Tables turned as red teaming tool gets pwned

A security researcher has turned the tables on offensive security tool Covenant by identifying a series of bugs that eventually allowed him to achieve remote code execution (RCE).

Covenant is a .NET-based command and control (C2) framework by Ryan Cobb of SpecterOps that red teamers and pen testers use for offensive cyber operations.

The open source framework features GUI, API, and plugin driven exploitation options that allow operators to interact with other offensive toolkits.

A security researcher nicknamed ‘Coastal’ was able to achieve full administrative access to the C2 server via the API exposed by Covenant.

Further work allowed them to achieve remote code execution. Both the related exploits were possible without any authentication, as explained in a detailed technical write-up that explains the attack path.

Hunting the hunters

Exploitation of Covenant was possible because of the exposure of secrets through the "accidental commit of an ephemeral development application settings file”, as the researcher explains:

Due to an accidental commit of an ephemeral development application settings file, the secret value of all JWTs [JSON web token] issued by Covenant was locked to a single value across all deployments.

Given the project is open source, the value is known to attackers which allows them to spoof JWTs in order to gain full administrative access of any Covenant server that exposes the management interface on port 7443 (which is the default).

With administrative access, a malicious listener can be configured that, upon implant handshake, results in arbitrary code execution as the Covenant application user (root by default).

The bug was discovered and disclosed in mid-July with a temporary patch developed the same day. The embedded admin token that was the root of the issue expired on August 3.

Covenant v0.6 was released with a more permanent fix in early August, nearly three months before Coastal went public with his write-up earlier this week.

“The vulnerabilities that were chained were a hard coded JWT secret that was accidentally committed to source code which allowed me to spoof administrative rights, paired with an abuse of a legitimate communications system built into the framework in order to get code execution on the server,” Coastal told The Daily Swig.

The Daily Swig has contacted Cobb, the developer of the framework, with additional questions. We’ll update this story as and when more information comes to hand.

READ MORE Semgrep: Static code analysis tool helps ‘eliminate entire classes of vulnerabilities’