The Day I Trolled the Entire Internet: Accidental Research Project CVE-2020-1350
source link: https://blog.zsec.uk/cve-2020-1350-research/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
What do you get if you create a binary, a few bash scripts, a README and excellent timing?
today on why people should read code and repos before they run them https://t.co/calGnBbllS exploits :eyes:9/10 would troll the internet again
— Andy Gill (@ZephrFish) July 14, 2020#TIL creating a fake PoC to troll the entire internet will get traction if it is timed correctly. I'll update the numbers more after a few days https://t.co/DKDXb9h9kV #SIGRED #CVE20201350
— Andy Gill (@ZephrFish) July 15, 2020Before we dive into the actual research, a quick kudos to the team over at Checkpoint Research who found the original vuln and published a great writeup which can be found here.
So rewind for a second, some of you may be reading thinking WTF is this? Can I have hax? Sorry folks, those who are after hax this is purely an analysis piece of why folks do not seem to understand basics of WHY YOU SHOULD NOT RUN CODE BLINDLY.
The PoC is Benign, it launches a canary token & a rick roll in shell.
The code in question:
It's an interesting project to map a few things:
- How many people blindly trust what they read on the internet, what year is it folks 2020? Rick Rolling still alive...
- It is a great way to catch insider threats!
- The amount of TI feeds that just crawl things without validation and submit links
- How beautiful the Internet is when people pick something up and run with it?
How many people blindly trust what they read on the internet?
This started out as a troll but quickly turned into a research project which has gathered significant traction in a very short space of time. Goes to show people will run things without checking what they actually do.
It is a great way to catch insider threats!
In total at the time of publishing the canary tokens alone have caught five separate instances of potential insider threats and I've had messages to thank me :-).
The Amount of Threat Intel Feeds that Blindly Crawl...
The PoC was picked up by TI feeds and was live on several TI feeds pretty quickly:
Both have since taken down the posts but it was lovely to see, Vulcan came out and admitted they'd been hasty:
We should have been but weren't. We were hasty. The post has been updated accordingly.
— Vulcan Cyber (@VulcanCyber) July 15, 2020Quick hat tip to TinkerSec too for his PoC:
Voici le lien public sur le PoC : https://t.co/rgqrod9LCf
— Cert-IST (@cert_ist) July 15, 2020How beautiful the Internet is when people pick something up and run with it?
At the time of publishing the canary tokens have triggered over 600 times, the repository has received in excess of 51k views, the original tweet is also close to 76k impressions. I'll update this post with more analysis after a few days of gathering locations of canary fires!
SANS also mentioned both PoCs in their webcast, saw the code and reviewed it as fake as can be seen below:
The tweet thread below shows some of the lessons learned!
The one thing that I've learned from all of this is that people will run anything, if I was a genuine malicious actor it's arguably one of the best ways to blindly phish people, replace that EXE with malware and you'd have 100s of shells. Pretty mental really pic.twitter.com/fBvQNVXi2G
— Andy Gill (@ZephrFish) July 15, 2020
Memes for Memes Sake
Timeline of Events
2020-07-14 20:00 GMT+1: Original blog post created by checkpoint
2020-07-14 20:04 GMT+1: PoC Repository first created
2020-07-14 20:09 GMT+1: PoC Tweeted from https://twitter.com/CVE20201350/status/1283116416191934467
2020-07-14 20:33 GMT+1: First retweet of the vuln
2020-07-14 20:48 GMT+1: PoC link hits Vulnmon TI feed
2020-07-14 21:06 GMT+1: First canary token hit from IP located in Brussels
2020-07-14 21:29 GMT+1: Tweet started gaining traction
2020-07-14 23:45 GMT+1: TinkerSec's PoC published
2020-07-15 09:09 GMT+1: Cert-IST posted False PoC
2020-07-15 16:10 GMT+1: This blog post posted :-)
Breakdown of the PoC in the Repo
The code in the repo is loaded with canary tokens and just general trolling, the list of files below details what each thing is and what it does.
- CVE-2020-1350.exe - Benign binary which opens rick roll and pings canary token
- Fix.bat - Batch file that applies the fix from Microsoft
- LICENCE - The licence file, also does nothing
- PoC.exe - Benign binary which opens cmd.exe and additionally pings canary token
- README.md - Details the README of the repo
- README.pdf - Pings a canary token, also a benign document
- exploit.sh - Rick roll in shell, also benign
- windows-exploit.ps1 - Rick roll in shell, also benign
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK