Hacking the Hackers: Analysis of a Cobalt Strike Remote Command Execution Vulnerability - Rio Sherri

door is yours thank you okay so hi everyone so today's talk is going to be hacking the hackers uh the analysis of a cobblestrike remote command execution vulnerability so before we begin uh I want to give a brief introduction of myself uh so my name is serious Sherry I currently work at IBM adversary Services team where we run adversity simulation for a big number of clients including public and private sector I'm also the founder and organizer of besides Tirana we also have the call for papers open so if you want to participate scan the QR code here and you can submit your talks and I'll be really uh it will be really great to see

you there unless you're probably aware of I'm passionate about offensive security and I mainly focus on adversary simulation Windows internals reverse engineering malware development and also exploitation which has resulted in me discovering some vulnerabilities and several well-known products like Google Chrome Spotify Microsoft Edge Etc if you want to see some of my other work I'm not sure if it's readable here but uh my handle is 0x09al and you can find me on Twitter on GitHub to see some of my uh work so uh before going into details about the research I just wanted to give a brief introduction of why we actually started doing this research so in our day-to-day job we use Global strike quite a lot

because it's one of the most common uh used adversary simulation Frameworks and while we're in a project we receive an out of bound update for cobblestrike and it's usually an out of bond update is usually bad news because it's either like a vulnerability that needs to be patched immediately or there's some bug that may make the software unusable so we take we have to take a quick look and see what was happening so as you can see from the image here this is actually just a screenshot of just a screenshot of the release notes from cobblestrike so basically there was a new CV and they said it was an xss vulnerability which at the beginning we

kind of let's say downplayed it a little bit because usually when you have a CD an exercise vulnerability it's usually not really useful uh when it's a client-side program because we we initially thought it was some sort of self-exist which is not really useful from exploitation perspective but then when we're reading uh the real is not in details the the blog post actually mentioned that this exercise vulnerability could lead to potentially rce and it was like a really interesting uh thing and we decided to actually take a look and because this is one of the tools we use for our internal Services we need to make sure that the tools that we use and provide services to clients

need to be safe and started to digging deeper into the cobblestrike and then we discovered that this patch actually was not sufficient and that's what this talk is going to be about so uh before diving in I'm just going to give just a quick introduction of global strike so for those who are not aware cobblestrike is just like a software and it allows adversary simulation teams like the team I work with to provide these services essentially it allows you to have to manage and deploy malware remotely and also at the same time manage a large number of systems it was originally created by raffle Munch and now I think it's part of forta also for those that are a little bit old

school you probably remember the original Armitage which was similar to the UI of cobblestrike so cobblestrike was just let's say the pro version that was not using Metasploit anymore so just a brief introduction on the architecture as well because we need to to be aware of how the the software is the architecture of the software is before like understanding the vulnerabilities so we have three main components we have the team server so the team server is actually the the core of global strike is the back-end server that handles everything that happens in combo strike including the C2 profiles the generation of the payloads and uh the create the creation the handling of the https request

Etc and then we have the client which is the second component and the client is actually this interface as you see here it allows The Operators to actually interact with the team server and manage all the compromise systems that you have and also provides you with some attack methods that you can use to generate new payloads or like host payloads Etc uh the other component is the beacon so the beacon is actually the malware that is deployed on the systems and that is the one that's actually connects back to the team servers retrieves any commands that the operator sent to the team server and then executes and gives back the output and as I mentioned earlier is actually

one of the most used C2 Frameworks in the industry and this is by Red teams but also at the same time by a lot of threat actors so it was a really interesting Target to work on and try to understand try to reproduce the vulnerability so for those who do vulnerability research the first thing that you probably do is the same the steps that we follow here so we got the latest version of global strike and the previous one that was vulnerable and we decompiled them using a Java decompiler and try to find uh what were the differences between these two programs so the first thing that we actually saw there was a function within the beacon

