Saturday, December 14, 2024

Open Source C2 Frameworks Used In Red Teaming Assessments Vulnerable To RCE Attacks

C2 frameworks, crucial for post-exploitation operations, offer open-source alternatives to Cobalt Strike. They streamline the management of compromised systems, enable efficient collaboration, and evade detection by providing customizable behaviors.

A C2 framework is a toolset attackers use to control and manage compromised systems remotely. It comprises agents, team servers, and clients, and offers features like evasion, data exfiltration, and task management.

Agents connect to team servers, which handle communication and provide services like agent generation and data storage.

Architecture

Open-source C2 frameworks are diverse and often limited by component coupling.

Golang and C# dominate modern frameworks, while Python and PowerShell are legacy choices. Popular frameworks include Mythic, Sliver, and Havoc.

C2 frameworks face threats from compromised agents and team servers and unauthenticated third-party attacks, which can lead to data exfiltration, privilege escalation, and denial of service.

Sliver, a Golang-based C2 framework, offers powerful and reliable agents, versatile execution methods, and a vast extension library.

Its high-quality agent architecture and code ensure secure communication and reliable operations.

A vulnerability in Sliver allowed authenticated operators to execute arbitrary code on the team server by overwriting a bundled binary with a Metasploit stager. It was fixed by removing the generate msf-stager command and instructing operators to build their stagers locally.

Sliver

Havoc, a C2 framework with a Qt GUI, offers process injection and .NET inline assembly for remote shellcode execution.

Despite its less mature codebase, Havoc’s impressive UI and active development make it a promising alternative to Sliver.

Its team server has an authenticated RCE vulnerability due to unsanitized “Service Name” input in an exec.Command() call.

An attacker can inject arbitrary commands into the compilation process by crafting a specific payload in the field, leading to remote code execution.

The researcher discovered an authentication bypass in Havoc’s Service API, where incorrect credentials would not result in a failed authentication, which allowed malicious services to connect to the team server and send unauthorized messages.

Ninja

The researchers had found authenticated RCEs in two C2 frameworks, but could not exploit either without valid credentials.

After investigating Ninja C2, a stealth-focused C2 framework, the researchers found a feature set similar to Sliver and Havoc.

The Ninja web server is vulnerable to unauthenticated arbitrary file downloads due to path traversal, leading to remote code execution.

A malicious agent can register with the team server and upload a malicious file to an arbitrary location, exploiting the vulnerability.
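The Ninja finding is an arbitrary file download caused by path traversal on the team server's web service. The following is an added example, not code from Ninja or from the researchers' exploit: a server-side resolver that joins a client-supplied relative path onto the served directory and refuses anything that would escape it. The base directory `/srv/c2/files`, the function names and the sample requests are constructed for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned for any request that would escape the served directory.
var ErrTraversal = errors.New("path escapes the served directory")

// SafeJoin resolves a client-supplied relative path against baseDir and
// rejects anything that would escape it. It assumes the caller has already
// URL-decoded the request path, so the check runs on the decoded form.
func SafeJoin(baseDir, requested string) (string, error) {
	base := filepath.Clean(baseDir)
	// Empty and absolute paths are never a valid file request.
	if requested == "" || filepath.IsAbs(requested) ||
		strings.HasPrefix(requested, "/") || strings.HasPrefix(requested, `\`) {
		return "", ErrTraversal
	}
	// Join cleans the result and collapses "..", so an escape shows up as a
	// path that is no longer inside base once expressed relative to it.
	joined := filepath.Join(base, requested)
	rel, err := filepath.Rel(base, joined)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return joined, nil
}

// Allowed reports whether a request resolves to a file inside baseDir.
func Allowed(baseDir, requested string) bool {
	_, err := SafeJoin(baseDir, requested)
	return err == nil
}

func main() {
	// Constructed sample requests, as an agent or an unauthenticated client might send them.
	base := "/srv/c2/files"
	for _, req := range []string{"agent/payload.bin", "../../etc/passwd", "a/../../x", "/etc/passwd", ""} {
		p, err := SafeJoin(base, req)
		fmt.Printf("%-20q -> %q %v\n", req, p, err)
	}
}
```

Two caveats a reviewer would raise: the check must run after URL decoding (an encoded `..` that is decoded later defeats it), and if the served tree contains symlinks the final path should additionally be resolved with `filepath.EvalSymlinks` and re-checked against the base.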

SHAD0W, a modular C2 framework, is vulnerable to unauthenticated RCE: values supplied by a beacon are injected, without validation, into commands the team server runs during module compilation, so a malicious beacon can execute arbitrary commands on the team server.
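The Havoc and SHAD0W findings above are the same bug class: a value that arrived from an operator field or from a beacon is spliced into a command line the team server runs. The following is an added example, not code from either project or from the Include Security write-up; the `go build -ldflags` command line, the `ServiceNameRe` allow-list and the function names are assumptions chosen to show the pattern. It contrasts the injection-prone shape (one string handed to `sh -c`, where a `;` in the input ends the intended command) with the hardened shape (a validated value passed as its own argv element, with no shell involved). The functions only construct the argv; nothing here executes a command.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// ServiceNameRe is an allow-list: what a service name needs and nothing more.
var ServiceNameRe = regexp.MustCompile(`^[A-Za-z0-9_-]{1,64}$`)

// ErrBadServiceName is returned when the input fails the allow-list.
var ErrBadServiceName = errors.New("service name contains disallowed characters")

// BuildArgvUnsafe shows the injection-prone shape (assumed for illustration):
// the client-supplied value is formatted into one string that a shell parses,
// so shell syntax inside the value becomes part of the command.
func BuildArgvUnsafe(serviceName string) []string {
	cmdline := fmt.Sprintf(`go build -ldflags "-X main.ServiceName=%s" -o agent.exe ./agent`, serviceName)
	return []string{"sh", "-c", cmdline}
}

// BuildArgvSafe validates the value against the allow-list and passes it as a
// single argv element, so no shell ever interprets it.
func BuildArgvSafe(serviceName string) ([]string, error) {
	if !ServiceNameRe.MatchString(serviceName) {
		return nil, ErrBadServiceName
	}
	return []string{
		"go", "build",
		"-ldflags", "-X main.ServiceName=" + serviceName,
		"-o", "agent.exe", "./agent",
	}, nil
}

// ShellMetachars reports whether a value contains characters a POSIX shell
// treats specially; useful as a detection-side check over logged inputs.
func ShellMetachars(s string) bool {
	return strings.ContainsAny(s, ";|&$`\"'\\<>(){}\n")
}

func main() {
	// Constructed inputs: a benign name and one with shell syntax appended.
	for _, name := range []string{"UpdateSvc", "UpdateSvc; echo injected"} {
		fmt.Printf("unsafe argv: %q\n", BuildArgvUnsafe(name))
		argv, err := BuildArgvSafe(name)
		fmt.Printf("safe argv:   %q err=%v\n", argv, err)
	}
}
```

The argv form removes the shell from the picture, but the allow-list is still needed: the value still lands inside a build flag, and an over-permissive value could alter the build in ways the shell-free form does not prevent. Logging any input that fails `ShellMetachars` is a cheap detection signal for operators watching their own team server.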

Covenant

The Covenant framework, previously popular for red team operations, is vulnerable to a privilege escalation attack, where a user can exploit a flaw in the user interface to obtain administrator privileges and then create custom HTTP profiles to execute arbitrary C# code on the server, potentially leading to remote code execution.
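Two of the findings above are access-control failures rather than injection: Havoc's Service API accepted incorrect credentials, and Covenant let a user reach administrator privileges through the user interface. The following is an added example, not code from Havoc, Covenant or the researchers: a small Go HTTP service in which authentication fails closed (an unknown user or wrong password never yields a role) and the role used for authorization comes from the server-side credential check, never from anything the client asserts about itself. The accounts, passwords, the `/api/profiles` route and the `X-Role` header are all constructed for the illustration; a real deployment would store salted password hashes (bcrypt or argon2) rather than the plain SHA-256 used here to keep the example self-contained.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// account is a constructed credential record: password hash and role.
type account struct {
	pwHash [32]byte
	role   string
}

// accounts is a constructed store; real code would use salted bcrypt/argon2 hashes.
var accounts = map[string]account{
	"operator1": {sha256.Sum256([]byte("constructed-operator-pass")), "operator"},
	"admin1":    {sha256.Sum256([]byte("constructed-admin-pass")), "admin"},
}

// Authenticate returns the account's role only when the credentials match.
// Every other path, including an unknown user, fails closed.
func Authenticate(user, password string) (string, bool) {
	acct, known := accounts[user]
	if !known {
		acct = account{} // compare against a dummy so timing does not reveal valid usernames
	}
	candidate := sha256.Sum256([]byte(password))
	match := subtle.ConstantTimeCompare(acct.pwHash[:], candidate[:]) == 1
	if !known || !match {
		return "", false
	}
	return acct.role, true
}

// RequireRole guards a handler: the role is taken from Authenticate, so a
// client claiming a role in a header or UI field has no effect.
func RequireRole(required string, next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		user, pass, ok := r.BasicAuth()
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		role, ok := Authenticate(user, pass)
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if role != required {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next(w, r)
	}
}

// NewMux builds the service; creating an HTTP profile is admin-only.
func NewMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/profiles", RequireRole("admin", func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	return mux
}

// Probe sends one request with the given credentials plus a client-asserted
// role header (deliberately ignored by the server) and returns the status code.
func Probe(mux *http.ServeMux, user, pass, claimedRole string) int {
	req := httptest.NewRequest("POST", "/api/profiles", nil)
	if user != "" {
		req.SetBasicAuth(user, pass)
	}
	req.Header.Set("X-Role", claimedRole)
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	mux := NewMux()
	fmt.Println("no credentials:        ", Probe(mux, "", "", "admin"))
	fmt.Println("wrong password:        ", Probe(mux, "admin1", "wrong", "admin"))
	fmt.Println("operator claiming admin:", Probe(mux, "operator1", "constructed-operator-pass", "admin"))
	fmt.Println("real admin:            ", Probe(mux, "admin1", "constructed-admin-pass", ""))
}
```

The point of the `Probe` calls is the third one: an operator with valid credentials who asserts `admin` still receives 403, because the server derives the role itself. Any UI-side role or permission control should be treated as convenience only, with the same check repeated on every privileged endpoint.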

According to Include Security, the complexity of C2 frameworks and their need to handle untrusted input make them prone to RCE vulnerabilities.

While most frameworks implement validation measures, oversights can lead to exploitation.
