Secplicity - Security Simplified

Powered by WatchGuard Technologies

NSA Equation Group Exploit Leak, What Does It Mean to You?

August 16, 2016 By Marc Laliberte

NSA (Image:  Christoph Scholz/flickr)

On Saturday, a hacking group calling itself “The Shadow Brokers” announced via Twitter that it had hacked into the server of an NSA-backed group and dumped all of that group’s exploit tools. The Shadow Brokers published a small set of the tools openly and started an auction for the remainder, promising to release more files publicly if the auction reaches 1 Million Bitcoins (which equates to over half a billion US dollars). As the news swept the world on Monday, we joined other researchers in examining what could be learned about the possible exploits.

In an analysis of the currently available tools, we found one set of Python scripts, named ESCALATEPLOWMAN, that appears to target RapidStream appliances. This reaches a bit back into WatchGuard history: WatchGuard acquired RapidStream in 2002. You’re probably wondering how this published exploit affects current WatchGuard Firebox and XTM appliances. In short, it doesn’t. Let me break it down.

  1. The ESCALATEPLOWMAN Python scripts aren’t actually an exploit in themselves. They generate a CLI command that the attacker then copies and runs in the CLI of the target system. The generated CLI command exploits a command injection vulnerability in the target system’s handling of the “ifconfig” debug-level CLI command: the injected command instructs the target system to download and execute a file from a remote location. The exploit also sets an environment variable on the target system that appears to be a call-home address for the downloaded application, likely opening a back door. When generating the exploit CLI command, the ESCALATEPLOWMAN scripts let the attacker configure the download and call-home addresses, and choose whether the backdoor application is fetched via FTP, TFTP, or HTTP.
  2. I know what you’re probably thinking: “You keep saying ‘target system’, don’t you mean ‘WatchGuard firewall’?” Well, no. The exploit CLI command relies on certain tools (such as the TFTP client) being located in specific directories in the target’s operating system. WatchGuard appliances do not store the required tools in the same filesystem locations the old RapidStream appliances used.
  3. IT professionals might now say, “Well yeah, but you can just modify the exploit command to point to the correct locations of those tools,” which is true. However, the underlying vulnerability, a command injection in the “ifconfig” command, does not exist in the CLI of current WatchGuard appliances: “ifconfig” (usually used to view and modify interface IP addresses) is not an accepted command in the WatchGuard CLI. A few clever Twitter users noted that “arp”, however, is an accepted CLI command, and that a command injection vulnerability involving the “arp” debug command previously existed in RapidStream appliances. That RapidStream vulnerability did not carry over to WatchGuard appliances. The WatchGuard CLI sanitizes the “arp” command and allows only a single subcommand, “flush” (which clears the appliance’s ARP cache, if you’re curious).
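The difference between the two CLIs described above comes down to how a debug command’s arguments reach the operating system. The following is an added illustration, not code from the article or from WatchGuard: a naive dispatcher that interpolates the operator’s text into a shell string (the pattern behind an “ifconfig”-style injection) next to an allowlist-based dispatcher in which “arp” accepts only “flush”, “ifconfig” is not a command at all, and no shell is ever consulted. The `/sbin/ip` argv used for the flush action is an assumption for this example.

```python
from __future__ import annotations

import re
import shlex

# Allowlist of debug-level CLI commands and the subcommands each accepts,
# mapped to the exact argv that will be executed (no shell involved).
# "arp" -> only "flush"; "ifconfig" is deliberately absent.
# The /sbin/ip argv is an assumption made for this example.
ALLOWED: dict[str, dict[str, list[str]]] = {
    "arp": {"flush": ["/sbin/ip", "-s", "-s", "neigh", "flush", "all"]},
}

# Characters that would let an input escape into a shell or a second command.
SHELL_META = re.compile(r"[;&|`$(){}<>\\\n]")


def vulnerable_build(line: str) -> str:
    """The anti-pattern: operator text is spliced into a shell command string.

    Anything after the first space is passed through untouched, so a trailing
    '; <command>' would be executed by the shell along with the intended tool.
    """
    cmd, _, rest = line.strip().partition(" ")
    return f"/sbin/{cmd} {rest}"


def validate(line: str) -> tuple[bool, str, list[str]]:
    """Allowlist dispatcher. Returns (accepted, reason, argv).

    argv is only ever taken from ALLOWED, never from the input, so the
    operator can choose *which* approved action runs but not *what* it runs.
    """
    if SHELL_META.search(line):
        return False, "shell metacharacter in input", []
    try:
        tokens = shlex.split(line)
    except ValueError as exc:  # e.g. unbalanced quotes
        return False, f"unparseable input: {exc}", []
    if not tokens:
        return False, "empty command", []
    cmd, args = tokens[0], tokens[1:]
    if cmd not in ALLOWED:
        return False, f"unknown command: {cmd}", []
    if len(args) != 1 or args[0] not in ALLOWED[cmd]:
        return False, f"{cmd} accepts only: {', '.join(ALLOWED[cmd])}", []
    return True, "ok", list(ALLOWED[cmd][args[0]])
```

The accepted argv should then be run with `subprocess.run(argv, shell=False)`; the rejection reasons are worth logging, since repeated rejected debug-CLI input is a useful signal of someone probing the appliance.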

WatchGuard takes all reported vulnerabilities very seriously. Our internal threat research team values being alerted to potential security issues, and we always encourage responsible disclosure to [email protected]. Thank you to Twitter user @hackerfantastic for alerting us to a potential issue with our current firewalls. If any of you happen to get your hands on an old RapidStream box, I would love to see your findings. – Marc Laliberte


Filed Under: WatchGuard Articles Tagged With: Hacking, Infosec news

Comments

  1. Chris says

    August 18, 2016 at 12:09 pm

    Nice reporting. I wish this was laid out more plainly in the threat intel covering this topic.
