Equation Group Musings: The /s*/?[f]*g Command
The Shadow Brokers' Equation Group leak is undoubtedly one of the most informative artifacts detailing the cyber-warfare techniques, tactics, and procedures used by a nation-state actor. Inside the dump are many well-thought-out strategies for identifying and exploiting targets. Of the techniques used, one worth shedding light on is the delivery technique seen in the ELIGIBLECONTESTANT (ELCO) exploit.
The ELCO module is designed to target TOPSEC firewalls, affecting versions 3.3.005.057.1 to 3.3.010.024.1. It takes advantage of a command injection vulnerability in the web interface of the device. The ELCO module contains nine functions; the following four are used to interact with the target:
- touch: Sends a HEAD request to obtain http response headers from the webpage
- probe: Tests to see if a device is vulnerable by attempting to exploit it and deliver a payload that creates a webpage on the victim with system information
- exploit: Delivers a payload to the target for execution
- clean: Removes temporary files left from probe and exploit
Where the ELCO module really shines is how it obfuscates the commands to be run on the target machine. Traditionally, obfuscation over web requests involves a series of URL encoding techniques layered to obfuscate the true meaning of the request.
As shown in the screenshot below, the probe function takes a different approach (string concatenation added for clarity):
From here, the string is passed to the _run_cmd method, which replaces every space with a tab and sends the result as the argument to sh -c for execution.
What makes this stand out compared to other command injection techniques? In my opinion, it is the use of wildcards to obfuscate the payload's intention. More specifically, it is the shell's wildcard (pathname) expansion, which is not specific to bash: any POSIX shell, including the sh that _run_cmd invokes, expands globs the same way, so the idea applies to more than just bash itself.
Wildcard Use: Pros vs. Joes
Users of Unix systems are typically no strangers to wildcards or even regular expressions. When you initially think about it as an obfuscation technique, it may not seem clever, until it is put into practice. I think the main advantage, outside of obscuring the intent, is that it does not rely heavily on URL encoding to obfuscate its meaning during command injection via the web. The other advantage would be a reduced payload size for tricky rules that may limit input size.
To provide a better perspective, I created the following table. It contains a command, its URL-encoded form, and wildcard obfuscation form. There are definitely a lot of different ways to leverage URL encoding, but for the sake of simplicity, I encoded everything.
While playing with the wildcard obfuscation concept, I noticed that the cat command was still visible and could be focused on from a preventative-rule-writing perspective. By identifying the location of the binary you want to run via which, the technique still applies. Here is another table applying wildcard obfuscation to popular Unix commands:
It may or may not have been the full intention of the Equation Group to leverage this as a true obfuscation technique, but it certainly could be. Testing in our lab has shown wildcard obfuscation to have the following uses:
- Evading IDS/IPS or WAF rules
- Minimizing the size of command injection payloads
- Obfuscating commands to run on a system
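The expansion step described above (the probe's /s*/?[f]*g token, the tab-for-space substitution in _run_cmd, and the table patterns), as an added Python example that is not part of the original post or of the leaked module: it resolves wildcard tokens against a constructed stand-in filesystem so an analyst can recover the hidden binary from a logged request and check whether a candidate rule still fires on it. The function names (deobfuscate, flag_wildcard_command, build_fake_root) and the sample file layout are assumptions.

```python
import glob
import os
import re
import tempfile

# Added example (not from the leak or from Ixia): expand glob-obfuscated
# tokens the way /bin/sh would, against a stand-in filesystem under `root`.
GLOB_META = re.compile(r"[*?\[]")

def deobfuscate(command, root="/"):
    """Return the argv sh builds from `command` after pathname expansion.
    str.split() treats the tabs ELCO swaps in for spaces as field separators,
    as the shell's default IFS does; patterns are resolved under `root`."""
    argv = []
    for token in command.split():
        if not GLOB_META.search(token):
            argv.append(token)
            continue
        pattern = os.path.join(glob.escape(root), token.lstrip("/"))
        matches = sorted(glob.glob(pattern))
        # Several matches become several words (cat AND cut for /???/??t),
        # so the pattern must be unique on the target or the command breaks.
        expanded = ["/" + os.path.relpath(m, root) for m in matches]
        argv.extend(expanded or [token])  # sh keeps an unmatched glob as-is
    return argv

def flag_wildcard_command(command, root="/"):
    """Rule-writer heuristic: True when some wildcard token expands to a file
    with an execute bit, i.e. the glob is hiding a program name."""
    for token in command.split():
        if not GLOB_META.search(token):
            continue
        for path in deobfuscate(token, root):
            real = os.path.join(root, path.lstrip("/"))
            if os.path.isfile(real) and os.stat(real).st_mode & 0o111:
                return True
    return False

def build_fake_root():
    """Constructed stand-in for a target filesystem (not a TOPSEC image)."""
    root = tempfile.mkdtemp()
    for rel, mode in (("sbin/ifconfig", 0o755), ("bin/cat", 0o755),
                      ("bin/cut", 0o755), ("etc/passwd", 0o644)):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
        os.chmod(path, mode)
    return root
```

Running deobfuscate("/s*/?[f]*g\t-a", build_fake_root()) yields ['/sbin/ifconfig', '-a'], which is what the probe's string resolves to on a system whose only match is /sbin/ifconfig.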
From a threat actor’s perspective, I think you need every advantage you can get. Even though the technique is simple, I’m betting users may get a lot of mileage out of it. I was personally unaware of how effective it could be from an attacker's perspective, but will definitely add this to my bag of tricks.
Leverage Subscription Service to Stay Ahead of Attacks
The Ixia BreakingPoint Application and Threat Intelligence (ATI) Subscription provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms.