Last Week in Security (LWiS) - 2022-05-23
Nighthawk 0.2 (@MDSecLabs), Parallels VM escape write-up (@ret2systems), Rust supply chain attack (@juanandres_gs), DPAPI entropy capture (@merrillmatt011), HVCI "work-around" (@33y0re), S4U2* attacks (@theluemmel), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-05-16 to 2022-05-23.
News
- Pwn2Own Vancouver 2022 - The Results. Always cool to see some nice 0day chains take down major names.
- DOJ Announces It Won't Prosecute White Hat Security Researchers. It's all about intent. However this is just an "agency policy" and doesn't actually change the law. Read the full PDF here.
- Kali Linux 2022.2 Release (GNOME 42, KDE 5.24 & hollywood-activate). Nothing crazy here, just quality of life improvements, version bumps, and a "hacker" screensaver.
- When Your Smart ID Card Reader Comes With Malware. Supply chain attacks in equipment meant to secure systems. The ultimate trojan horse? The major user of PIVs in the US is the government, so this attack would likely land on personal (or maybe even official computers) of government employees.
- CrateDepression | Rust Supply-Chain Attack Infects Cloud CI Pipelines with Go Malware. Supply chain attacks aren't new, and this one was likely targeting other software supply chains via their CI to expand its reach.
- [PDF] Leaky Forms: A Study of Email and Password Exfiltration Before Form Submission. "On thousands of sites email addresses are collected from login, registration and newsletter subscription forms; and sent to trackers before users submit any form or give their consent."
- CISA, NSA, FBI and International Cyber Authorities Issue Cybersecurity Advisory to Protect Managed Service Providers (MSP) and Customers. Why hack individual companies when you can hack MSPs that have SYSTEM level access to all the endpoints in hundreds or thousands of companies?
- Out Of Band Update: Cobalt Strike 4.6.1. Minor fixes to the 4.6 release.
- **authenticated** PetitPotam still works even after latest updates.. Windows machines just really want to authenticate to you.
Techniques and Write-ups
- Nighthawk 0.2 - Catch Us If you Can. MDSec releases the second version of their in-house C2, and is kind enough to detail its features. If you are looking for an advanced red team framework to support engagements, seriously consider Nighthawk. I haven't gotten any hands on time yet, but it sure looks impressive. If anyone at MDSec wants to hook me up with a trial contact me.
- Exploiting an Unbounded memcpy in Parallels Desktop. This post details the development of a guest-to-host virtualization escape for Parallels Desktop on macOS, as used in a successful Pwn2Own 2021 entry to achieve code execution on a macOS host from a running a Linux guest via Parallels.
- EntropyCapture: Simple Extraction of DPAPI Optional Entropy. If you've decrypted DPAPI blobs but were left with gibberish data, perhaps the encrypting appliaction was supplying optional entropy to DPAPI. The new EntropyCapture uses hooks to capture that entropy so you can decrypt the blobs successfully.
- Exploit Development: No Code Execution? No Problem! Living The Age of VBS, HVCI, and Kernel CFG. Hypervisor-Protected Code Integrity (HVCI) and other modern protections make kernel level code execution difficult. Connor threads the needle with kernel-mode ROP in the post and takes you along every step of the way.
- S4fuckMe2selfAndUAndU2proxy - A low dive into Kerberos delegations. This post explores Kerberos delegation and ways to detect and exploit it, including the sometimes complicated S4U2self/proxy attacks.
- No-Fix Local Privilege Escalation Using KrbRelay With Shadow Credentials. This "manual" KerbRelayUp shows how the pieces work together to get a SYSTEM shell.
- Revisiting a Credential Guard Bypass. Patching two offsets in LSASS can bypass credential guard, but until now, those offsets have been hard-coded in tools. This post shows how they an be dynamically located at run time. The proof of concept is on GitHub.
- How I could exploit the CVE-2022-1388, F5 BIG IP iControl Authentication bypass to RCE. This is the background on the biggest bug of the last few weeks.
Tools and Exploits
- ghostrings - Ghidra scripts for recovering string definitions in Go binaries. More info in this blog post.
- Mortar Loader v2. Lots of improvements to this loader in version 2.
- SharpEventPersist. Persistence by writing/reading shellcode from Event Log.
- DynamicWrapperDotNet. Dynamically Loads Assembly and Calls Methods from JScript.
- bin2memfd. Encodes a program (which can be a script, despite the name) to a Perl or Python script which sticks it in a Linux memfd and runs it. The goal is to enable staged implants to be run with curl | perl, or something similar.
New to Me
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- BinAbsInspector - Vulnerability Scanner for Binaries.
- Labtainers - Docker-based cyber lab framework.
- privaxy - (work in progress) Privaxy is the next generation tracker and advertisement blocker. It blocks ads and trackers by MITMing HTTP(s) traffic.
- Argus is a lightweight monitor to notify of new software releases via Gotify/Slack messages and/or WebHooks.
- Red-Lambda - Leveraging AWS Lambda Function URLs for C2 Redirection.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.