macOS ESF playground (@jbradley89), Azure privesc via service principles (@_wald0), Java gadget finding (@hugow_vincent), malicious Azure AD OAuth2 (@nyxgeek), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-10-11 to 2021-10-19.
News
- Firefox Suggest lands in the US, bringing ads to the browser search bar. Add this to the list of check boxes to uncheck on new Firefox installs. Settings -> Privacy & Security -> Address Bar — Firefox Suggest -> Contextual suggestions.
- Cheat Maker Is Not Afraid of Call of Duty’s New Kernel-Level Anti-Cheat. This is the second major video game maker to move to the kernel. As these drivers will be allow listed by AV, any vulnerability in them could prove valuable to red teamers.
- Governor Wants to Prosecute Journalist Who Clicked ‘View Source’ on Government Site. This is the level of computer literacy in government. RCVS-hack contains this 31337 darkweb 0day. 🤦
- Moving the U.S. Government Towards Zero Trust Cybersecurity Principles. The US government isn't totally hopeless and this push to use hardware tokens to prevent phishing from the White House is a great move!
- The Shenanigans of Jonathan Villareal. The fake iOS 0days were absent from this curated blog (you're welcome), but they show how easily manipulated the "infosec community" can be. This post breaks down the "RCE" and shows industry expert reactions.
- L0phtCrack is Now Open Source. Perhaps the oldest password "audit" tool is now open source. The GPU supply shortage and other factors caused Terahash to default on the terms of the sale of L0phtCrack and thus it was repossessed and open sourced.
- Sysmon For Linux. Breaking: temperature in Hell nearing freezing, hogs show signs they may be capable of flight.
- Windows Print Spooler Spoofing Vulnerability - CVE-2021-36970. This PrintNightmare may never end.
Techniques
- House of IO - Heap Reuse. This new modification to the House of Io even has some example code so you can follow along.
- Azure Privilege Escalation via Service Principal Abuse. Despite well defined password policy safeguards, Application Administrators can often elevate to Global Administrators if the application has Global Admin service principle. "Azure admins can prevent this attack path by auditing roles held by service principals and comparing those roles to the other identities with control of apps."
- Finding gadgets like it's 2015: part 1. This article explains the CommonCollection 1 and 7 gadget chains to help understand the new chain found in the Mojarra library.
- Resource Based Constrained Delegation. RBCD is one of the more complicated Active Directory attack paths. This article shows practical, step-by-step exploitation of this path which should help drive home the process.
- Countering threats from Iran. Interested in what an actual APT phishing campaign and infrastructure looks like? Look no further.
- Creating a Malicious Azure AD OAuth2 Application. Emulate those OAuth2 APTs (see above) with this practical guide from trustedsec.
- Exploiting Redis Through SSRF Attack. This post shows different ways the Redis key-value store can be exploited using SSRF.
- How a simple Linux kernel memory corruption bug can lead to complete system compromise. This post is unique in that the mitigations sections is three times as long as the vulnerability/PoC walk through.
- Microsoft Windows Antimalware Scan Interface Bypasses. AMSI bypasses have been around for a few years, and this post shows the internal workings of how the memory patches work.
Tools and Exploits
- Cobalt Strike Sleep Python Bridge. Rejoice! You no longer need to write sleep (a Java/Perl hybrid) to interact with Cobalt Strike. Lots of cool examples of how it can be used in the post. It's only a matter of time before someone writes a nice web GUI for cobalt strike, or writes an integration for Mythic. For prior art, check out pycobalt.
- The ESF Playground will let you view events from the Apple Endpoint Security Framework on your mac. This is particularly useful when trying to write detections and see how different processes are behaving.
- ScareCrow v3.0 released. This popular shellcode loader has been updated with more EDR bypass tricks and some bug fixes.
- Introducing Snowcat: World’s First Dedicated Security Scanner for Istio. Istio is a popular service mesh and Snowcat is a tool to audit it.
- nosferatu is an lsass NTLM authentication backdoor DLL that is injected into lsass and provides a skeleton key password for all accounts. On domain joined machines SMB, WinRM, and WMI are functional with the skeleton key password, on non-domain joined machines authentication via RDP, runas, and the lock screen also accepts the skeleton key password.
- AnyDesk Escalation of Privilege (CVE-2021-40854). You've got love a privesc that involves a classic Open dialog -> run cmd.exe path that results in SYSTEM in 2021.
- LDAPmonitor monitors creation, deletion and changes to LDAP objects live during your pentest or system administration!
- Skrull is a malware DRM, that prevents Automatic Sample Submission by AV/EDR and Signature Scanning from Kernel. It generates launchers that can run malware on the victim using the Process Ghosting technique. Also, launchers are totally anti-copy and naturally broken when got submitted. Probably want to review the code before use (same goes for all tools).
- WPBT-Builder is a simple UEFI application to create a Windows Platform Binary Table (WPBT) from the UEFI shell. This is a PoC for Everyone Gets a Rootkit.
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- EDRHunt scans Windows services, drivers, processes, registry for installed EDRs (Endpoint Detection And Response). Read more about EDRHunt here.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.