New APIs/syscalls for EDR bypass (@yarden_shafir), UAF browser exploit dev (@33y0re), PowerView replacement [EDD] (@FortyNorthSec), phishing banner defeat (@whynotsecurity), packer teardown (@fumik0_), NANDcromancy (@Atredis), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-04-19 to 2021-04-26.
News
- Ill-advised research on Linux kernel lands computer scientists in hot water. Researchers from the University of Minnesota purposely introduced bugs into the Linux kernel as part of a study on how easily bugs can be slipped into open source projects. I'm not sure why this was necessary: plenty of real, exploitable bugs are already committed to open source projects, the Linux kernel included. Linux maintainers responded, appropriately, by banning all contributions from University of Minnesota email addresses. The researchers have issued an open letter to the Linux community, but the damage has been done.
- Security Incident Disclosure (Brew). Because of the way the Homebrew package manager's GitHub Actions were configured, it was possible to hide code from the git_diff parser the review action relied on, tricking the auto-merge action into believing only a version number had changed. That would have let an attacker add malicious code to any Brew package without human review. The issue has been fixed by disabling the auto-merge action, along with other controls including mandatory manual review.
- Computer security world in mourning over death of Dan Kaminsky, aged 42. A star of the infosec community, Dan most famously worked to get multiple DNS implementations vulnerable to cache poisoning fixed, gave many Black Hat and DEF CON talks, and was generally just a good person. His loss at such a young age (due to diabetic ketoacidosis) is a reminder to step away from the keyboard and enjoy life.
- tmp.0ut Volume 1 is an homage to classic hacker zines packed full of great ELF knowledge.
- Google Chrome DNS Security Bypass. Chrome's built-in "Async DNS" resolver performs DNS lookups against Google's DNS servers regardless of how the host's resolver is configured, which can sidestep DNS-based defenses and logging. The post also covers how to disable it on Windows and macOS (launch Chrome with the --disable-async-dns flag). If you rely on an internal DNS server, blocking outbound port 53 from everything except that resolver is a stopgap; it stops working the day this "feature" moves to DNS-over-HTTPS, which looks like any other HTTPS traffic to the firewall. Switching to Firefox is a permanent solution.
- REvil gang tries to extort Apple, threatens to sell stolen blueprints. Two interesting pieces of this story: the stolen blueprints seem to confirm Apple's plans to add more ports and remove the Touch Bar (all power users are happy about this), and the ransom is demanded not in Bitcoin but in the much lesser known, privacy-focused cryptocurrency Monero.
- Project Jengo Redux: Cloudflare's Prior Art Search Bounty Returns. Patent trolls are a symptom of a broken patent system, but Cloudflare's response to them is fantastic. A $100,000 bounty for prior art that invalidates the patents the trolls are asserting is a solution that can have a positive outcome for Cloudflare and generate some publicity about this flaw in the patent system.
- clickstudios Passwordstate Incident Management Advisory #01. Supply chain attacks are here to stay, and what better software to hijack an update for than a password manager? Any critical system should be protected by FIDO2/U2F hardware tokens, so that a stolen password alone is not enough to log in. FIDO2 keys are a one-time investment that can save untold amounts of damage later on.
- Exploiting vulnerabilities in Cellebrite UFED and Physical Analyzer from an app's perspective. Despite the questionable cryptocurrency moves, Signal proves it still has an edge with this shade-filled post about possibly, maybe, definitely shipping some Cellebrite parser 0days to a random selection of Signal users' devices. It will be interesting to see whether this plays out in court, with evidence rejected because one of these exploits may have tampered with or deleted it. Is it enough to cast doubt on any user's Signal data collected with Cellebrite?
Techniques
- Thread and Process State Change. A new Windows Insider build added APIs and syscalls for suspending and resuming processes and threads. Since suspending a thread is one of the most heavily monitored steps of process injection on Windows, the new calls open up quieter ways to do it. Example code is included at the end of the post.
- Anatomy of a simple and popular packer. Curious how popular packers are used to deliver "mainstream" malware? This post tears apart Ficker Stealer and exposes the tricks it uses. Some of these techniques may be useful in your next adversary emulation engagement.
- Perun's Fart - yet another unhooking method. Most unhooking methods read a fresh copy of ntdll.dll from disk; this one instead starts a new process in a suspended state and copies ntdll.dll's code out of that process, which has no userland hooks because it has not started executing yet (EDRs generally place their hooks from inside the process once it runs). Don't forget to terminate the suspended child afterwards.
- AV Evasion Part 1. This post covers some basic AV evasion. If you are new to the game, this is a good place to start.
- NANDcromancy: Live Swapping NAND Flash. This is true hardware hacking sorcery. Replacing a NAND chip while a device is powered on is some next level hardware hacking.
- Exploit Development: Browser Exploitation on Windows - Understanding Use-After-Free Vulnerabilities. This post is a full start to finish walkthrough of a use-after-free bug in IE 8 on Windows 7 x86 from crash, to vulnerability identification, to shell. Careful Connor, any more complete and SANS will charge $7,500 a week for this.
- All Your Macs Are Belong To Us: bypassing macOS's file quarantine, gatekeeper, and notarization requirements. This now-patched technique was exploited in the wild as a 0day and managed to bypass every protection put in place since 2015 to keep users from infecting themselves. Sometimes you have to test your assumptions about security products to find a bypass. Just because something should never work doesn't mean it won't.
- Relaying Potatoes: Another Unexpected Privilege Escalation Vulnerability in Windows RPC Protocol. Potato exploits refuse to die. Under one specific condition (you have a shell in session 0 on a host where a Domain Admin is logged in to session 1), RemotePotato0 can escalate you to Domain Admin. Best/worst of all, Microsoft labeled this a "won't fix."
- Azure Application Proxy C2. With Azure killing domain fronting, these types of "proxy C2" will become more popular.
- MS External Email Warning Bypass. When you insert banners into user-controlled HTML, you're going to have a bad time: whoever controls the rest of the page also controls the CSS that styles your banner. Pro tip: get a reply from the target first and look at the exact banner HTML their mail flow rule inserts before crafting the bypass for that specific target.
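Added example (not whynotsecurity's code): a constructed stand-in for the banner a mail flow rule prepends, the kind of CSS an attacker can put in their own HTML to hide it, and a check a mail gateway could run on inbound HTML to flag style rules that target the banner's id or class. The banner markup, id and class names are assumptions for illustration; the real inserted HTML is whatever your target's rule produces, which is why you look at a reply first.

```python
import re
from html.parser import HTMLParser

# Constructed stand-in for the HTML a mail flow rule prepends to external mail (id/class are assumptions).
BANNER_HTML = ('<table class="x_ext_banner" id="ext-warning"><tr><td style="background:#ffeb9c;">'
               'CAUTION: This email originated from outside the organization.</td></tr></table>')

# Attacker-controlled body: the rule stays in the message, the CSS just makes it disappear when rendered.
ATTACKER_BODY = '''<html><head><style>
#ext-warning { display: none !important; }
.x_ext_banner { visibility: hidden; height: 0; font-size: 0; }
</style></head><body><p>Hi, please review the attached invoice.</p></body></html>'''

BENIGN_BODY = '<html><body><p>Hi team, agenda attached.</p></body></html>'

# Declarations that make an element effectively invisible.
HIDING_DECL = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:height|max-height|width|opacity|font-size)\s*:\s*0(?:px|em|%)?(?![\d.])", re.I)


class _StyleCollector(HTMLParser):
    """Gather the text of every <style> block in a body."""
    def __init__(self):
        super().__init__()
        self.in_style, self.css = False, []

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self.in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False

    def handle_data(self, data):
        if self.in_style:
            self.css.append(data)


def banner_selectors(banner_html: str) -> set:
    """Extract the #id and .class selectors an attacker could target in the inserted banner."""
    sels = set()

    class _P(HTMLParser):
        def handle_starttag(self, tag, attrs):
            for k, v in attrs:
                if k == "id" and v:
                    sels.add("#" + v)
                if k == "class" and v:
                    sels.update("." + c for c in v.split())

    _P().feed(banner_html)
    return sels


def css_rules(css_text: str):
    """Yield (selector, declarations) pairs from flat CSS (no nested @-rules)."""
    for m in re.finditer(r"([^{}]+)\{([^{}]*)\}", css_text):
        yield m.group(1).strip(), m.group(2)


def banner_suppression_rules(body_html: str, banner_html: str = BANNER_HTML) -> list:
    """Return the CSS rules in an inbound body that would hide the banner's elements."""
    sels = banner_selectors(banner_html)
    col = _StyleCollector()
    col.feed(body_html)
    hits = []
    for selector, decls in css_rules("\n".join(col.css)):
        targeted = any(re.search(re.escape(s) + r"(?![\w-])", selector) for s in sels)
        if targeted and HIDING_DECL.search(decls):
            hits.append((selector, decls.strip()))
    return hits


def is_banner_suppressed(body_html: str, banner_html: str = BANNER_HTML) -> bool:
    return bool(banner_suppression_rules(body_html, banner_html))
```

The check catches the straightforward cases, but a determined sender has other options (a rule matching the banner's tag structure rather than its id, or styling via an ancestor), so treat it as a signal, not a fix. The robust fix is to put the warning somewhere the sender's HTML cannot style, such as a subject-line tag.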
Tools and Exploits
- CertStealer is a .NET tool for stealing and importing certificates in the Windows certificate store without touching disk. Useful for red team operations where you need to poach a certificate for pivoting purposes and want to do so with an in-memory post-ex payload.
- SharpNoPSExec is a fileless lateral movement tool. It queries all services and randomly picks one with a start type of Disabled or Manual, a current status of Stopped, and LocalSystem as its account; saves that service's current configuration; replaces its binary path with the payload of your choice; starts it; and after waiting 5 seconds restores the original service configuration.
- Meet EDD - He Helps Enumerate Domain Data. EDD is a .NET tool for enumerating Windows domain data, designed to be similar to the now unmaintained PowerView.
- PPLdump is a tool that implements a userland exploit initially discussed by James Forshaw (a.k.a. @tiraniddo) in a blog post, for dumping the memory of any PPL (Protected Process Light) process as an administrator.
- AsIo3Unlock is a proof-of-concept bypass of pseudo-security caller check implemented in AsIO3, "unlocking" this driver for usage with FULL R/W access.
- fakemeeting is a tool for creating fake meeting invites. More details here.
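Added example (not SharpNoPSExec's code) from the defender's side: the tool's sequence leaves a distinctive trail, a service ImagePath changed to a payload and changed back seconds later. Assuming you forward ImagePath value changes (Sysmon Event ID 13 on the service's registry key) into records shaped like the constructed sample below, this flags that swap-and-restore pattern and any service binary path that points at an interpreter.

```python
import json
import re
from collections import defaultdict

# Constructed sample records, one per ImagePath change (e.g. distilled from Sysmon Event ID 13 on
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath). Not real telemetry. The first pair is the
# SharpNoPSExec pattern: swap the binary path, run, put it back a few seconds later. The third is a
# normal upgrade that changes the path once and leaves it.
SAMPLE_LOG = r'''
{"ts": 1619420000.0, "host": "WS01", "user": "CORP\\jsmith", "service": "WebClient", "old": "C:\\Windows\\System32\\svchost.exe -k LocalService -p", "new": "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA"}
{"ts": 1619420005.3, "host": "WS01", "user": "CORP\\jsmith", "service": "WebClient", "old": "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA", "new": "C:\\Windows\\System32\\svchost.exe -k LocalService -p"}
{"ts": 1619420900.0, "host": "SRV02", "user": "CORP\\svc_deploy", "service": "MyApp", "old": "C:\\Program Files\\MyApp\\app.exe", "new": "C:\\Program Files\\MyApp\\app.exe --v2"}
'''

# Interpreters and LOLBins that have no business being a service binary.
INTERPRETERS = re.compile(r"(?:^|\\)(?:cmd|powershell|pwsh|rundll32|regsvr32|mshta|wscript|cscript)\.exe\b", re.I)


def parse_events(text: str) -> list:
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def suspicious_path(path: str) -> bool:
    """Interpreter as the service binary, or an encoded PowerShell command anywhere in the path."""
    return bool(INTERPRETERS.search(path)) or " -enc" in path.lower()


def detect_service_hijack(events: list, window_s: float = 30.0) -> list:
    """Flag ImagePath changes that point at an interpreter and/or are reverted within window_s seconds."""
    by_service = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_service[(ev["host"], ev["service"])].append(ev)
    findings = []
    for (host, svc), evs in by_service.items():
        for i, ev in enumerate(evs):
            reasons = []
            if suspicious_path(ev["new"]):
                reasons.append("interpreter_or_encoded_command")
            for later in evs[i + 1:]:                      # look for the restore step
                dt = later["ts"] - ev["ts"]
                if dt > window_s:
                    break
                if later["old"] == ev["new"] and later["new"] == ev["old"]:
                    reasons.append(f"restored_after_{dt:.1f}s")
                    break
            if reasons:
                findings.append({"host": host, "service": svc, "user": ev["user"],
                                 "transient_path": ev["new"], "reasons": reasons})
    return findings
```

The restore is the better of the two signals: an operator can drop a legitimately named executable on disk to dodge the interpreter check, but the original configuration still has to come back within seconds if the host is to keep working, and nothing legitimate flips a service binary path back and forth like that. Pair it with the 7036 start/stop events for the same service to recover the execution window.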
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- STFUEDR. Everyone knows that userland hooks can be defeated, but some EDRs also use drivers and kernel hooks. This project uses a driver signing bypass to load its own driver and defeat even those hooks. Caveat: this still needs admin, and it will not get past hosts with HVCI (memory integrity) enabled, where unsigned kernel code is blocked by the hypervisor.
This post is cross-posted on SIXGEN's blog.