Last Week in Security (LWiS) - 2023-04-10
Windows installer LPE (@a_denkiewicz), unhooking without direct syscalls (@Kharosx0), dynamic linking injection (@praetorianlabs), suspending AV (@freefirex2), dir2json (@bitsadmin), DPAPISnoop (@lefterispan), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-03-20 to 2023-04-10.
News
- The Cure Tried to Stop Scalpers. Brokers Are Selling Entire Ticketmaster Accounts Instead. That's the thing about hackers, they will find a way around arbitrary restrictions.
- CVE-2023-1671: Critical Pre-Auth Command Injection Vulnerability in Sophos Web Appliance. "A pre-auth command injection vulnerability in the warn-proceed handler allowing execution of arbitrary code."
- Stopping Cybercriminals From Abusing Security Tools. Is this the first time a C2 vendor has taken "proactive" action against hosted copies of its own software?
- Meta Manager Was Hacked With Spyware and Wiretapped in Greece. Unsure of the phone's OS (the capability covers both Android and iOS), but it was an SMS link that appears to be the infection vector (1-click). This is your reminder to reboot your phone often - persistence of Predator was an extra 2.4 million euro add on in 2021.
- 3CX DesktopApp Security Alert. One of hte bigger supply chian attacks since SolarWinds.
Techniques and Write-ups
- Build a secure code mindset with the GitHub Secure Code Game. Learn CodeQL in a fun CTF-style "game." For pointers, be sure to read: CodeQL zero to hero.
- Windows Installer EOP (CVE-2023-21800). "This blog post describes the details and methodology of our research targeting the Windows Installer (MSI) installation technology." Spoiler: "the environment variables set by the unprivileged user were also used in the context of the SYSTEM user invoked by the repair operation."
- In-Memory Disassembly for EDR/AV Unhooking. Have your cake and eat it too. Without using hooked functions, Christopher Vella is able to call unhooked functions without direct syscalls. The code is nicely commented. It's in rust too (and probably written on arch btw).
- Dynamic Linking Injection and LOLBAS Fun. Some very sneaky DLI exploitation using system binaries to drop and run secondary payloads.
- Veeam Backup and Replication CVE-2023-27532 Deep Dive. Unauthenticated access to cleartext credentials? Yikes.
- Obfuscating C2 Traffic with Google Cloud Functions. Tired of the blue team blocking your egress domains? Why not use a high reputation domain like cloudfunctions.net?
- Microsoft Defender for Identity OWIN HTTP Listener. An interesting dive into MS Defender for identity's API (localhost only and cert auth protected). It has some interesting features like the ability to get a handle to the Group Managed Service Account token. Staying tuned for more.
- Bypassing software update package encryption - extracting the Lexmark MC3224i printer firmware. This part 1 is cut off in the opening summary, but part 2 has some great low level exploitation.
- Living Off The Land Drivers. loldirvers is a curated list of Windows drivers used by adversaries to bypass security controls and carry out attacks.
- Pwning Pixel 6 with a leftover patch. Excellent low level android exploitation content.
- Escaping Adobe Sandbox: Exploiting an Integer Overflow in Microsoft Windows Crypto Provider. Some good low level windows Exploitation.
- Shellcode: Entropy Reduction With Base-32 Encoding.. A custom Base-32 encoding can help data appear less random.
- Attacking Visual Studio for Initial Access. It turns out you don't even have to compile a malicious solution, just open it, to get pwned.
- I'd TAP That Pass. Temporary Access Passwords can bypass MFA in some situations to allow pivoting into Azure from a compromised user context.
- Disabling AV With Process Suspension. AV giving you a hard time? Put it on ice while you do your detected actions then bring it back like nothing happened. Be sure to test this as it can cause instability while the AV is suspended.
- BingBang: AAD misconfiguration led to Bing.com results manipulation and account takeover. Wiz has proven again and again they are the undisputed kings of cloud. Always scared/excited when a new technical post drops from Wiz.
Tools and Exploits
- Tool Release - shouganaiyo-loader: A Tool to Force JVM Attaches. Inject your own Java code into processes that have disabled the agent attach API.
- PoC for CVE-2023-28206 - exploit for an out-of-bounds write in the IOSurfaceAccelerator, allowing a malicious actor to execute arbitrary code with kernel privileges on macOS/iOS by utilizing a specially crafted application. Note this is just a kernel panic PoC.
- EPScalate - Exploit for elevation of privilege vulnerability in QuickHeal's Seqrite EPS.
- OffensiveCpp - This repo contains C/C++ snippets that can be handy in specific offensive scenarios.
- Implant execution via PrintBrm.exe - use PrintBrm to extract & execute an implant from an ISO.
- EntropyReducer - Reduce Entropy And Obfuscate Your Payload With Serialized Linked Lists.
- PhoenixC2 - Command & Control-Framework created for collaboration in python3. This looks very alpha.
- HardHatC2 - A C# Command & Control framework. Another alpha C2, but this one has a lot of features in the agent already.
- dir2json - Tool for efficient directory enumeration. Read the blog post.
- DPAPISnoop - A C# tool to output crackable DPAPI hashes from user MasterKeys.
- GodPotato - ImpersonatePrivilege == SYSTEM. At this point I think its just a feature of Windows.
- Chaos-Rootkit - x64 ring0 Rootkit with Process Hiding and Privilege Escalation Capabilities.
- rogue - A barebones template of 'rogue' aka a simple recon and agent deployment I built to communicate over ICMP. Well, without the ICMP code.
- wmiexec-Pro - Lateral movement with WMI using only port 135.
- inline-syscall - Inline syscalls made for MSVC supporting x64 and x86.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- serge - A web interface for chatting with Alpaca through llama.cpp. Fully dockerized, with an easy to use API.
- Game Hacks: Among Us - IL2CPP Walkthrough. The same techniques can be used to locate sensitive data and craft exploits in more serious applications.
- espanso - Cross-platform Text Expander written in Rust.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.