Sunday, November 17, 2024

Open Source C2 Frameworks Used In Red Teaming Assessments Vulnerable To RCE Attacks


Open-source C2 frameworks, crucial for post-exploitation operations, offer alternatives to Cobalt Strike. They streamline the management of compromised systems, enable efficient collaboration, and evade detection by providing customizable behaviors.

A C2 framework is a toolset attackers use to control and manage compromised systems remotely. It comprises agents, team servers, and clients, and offers features like evasion, data exfiltration, and task management.

Agents connect to team servers, which handle communication and provide services like agent generation and data storage.

Architecture

Open-source C2 frameworks are diverse and often limited by component coupling.

Golang and C# dominate modern frameworks, while Python and PowerShell are legacy choices. Popular frameworks include Mythic, Sliver, and Havoc.


C2 frameworks face threats from compromised agents, compromised team servers, and unauthenticated third parties, any of which can lead to data exfiltration, privilege escalation, and denial of service.

Sliver, a Golang-based C2 framework, offers powerful and reliable agents, versatile execution methods, and a vast extension library.

Its high-quality agent architecture and code ensure secure communication and reliable operations.

A vulnerability in Sliver allowed authenticated operators to execute arbitrary code on the team server by overwriting a bundled binary with a Metasploit stager. It was fixed by removing the generate msf-stager command and instructing operators to build their stagers locally.

Sliver

Havoc, a C2 framework with a Qt GUI, offers process injection and .NET inline assembly for remote shellcode execution.

Despite its less mature codebase, Havoc’s impressive UI and active development make it a promising alternative to Sliver.

Its team server has an authenticated RCE vulnerability due to unsanitized “Service Name” input in an exec.Command() call.

An attacker can inject arbitrary commands into the compilation process by crafting a specific payload in the field, leading to remote code execution.

The researchers also discovered an authentication bypass in Havoc’s Service API: incorrect credentials did not result in a failed authentication, which allowed malicious services to connect to the team server and send unauthorized messages.
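The bug class described above, as an added illustration that is not Havoc's code: a check that notices the credential mismatch but never rejects, beside the corrected gate that refuses the service before any message is handled. The hashing scheme and function names are assumptions for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

var ErrUnauthorized = errors.New("service authentication failed")

// ServiceAuth holds the team server's expected service credential (hashed).
type ServiceAuth struct{ expected [32]byte }

// NewServiceAuth derives the stored hash from the configured password.
func NewServiceAuth(password string) *ServiceAuth {
	return &ServiceAuth{expected: sha256.Sum256([]byte(password))}
}

// brokenAuthenticate mirrors the defect: the mismatch is noticed and logged,
// but the function still reports success, so a service presenting wrong
// credentials is admitted. Kept only to contrast with Authenticate.
func (a *ServiceAuth) brokenAuthenticate(password string) bool {
	got := sha256.Sum256([]byte(password))
	if subtle.ConstantTimeCompare(got[:], a.expected[:]) != 1 {
		fmt.Println("warning: bad service credentials") // missing: return false
	}
	return true
}

// Authenticate is the corrected form: a mismatch is an error, compared in
// constant time, and the caller must drop the connection on error.
func (a *ServiceAuth) Authenticate(password string) error {
	got := sha256.Sum256([]byte(password))
	if subtle.ConstantTimeCompare(got[:], a.expected[:]) != 1 {
		return ErrUnauthorized
	}
	return nil
}

// HandleServiceMessage shows the gate in use: authenticate first, and only
// then accept a message from the connecting service.
func HandleServiceMessage(a *ServiceAuth, password, msg string) (string, error) {
	if err := a.Authenticate(password); err != nil {
		return "", err
	}
	return "accepted: " + msg, nil
}

func main() {
	a := NewServiceAuth("constructed-service-secret") // constructed sample credential
	fmt.Println("broken check admits wrong password:", a.brokenAuthenticate("wrong"))
	_, err := HandleServiceMessage(a, "wrong", "register")
	fmt.Println("fixed check result:", err)
}
```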

Ninja

The researchers had found authenticated RCEs in two C2 frameworks but could not exploit them without authentication.

They then investigated Ninja C2, a stealth-oriented C2 framework, and found a feature set similar to Sliver and Havoc with an emphasis on evasion.

The Ninja web server is vulnerable to unauthenticated arbitrary file downloads due to path traversal, leading to remote code execution.

A malicious agent can register with the team server and upload a malicious file to an arbitrary location, exploiting the vulnerability.
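The check that prevents the path traversal described above, as an added example that is not Ninja's code: every agent- or client-supplied path is resolved under a fixed upload root and refused if it lands outside it. The root directory is a constructed value.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var ErrPathEscape = errors.New("path escapes the upload root")

// SafeJoin resolves an untrusted relative path under root and refuses any
// value that would resolve outside root. Join cleans the result, which
// collapses "a/../../b" style sequences; the prefix check then catches
// whatever would still leave the root. Absolute paths, empty paths, NUL
// bytes and the root directory itself are rejected outright.
// Note: if root may contain symlinks, resolve it with filepath.EvalSymlinks
// before calling this, so the prefix comparison uses the real location.
func SafeJoin(root, untrusted string) (string, error) {
	if untrusted == "" || filepath.IsAbs(untrusted) || strings.ContainsRune(untrusted, 0) {
		return "", ErrPathEscape
	}
	cleanRoot := filepath.Clean(root)
	full := filepath.Join(cleanRoot, untrusted)
	if !strings.HasPrefix(full, cleanRoot+string(filepath.Separator)) {
		return "", ErrPathEscape
	}
	return full, nil
}

func main() {
	// Constructed upload root; nothing is written to disk here.
	root := filepath.Join(string(filepath.Separator), "srv", "c2", "uploads")
	for _, p := range []string{"reports/a.txt", "a/../b", "../etc/passwd", "a/../../b", "."} {
		got, err := SafeJoin(root, p)
		if err != nil {
			fmt.Printf("%-16q rejected: %v\n", p, err)
			continue
		}
		fmt.Printf("%-16q -> %s\n", p, got)
	}
}
```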

SHAD0W, a modular C2 framework, is vulnerable to unauthenticated RCE because untrusted beacon-provided values are injected into commands run on the team server during module compilation. A malicious beacon can use this to execute arbitrary commands on the team server.
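Both the Havoc "Service Name" issue and the SHAD0W beacon-value issue above share one shape: an untrusted string is interpolated into a compile command that a shell parses. The added Go example below (not code from either project) shows that shape beside the hardened form, which allowlists the value and passes it as a separate argv element so no shell ever interprets it. The compiler name and flags are placeholders.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"regexp"
)

// Allowlist for an operator- or beacon-supplied name: letters, digits, '-'
// and '_', 1..64 characters. Shell metacharacters (; | & $ ` < > quotes)
// cannot match, so the value is rejected before it reaches any command.
var serviceNameRe = regexp.MustCompile(`^[A-Za-z0-9_-]{1,64}$`)

var ErrBadServiceName = errors.New("name contains characters outside the allowlist")

// ValidateServiceName rejects any value not on the allowlist.
func ValidateServiceName(name string) error {
	if !serviceNameRe.MatchString(name) {
		return ErrBadServiceName
	}
	return nil
}

// unsafeCompileCommand is the defect's shape: the untrusted value is pasted
// into one string destined for "sh -c", so metacharacters in it become
// extra commands. It is never executed here; it exists only as contrast.
func unsafeCompileCommand(name string) string {
	return fmt.Sprintf("placeholder-cc -DSERVICE_NAME=\"%s\" -o svc.bin svc.c", name)
}

// SafeCompileArgs validates the name and returns the compiler argv. Each
// argument is its own element; handed to exec.Command without a shell, a
// value such as "svc; echo x" would be just an odd string, and the
// allowlist rejects it anyway.
func SafeCompileArgs(name string) ([]string, error) {
	if err := ValidateServiceName(name); err != nil {
		return nil, err
	}
	return []string{"-DSERVICE_NAME=" + name, "-o", "svc.bin", "svc.c"}, nil
}

func main() {
	for _, n := range []string{"UpdateSvc", "svc; echo x"} { // constructed inputs
		args, err := SafeCompileArgs(n)
		if err != nil {
			fmt.Printf("%q rejected: %v\n", n, err)
			continue
		}
		cmd := exec.Command("placeholder-cc", args...) // argv form, no shell
		fmt.Printf("%q accepted -> %v\n", n, cmd.Args)
	}
}
```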

Covenant

The Covenant framework, previously popular for red team operations, is vulnerable to a privilege escalation attack: a user can exploit a flaw in the user interface to obtain administrator privileges and then create custom HTTP profiles that execute arbitrary C# code on the server, leading to remote code execution.

According to Include Security, the complexity of C2 frameworks and the need to handle untrusted input make them prone to RCE vulnerabilities.

While most frameworks implement validation measures, oversights can lead to exploitation.
