TOPSEC Firewall Exploit (ELIGIBLE CONTESTANT)

Posted by Author Bharat Jogi on Posted on

Abstract:

Few days ago, an unknown threat actor, that goes by the name “The Shadow Brokers” leaked some highly sophisticated exploits. It is alleged that the exploits leaked by “The Shadow Brokers” belong to Equation Group – an elite cyber-attack group associated with the NSA. These leaked exploits work against many routers/firewalls from prominent vendors like Cisco, Fortinet, TOPSEC etc. In this post we will dive into the exploit that works against TOPSEC firewalls. The exploit goes by the name of “ELIGIBLE CONTESTANT”

Analysis:

ts_1

Fig. 1 Usage of the exploit script

As we can see in the Fig.1, there are 4 different commands that the scripts accepts i.e. touch,probe,exploit and clean.

The ‘touch’ command is used to identify if the target is a TOPSEC firewall. The ‘touch’ command issues a ‘HEAD’ request to target and creates a session file. The output of ‘touch’ command against a target is shown below in Fig.2

ts_2

Fig. 2 Output of script for ‘touch’ command

The touch command creates a file named ‘.last_session’. This session file contains the details of the target IP, post exploitation tools to use etc. A typical session file generated by ‘touch’ command is shown below in Fig. 3.

ts_3

Fig. 3 Typical session file

Once the session file is created, the next command to use is the ‘probe’ command. The probe command is used to check if the target is exploitable. It exploits a remote code execution vulnerability in the TOPSEC firewall target that is caused because of improperly sanitized user-input in the ‘cgi/maincgi.cgi’ file. To check if the target is vulnerable, the script first sends a HTTP GET request to target with payload command as “( cat /e*/is* && uname -a && /t*/b*/cfgt* system admininfo showonline && cat /*/*coo*/* )>/www/htdocs/site/pages/.<7-character random string>”. This creates a new page with with the output of the above command.

The script then issues another GET request to check if this new page is created. It also checks if the target is vulnerable and is indeed an x86 target. Even though x64 bit versions of the target are vulnerable to remote code execution, the exploit checks and only exploits x86 system.The Fig. 4 below shows the output of the ‘probe’ command.

ts_4

Fig. 4 Output of script for ‘probe’ command

 
Once the target is determined to be exploitable, we can use the ‘exploit’ command to take a complete control of the system. Fig. 5 shows the output of the script that shows that ‘nopen’ payload is successfully uploaded on the target and we have root shell of the target.

ts_5

Fig. 5 Output of script for ‘exploit’ command

Conclusion:

As we can see that it is very trivial for anyone to use the script and exploit TOPSEC firewall to get complete control. QualysGuard identifies this vulnerability with QID 11683. We highly recommend that customers scan their environment for this QID to identify these assets as soon as possible and apply appropriate remediations.

Leave a Reply

Your email address will not be published. Required fields are marked *