The Day I Trolled the Entire Internet: Accidental Research Project CVE-2020-1350

Category: IT Technology · Published: 4 years ago


What do you get if you create a binary, a few bash scripts, a README and excellent timing?

today on why people should read code and repos before they run them https://t.co/calGnBbllS exploits :eyes: 9/10 would troll the internet again

— Andy Gill (@ZephrFish) July 14, 2020

#TIL creating a fake PoC to troll the entire internet will get traction if it is timed correctly. I'll update the numbers more after a few days https://t.co/DKDXb9h9kV #SIGRED #CVE20201350

— Andy Gill (@ZephrFish) July 15, 2020

Before we dive into the actual research, a quick kudos to the team over at Check Point Research, who found the original vuln and published a great writeup, which can be found here.


So rewind for a second: some of you may be reading this thinking "WTF is this? Can I have hax?" Sorry folks, for those who are after hax, this is purely an analysis piece on why people do not seem to understand the basics of WHY YOU SHOULD NOT RUN CODE BLINDLY.

The PoC is benign: it fires a canary token and launches a rick roll in the shell.

The code in question:

ZephrFish/CVE-2020-1350

Bash Proof-of-Concept (PoC) script to exploit SIGRed (CVE-2020-1350). Achieves Domain Admin on Domain Controllers running Windows Server 2000 up to Windows Server 2019. - ZephrFish/CVE-2020-1350


It's an interesting project to map a few things:

  • How many people blindly trust what they read on the internet (what year is it, folks, 2020? Rick Rolling is still alive...)
  • It is a great way to catch insider threats!
  • The amount of TI feeds that just crawl things without validation and submit links
  • How beautiful the Internet is when people pick something up and run with it?

How many people blindly trust what they read on the internet?

This started out as a troll but quickly turned into a research project which has gathered significant traction in a very short space of time. It goes to show that people will run things without checking what they actually do.


It is a great way to catch insider threats!

In total, at the time of publishing, the canary tokens alone have caught five separate instances of potential insider threats, and I've had messages thanking me :-).

The Number of Threat Intel Feeds that Blindly Crawl...

The PoC was picked up by TI feeds and was live on several of them pretty quickly:


Both feeds have since taken down the posts, but it was lovely to see. Vulcan came out and admitted they'd been hasty:

We should have been but weren't. We were hasty. The post has been updated accordingly.

— Vulcan Cyber (@VulcanCyber) July 15, 2020

Quick hat tip to TinkerSec too for his PoC:

tinkersec/cve-2020-1350

Bash Proof-of-Concept (PoC) script to exploit SIGRed (CVE-2020-1350). Achieves Domain Admin on Domain Controllers running Windows Server 2003 up to Windows Server 2019. - tinkersec/cve-2020-1350


Here is the public link to the PoC: https://t.co/rgqrod9LCf

— Cert-IST (@cert_ist) July 15, 2020

How beautiful the Internet is when people pick something up and run with it?

At the time of publishing the canary tokens have triggered over 600 times, the repository has received in excess of 51k views, the original tweet is also close to 76k impressions. I'll update this post with more analysis after a few days of gathering locations of canary fires!


SANS also mentioned both PoCs in their webcast; they looked at the code and called it out as fake.


The tweet thread below shows some of the lessons learned!

The one thing that I've learned from all of this is that people will run anything, if I was a genuine malicious actor it's arguably one of the best ways to blindly phish people, replace that EXE with malware and you'd have 100s of shells. Pretty mental really pic.twitter.com/fBvQNVXi2G

— Andy Gill (@ZephrFish) July 15, 2020
Memes for Memes Sake

Timeline of Events

2020-07-14 20:00 GMT+1: Original blog post published by Check Point

2020-07-14 20:04 GMT+1: PoC Repository first created

2020-07-14 20:09 GMT+1: PoC Tweeted from https://twitter.com/CVE20201350/status/1283116416191934467

2020-07-14 20:33 GMT+1: First retweet of the PoC tweet

2020-07-14 20:48 GMT+1: PoC link hits Vulnmon TI feed

2020-07-14 21:06 GMT+1: First canary token hit from IP located in Brussels

2020-07-14 21:29 GMT+1: Tweet started gaining traction

2020-07-14 23:45 GMT+1: TinkerSec's PoC published

2020-07-15 09:09 GMT+1: Cert-IST posted the false PoC

2020-07-15 16:10 GMT+1: This blog post posted :-)

Breakdown of the PoC in the Repo

The repo is loaded with canary tokens and general trolling; the list below details each file and what it does.

  • CVE-2020-1350.exe - Benign binary which opens a rick roll and pings a canary token
  • Fix.bat - Batch file that applies the fix from Microsoft
  • LICENCE - The licence file, also does nothing
  • PoC.exe - Benign binary which opens cmd.exe and additionally pings a canary token
  • README.md - The README for the repo
  • README.pdf - Benign document that pings a canary token when opened
  • exploit.sh - Rick roll in shell, also benign
  • windows-exploit.ps1 - Rick roll in shell, also benign
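The practical takeaway from the breakdown above, and from the "do not run code blindly" point at the top of the post, is that every file in this repo would have given itself away on inspection: the binaries phone home, the PDF phones home on open, and the "exploit" scripts just open a URL. What follows is an added example, not code from the ZephrFish or tinkersec repos: a small offline triage script that walks a downloaded PoC checkout, classifies each file by its magic bytes, pulls out every host it could call back to, and flags the fetch-and-run, decode-hidden-payload and document-autorun primitives that deserve a line-by-line read before anything is executed. The sample directory built by make_sample_repo() is constructed for the demo and only mirrors the file list above; the example.invalid hostnames are placeholders for the real canary and rick-roll URLs, and the PDF is assumed to carry an open-action URI (one common way a canary PDF fires, not something the post states). The pattern list is a starting point, not an exhaustive one.

```python
"""Offline triage of an untrusted PoC checkout, run before anything is executed.

Added example for this post, not code from either repo it discusses. The sample
directory from make_sample_repo() is constructed; example.invalid hostnames
stand in for the real canary-token and rick-roll URLs.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# File classes by magic bytes; nothing in this list can be reviewed by reading it.
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip-archive"),
]

HOST_RE = re.compile(rb"https?://([A-Za-z0-9.-]+)")

# Primitives that fetch-and-run, decode a hidden payload, or make a document or
# script reach out on its own. A match means: read that file line by line.
SUSPICIOUS = {
    "pipe-download-to-shell": re.compile(rb"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba|z)?sh\b"),
    "powershell-iex": re.compile(rb"\b(iex|Invoke-Expression)\b", re.I),
    "powershell-download": re.compile(rb"DownloadString|DownloadFile|Invoke-WebRequest|Start-BitsTransfer", re.I),
    "certutil-download": re.compile(rb"\bcertutil\b[^\n]*-urlcache", re.I),
    "base64-decode": re.compile(rb"\bbase64\s+(-d|--decode)\b|FromBase64String", re.I),
    "pdf-uri-or-autorun": re.compile(rb"/(URI|OpenAction|Launch|JavaScript|JS)\b"),
    "opens-url-in-browser": re.compile(rb"\b(xdg-open|open|Start-Process|start)\b\s+[\"']?https?://", re.I),
}


@dataclass
class Finding:
    path: str    # path relative to the triaged root
    kind: str    # class from magic bytes, or "text" / "binary-unknown"
    hosts: list  # hostnames found in URLs anywhere in the file, including inside binaries
    flags: list  # names of SUSPICIOUS patterns that matched


def classify(data):
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "text" if b"\x00" not in data[:8192] else "binary-unknown"


def triage_file(root, rel_path, max_bytes=16 * 1024 * 1024):
    with open(os.path.join(root, rel_path), "rb") as fh:
        data = fh.read(max_bytes)
    kind = classify(data)
    # URL strings are pulled from every file, so a callback baked into an .exe still shows up.
    hosts = sorted({h.decode("ascii").lower() for h in HOST_RE.findall(data)})
    flags = [name for name, rx in SUSPICIOUS.items() if rx.search(data)]
    if kind.endswith("-executable"):
        flags.insert(0, "native-executable")  # un-reviewable by reading: sandbox or skip
    return Finding(rel_path, kind, hosts, flags)


def triage_dir(root):
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            findings.append(triage_file(root, rel))
    return sorted(findings, key=lambda f: f.path)


def summarize(findings):
    """The three questions to answer before running anything: what is native code,
    where does it talk to, and which files tripped a pattern."""
    return {
        "executables": [f.path for f in findings if "native-executable" in f.flags],
        "hosts": sorted({h for f in findings for h in f.hosts}),
        "flagged": {f.path: f.flags for f in findings if f.flags},
    }


def make_sample_repo():
    """Constructed stand-in for the file list in the post (not the real files)."""
    root = tempfile.mkdtemp(prefix="poc-triage-")
    files = {
        "README.md": b"# CVE-2020-1350 PoC\nRun exploit.sh against the DC.\n",
        "Fix.bat": b"@echo off\r\necho apply the vendor fix, then restart the DNS service\r\n",
        "exploit.sh": b"#!/bin/bash\nxdg-open \"https://video.example.invalid/rickroll\"\n",
        "windows-exploit.ps1": b"Start-Process \"https://video.example.invalid/rickroll\"\r\n",
        "README.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction << /S /URI "
                      b"/URI (http://canary.example.invalid/readme) >> >> endobj\n%%EOF\n",
        "PoC.exe": b"MZ" + b"\x00" * 62 + b"http://canary.example.invalid/poc\x00" + b"\x00" * 32,
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    sample = make_sample_repo()
    for f in triage_dir(sample):
        print(f"{f.path:22} {f.kind:16} hosts={f.hosts} flags={f.flags}")
    print(summarize(triage_dir(sample)))
```

Run it as-is to triage the constructed sample, or point triage_dir() at a real clone. Anything under "executables" cannot be reviewed by reading and belongs in a throwaway VM with no route to your network; any host under "hosts" that you did not expect a DNS exploit to need is the canary giving itself away, and is the point at which to stop.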
