Critical Remote Code Execution issue impacts popular post-exploitation toolkit Cobalt Strike

HelpSystems, the company that developed the Cobalt Strike platform, addressed a critical remote code execution vulnerability in its software.

HelpSystems, the company that developed the commercial post-exploitation toolkit Cobalt Strike, addressed a critical remote code execution vulnerability, tracked as CVE-2022-42948, in its platform.

The company released an out-of-band security update to address the remote code execution issue that can be exploited by an attacker to take control of targeted systems.

“Certain components within Java Swing will automatically interpret any text as HTML content if it starts with <html>. This can be exploited using an object tag, which in turn can load a malicious payload from a webserver, which is then executed by the Cobalt Strike client.” reads the post published by HelpSystems. “Disabling automatic parsing of html tags across the entire client was enough to mitigate this behaviour.”

The vulnerability affects Cobalt Strike version 4.7.1 and results from an incomplete patch released on September 20, 2022, to address cross-site scripting (XSS) vulnerability tracked as CVE-2022-39197.

An attacker can exploit the CVE-2022-39197 by manipulating some client-side UI input fields, by simulating a Cobalt Strike implant check-in or by hooking a Cobalt Strike implant running on a host.

HelpSystems reported that the remote code execution could be triggered in specific cases using the Java Swing framework used by the popular toolkit. The flaw was addressed with the release of Cobalt Strike 4.7.2. The company highlighted that this flaw isn’t specific to Cobalt Strike software and for this reason, it hasn’t assigned it a new CVE. 

“This is an out of band update to fix a remote code execution vulnerability that is rooted in Java Swing but which can be exploited in Cobalt Strike.” reads a post published by the vendor.

Threat actors could exploit the flaw by leveraging an HTML <object> tag to load a malicious payload hosted on a remote server and inject it within the note field or the graphical file explorer menu in the post-exploitation platform UI.

Below is an image that demonstrates IBM researchers successfully triggered the vulnerability and executed /usr/bin/xcalc.

“It should be noted here that this is a very powerful exploitation primitive. Since we can write a payload in Java, this means that we can construct a fully featured cross-platform payload that would be able to execute code on the user’s machine regardless of the operating system flavor or architecture.” wrote IBM researchers that also published a video PoC.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, RCE)

[adrotate banner=”5″]

[adrotate banner=”13″]