Open Source C2 Frameworks Used In Red Teaming Vulnerable To RCE Attacks


A C2 (command and control) framework is an architecture for controlling and maintaining access to compromised systems. Its purpose is to let an operator run commands on other people's computers, yet many C2 frameworks are themselves vulnerable to unauthorized command execution.

In some cases this means remote code execution (RCE) against the framework, for example when it is run on a public network with the default options.


Generally, the term “post-exploitation” is frequently used in relation to C2 frameworks: these frameworks are intended to support attackers who have already had some degree of control over a target’s computer, either through supply chain attacks, phishing, or web vulnerabilities. 

C2 Frameworks

Researchers discovered that open-source C2 frameworks used in red-teaming assessments are vulnerable to RCE attacks.


Threats Of C2 Framework 

According to the Include Security Research team, operators utilize C2 frameworks to simplify the management of complex campaigns.

C2 frameworks offer a way for several operators to collaborate during target post-exploitation. 

However, security concerns against the campaigns and the red team operators themselves may result from bugs and design vulnerabilities in the C2 frameworks.

For instance, an XSS (Cross-Site Scripting) vulnerability, CVE-2022-39197, was tracked and found in HelpSystems Cobalt Strike through 4.7. This vulnerability allowed a remote attacker to execute HTML on the Cobalt Strike team server. 

An agent provides untrusted input to the teamserver, which, when viewed by an operator in the teamserver UI, results in cross-site scripting or remote code execution.

In another case, tracked as CVE-2024-41111, a low-privileged "operator" user of Sliver version 1.6.0 (prerelease) can perform Remote Code Execution (RCE) on the teamserver. Here the RCE runs as the system's root user.

Typically, Sliver is an open-source, cross-platform framework for red teams and adversary simulation that is useful for security testing in many kinds of businesses. 

By taking advantage of this vulnerability, an operator would be able to see all console logs, kick other operators, access and change any files on the server, and eventually erase the server. 

The Sliver team has addressed the vulnerability after being made aware of it. Similar to Sliver, Havoc has an authenticated RCE vulnerability in the teamserver.

This RCE vulnerability can be exploited right away by anyone careless enough to run Havoc with default settings on an untrusted network, since the default configuration of Havoc generates two users with the password “password1234”.

Even with firewalls turned off, teamservers can still be compromised via an SSRF vulnerability that Chebuya recently found.

The report says the Ninja web server is vulnerable to arbitrary file downloads without authentication via path traversal. This results in immediate RCE against the teamserver when operating as root, or RCE upon the teamserver’s next restart.
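The Ninja finding above is a path-traversal file download. The following Python, added here as an example and not code from Ninja or from the Include Security report, shows the check a download handler needs: resolve the client-supplied path against the download root after symlink resolution and refuse anything that lands outside it. The directory layout, file names and `PathTraversal` exception are constructed for the example.

```python
import tempfile
from pathlib import Path


class PathTraversal(ValueError):
    """Requested path would resolve outside the download root."""


def resolve_download(root: str, requested: str) -> Path:
    """Map a client-supplied path to a file strictly inside `root`.

    The caller is expected to URL-decode `requested` exactly once before
    calling this. The comparison is made on the real, symlink-resolved
    location, so "../" chains, leading separators and symlinks that point
    outside the root are all refused with PathTraversal.
    """
    root_real = Path(root).resolve(strict=True)
    # Treat the request as relative even if it starts with a separator, so
    # "/etc/passwd" is looked up under the root rather than at the filesystem root.
    candidate = root_real.joinpath(requested.lstrip("/\\"))
    target = candidate.resolve()
    # The root itself is not downloadable, and every ancestor of a valid
    # target must include the root.
    if target == root_real or root_real not in target.parents:
        raise PathTraversal(requested)
    if not target.is_file():
        raise FileNotFoundError(requested)
    return target


def make_demo_root() -> Path:
    """Constructed layout (hypothetical, for this example only):

    <tmp>/downloads/payloads/agent.bin   legitimate download
    <tmp>/teamserver.cfg                 sensitive file outside the root
    <tmp>/downloads/link.cfg             symlink inside the root pointing outside
    """
    tmp = Path(tempfile.mkdtemp())
    root = tmp / "downloads"
    (root / "payloads").mkdir(parents=True)
    (root / "payloads" / "agent.bin").write_bytes(b"constructed sample")
    secret = tmp / "teamserver.cfg"
    secret.write_text("constructed sample; must never be served")
    try:
        (root / "link.cfg").symlink_to(secret)
    except OSError:
        pass  # symlinks unavailable on this system; that check is simply not exercised
    return root


if __name__ == "__main__":
    root = make_demo_root()
    print("allowed:", resolve_download(str(root), "payloads/agent.bin"))
    for bad in ("../teamserver.cfg", "payloads/../../teamserver.cfg", "", "link.cfg"):
        try:
            resolve_download(str(root), bad)
            print("served:", bad)
        except PathTraversal:
            print("refused:", repr(bad))
```

A lexical check such as rejecting the substring `..` is not enough on its own: the symlink case in the demo contains no dots and still escapes the root, which is why the comparison is done on `resolve()`d paths.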

SHAD0W is vulnerable to unauthenticated RCE, which occurs when agents supply untrusted input that is inserted into teamserver instructions. 

SHAD0W is a C2 framework with a Python backend and agents written in C. In this case, a new agent, referred to as a “beacon” in SHAD0W terminology, reports the architecture, domain, operating system, and other details about the compromised system when it logs in to the teamserver.

The research team contacted the SHAD0W developer multiple times, but they never heard back.

Frameworks have the best chance of preventing such vulnerabilities by maintaining strict data boundaries between the agent, teamserver, and client.
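The SHAD0W and Cobalt Strike cases above are two sides of one boundary problem: agent-reported fields reach a shell command on the teamserver in one, and the operator's browser in the other. The Python below is an added example, not SHAD0W, Cobalt Strike or Include Security code, of the data boundary the paragraph recommends: every check-in field is validated once at the agent/teamserver edge, commands are built as argument lists rather than shell strings, and the one free-form field is HTML-escaped before the UI renders it. The field names, allowlists and sample check-ins are assumptions constructed for the example.

```python
import html
import re
import shlex
from dataclasses import dataclass

# Allowlists for fields a beacon reports at check-in. Names and formats are
# assumptions for this example; the page does not document SHAD0W's.
ALLOWED_OS = {"windows", "linux", "darwin"}
ALLOWED_ARCH = {"x86", "x64", "arm64"}
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,252}$")  # hostname / domain
USER_RE = re.compile(r"^[A-Za-z0-9._$-]{1,64}$")
MAX_FREEFORM = 256


class CheckInError(ValueError):
    """Raised when a check-in fails validation; the record is dropped, not stored."""


@dataclass(frozen=True)
class CheckIn:
    hostname: str
    domain: str
    os: str
    arch: str
    user: str
    process: str  # free-form: only length-bounded here, escaped at render time


def parse_check_in(raw: dict) -> CheckIn:
    """Validate every agent-supplied field at the agent/teamserver boundary."""
    keys = ("hostname", "domain", "os", "arch", "user", "process")
    missing = [k for k in keys if k not in raw]
    if missing:
        raise CheckInError(f"missing fields {missing}")
    if not all(isinstance(raw[k], str) for k in keys):
        raise CheckInError("all check-in fields must be strings")
    if not NAME_RE.match(raw["hostname"]):
        raise CheckInError(f"bad hostname {raw['hostname']!r}")
    if not NAME_RE.match(raw["domain"]):
        raise CheckInError(f"bad domain {raw['domain']!r}")
    if raw["os"] not in ALLOWED_OS:
        raise CheckInError(f"unknown os {raw['os']!r}")
    if raw["arch"] not in ALLOWED_ARCH:
        raise CheckInError(f"unknown arch {raw['arch']!r}")
    if not USER_RE.match(raw["user"]):
        raise CheckInError(f"bad user {raw['user']!r}")
    process = raw["process"]
    if len(process) > MAX_FREEFORM or any(ord(c) < 32 or ord(c) == 127 for c in process):
        raise CheckInError("process field too long or contains control characters")
    return CheckIn(raw["hostname"], raw["domain"], raw["os"], raw["arch"], raw["user"], process)


def log_command_unsafe(raw: dict) -> str:
    """The pattern the article describes: raw agent fields interpolated into a
    shell command string, so a crafted hostname becomes part of the command."""
    return f"echo 'beacon {raw['hostname']} ({raw['user']})' >> beacons.log"


def log_command_safe(checkin: CheckIn) -> list:
    """argv list for subprocess.run(..., shell=False): no shell parses agent data,
    and the fields have already passed parse_check_in()."""
    return ["logger", "-t", "teamserver",
            f"beacon {checkin.hostname} ({checkin.domain}\\{checkin.user})"]


def log_command_shell_quoted(checkin: CheckIn) -> str:
    """If a shell string is unavoidable, every agent-derived value is quoted."""
    return f"logger -t teamserver {shlex.quote(f'beacon {checkin.hostname} ({checkin.user})')}"


def render_beacon_row(checkin: CheckIn) -> str:
    """HTML row for the operator UI: every agent-derived cell is escaped, so
    markup in a process name is displayed as text rather than executed."""
    cells = (checkin.hostname, checkin.domain, checkin.os,
             checkin.arch, checkin.user, checkin.process)
    return "<tr>" + "".join(f"<td>{html.escape(c, quote=True)}</td>" for c in cells) + "</tr>"


# Constructed sample check-ins, not captured traffic.
BENIGN = {"hostname": "WS-017", "domain": "corp.example", "os": "windows",
          "arch": "x64", "user": "jdoe", "process": "explorer.exe"}
INJECTING_HOST = dict(BENIGN, hostname="x'; id #")
MARKUP_PROCESS = dict(BENIGN, process="<script>alert(1)</script>")

if __name__ == "__main__":
    print(log_command_unsafe(INJECTING_HOST))  # why string interpolation is unsafe
    try:
        parse_check_in(INJECTING_HOST)
    except CheckInError as err:
        print("rejected at boundary:", err)
    ok = parse_check_in(BENIGN)
    print(log_command_safe(ok))
    print(log_command_shell_quoted(ok))
    print(render_beacon_row(parse_check_in(MARKUP_PROCESS)))
```

The split between the two kinds of field is deliberate: a hostname or architecture has a known shape and can be rejected outright, whereas a process name legitimately contains characters that are dangerous only in a particular sink, so it is bounded at ingest and escaped at the sink. Neither check replaces the other.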

The default transport and beacon behaviors of Cobalt Strike are so strongly fingerprinted that they need significant patching and customisation to function in contexts with reasonable defenses. 

Agents and transport protocols of open source C2 frameworks begin to suffer from the same fate as soon as they are made available. The least exposed parts of the system are the client and the client-facing portion of the teamserver. 

So, it is a sensible design choice to make these unexposed components dependable, safe, and feature-rich with the understanding that the operators will create their own closed source evasive agents and transports.



