A few days ago an interesting vulnerability was disclosed in the penetration testing tool Cobalt Strike. Because the patch is distributed only to licensed users, those running pirated copies of the tool, including a large number of botnet operators, will not be able to apply the fix in time and face the prospect of being attacked themselves.
Cobalt Strike is a legitimate security tool used by penetration testers to simulate malicious activity in a network. Over the past few years it has been increasingly adopted by criminal hacking groups. For defenders and attackers alike, Cobalt Strike provides a complete toolkit that lets infected computers and attacker-controlled servers interact in a highly customizable way.
The main components of Cobalt Strike are the client implant (known as Beacon), which runs on the infected computer, and the Cobalt Strike Team Server (Team Server), which sends commands to infected computers and receives the data they exfiltrate. An attacker starts by standing up a machine running Team Server configured with a specific Malleable C2 profile, which customizes, for example, how often the Beacon checks in with the server or what data it sends periodically.
The attacker then installs the Beacon on the target machine, whether by exploiting a vulnerability, tricking the user, or gaining access some other way. From then on the Beacon uses those customizations to maintain persistent contact with the machine running Team Server.
The link between the Beacon and the server is the Team Server's web server thread, which handles the communication between the two machines. Most of that traffic consists of "tasks" sent by the server, instructing the Beacon to run a command, list processes, or perform other actions, to which the Beacon responds with a "reply".
Gal Kristal, a researcher at security firm SentinelOne, discovered a critical vulnerability in Team Server that could easily take the server offline. “The vulnerability works by sending a fake server reply, extracting all available memory from the C2’s web server thread,” the researcher said.
All that is needed to carry out the attack is knowledge of some of the server's configuration. These settings are embedded in Beacon samples, which are frequently available through services such as VirusTotal, and they can also be recovered by anyone with access to a compromised client.
To simplify the process, SentinelOne has released a parser that extracts the configuration from malware samples, memory dumps, or the URL a Beacon uses to contact its server. With those settings in hand, an attacker can use the communication module bundled with the parser to impersonate a Beacon belonging to that server.
The tool can:
Parse the Malleable C2 configuration embedded in a Beacon
Parse the Beacon configuration directly from an active C2 server (like the popular nmap script)
Communicate with a C2 server as a fake Beacon (basic code)
A fake Beacon can send a reply even when the server never issued the corresponding task. Because of the vulnerability in Team Server, tracked as CVE-2021-36798, the server does not reject replies that contain malformed data. One example is the data attached to the screenshots a Beacon uploads to the server.
“By manipulating the size of the screenshots, we can get the server to allocate memory of any size, the size of which is completely under our control, and by combining all the knowledge of the Beacon communication flow with our config parser, we have everything we need to fake a beacon,” Kristal wrote.
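To make the task/reply flow and the flaw concrete, here is an added, constructed illustration. It is not SentinelOne's parser and not Cobalt Strike's real wire format, handler code, or numbers: the reply layout, the callback identifier, the heap budget and the screenshot size cap are all assumptions. It places a toy server-side reply handler with the described weakness (it allocates whatever size the sender declares, for a task it never issued) next to a hardened version that refuses unsolicited, oversized and inconsistent replies before reserving memory. Memory is only counted, not really allocated, so the 2 GiB fake reply is safe to run.

```python
import struct

# Constructed, illustrative reply layout; NOT Cobalt Strike's real wire format.
#   callback id (u32) | task id (u32) | declared payload length (u32) | payload
HEADER = struct.Struct(">III")
CALLBACK_SCREENSHOT = 3                 # assumed callback id for screenshot replies
SERVER_HEAP_BYTES = 256 * 1024 * 1024   # assumed heap budget of the server thread
MAX_SCREENSHOT_BYTES = 8 * 1024 * 1024  # assumed sane upper bound for one screenshot


class Heap:
    """Toy allocator: only counts reserved bytes, so a 2 GiB request is safe to model."""

    def __init__(self, limit=SERVER_HEAP_BYTES):
        self.limit = limit
        self.used = 0

    def alloc(self, n):
        if self.used + n > self.limit:
            raise MemoryError(f"heap exhausted: need {self.used + n}, have {self.limit}")
        self.used += n
        return n


class ReplyRejected(Exception):
    """Raised by the hardened handler for replies it refuses to process."""


def pack_reply(callback, task_id, declared_len, payload=b""):
    """Build a reply as a (real or fake) Beacon would send it."""
    return HEADER.pack(callback, task_id, declared_len) + payload


def handle_reply_vulnerable(heap, outstanding_tasks, msg):
    """Flawed handler: reserves the declared size before checking anything else.
    It checks neither that a task was issued nor that the size is plausible."""
    callback, task_id, declared_len = HEADER.unpack_from(msg)
    return heap.alloc(declared_len)     # size fully under the sender's control


def handle_reply_hardened(heap, outstanding_tasks, msg):
    """Hardened handler: reject unsolicited, oversized and inconsistent replies
    before reserving any memory for the payload."""
    if len(msg) < HEADER.size:
        raise ReplyRejected("truncated header")
    callback, task_id, declared_len = HEADER.unpack_from(msg)
    if task_id not in outstanding_tasks:
        raise ReplyRejected(f"reply for task {task_id:#x}, which was never issued")
    if callback == CALLBACK_SCREENSHOT and declared_len > MAX_SCREENSHOT_BYTES:
        raise ReplyRejected(f"declared screenshot length {declared_len} exceeds cap")
    actual_len = len(msg) - HEADER.size
    if declared_len != actual_len:
        raise ReplyRejected(f"declared {declared_len} bytes but received {actual_len}")
    outstanding_tasks.discard(task_id)  # a task may be answered only once
    return heap.alloc(declared_len)


def deliver(handler, heap, outstanding_tasks, msg):
    """Run one reply through a handler and report what happened to the server."""
    try:
        handler(heap, outstanding_tasks, msg)
    except ReplyRejected:
        return "rejected"
    except MemoryError:
        return "crashed"
    return "accepted"


def run_fake_beacon(handler):
    """The scenario from the article: a fake Beacon that was never tasked sends a
    screenshot reply whose declared size is chosen by the attacker."""
    heap = Heap()
    never_tasked = set()
    fake = pack_reply(CALLBACK_SCREENSHOT, task_id=0x41414141, declared_len=0x7FFFFFFF)
    return deliver(handler, heap, never_tasked, fake)


def run_legit_beacon(handler):
    """Control case: the server issued task 7 and gets a 1000-byte screenshot back."""
    heap = Heap()
    tasks = {7}
    reply = pack_reply(CALLBACK_SCREENSHOT, 7, 1000, b"\x89PNG" + b"\x00" * 996)
    return deliver(handler, heap, tasks, reply), heap.used


if __name__ == "__main__":
    print("vulnerable server, fake beacon:", run_fake_beacon(handle_reply_vulnerable))
    print("hardened server,  fake beacon:", run_fake_beacon(handle_reply_hardened))
    print("hardened server, legit beacon:", run_legit_beacon(handle_reply_hardened))
```

The order of the checks in the hardened handler is the point: a reply is matched against an outstanding task and its declared length is bounded and compared with the bytes actually received before any allocation happens, so a sender who knows only the server's configuration cannot dictate how much memory the server thread reserves.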
Although the vulnerability could in theory be used against both white hat and black hat hackers, it is the latter who are, interestingly, most exposed. Most professional security practitioners have purchased a Cobalt Strike license and will receive the patch, whereas many malicious actors run pirated copies of the software.