C2 class that actually was changed and it had a new flag um unfortunately it's not readable in the screen but essentially the flag checked if there was a xss mitigations flag set in the team server.prop file which wasn't there before and another thing interesting thing was that the beacon entry class had some checks so for example it was checking the not sure if like the username the computer name the process name it was checking these labels for specific characters that contain an exercise string and they had two functions that they did this the first one was a potential xss and the other one was username potential xss so that was what we needed to understand

how these checks are done so as you can see here these two functions were implemented in the common HTML utils class so we have the first potential exercise function which takes as a parameter string and then we have the potential username xss so if you take a look and if you actually understood the like how exercise vulnerabilities happen like you can see that they're checking for some special characters and it's not the most ideal patch although it's effective and it works like they didn't have to do that and it it shows that whoever created this patch is probably not let's say the most aware software developer about uh xss vulnerabilities because you could make the patch way

more effective and just use one function and as soon as we saw this we understood that there was definitely something wrong happening because this quad quality was not something that you would expect to be in a software that is used by a lot of red teams so we found out that actually the patch was only checking for specific labels that I mentioned earlier go back so basically it was checking only these labels if they contained any xss um strings but every other label within the framework was not actually getting checked so that meant that if we somehow could manipulate any of the labels we could actually inject HTML objects um we found out that a lot of the labels

essentially all of them apart from the ones that they were checking could were still injectable with HTML objects like the notes one the HTML HTTP listener names so now we had reproduced let's say a new vulnerability similar to the previous one but at the same time we only had we only believed it will be a next success so we needed to dig a little bit deeper to actually find out how we can turn that to RC so before going back I'm uh going forward sorry uh I'm going to go through a little bit of java because this spoke will be heavily oriented in Java and if someone actually likes Java hair play to you but it's not my favorite language so

for those that are not aware of java is a high level object-oriented programming language and it's used in almost every device uh unfortunately and hence the famous installation uh installation program from java which says like it runs in three billion devices it's probably more now so the thing is that couple strike is built in Java so the team server and every component is built in Java and the one that we are interested in the cobblestrike UI which is the user interface and which was the vulnerable component is built on in Java using the Java Swing Library so going forward if you have good knowledge of java objects Etc I think it will be a really interesting tool I try to make

all the information processible by everyone even if you don't know Java but if you know Java it's going to be way easier so like SMS trailer recover strike was using the Java Swing Library so the Java Swing live framework is a framework that allows you to build the graphical user interfaces for Java programs and I'm pretty sure if you did Java school that's probably one of the first things you actually did and we found out actually that or at least I found out that I uh like Java Swing elements actually support HTML which I didn't know before so basically if you could if you could start a specific label or let's say a button with a HTML tag it will actually parse

that as HTML which was really crazy for me I'm not sure why they did that but at the end of the day is Java so everything is expected so before uh so now we have let's say on cobblestrike we have some fields that we could inject HTML to and we could like try and test the different HTML injection techniques that we could do but unfortunately uh we don't know like how cobblestrike may uh process that information or or how it's going to change it so for this reason to make it everything easier I've just decided to write a simple program I'm not going to go through it but I'm just going to say uh so basically the

idea is we're just create a new frame and then if you see here we have a HTML in the description of the label so just a hello and then H1 which is header from J label and then as you can see from the results it actually after compiling it or running it like the hello is actually just like the normal one and then from uh the from J level is actually parsys HTML as you can see here so that was a good point we could actually reproduce the HTML so I needed to find a way to actually make this HTML injection useful because at at this moment it was like not useful at all because we could only inject like uh

like headers and nothing so so basically uh the the release note said it wasn't xss but and I've been mentioning this like like an exercise vulnerability so an exercise vulnerability for those who don't know stands for cross-site scripting vulnerability which allows you to actually insert some JavaScript code somewhere but this was not an exercise at best you could call this the HTML injection because there was no possibility for actually injecting JavaScript so from an exploitment perspective this was useless because we couldn't do anything interesting I mean we could insert like images and maybe like uh insert some memes to The Operators without them actually expecting them but it wasn't really useful but what I found out was because knowing

Java and it's low for object the serialization vulnerabilities I just tried the object tag which is really an old uh tag and it's not used a lot anymore and then I see this interesting Behavior I have this two question marks in red and I was really suspicious because like there's something happening right because when we included like different tags like it was nothing was happening and then the object tag we get that those question marks so there was something interesting and was definitely not what we expected so we decided to dig deeper and then decided to take a look at the object tag from Java Swing and to my surprise uh not really but to everyone's surprise

the object tag in Java Swing actually allows specific objects to be included which was again surprising so if you see here it says that this view will try to load the class specified by the class ID attribute and then it will loads the document Etc so essentially if you see here a simple example HTML invocation you can see that it creates a new object with the class ID the name of uh Java x dot swing.j label and then we have the parameter text and the value sample text so that this means that we can actually create specific Java objects so in my test program I go back there and just created a simple HTML tag in this

case the object class ID and try to create a Java X swing J button which is a class for creating buttons and as you can see here the button was actually created within the J label so okay we can create arbitrary objects and probably everyone that's familiar with Java exploitation when you can create arbitrary objects you can do a lot of stuff and that's what I thought so I was really happy because finally I could create some objects and I was thinking of just like okay so we can create arbitrary objects we just call initialize a new instance of java length.frontime.exec which is a class in Java and then we'll be able to just get

remote command execution right so it's just simple easy so tried to initialize it nothing was happening we just got the question marks again which was frustrating and this this is actually me when I tried it and then we attempted to initialize other classes without success and they were not working so we had to actually study what was happening and dig a little bit deeper so I started analyzing how the the HTML parsing was actually happening and how the tags each text was getting processed so if you see here this is from the the Java Swing framework so basically it has some specific tags and the tag that we're interested in this case is the object tag and the object tag

uses the object view object view class for it shows that the objective class is actually responsible for handling the object tag so uh then we decided to actually analyze uh this this new class so as you can see here the create component function I'm not sure if it's readable but I'll try to explain it a little bit so basically if you read the code the create component function it's actually the one that let's say creates the the the the the element that you defined in the object tag so if you see here the first thing it does it gets all the attributes in an attribute set which is the specific variable and then it gets the class name

from the class ID so after it does that uh it creates a new instance of the of this class like it does some Java magic which I'm not going to go deep into it because there will probably be another thought but essentially it creates a new instance of this object and then it will check if this instance is and is a child of component so the component class let me just try to get back yeah so if you see here the component class is actually I don't think it's visible but the component class it's actually uh the parent for the J component and the J component is parent for all the the different elements that Java Swing framework has

like the J menu J table J level J button Etc so it checks if that's part of the component if it's a child of component and then if it is it will call the set parameters function with component uh with the new newly created class and the attribute that you got earlier and then if it's not an instance of component or that uh there is some error it will call the get unloadable representation which if you read the function it actually creates a new label with two question marks and makes them red which was the initial uh behavior that we were seeing so that means that previously when we tried to load those specific classes

here uh like here for example if we try to load specific class this was actually what was happening and that's why we're getting the red question marks uh but what if we find something that's part of that's an instance of components and uh we we started to analyze what was happening with the set parameters function so the set parameters function uh it's not really complex function essentially it does what it does is it checks if any of the parameters uh that we were specified in the attributes of the HTML element uh for each of them it will check if there is a Setter method or I calculated right method or a function essentially what the setter method is is if you have

a class you have a certain variable for example employee and then you have employee name you have you would call the setter method a function that would change the value of the employee name for example and then if this method actually exists or this function it will call the appropriate function with a specific specified value that we provided earlier on this so just to make it a little bit easier because I know it's a little bit complex so basically if we provide the following HTML to the library itself to Java Swing what it will do is it will first create an instance of this object the Hello by name object and then it will check if this object is

actually a subclass or a child of java.awt.component and then if it's a child of that class it will actually call the setter method for the my name parameter and set the value to real so I I know it's a little bit complex and I'll be talking Java for a long time but I I wanted to kind of explain all the requirements and all the steps that we follow because if you don't understand all the steps that went to each you probably won't understand the vulnerability itself so basically at this moment we can um we can initialize some objects but we have some very specific needs so for example if we want to actually achieve command execution what we have to do is

we have to find the class it's actually a subclass of java.awt.component and this class should have a Setter method and this Setter method should only have a single parameter of type string and when we call this method we can sum we should be able to somehow manipulate to achieve command execution or some other thing but like going through the internet source code of cobblestrike not Source but the decompiled version of global spike is not really easy so um with we didn't want to manually analyze all of it right so what what can we do about it because it's like searching a needle in haystack so for this reason we decided to use Derby so for those who are not aware of

this tool is actually really awesome it's probably uh have it in Your Arsenal okay uh so tab is an open source code analysis tool for Java it's it's mainly used to actually discover the serialization gadgets but you can use it for like other code analysis uh to code analysis techniques that you want so basically in the background what it does it has the neo4j database and you can import different types of java programs like draw files and essentially any like common on files for Java compiled programs as well and what it will do is like analyze these files and create graphs based on these functions on the functions that that are within these programs so for this reason uh we loaded the

