
Süleyman Özarslan, PhD & Evren Yalçın | September 17, 2020
Picus is dedicated to collaborating with its technology alliance partners and the cybersecurity community to build better cyber defenses against adversary attempts. Accordingly, we follow a responsible disclosure policy for publishing vulnerabilities and bypass/evasion methods affecting security controls. We first notified the vendor, and after a grace period of 30 days, the new attack signature update was published.
Summary
We discovered that the “rev” and “printf” commands, combined with the Bash shell’s command substitution feature, bypass certain attack signature checks of the F5 Advanced WAF/ASM/NGINX App Protect products. We use this combination of commands in a command execution payload that spawns a reverse shell on the target web server.
Affected product versions
Technical Details
Senior red team analyst and team lead Evren Yalcin of Picus Labs discovered that certain attack signature checks for command execution can be bypassed by combining the rev and printf commands inside a command substitution payload that creates a reverse shell.
We created a listener on the attacker system to listen for incoming connections from the reverse shell running on the victim system:
The following command is our base payload; it creates a reverse shell using the netcat utility, where 127.0.0.1 is the IP address of the attacker system.
As expected, this command is easily blocked by the WAF. We then tried to use the rev command to bypass the WAF. The rev command in Linux reverses the order of the characters in a given file or string, as shown in the following example:
So, we tried to run the following command:
However, it gives an error as follows:
Then, we used command substitution to run the command successfully. Command substitution is a Bash feature that allows a command to be executed and its output to replace the command itself.
The syntax of command substitution is:
The command inside the parentheses executes, and the standard output of the command is returned as the value of the expression.
At first, we used the echo command in the command substitution payload as follows:
This payload is detected by the WAF as an echo execution attempt. Then, we tried to obfuscate the echo command using different methods, such as the following payload:
However, the WAF still blocked the payload with the same "echo" execution attempt signature. We then looked for alternatives to the echo command in Linux and tried the printf command:
It works like a charm without being blocked by the WAF signatures! A GET request version of the payload looks like this:
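The defender-side counterpart to the bypass described above, as an added example that is not Picus's or F5's code: a small Python normalizer that statically folds command substitutions built from echo, printf and rev back into the text they would produce, so that command-execution signatures can be matched on the canonical form rather than on the raw request. The signature list is a constructed placeholder, not F5's actual rules, and nothing is ever executed.

```python
import re
import shlex
from typing import Optional

# Illustrative command-execution signatures (constructed, not F5's rules); they match plain text.
SIGNATURES = [r"\b(?:nc|ncat|uname|whoami)\b", r"/bin/(?:ba)?sh", r"\bcat\s+/etc/"]
_INNERMOST = re.compile(r"\$\(([^()]*)\)")        # a $(...) with no nested parentheses
_HERESTRING = re.compile(r"^rev\s*<<<\s*(.*)$")   # rev <<< 'text'

def _eval_stage(stage: str, stdin: Optional[str]) -> Optional[str]:
    """Statically model one pipeline stage (echo, printf, rev); None for anything else."""
    try:
        m = _HERESTRING.match(stage)
        if m:
            parts = shlex.split(m.group(1))
            return (parts[0] if parts else "")[::-1]
        argv = shlex.split(stage)
    except ValueError:                           # unbalanced quotes: not modelled
        return None
    if argv and argv[0] == "rev" and stdin is not None:
        return stdin[::-1]
    if argv and argv[0] == "echo":
        return " ".join(a for a in argv[1:] if not re.fullmatch(r"-[neE]+", a))
    if len(argv) > 1 and argv[0] == "printf":
        args = iter(argv[2:])                    # each %s / %b consumes one argument
        return re.sub(r"%[sb]", lambda _: next(args, ""), argv[1])
    return None

def normalize(payload: str, max_rounds: int = 16) -> str:
    """Fold $(...) made only of echo/printf/rev into its output, innermost first; others stay as-is."""
    pos = 0
    for _ in range(max_rounds):
        m = _INNERMOST.search(payload, pos)
        if not m:
            break
        value = None
        for stage in m.group(1).split("|"):      # a '|' inside quotes is not handled
            value = _eval_stage(stage.strip(), value)
            if value is None:
                break
        if value is None:
            pos = m.end()                        # skip this $(...) and keep scanning
            continue
        payload = payload[:m.start()] + value + payload[m.end():]
    return payload

def matched_signatures(payload: str) -> list:
    text = normalize(payload)                    # match on the canonical form, not the raw bytes
    return [p for p in SIGNATURES if re.search(p, text)]
```

Feeding the request parameter value to `matched_signatures` yields the signatures that fire once the substitution has been folded; an empty list means the canonical text is clean.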
Testing Web Application Firewalls
The Picus Threat Library includes thousands of web application attack payloads and hundreds of WAF bypass payloads that test the effectiveness of Web Application Firewalls. The above payload is included in the Picus Threat Library as:
Moreover, the Picus Threat Library includes the following threats that test this bypass method:
If you want to know whether your current enterprise security controls can block these types of attacks, please fill out the demo request form.
Mitigations
The F5 SIRT team promptly responded to each email within one day throughout the entire process and quickly released mitigations.
Fixed Attack Signature Updates:
Fixed Signatures:
F5 published the following advisory and acknowledged our researcher, Evren Yalcin:
Disclosure Timeline: