May 31 2022 Last Week in Security (LWiS) - 2022-05-31

Follina Word RCE (@_JohnHammond + @BillDemirkapi), PyPI CTX and PHPass compromise (@aydinnyunuss), Gargoyle w/ROP (@thefLinkk), Fuchsia OS kernel hacking (@a13xp0p0v), custom Cypher (@simondotsh), code audit process (@frycos), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-05-23 to 2022-05-31.

News

Rapid Response: Microsoft Office RCE - “Follina” MSDT Attack. Follina aka CVE-2022-30190 is an RCE vector that uses the Microsoft Support Diagnostic Tool via a URL handler in a Word document (no macro) to execute code. There is more analysis here as well as official guidance. follina.py is the PoC.
Welcome to the next generation of ngrok. The popular tunneling utility used to exposed local ports to the public internet released version 3 with some cool new features. Oauth and OpenID support with a few command line switches make authentication easy. Ngrok has been used to host short lived phishing pages by threat actors in the past.
Broadcom to Acquire VMware for Approximately $61 Billion in Cash and Stock. If anyone witnessed the Symantec acquisition br Broadcom this is scary if you use any VMware products (vCenter, Carbon Black, etc). For what it's worth I've been using Proxmox at home and in production for a while and it's pretty great.
How I hacked CTX and PHPass Modules. This is a great example of how NOT to conduct "security research." By deploying malicious packages that actively harvested sensitive environment variables, this crosses the line and I would not consider it "good faith" research. However, the automated techniques used to target package registries are relatively low effort for an extremely high impact. The next attacker will not claim "research" and will use this access for ransomware or worse.
FTC fines Twitter $150M for using 2FA info for targeted advertising. Twitter used its 2FA phone numbers for advertising and got caught. I suppose when you loose 221 million USD a year you get desperate and every piece of data is up for sale.
Serious security vulnerability in Tails 5.0. Tor Browser in Tails 5.0 and earlier is unsafe to use for sensitive information. 5.1 will be released 2022-05-31.

Techniques and Write-ups

Spoofing Microsoft 365 Like It's 1995. What if you wanted a scanner to send emails to your internal users but you use O365 email? How about an MS mail server that listens on port 25, has no auth, and delivers mail straight to your users from any email even if it doesn't exist in your domain? What could go wrong?
Issue 2254: Zoom: Remote Code Execution with XMPP Stanza Smuggling. XML being parsed differently by two different libraries ends ups in RCE. Impressive research.
A Kernel Hacker Meets Fuchsia OS. This is a long post that goes from "download the src" to "plant a rootkit."
The printer goes brrrrr!!!. The ability to exploit an implant a network printer could give you network access for years. No one watches their printers, and the often have access to many subnets.
Debugging and Reversing ALPC. No big reveal at the end of the post, but it does give good instructions on setting up a Windows VM for local or remote kernel debugging. For a more detailed post check out Offensive Windows IPC Internals 3: ALPC.
Leveraging AWS QuickSight dashboards to visualize recon data. Use the AWS "business intelligence" tool to visualize all your "business intelligence" or make sense of some very verbose command line output.
Capitalizing on BloodHound's Data: Cypher, Object Ownerships and Trusts. Investigate object ownerships across domains using custom Cypher queries.
Taking ESF For A(nother) Spin. ESF is the macOS ETW.
Security Code Audit - For Fun and Fails. While there is no epic RCE to end this post, there is tons of good knowledge and process described throughout.
Intro to Web App Security Testing: Burp Suite Tips & Tricks. Some basic Burp Suite usage to get you started poking at web apps.
Automating Azure Abuse Research — Part 1. Every website has an API, some just make you work harder to automate their usage than others. In this case Andy automates the "Run Command Script" function of Azure via Powershell, but the technique is generally applicable.
VMware Authentication Bypass Vulnerability (CVE-2022-22972) Technical Deep Dive. Host header manipulation and a custom "logon server" allow you to bypass authentication on multiple VMware products. PoC here.

Tools and Exploits

DeepSleep is a variant of Gargoyle for x64 to hide memory artifacts using ROP only and PIC.
VLANPWN is a VLAN attack toolkit (double tagging and DTP hijacking).
mempeek is a command line tool that resembles a debugger as well as Cheat Engine, to search for values in memory.
KaynStrike is a User Defined Reflective Loader for Cobalt Strike Beacon that spoofs the thread start address and frees itself after entry point was executed.
freeBokuLoader is a simple BOF that tries to free the memory region where the User Defined Reflective Loader is stored.
Shelltropy - A technique of hiding malicious shellcode via Shannon encoding.
MachoBins is designed to provide information on Mac lolbins, similar to https://gtfobins.github.io/ or https://lolbas-project.github.io/, but specifically for Mac!
NimlineWhispers3 - A tool for converting SysWhispers3 syscalls for use with Nim projects.
CdpSvcLPE - Windows Local Privilege Escalation via CdpSvc service (Writeable SYSTEM path Dll Hijacking).

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

BofRoast - Beacon Object Files for roasting Active Directory.
BatchGuard - Batch file AV evasion and obfuscation solution.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.