January 21, 2021
Web Application Testing: An Essential Component of Red Team Activities

Part One of Two

Application-related vulnerabilities are an excellent opportunity for Red Teams to gain footing inside corporate networks. Cases like Equifax, where failure to patch internet servers against a software flaw led to the exposure of 147 million Americans’ personal data, prove that application vulnerabilities are a significant consequence of our current ecosystem of amplified digital transformation.

The Use Case

A large global organization engaged CBI’s Advanced Testing Services (ATS) team to perform a complete external Red Team engagement. The client requested an extensive scope of work, covering networks across multiple countries with thousands of applications. ATS separated tasks between two sub-teams: the first focused on web applications, and the second concentrated on the network layer. The sub-teams then merged their findings to gain access to the client’s internal network. Once inside, the team was undetected and moved laterally to gain persistence by bypassing advanced detection controls and endpoint detection and response (EDR) technologies.

After extensive enumeration against an application-set housed on a domain containing the client’s sensitive information, CBI’s web application sub-team discovered an outdated version of Telerik UI software. Shadowing an attack-path previously positioned by Bishop Fox*, CBI constructed a shell on the organization’s application server. The Bishop Fox attack-path is a textbook example of how pentesters should think and operate to gather information, perform reconnaissance, and utilize findings to identify exploitation opportunities. The identified Telerik exploit leveraged two separate vulnerabilities – CVE-2017-11317** and CVE-2019-1893***. The first is an unrestricted file upload, used to deliver CBI’s payload to the desired location on an application server. The second is an insecure deserialization vulnerability used to execute arbitrary code.


Gathering Information & Performing Reconnaissance

The information gathering and reconnaissance stages necessitate the use of tools like Gobuster**** and custom Burp scans tailored towards identification. During this phase of testing, CBI identified the “/Telerik.Web.UI.WebResource.axd” file in use. CBI then checked the return string when passing the URL parameter “?type=rau” to this file and received the correct string in the response: {"message": "RadAsyncUpload handler is registered successfully, however, it may not be accessed directly."}

Utilize Findings to Identify Exploitation Opportunities

CBI’s team then validated the use of the “RadAsyncUpload” functionality. Continuing to use “cURL,” CBI investigated and confirmed that the client’s standing version contained both the CVE-2017-11317 and CVE-2019-1893 vulnerabilities. ATS’ next step involved a precise build of the PoC in conjunction with testing to determine possible exploitability via a timing discrepancy. Understanding that load-balancers, firewalls, and other types of perimeter utilities can skew timing attacks, CBI changed the sleep() function to a significantly longer interval. A file was sent using the Python exploit*****, and the client’s application server slept for the desired length of time before sending a response. Well-positioned to execute arbitrary code, CBI used the same “rev_shell.c” file provided by Bishop Fox, compiled the file to a DLL, and sent it – resulting in a reverse shell.
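Both checks described above, the “?type=rau” handler fingerprint and the deliberately long sleep sent through the upload handler, leave a trace in the web server’s own access log, which is where a defender would look for them. The following Python is an added example written for this article, not code from CBI or Bishop Fox: it parses constructed IIS W3C log lines (the field order is assumed), flags every request to Telerik.Web.UI.WebResource.axd carrying type=rau, marks GETs as fingerprint probes and unusually slow POSTs as possible timing probes, and groups the results per client address. Legitimate RadAsyncUpload use also POSTs to this handler, so the output is a triage queue rather than a verdict; the 10-second threshold and the private-address test are assumptions to tune for the environment.

```python
"""Flag probing of the Telerik RadAsyncUpload handler in IIS W3C logs.

Added example for this article; the log lines are constructed and the field
layout below is an assumed IIS W3C field selection, not taken from the engagement.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample log (not from the engagement). Field order assumed:
# date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status time-taken(ms)
SAMPLE_LOG = """\
2021-01-15 10:02:11 10.0.0.5 GET /Default.aspx - 198.51.100.7 200 35
2021-01-15 10:02:13 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd type=rau 198.51.100.7 200 20
2021-01-15 10:02:40 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 198.51.100.7 200 30150
2021-01-15 10:03:02 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 198.51.100.7 200 45
2021-01-15 10:03:05 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd type=rau 192.168.4.20 200 18
2021-01-15 10:04:00 10.0.0.5 GET /images/logo.png - 203.0.113.9 200 5
"""

HANDLER = "/telerik.web.ui.webresource.axd"  # the handler named in the article
SLOW_MS = 10_000  # assumed threshold: an upload call this slow suggests a timing probe
PRIVATE_RE = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")  # RFC 1918 ranges


def parse_line(line):
    """Split one W3C line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 9:
        return None
    date, time, _s_ip, method, stem, query, c_ip, status, taken = parts
    try:
        return {"ts": f"{date} {time}", "method": method.upper(), "stem": stem,
                "query": "" if query == "-" else query, "c_ip": c_ip,
                "status": int(status), "time_taken": int(taken)}
    except ValueError:
        return None


def analyze(log_text):
    """Return one event per request that reaches the RadAsyncUpload handler."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["stem"].lower() != HANDLER:
            continue
        qs = parse_qs(rec["query"])
        if qs.get("type", [""])[0].lower() != "rau":
            continue
        if rec["method"] == "GET":
            kind = "handler-probe"  # the ?type=rau fingerprint check from the article
        elif rec["method"] == "POST":
            kind = "slow-upload" if rec["time_taken"] >= SLOW_MS else "upload"
        else:
            continue
        events.append({"ts": rec["ts"], "c_ip": rec["c_ip"], "kind": kind,
                       "time_taken": rec["time_taken"],
                       "external": not PRIVATE_RE.match(rec["c_ip"])})
    return events


def summarize(events):
    """Collapse events per client address and assign a triage severity."""
    per_ip = defaultdict(lambda: {"handler-probe": 0, "upload": 0,
                                  "slow-upload": 0, "external": False})
    for ev in events:
        per_ip[ev["c_ip"]][ev["kind"]] += 1
        per_ip[ev["c_ip"]]["external"] |= ev["external"]
    for s in per_ip.values():
        if s["external"] and (s["slow-upload"] or s["upload"]):
            s["severity"] = "high"    # external source followed a probe with uploads
        elif s["external"]:
            s["severity"] = "medium"  # external fingerprinting only
        else:
            s["severity"] = "low"     # internal traffic, likely legitimate use
    return dict(per_ip)


if __name__ == "__main__":
    for ip, summary in summarize(analyze(SAMPLE_LOG)).items():
        print(ip, summary)
```

Pointing analyze() at a real log export is a matter of reading the file in place of SAMPLE_LOG; the field order must match the server’s W3C logging configuration, and a site that legitimately serves RadAsyncUpload to the internet will need the severity rule refined with a baseline of normal upload volume per client.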

Obtaining an initial shell on critical infrastructure can be one of the most challenging steps of a Red Team engagement, especially when performed from an unauthenticated external perspective. From the shell, CBI used sophisticated obfuscation techniques to bypass one of the most effective EDR technologies on the market to illustrate the impact of the vulnerability to the client.

The TL;DR next steps involved CBI’s upgrade of the initial netcat shell, bypassing EDR using the information obtained about the host, building a customized payload, escalating privileges, and moving laterally from the DMZ to the LAN. This attack path demonstrated the full impact of the vulnerability by attacking and compromising additional areas of the environment (AD, ERP systems, etc.).

Next Steps

In many cases, Red Team engagements fail to allocate the necessary time or completely disregard application testing. It is CBI’s firm opinion that web application testing provides the client with a comprehensive understanding of their external attack surface risk and the post-exploitation value from the complete engagement. Without web application testing, vulnerabilities that are externally exploitable may go unnoticed.

Continue to part two: Web Application Testing: Infiltration through Obfuscation for a deep dive into our attack path for this client.

For more information on CBI and Advanced Testing Services, contact us.

About the Author
Evan Malamis
Manager, Applications Penetration Testing
With more than eight years of experience on internal security teams, Evan has worked as both a Senior Penetration Tester and Senior Application Security Engineer within the Fortune 500. He has an extensive background in web application and system penetration testing. Evan is the manager of Converge's application penetration testing.