Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 31 Mar 2016 17:02:05 -0700
From: Brian Wallace <bwall9809@...il.com>
To: oss-security@...ts.openwall.com
Cc: Christopher Truncer <ctruncer@...l-framework.com>
Subject: CVE Request - Multiple remote command injection vulnerabilities in
 Veil-Evasion RPC

Hello,

Three remote code execution vulnerabilities have been discovered in
Veil-Evasion's RPC, which is instantiated with `veil-evasion --rpc` or
`python Veil-Evasion --rpc`.  Additionally, previous to version 2.25, this
RPC allowed connections from any IP address instead of only "localhost",
increasing the severity of the command injection vulnerabilities and
allowing for remote exploitation.  This RPC public availability may also be
considered a vulnerability itself, as it was unintended.

All issues have been reported to the developers of the Veil-Evasion
project, and patches have been applied for version 2.25.  Issues are
believed to affect versions of Veil-Evasion from 2.5.2 through 2.24.


Remote command injection in "native/hyperion" module:
This module allows for injection into a command line call to the hyperion
utility.  A vulnerable version of the command line call can be found here:
https://github.com/Veil-Framework/Veil-Evasion/blob/c30d2f085a1a1644395b64a6d151cb0ea5a19dfb/modules/payloads/native/hyperion.py#L42
An attacker can control input to this field through the ORIGINAL_EXE
field.  A sample RPC call exploiting this vulnerability is as follows (will
create the file /tmp/victory):
{"method": "generate", "params": ["payload=native/hyperion",
"outputbase=base", "pwnstaller=N", "ORIGINAL_EXE=/tmp $(touch
/tmp/victory)"],"id": 1}
An attacker could use this vulnerability to execute any desired commands on
the victim host.

This issue is resolved in the following commit (version 2.25):
https://github.com/Veil-Framework/Veil-Evasion/commit/cd9d95ad368959d1eee03a250ec61206a046829a


Remote command injection in "native/pescrambler" module:
This module allows for injection into a command line call to the
pescrambler utility. A vulnerable version of the command line call can be
found here:
https://github.com/Veil-Framework/Veil-Evasion/blob/c30d2f085a1a1644395b64a6d151cb0ea5a19dfb/modules/payloads/native/pe_scrambler.py#L42
An attacker can control input to this field through the ORIGINAL_EXE
field.  A sample RPC call exploiting this vulnerability is as follows (will
create the file /tmp/victory):
{"method": "generate", "params": ["payload=native/pe_scrambler",
"outputbase=base", "pwnstaller=N", "ORIGINAL_EXE=/tmp $(touch
/tmp/victory)"],"id": 1}
An attacker could use this vulnerability to execute any desired commands on
the victim host.

This issue is resolved in the following commit (version 2.25):
https://github.com/Veil-Framework/Veil-Evasion/commit/cd9d95ad368959d1eee03a250ec61206a046829a


Remote command injection into "msfvenom" parameter:
When msfvenom is used to generate shellcode, a user may supply options to
the msfvenom command line call.  An attacker may use this to insert other
commands to be executed.  The command line execution of msfvenom can be
found here:
https://github.com/Veil-Framework/Veil-Evasion/blob/c30d2f085a1a1644395b64a6d151cb0ea5a19dfb/modules/common/shellcode.py#L498
Based on the functionality provided, the selected solution to the problem
was to parse input as a shell script, and deny any input which appeared to
include attempts at command injection.  An attacker can abuse this with the
following RPC call in version 2.24 (different versions may require
different modules depending on msfvenom support):
{"method": "generate", "params": ["payload=c/shellcode_inject/flatc",
"msfvenom=$(touch /tmp/victory)", "outputbase=base", "pwnstaller=N",
"COMPILE_TO_EXE=Y", "INJECT_METHOD=Virtual", ], "id": 1}
An attacker could use this vulnerability to execute any desired commands on
the victim host.

This issue was resolved in the following commit (version 2.25):
https://github.com/Veil-Framework/Veil-Evasion/commit/be10ddddaeacf232cec9dca5e49461454237ee8a


RPC unauthenticated public access:
The RPC provided on port 4242 for Veil-Evasion is exposed to external IP
addresses instead of only to localhost from its initial implementation up
until 2.25 patched this issue.  Aside from the issues noted above, this
would allow for an attacker to send commands to the Veil-Evasion RPC,
generating payloads, and other available functionality which may not be
desirable to unauthorized users.  The code causing the issue can be
observed here:
https://github.com/Veil-Framework/Veil-Evasion/commit/533d58721cef3f9d68303d628999d34d9ba3482b#diff-406918d36f7373d0d7e29279ceff3c8bR201

This issue was resolved in the following commit (version 2.25):
https://github.com/Veil-Framework/Veil-Evasion/commit/3cffe14ee5f9361697496ea045a95d62b38d52d4


Vulnerabilities were discovered and reported by Brian Wallace
bwall9809@...il.com.

Chis Truncer (cc'd) is the primary developer for Veil-Evasion, and showed
an exemplary response to the vulnerability reporting.

CVEs for these issues have not been previously requested.

A combined proof of concept in Python 2.7 is attached.

This is my first request to this mailing list, so I apologize in advance
for any misinterpretations of protocol.

Thank you,
Brian Wallace

Content of type "text/html" skipped

View attachment "poc.py" of type "text/x-python" (1118 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