Last Week in Security (LWiS) - 2022-07-05
In the wild 0days (@maddiestone), new Win11 primitive (@yarden_shafir), Cloudflare ZeroTrust for C2 (@zux0x3a), macOS LPEs (@LinusHenze + @zhuowei + Jack Dates of @ret2systems), SCCM abuse (@subat0mik + @_Mayyhem), Diamond Tickets (@4ndr3w6S), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-06-27 to 2022-07-05.
News
- 2022 0-day In-the-Wild Exploitation…so far. Browsers and phones are were people do most of their work these days, and thats where most of the 0days are too, unsurprisingly.
- Issue 2268: Windows: Windows Defender Remote Credential Guard Authentication Relay EoP. The handling of Windows Defender Remote Credential Guard credentials is vulnerable to authentication relay attacks leading to elevation of privilege or authentication bypass. Fixed on 2022-06-15 as CVE-2022-30150.
- GitLab Critical Security Release: 15.1.1, 15.0.4, and 14.10.5. TLDR: authenticated RCE. "an authorised user could import a maliciously crafted project leading to remote code execution," plus other issues.
- Bug Bounty Platform's Employee Abused Internal Access to Steal Bounties. As if bug bounty providers needed any more bad press...
- Service Fabric Privilege Escalation from Containerized Workloads on Linux. A compromised container could escape the container and compromise the entire cluster. Yikes! More at FabricScape: Escaping Service Fabric and Taking Over the Cluster.
- Malware Steel Mill. "Some Malware causing a catastrophic failure of a bucket full of molten steel." Iran seems to be the testing ground for cyber-physical attacks.
- When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. This will surely add fuel to the C2 twitter drama fire.
Techniques and Write-ups
- CloudGoat detection_evasion Scenario: Avoiding AWS Security Detection and Response. Step up your AWS exploitation game by not getting caught by automated defenses in this new scenario.
- Golang code review notes. This post is a good summary of some of the bug classes in Go.
- Spoofing Call Stacks To Confuse EDRs. Thread stack spoofing isn't new, but this post leverages it to actively trick EDRs with legitimate looking stacks while doing nasty things (like dumping lsass). CallStackSpoofer is the GitHub project.
- One I/O Ring to Rule Them All: A Full Read/Write Exploit Primitive on Windows 11. "This technique is a post exploitation primitive unique to Windows 11 22H2+ - there are no 0-days here. Instead, there's a method to turn an arbitrary write, or even arbitrary increment bug in the Windows kernel into a full read/write of kernel memory." Code is IoRingReadWritePrimitive.
- Abuse Cloudflare Zerotrust for C2 channels. Abuse is a strong word. "Repurpose" is perhaps a better term. Cool research, and as these kinds of services become more widespread, organizations are going to have to determine how to handle them. Want more cloudflare repurposing? Check out MitM at the Edge: Abusing Cloudflare Workers.
- Bulk Analysis of Cobalt Strike's Beacon Configurations. How unique are your post-ex and C2 profile choices?
- Bypassing .NET Serialization Binders. "Serialization binders are often used to validate types specified in the serialized data to prevent the deserialization of dangerous types that can have malicious side effects with the runtime serializers such as the BinaryFormatter. This blog post looks into cases where this can fail and consequently may allow to bypass validation and walks though two real-world examples of insecure serialization binders in the DevExpress framework (CVE-2022-28684) and Microsoft Exchange (CVE-2022-23277), that both allow remote code execution."
- CVE-2022-28219: Unauthenticated XXE to RCE and Domain Compromise in ManageEngine ADAudit Plus. Java web applications and deserialization vulnerability, name a more iconic duo.
- Enforcing a Sysmon Archive Quota. If you are using Sysmon's FileDelete archive hook to store deleted files, you likely already have a solution like this but if not, it should come in handy.
- Get root on macOS 12.3.1: proof-of-concepts for Linus Henze's CoreTrust and DriverKit bugs (CVE-2022-26766, CVE-2022-26763). macOS local privilege escalation walk thorough with PoC code.
- Exploiting Intel Graphics Kernel Extensions on macOS. More macOS exploitation?! ret2systems posts are always excellent and this is no exception.
- Relaying NTLM Authentication from SCCM Clients. What can't you relay authentication with in an active directory environment these days? But SCCM has even more fun in store: The Phantom Credentials of SCCM: Why the NAA Won't Die.
- A Diamond in the Ruff. You've heard of Golden Tickets but what about Diamond Tickets? They offer some OPSEC advantages, and you can use them in Rubeus with this pull request.
- nday exploit: netgear orbi unauthenticated command injection (cve-2020-27861). A detailed post on how the vulnerability was found and exploited.
- Offensive Hunting. The automation and "offensive hunts" in the presentation are awesome. RedELK is great and advanced teams should be using it already. Excited to see more development with it!
Tools and Exploits
- PINKPANTHER Windows x64 handcrafted token stealing kernel-mode shellcode. Be sure to check out the caveats.
- the-poor-mans-obfuscator - Binary & scripts associated with "The Poor Man's Obfuscator" presentation.
- TripleCross - A Linux eBPF rootkit with a backdoor, C2, library injection, execution hijacking, persistence and stealth capabilities.
- CVE-2019-7040 + CVE-2021-21042. POCs and exploit code for Microsoft Internet Explorer & Microsoft Word (in DOCX & RTF formats).
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- awsEnum - Enumerate AWS cloud resources based on provided credentials.
- nali - An offline tool for querying IP geographic information and CDN provider.
- maldev-for-dummies - A workshop about Malware Development.
- ExtractedDefender - An attempt to group extracted data from Defender for research purposes.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.