Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04anhtLXhwNDMtcWgzcc4AAz-e
Sliver vulnerable to MitM attack against implants due to a cryptography vulnerability
Summary
The current cryptography implementation in Sliver up to version 1.5.39 allows a MitM with access to the corresponding implant binary to execute arbitrary code on implanted devices via intercepted and crafted responses. (Reserved CVE ID: CVE-2023-34758)
Details
Please see the PoC repo.
PoC
Please also see the PoC repo.
To set up a simple PoC environment:
- Generate an implant with its C2 set to the PoC server's address and copy the embedded private implant key and public server key into the config JSON.
- Run the implant on a separate VM and a notepad.exe window should pop up on the implanted VM.
Impact
A successful attack grants the attacker permission to execute arbitrary code on the implanted device.
References
https://github.com/BishopFox/sliver/blob/master/implant/sliver/cryptography/implant.go
https://github.com/BishopFox/sliver/blob/master/implant/sliver/cryptography/crypto.go
https://github.com/tangent65536/Slivjacker
Credits
Ting-Wei Hsieh from CHT Security Co. Ltd.
Permalink: https://github.com/advisories/GHSA-8jxm-xp43-qh3q
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04anhtLXhwNDMtcWgzcc4AAz-e
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 11 months ago
Updated: 6 months ago
CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-8jxm-xp43-qh3q, CVE-2023-34758
References:
- https://github.com/BishopFox/sliver/security/advisories/GHSA-8jxm-xp43-qh3q
- https://github.com/BishopFox/sliver/commit/2d1ea6192cac2ff9d6450b2d96043fdbf8561516
- https://github.com/BishopFox/sliver/blob/master/implant/sliver/cryptography/crypto.go
- https://github.com/BishopFox/sliver/blob/master/implant/sliver/cryptography/implant.go
- https://github.com/BishopFox/sliver/releases/tag/v1.5.40
- https://github.com/tangent65536/Slivjacker
- https://nvd.nist.gov/vuln/detail/CVE-2023-35170
- https://nvd.nist.gov/vuln/detail/CVE-2023-34758
- https://github.com/advisories/GHSA-8jxm-xp43-qh3q
- https://www.chtsecurity.com/news/04f41dcc-1851-463c-93bc-551323ad8091
Blast Radius: 0.0
Affected Packages
go:github.com/bishopfox/sliver
Dependent packages: 3
Dependent repositories: 1
Downloads:
Affected Version Ranges: >= 1.5.0, < 1.5.40
Fixed in: 1.5.40
All affected versions: 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.5.9, 1.5.10, 1.5.11, 1.5.12, 1.5.13, 1.5.14, 1.5.15, 1.5.16, 1.5.17, 1.5.18, 1.5.19, 1.5.20, 1.5.21, 1.5.22, 1.5.23, 1.5.24, 1.5.25, 1.5.26, 1.5.27, 1.5.28, 1.5.29, 1.5.30, 1.5.31, 1.5.32, 1.5.33, 1.5.34, 1.5.35, 1.5.36, 1.5.37, 1.5.38, 1.5.39
All unaffected versions: 1.1.0, 1.1.1, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.4.8, 1.4.9, 1.4.10, 1.4.11, 1.4.12, 1.4.13, 1.4.14, 1.4.15, 1.4.16, 1.4.17, 1.4.18, 1.4.19, 1.4.20, 1.4.21, 1.4.22, 1.5.40, 1.5.41, 1.5.42, 1.15.16