"The campaign's use of new samples to avoid detection by security products is also quite notable." "Operation Earth Kitsune turned out to be complex and prolific, thanks to the variety of components it uses and the interactions between them," the researchers concluded. Chief among its features include the capability to enumerate directories and list, upload, download, and execute files. "The central C&C server's response is actually the next-stage C&C server's domain/IP, which dneSpy has to communicate with to receive further instructions."ĪgfSpy, dneSpy's counterpart, comes with its own C&C server mechanism that it uses to fetch shell commands and send the execution results back. "One interesting aspect of dneSpy's design is its C&C pivoting behavior," Trend Micro researchers said.
MATTERMOST EXPLOIT DOWNLOAD
Of the other two backdoors, dneSpy, and agfSpy, the former is engineered to amass system information, capture screenshots, and download and execute malicious commands received from the C&C server, the results of which are zipped, encrypted, and exfiltrated to the server. To be honest I haven’t spend much time into analyzing this because it doesn’t seem to be very auto-exploitable due to the origin mismatch, but luckily the same error page does also suffer from multiple other content injections, which in the end lead to a fully customizable error page.What's changed this time around is the use of Mattermost server to keep track of the deployment across multiple infected machines, in addition to creating an individual channel for each machine to retrieve the collected information from the infected host. s ( https : //localhost/static/:10:4069) rethrowCaughtError main. c ( https : //localhost/static/:12:7881) at Object. js : 14 Uncaught DOMException : Failed to execute ' pushState ' on ' History ' : A history state object with URL ' data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8元NjcmlwdD4= ' cannot be created in a document with origin ' ' and URL ' '. Back to Mattermost īut when you click on the link, which should pop up the Base64 payload, nothing happens and your browser debugger will show an error like the following: main. “Unfortunately” due to the presence of httpOnly, it’s not possible to steal session tokens using this attack, however the rest of the attack vectors like redirecting users to malicious pages or exploit browser/plugin vulnerabilities is still possible.Ī prepared link could look like the following: This inserts the value of the “link” parameter in the response body: Error An error has occoured. Mattermost versions 3.5.1 and below are vulnerable to an unauthenticated Cross-Site Scripting, which can be exploited by attackers to insert a Base64 encoded DATA URI in the return link on the Mattermost error page and thereby hide and execute JavaScript payloads.
MATTERMOST EXPLOIT UPDATE
So here’s quick writeup about a quite interesting vulnerability in the open source Slack-alternative Mattermost, which I have found in December last year and coordinated with the Mattermost team. You can also read about the full advisory here - make sure you update your Mattermosts asap. I’m quite busy with bug bounties lately, but sometimes I still discover stuff, which might also be interesting for the rest of you -).
0 kommentar(er)
