Hak5 C2 (Cloud Command and Control) Self-hosted Server ClickJacking Vulnerability

Today’s discovery is not a big deal, just another Clickjacking in the world, this time in Hak5’s C2 (Cloud Command and Control) Server

First, what is Hak5’s C2 (Cloud Command and Control) Server?
Hak5 C2 is a self-hosted cloud penetration testing platform that lets you perform “Pentest from Anywhere” by connecting your Hak5 gear/products (WiFi Pineapple, Packet Squirrel or LAN Turtle) to one unified dashboard and controlling those devices remotely through the cloud server.

What is Clickjacking?

Clickjacking, also known as a “UI redress attack”, is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top-level page. Thus, the attacker is “hijacking” clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.

Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker.


The Discovery

During our installation and configuration of the cloud server we noticed that the server does not send the “X-Frame-Options” header, which tells the browser not to render the page inside a frame. Without it the C2 dashboard can be framed and overlaid by another site, which leaves the server prone to a clickjacking attack: the server owner can be tricked into changing the username and password (and so handing over the server) or into sending shell commands to the connected Hak5 gear.


Advisory Details

[-] Product Description:
Hak5 C2 is a penetration testing platform that lets you perform “Pentests from Anywhere” by connecting your Hak5 gear (WiFi Pineapple, Packet Squirrel or LAN Turtle) to one unified dashboard and controlling those devices remotely through the cloud server.

[-] Vulnerability Type:
ClickJacking – UI Redressing

[-] Impact and more info:
https://www.owasp.org/index.php/Clickjacking

[-] Version affected:
Community, Professional and Business

[-] Test Performed:
Quick Trial Security Assessment (not fully tested)

[-] Vulnerable Request:
http(s)://C2_Installation_IP/*

[-] Vulnerable Module/Parameter/Path:
All visible UI modules

[-] Proof of concept:

[-] Attack Vectors:
– Changing the C2 cloud server’s username and password to take over the C2 cloud server and hence the connected Hak5 gear.
– Tricking the targeted victim into sending commands via the terminal of each Hak5 gear.
– Controlling anything in the vulnerable UI.

[-] Fix Suggestion:
Add the X-Frame-Options header and set its value to DENY or SAMEORIGIN, depending on the usage context.
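A small checker for the fix above, added here as an example (it is not part of the advisory or of Hak5’s code): given the headers of one HTTP response it reports whether the page is protected against framing, honouring both X-Frame-Options and the newer CSP frame-ancestors directive, which browsers prefer when both are present. The sample headers are constructed; `check_url` is a hypothetical helper that fetches a live page.

```python
import sys
import urllib.request

# X-Frame-Options values that browsers honour as framing protection.
XFO_OK = {"DENY", "SAMEORIGIN"}


def frame_protection(headers):
    """Classify the anti-framing posture of one HTTP response.

    `headers` maps header name -> value (names are matched case-insensitively).
    Returns (protected, reason). CSP frame-ancestors is evaluated first because
    browsers give it precedence over X-Frame-Options when both are sent.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    csp = lowered.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if not sources:
                return False, "CSP frame-ancestors has no source list"
            if "*" in sources:
                return False, "CSP frame-ancestors allows any origin"
            return True, "CSP frame-ancestors %s" % " ".join(sources)
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo in XFO_OK:
        return True, "X-Frame-Options %s" % xfo
    if xfo.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options ALLOW-FROM is ignored by modern browsers"
    if xfo:
        return False, "X-Frame-Options has invalid value %r" % xfo
    return False, "no X-Frame-Options or CSP frame-ancestors header"


def check_url(url):
    """Hypothetical helper: fetch `url` and classify its headers (needs network)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return frame_protection(dict(resp.headers.items()))


if __name__ == "__main__":
    # Constructed samples: a response like the unpatched C2 dashboard, and one
    # carrying the suggested fix.
    missing = {"Content-Type": "text/html", "Server": "example"}
    fixed = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}
    for name, hdrs in (("before fix", missing), ("after fix", fixed)):
        print(name, frame_protection(hdrs))
    if len(sys.argv) > 1:
        print(sys.argv[1], check_url(sys.argv[1]))
```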

[-] Product URL(s):
https://hakshop.com/products/c2

[-] Product Discussion(s):
https://forums.hak5.org/forum/96-hak5-cloud-c%C2%B2/

The vulnerability has been reported to the Hak5 development team, and “Sebastian” from the Hak5 team replied that it will be fixed in the next release.

[-] Disclaimer:
Any advisories and discoveries by Seekurity SAS de C.V. are subject to the Seekurity SAS de C.V. responsible disclosure rules: a 15-90-day disclosure deadline, or a non-responsive vendor. After that, if no response has been received or no patch has been made broadly available, the bug details will become visible to the public through our official communication channels.
