Parallel Reconstruction of Lawful TLS Wiretapping

2 points by bitshift


bitshift

See also: previous Lobsters discussion, which is more about the incident when it happened in 2023. This blog post is more about the specific vulnerability in the acme.sh shell script—a vuln that the wiretappers could have used, if I'm reading correctly?

In practice, certificates are considered sensitive and the various ACME clients like acme.sh are run with elevated privileges. When the server at “victim.com” attempts to issue a new certificate from “totally-legit-ca.com”, we land a privileged reverse shell.

I kinda like shell scripts, but they don't feel like a good match for security sensitive stuff.

dzwdz

I'm very confused. IIUC, the thesis is that jabber.ru got hacked using the acme.sh RCE, and that's somehow relevant to the lawful interception/MiTM it suffered.

When the server at “victim.com” attempts to issue a new certificate from “totally-legit-ca.com”, we land a privileged reverse shell.

The only remaining piece needed for successful exploitation is to control the routing of the network for the ACME client and CA responses, for which that aspect is thoroughly covered in the valdikss.org blog and is trivial to do in many forms.

But... these two things seem completely orthogonal to each other? If you have already rooted the server (which I think is the implication here), why would you even bother with MiTMing it? You already have everything you want, and you're relatively covert. MiTM, at least the way it was done here, leaves extra evidence. The attacker issued their own certificate for this - but, if they had compromised jabber.ru's ACME setup, they could've just used the real certificate.

I completely fail to see the relation here.

(it's also worth noting that the original forensics found no signs of the server being hacked, but that obviously doesn't mean it wasn't hacked. nothing else matches up with it being hacked either, though...)

It is worth noting that I see IFS tricks most commonly abused by botnet operators, such as Mirai variants. It makes me wonder why someone at HiCA, a company dealing with security, was so well versed in IFS filter bypass tricks, only to use them to do the exact benign expected thing anyway.

This also feels like a reach? I looked up "run shell command without spaces" and I found a bunch of results telling me how to do it. You don't exactly need to be a botnet operator to figure this out.

btw, this is a pretty cool trick - try running IFS=^;cmd=echo^1^2^3;$cmd yourself! This seems to work under dash and bash, but not under zsh.


edit: No, actually, the thing I said in the beginning isn't what they claim:

There was simultaneously a covert remote code execution vulnerability that was readily available and actively being abused by another actor. This would have [emphasis mine, note] allowed the wiretappers to make copies of pre-existing certificates for use in TLS interception and produce no artifacts at all.

It's also worth noting that acme.sh has "does not require root/sudoer access" as one of its features, but lower down in the readme it says that being root is recommended.
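
The word splitting behind the IFS one-liner in the comment above, as an added example that is not part of the thread or of acme.sh: it shows why a check that only rejects spaces does not bound how many words an unquoted expansion produces, next to the quoted form and an allowlist check. The function names and the sample value are constructed for illustration.

```shell
#!/bin/sh
# Added example with constructed input; runs under dash or bash.

SAMPLE='echo^1^2^3'   # constructed value: contains no space at all

# Naive denylist: accept any value that contains no space character.
passes_no_space_filter() {
    case $1 in
        *' '*) return 1 ;;
        *)     return 0 ;;
    esac
}

# Number of words an UNQUOTED expansion of $2 yields when IFS is $1.
# The body is a subshell, so the caller's IFS and options are untouched;
# set -f keeps glob characters in the value from expanding.
words_unquoted() (
    set -f
    IFS=$1
    set -- $2
    echo "$#"
)

# The same expansion, QUOTED: always exactly one word, whatever IFS is.
words_quoted() (
    IFS=$1
    set -- "$2"
    echo "$#"
)

# Allowlist: non-empty, and only characters expected in a hostname-like token.
passes_allowlist() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *)                    return 0 ;;
    esac
}

# Stand-alone demonstration of the three checks on the constructed sample.
passes_no_space_filter "$SAMPLE" && echo "denylist: accepted"
echo "unquoted, IFS=^: $(words_unquoted '^' "$SAMPLE") words"
echo "quoted,   IFS=^: $(words_quoted '^' "$SAMPLE") word"
passes_allowlist "$SAMPLE" || echo "allowlist: rejected"
```
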