Cobra strike uh draft file into copy analyze it with a database and then we just wrote a custom Cipher query so Cipher query is kind of similar to SQL but it's for um it's for neo4j databases so for example what I told the program here which is not readable is I told it like give me all the classes that are subclasses of java.aw component and that have a method that starts with set and has one specific uh parameter of type string and that it's not some specific values that I excluded from it so in total I think we got I think around 48 I'm not sure uh so 48 functions to analyze is not a big

job manually so we decided to take a look at all the functions so all the 48 methods or functions that we discovered weren't really interesting they were like mainly to just change a text label or maybe like update something but nothing was like really useful from an exploit the exploitation perspective so out of these 48 discovered methods we found out that the set URI method in the jsvg canvas class was interesting because it's uh it matched all our requirements so it started with set and it was for the URI element it had a single parameter which was stock type string in this case you know URI and then using this uh this variable it actually

called another function which was load SVG document and this fulfilled all our requirements and uh if if you're if you actually saw discovered like a nexus's vulnerability uh you probably know that SVG files allow you to include xss so at this point I was pretty certain that this was the vulnerability itself so I have an SVG file I'll just include it script alert one which is the most common scripting uh payload that probably most people use so I I thought okay so the previous one was an uh was the next success but was was not a real xss so at this time we have the SVG file so it's probably an xss and we can

exploit it right well no so basically uh what I did was I hosted the SVG file in a remote location and injected the following HTML in the notes field so basically as I mentioned earlier just the object class that we wanted and we have the parameter URI and this is the URL and we're I was expecting it to actually uh give me the the alert one but even though the SVG file was actually loaded we got an exception so now the SVG file was sparse but then this filed through an exception because it tried to load the class which did not find and it was org that Mozilla the JavaScript are scriptable and at this point I was like okay so

this SVG file is somehow now loading in your class that is not finding it so can we somehow manipulate this to to actually load the class of our liking and uh yes we can so basically we found out that jsvg canvas class was actually part of the Apache batik Library and we'll search the documentation in details and was reading it for probably like way too longer than we should have and then we found out this uh this entry so basically it says referencing Java code from a document from an SVG document and everyone who's in security probably knows that's not the best idea so it had some specific requirements so the first one is it should have been a

script element which we used before and then in order for this to actually work correctly it should be an application Java archive so the the script element type should have been like that and then the the link of the jar file it should have been in x-link href so essentially at this moment we understood that we have this this SVG file then some with this SVG file we can reference external jar files and actually execute code and uh I was feeling a little bit like excited but uh all the other attempts that failed I was like still suspicious if it will work or not so it's an exploitation plan so we have everything to potentially kind of to

actually execute code so we have the HTML injection we have the object reaction Etc so basically the next step was to actually build an SVG file that references the malicious jar package so you can see it here like following the documentation we just like linked a jar file which we create which I'll talk to you later on and then just leave the SVG like that and then we create the malicious jar file so we had to do some specific uh so for example here we had to manually modify the Manifest file uh to include the class that we actually want to call and then we implemented the class and within the class you have to actually

Implement another event listener and the event listener will essentially just call runtime dot get runtime exec with a calculator and it will uh we'll execute the calculator so I created the SVG and the jar file we hosted them remotely we injected the malicious HTML in the vulnerable field that we were testing in this case notes and after injecting this in the node field we can see here that we got some requests first we get the SVG file and then the jar files and then we can see here the notes actually is getting rendered and just executing the calculator so this was like a success because we finally managed to prove that it was still possible to actually execute code

and calculator probably is not the easiest way to start the calculator but I think it's one of the coolest one but this is all good right uh but the problem with with this vulnerability is because it's triggered in the note field so the note field is only accessible by an operator so for example I can only change that if I actually have credentials to the team server and it's not really useful also you can actually compromise other operators your colleagues it's I don't think it's something that uh has an impact in the real world so we decided to actually see how we can exploit this from another perspective so basically if if you recall earlier I

