Jun 20 2022 Last Week in Security (LWiS) - 2022-06-20

ASP .NET audit (@frycos), iOS ROP ⛓️ (@inversecos), EnumDisplayMonitors to run 🐚code (@Marco_Ramilli), pcap for problem solving (@DebugPrivilege), RPC vuln (@s1ckb017), 🎣 for persistence (@matterpreter), Azure attack paths (@ZephrFish), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-06-14 to 2022-06-20.

News

Citrix Application Delivery Management Security Bulletin for CVE-2022-27511 and CVE-2022-27512. Remote unauthenticated users can reset the administrator password of the device at next reboot and SSH in.
Microsoft Patch Tuesday, June 2022 Edition. The best news? IE is officially out of service after 27 years. Follina (MSDT 0day) also got a patch.
New Research Suggests Always-On Bluetooth Could Be Used to Track Your Phone. Does your phone's Bluetooth chip have a "fingerprint?" Probably.
Now China wants to censor online comments. Consider this when your local politicians argue that all communication needs a backdoor to "protect the children."

Techniques and Write-ups

SmarterStats - Yet Another RPC Framework. This is an in-depth code audit of an ASP .NET web long analytics app.
Guide to Reversing and Exploiting iOS binaries Part 2: ARM64 ROP Chains. Some more binary exploitation on iOS. Be sure to bring a jailbroken iOS device to follow along.
Running Shellcode Through Windows Callbacks. Unique shellcode execution techniques can help your loader stay under the radar. Check out the AlternativeShellcodeExec for more.
How do I approach a technical topic? - Packet Capture (Part 1). I really like these types of posts that explore the methodology of solving problems.
Updated: Technical Advisory and Proofs of Concept - Multiple Vulnerabilities in U-Boot (CVE-2022-30790, CVE-2022-30552). The U-boot advisory from 2022-06-03 gets updated and expanded.
NTLM Authentication with Firefox & FoxyProxy. This post shows how to authenticate to a web page over a SOCKS connection with NTLM.
CVE-2022-26809 Reaching Vulnerable Point starting from 0 Knowledge on RPC. A great zero to PoC post, but note this particular exploit requires sending 1,048,577 packets.
Automating Cobalt Strike with Python. The sleep language used to script Cobalt Strike is, unique, to say the least. Using something more widely known like Python helps more operators script the routine parts and focus on making assessments valuable for customers.
Oh my API, abusing TYK cloud API management to hide your malicious C2 traffic. As everything moves to the cloud, hiding C2 traffic alongside legitimate API endpoints will be key to staying out of SOC alerts.
Hang Fire: Challenging our Mental Model of Initial Access. The term "phishing for persistence" ia a good one. Breaking the link between phish and execution makes it harder to detect.
Rogue Shortcuts: LNK'ing to Badness. LNKs in zips or ISOs still prove to be an effective delivery mechanism.
Azure Attack Paths: Common Findings and Fixes (Part 1). Cloud assessments are becoming more common, and this post goes over some basics of Azure attack paths.
Embedding Payloads and Bypassing Controls in Microsoft InfoPath. Legacy Microsoft file types and handlers (in this case .xsn files) continue to be interesting payload delivery mechanisms.

Tools and Exploits

DFSCoerce - PoC for MS-DFSNM coerce authentication using NetrDfsRemoveStdRoot method. This can be used when the Spooler service is disable, and RPC filters prevent PetitPotam/File Server VSS authentication elicitation.
CVE-2022-26937 - Windows Network File System crash PoC.
hunter-1 (l)user hunter using WinAPI calls only.
cloud-middleware-dataset. This project contains cloud middleware (i.e. agents installed by cloud security providers) used across the major cloud service providers (Azure, AWS and GCP).
Ekko. A small sleep obfuscation technique that uses CreateTimerQueueTimer to queue up the ROP chain that performs Sleep obfuscation. Detection: patriot.
NlsCodeInjectionThroughRegistry Dll injection through code page id modification in registry. Based on jonas lykk research.
Using macros and constexpr to make API hashing a bit more friendly.
antnium - A C2 framework and RAT written in Go. Slides about the development process here.
aced is a tool to parse and resolve a single targeted Active Directory principal's DACL. Aced will identify interesting inbound access allowed privileges against the targeted account, resolve the SIDS of the inbound permissions, and present that data to the operator.
SliverKeylogger is a Sliver C2 extension to log keystrokes on Windows.
OfficeIMO Fast and easy to use cross-platform .NET library that creates or modifies Microsoft Word and later also Excel files without installing any software. This could be useful to automate phishing lures.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

AlternativeShellcodeExec - Alternative Shellcode Execution Via Callbacks.
Sealighter - Sysmon-Like research tool for ETW.
npmdomainchecker - Checks all maintainers of all NPM packages for hijackable domains.
snallybuckster - Locate interesting files in grayhatwarfare.com open S3 buckets and Azure blobs automatically!
NoteThief - Grab unsaved Notepad contents with a Beacon Object File.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.