On Saturday, a hacking group calling themselves “The Shadow Brokers” announced via Twitter that they successfully hacked into the server of an NSA-backed group and dumped all of their exploit tools. The Shadow Brokers published a small set of tools openly and started an auction for the remainder, advertising the public release of more files if the auction reaches 1 Million Bitcoins (which equates to over half a billion US dollars). As the news swept the world on Monday, we joined other researchers to see what we could learn about the possible exploits.
In an analysis of the currently available tools, we found one set of python scripts, named ESCALATEPLOWMAN, that appear to target RapidStream appliances. This goes back a bit into WatchGuard history, but WatchGuard acquired RapidStream back in 2002. You’re probably curious how this published exploit affects current WatchGuard Firebox and XTM appliances. In short, it doesn’t. Let me break it down.
- The ESCALATEPLOWMAN python scripts aren’t actually an exploit in themselves. The scripts are used to generate a CLI command which the attacker then copy’s and runs in the CLI of the target system. The generated CLI command exploits a command injection vulnerability in the target system’s handling of the “ifconfig” debug-level CLI command. Specifically, the injected command instructs the target system to download and execute a file from a remote location. The exploit also sets an environment variable on the target system which appears to be a call-home address for the downloaded application, likely opening a back door. The ESCALATEPLOWMAN python scripts allow the attacker to configure the download and call home addresses, as well as choose whether to download the backdoor application via FTP, TFTP, or HTTP when generating the exploit CLI command.
- I know what you’re probably thinking. “You keep saying ‘target system’, don’t you mean ‘WatchGuard firewall?’” Well, no. The exploit CLI command relies on certain tools (like the TFTP client) to be located in specific directories in the operating system of the target. WatchGuard appliances do not store the required tools in the same filesystem locations as the old RapidStream appliances used to.
- IT professionals now might say, “well yeah, but you can just modify the exploit command to point to the correct locations of those tools,” which is true. However, the exploit itself, a command injection vulnerability in the “ifconfig” command, does not exist in the CLI of current WatchGuard appliances. “ifconfig” (usually used to view and modify interface IP addresses) is not an accepted command in the WatchGuard CLI. A few clever Twitter users noted that “arp” however is an accepted CLI command and a command injection vulnerability previously existed in RapidStream appliances involving the “arp” debug command. This RapidStream vulnerability did not carry over onto WatchGuard appliances. The WatchGuard CLI sanitizes the “arp” command and only allows one single subcommand, “flush” (which clears the appliance’s ARP cache if you’re curious).
WatchGuard takes all reported vulnerabilities very seriously. Our internal threat research team values being alerted to potential security issues and we always encourage responsible disclosure to [email protected]. Thank you Twitter user @hackerfantastic for alerting us to a potential issue with our current firewalls. If any of you happen to get your hands on an old RapidStream box, I would love to see your findings. – Marc Laliberte
(Image: Christoph Scholz/flikcr)
Nice reporting. I wish this was laid out more plainly in the threat intel covering this topic.