explained the architecture of global strike and we were trying to actually exploit this vulnerability from the beacon itself because the beacon is actually the malware that's deployed in several systems and once you deploy the malware in the system that means that someone that you have compromised can actually hack you back and like compromise your your system essentially where you're running Google strike so this was the main focus and some of the fields that we found out were still vulnerable from a beacon perspective the first one was the process browser UI which is uh here on the right essentially just like a user interface that you can see uh the remote processes that are ran on a Target so

for example you have the process name pit the architecture Etc and then you have the the other field fields which is the file browser UI which is here so the process browser UI is not really used because Google strike has also uh a console command which uh it's probably that's the best way to actually use and in my day-to-day operations I rarely use the process browser UI but on the other hand the file browser UI is something really useful and I use it quite heavily because it's really difficult to actually browse the file system without using a a user interface so this was essentially the file browser was essentially a better Target uh yeah so if you if we wanted to use

the process browser we could still do that but it was not uh really useful so we decided to focus on the file browser so the first thing that we actually needed to do to actually uh exploit this from the beacon perspective was try to see which function was responsible for the beacon to find or listing the files so for example we have here the function finds next file a which like after reversing the beacon uh we found out it was the function that was using to find the files and list the files and you have two parameters the first one is just a handle uh to a folder and then you have I think a file or folder it doesn't

matter but uh it's just the handle and then you have uh another parameter which is the long pointer to a win32 find data structure so basically the structure definition is here uh essentially it has all the details for the files so uh you have like the file name the alternate name the file type Creator type Etc so everything so basically if you see here the file name is actually uh a v chart so basically it's just a string sorry and so basically like the file name that we have here is basically just a string so if we can somehow modify the response to this function and modify the file name we can include our HTML or uh injection object and then

perform remote command execution on the UI from the beacon but how can we do that so we we decided to just like hook the function uh so basically for those who don't know what hooking is essentially is the process of intercepting um a function call by or in a program by redirecting it and so how it works is you have the function and then you rewrite the function to uh you rewrite the function codes to actually jump to another location and then you can do whatever you want with that function so there are several methods to actually perform it there is a Microsoft detours there is three dust grapes Etc uh just to make things easier

I use the fermion which is the tool uh develop one or by one of my colleagues and essentially just like a cross-platform framework that allows you to use Freeda scripts and easily develop them so basically the plan was develop a free dust script that somehow will redirect the will modify the response of the finex file a function so we can see here uh on the right it's just a simple function essentially we have the Interceptor data touch which will find the pointer to that function and then it will modify so if you see here on leave it says it will modify when the function returns rather than when it starts so if you see here we just replay uh

replace the the string of the or the file name itself with our exploitation string which is the malicious HTML as you can see up so basically sorry so basically the plan was to actually inject this one to the beacon uh and change the return value and uh fortunately for me after several failed attempts it actually worked so basically when the operator uh opens the file browser and tries to interact with a beacon the beacon will receive the commands and Define next file a will be modified by our malicious script and then it will return the malicious code uh the malicious HTML object which will indeed execute the SVG file the jar file and then the calculator and yes that's me

after getting it after two weeks of actually probably not sleeping a lot so I'm just going to show a quick demo should be open here Yeah so basically we have the cobblestrike interface UI and this was the latest version at that time and then we have the victim PC where we execute the beacon the beacon is the malware that I mentioned earlier and then we see I just run the command task list to actually get uh the bit of the beacon and if is as you see there is probably not visible we inject the the free dust script to that uh to that process and and everything is working fine so now from the operator perspective the operator

after getting access to your system we'll try okay so I want to see uh the file bro like what files this user has and we're just going to take a little bit because I think sleep time was one minute Yeah so basically this is just waiting because the local strike UI has a sleep time of one uh one minute so basically as soon as everything loads uh you can see that several calculators popped up and we can see that the injection uh on the right was actually successful so that's that's how we finally managed to execute remotely execute code in the global strike UI from the beacon perspective so before like uh finishing off with the

presentation as I mentioned earlier uh this my work wouldn't be possible without the amazing resources that I've listed here so if you want to take a read I highly recommend it uh so yeah uh there was my talk thank you everyone if you have any questions [Applause] real thank you very much it was great presentation does anybody has any question even if you don't want to make them public feel free to reach out later on so thank you very much