Analysis revealed that the XSS vulnerability could be triggered by manipulating some client-side UI input fields, by simulating a Cobalt Strike implant check-in or by hooking a Cobalt Strike implant running on a host. The vulnerability was marked as Cross-Site Scripting (XSS) and was identified with the number CVE-2022-39197. On September 20, 2022, HelpSystems published an out-of-band update for Cobalt Strike to fix an issue discovered in Cobalt Strike version 4.7. This post outlines the analysis process conducted to make this evaluation: patch analysis, root cause review and vulnerability weaponization. X-Force requested a new CVE (CVE-2022-42948) and provided the technical details of the vulnerability to HelpSystems to aid in the development of a new patch. We discovered that creating Swing components from user input allows users to create arbitrary Java objects in the class path and invoke their setter methods, which can lead to remote code execution in specific cases. Our analysis proved that RCE was indeed possible and that the update in version 4.7.1 was insufficient to mitigate the impact of the vulnerability. The Adversary Simulation team at IBM Security X-Force Red performed a diligent review of the patch to ensure that there was no impact to our clients networks, data, and systems. On September 20, 2022, HelpSystems published an out-of-band patch for Cobalt Strike which stated that there was potential for Remote Code Execution (RCE).Ĭobalt Strike is one of several third-party C2 frameworks IBM Security X-Force Red leverages to simulate different threat actors when delivering adversary services for clients. As such, vulnerabilities in C2 frameworks are high priority targets for threat actors and Counterintelligence (CI) operations. ![]() Often, a Red Team will be in a highly privileged position on a target’s network, and a compromise of the C2 framework could lead to a compromise of both the red team operator’s system and control over beacons established on a target’s systems. ![]() Command & Control (C2) frameworks are a very sensitive component of Red Team operations.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |