate with Cobalt Strike (and possibly other C2 frameworks) through BOF and reflective DLL loading techniques. This is from Outflank so you know it's going to be good.
- cdnstrip is a tool for stripping CDN IPs from a list of IP addresses.
- elfpack does ELF Binary Section Docking for Stageless Payload Delivery.
- HalosUnhooker is a Halos Gate-based NTAPI Unhooker.
New to Me
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- htmlq is like jq, but for HTML. Uses CSS selectors to extract bits of content from HTML files.
- KDStab is a BOF combination of KillDefender and Backstab.
- ADReaper is a fast enumeration tool for Windows Active Directory Pentesting written in Go.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.