Abstract:
Few days ago, an unknown threat actor, that goes by the name “The Shadow Brokers” leaked some highly sophisticated exploits. It is alleged that the exploits leaked by “The Shadow Brokers” belong to Equation Group – an elite cyber-attack group associated with the NSA. These leaked exploits work against many routers/firewalls from prominent vendors like Cisco, Fortinet, TOPSEC etc. In this post we will dive into the exploit that works against TOPSEC firewalls. The exploit goes by the name of “ELIGIBLE CONTESTANT”
Analysis:
Fig. 1 Usage of the exploit script
As we can see in the Fig.1, there are 4 different commands that the scripts accepts i.e. touch,probe,exploit and clean.
The ‘touch’ command is used to identify if the target is a TOPSEC firewall. The ‘touch’ command issues a ‘HEAD’ request to target and creates a session file. The output of ‘touch’ command against a target is shown below in Fig.2
Fig. 2 Output of script for ‘touch’ command
The touch command creates a file named ‘.last_session’. This session file contains the details of the target IP, post exploitation tools to use etc. A typical session file generated by ‘touch’ command is shown below in Fig. 3.
Fig. 3 Typical session file
Once the session file is created, the next command to use is the ‘probe’ command. The probe command is used to check if the target is exploitable. It exploits a remote code execution vulnerability in the TOPSEC firewall target that is caused because of improperly sanitized user-input in the ‘cgi/maincgi.cgi’ file. To check if the target is vulnerable, the script first sends a HTTP GET request to target with payload command as “( cat /e*/is* && uname -a && /t*/b*/cfgt* system admininfo showonline && cat /*/*coo*/* )>/www/htdocs/site/pages/.<7-character random string>”. This creates a new page with with the output of the above command.
The script then issues another GET request to check if this new page is created. It also checks if the target is vulnerable and is indeed an x86 target. Even though x64 bit versions of the target are vulnerable to remote code execution, the exploit checks and only exploits x86 system.The Fig. 4 below shows the output of the ‘probe’ command.
Fig. 4 Output of script for ‘probe’ command
Once the target is determined to be exploitable, we can use the ‘exploit’ command to take a complete control of the system. Fig. 5 shows the output of the script that shows that ‘nopen’ payload is successfully uploaded on the target and we have root shell of the target.
Fig. 5 Output of script for ‘exploit’ command
Conclusion:
As we can see that it is very trivial for anyone to use the script and exploit TOPSEC firewall to get complete control. QualysGuard identifies this vulnerability with QID 11683. We highly recommend that customers scan their environment for this QID to identify these assets as soon as possible and apply appropriate remediations.