Devon Greene
Senior Security Researcher

Equation Group Musings: The /s*/?[f]*g Command

August 31, 2016 by Devon Greene

The Shadow Brokers' Equation Group leak is undoubtedly one of the most informative artifacts detailing the cyber-warfare techniques, tactics, and procedures used by a nation-state actor. Inside the dump are many well-thought-out strategies for identifying and exploiting targets. One technique worth shedding light on is the delivery technique used in the ELIGIBLECONTESTANT (ELCO) exploit.

ELIGIBLECONTESTANT

The ELCO module is designed to target TOPSEC firewalls, affecting versions 3.3.005.057.1 to 3.3.010.024.1. It takes advantage of a command injection vulnerability in the device's web interface. The module contains nine functions; the following four are used to interact with the target:

  • touch: Sends a HEAD request to obtain the HTTP response headers from the web page
  • probe: Tests to see if a device is vulnerable by attempting to exploit it and deliver a payload that creates a webpage on the victim with system information
  • exploit: Delivers a payload to the target for execution
  • clean: Removes temporary files left from probe and exploit

Where the ELCO module really shines is in how it obfuscates the commands to be run on the target machine. Traditionally, obfuscation of web requests relies on layers of URL encoding to hide the true meaning of the request.

As shown in the screenshot below, the probe function takes a different approach (string concatenation added for clarity):

[Screenshot not reproduced: the probe function's command string]

From here, the string is passed to the _run_cmd method, which replaces every space with a tab and passes the result as the argument to sh -c for execution.

[Screenshot not reproduced: the _run_cmd method]

What makes this stand out compared to other command injection techniques? In my opinion, it is the use of wildcards to obfuscate the payload's intention. More specifically, it relies on the shell's pathname expansion (globbing). The idea is not specific to bash, since pathname expansion is a feature of any POSIX shell, including the sh that _run_cmd invokes.

Wildcard Use: Pros vs. Joes

Users of Unix systems are typically no strangers to wildcards or even regular expressions. When you first think about it as an obfuscation technique, it may not seem clever, until it is put into practice. I think the main advantage, beyond obscuring intent, is that it does not rely heavily on URL encoding to hide its meaning during command injection via the web. The other advantage is a reduced payload size, which matters against rules that limit input length.

To provide a better perspective, I created the following table. It contains a command, its URL-encoded form, and its wildcard-obfuscated form. There are many ways to apply URL encoding, but for the sake of simplicity I encoded every character.

[Table not reproduced: command, URL-encoded form, wildcard-obfuscated form]

While playing with the wildcard obfuscation concept, I noticed that the cat command itself was still visible in the obfuscated form, so a preventive rule could still key on it. Once you know where the binary lives (which will tell you), the technique still applies: the absolute path can be written as a glob pattern as well. Here is another table applying wildcard obfuscation to popular Unix commands:

[Table not reproduced: wildcard obfuscation applied to popular Unix commands]
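To make the detection side concrete, here is an added example (my own code, not from the leak or the ELCO module) that scores access-log query strings on the two tells left by the technique described above: a high density of glob metacharacters, and tab characters where _run_cmd substituted tabs for spaces. It also resolves each glob word against a constructed inventory of paths to recover what the shell would actually expand it to. The log lines, the inventory, the ';' command separator and the 0.25 threshold are all constructed assumptions.

```python
import re
from fnmatch import fnmatchcase
from urllib.parse import unquote_plus

# Constructed inventory standing in for the target's filesystem (assumption):
# the paths a glob token could expand to. Use a real host inventory in practice.
INVENTORY = [
    "/bin/cat", "/bin/ls", "/bin/sh", "/bin/chmod", "/bin/cp",
    "/sbin/ifconfig", "/sbin/ip", "/usr/bin/wget", "/usr/bin/id",
    "/etc/passwd", "/etc/shadow", "/etc/hosts",
]
GLOB_CHARS = set("*?[]")

def expand_token(token, inventory=INVENTORY):
    """Resolve one word the way the shell's pathname expansion would.
    fnmatch lets '*' and '?' cross '/', unlike sh, so this over-approximates,
    which is the safe direction for a detector."""
    if not GLOB_CHARS & set(token):
        return [token]
    return sorted(p for p in inventory if fnmatchcase(p, token))

def deobfuscate(cmd, inventory=INVENTORY):
    """Split on whitespace (tabs included, since _run_cmd sends tabs for
    spaces) and resolve every word against the inventory."""
    return [(t, expand_token(t, inventory)) for t in cmd.split()]

def analyze_request(log_line, threshold=0.25, inventory=INVENTORY):
    """Score the query string of one access-log line; None when there is none."""
    m = re.search(r'"(?:GET|POST) \S*?\?(\S+) HTTP/', log_line)
    if not m:
        return None
    query = unquote_plus(m.group(1))  # decode once, as the target's CGI would
    density = sum(c in GLOB_CHARS for c in query) / len(query)
    has_tab = "\t" in query  # tabs-for-spaces means there is no %20 to match on
    injected = query.split(";", 1)[1] if ";" in query else ""
    return {
        "density": round(density, 3),
        "tab": has_tab,
        "resolved": deobfuscate(injected, inventory),
        "suspicious": density >= threshold or has_tab,
    }

# Constructed access-log lines (not from the leak): one benign request and
# two that carry glob-obfuscated commands after a ';' in a query parameter.
SAMPLE_LOG = [
    '10.0.0.5 - - [31/Aug/2016:10:00:01 +0000] "GET /cgi/status?host=10.0.0.7 HTTP/1.1" 200 512',
    '10.0.0.9 - - [31/Aug/2016:10:00:02 +0000] "GET /cgi/status?host=x;/???/c?t%09/?t?/h?st? HTTP/1.1" 200 0',
    '10.0.0.9 - - [31/Aug/2016:10:00:03 +0000] "GET /cgi/status?host=x;/s*/?[f]*g HTTP/1.1" 200 0',
]
```

Density alone is a blunt signal (the benign line scores 0.0, the two injected lines about 0.3), so in practice the resolved paths are what you would feed into an allowlist or alert rule.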

Conclusion

It may or may not have been the Equation Group's full intention to use this as a true obfuscation technique, but it certainly can be. Testing in our lab has shown wildcard obfuscation to have the following uses:

  • Evading IDS/IPS or WAF rules
  • Minimizing the size of command injection payloads
  • Obfuscating commands to run on a system

From a threat actor's perspective, I think you need every advantage you can get. Even though the technique is simple, I'm betting users can get a lot of mileage out of it. I was personally unaware of how effective it could be from an attacker's perspective, but will definitely add this to my bag of tricks.

Hashes (Dangerous):

