TrevorC2 v1.1/v1.2 - Fingerprinting Vulnerability #18
Comments
|
All of them are configurable options and should be adjusted including encryption keys when using in an environment you need to leverage evasion. This is by design. |
|
Thanks for the quick reply, I'm finding it hard to believe it is by design that HTTP methods other than GET reply with "Server: TornadoServer/6.0.3" instead of the IIS response normally seen? Or how triggering a 500 error will also display something similar? This clearly isn't intended to be customizable given that the ability to change this is under the "# DO NOT CHANGE BELOW THIS LINE" or am I missing something? |
|
This also goes for interaction with "SITE_PATH_QUERY", incorrect interaction shouldn't provide a response which is fingerprintable... it should be generic, again unless I'm mistaken? None of the options above "# DO NOT CHANGE BELOW THIS LINE" give users the ability to stop this issue. |
|
Devil is in the details, the initial response said that the SITE_PATH_QUERY was predictable which I assumed based on the level of detail was static which it's intended to be and changed. The initial response was that there are hardcoded variables in there that should be changed before deploying. Regarding the server banners, TornadoServer is a Python-based Server used commonly in the wild and not a footprint directly for TrevorC2. It's a web server similar to IIS and Apache, just in Python. |
|
Ahh my bad for not phrasing that better, it is to an incorrect request to "SITE_PATH_QUERY" that replies with a fingerprintable response. As for the banners...true but the differences between HTTP methods are what makes it strange. Why IIS for GET but Tornado for PUT or 500 codes? These two issues together do allow for fingerprinting... I strongly believe. |
|
To mostly fix these issues I'm assuming wouldn't be so difficult, you'd need to make sure all HTTP methods and error codes provide a uniformed banner. Incorrect requests to "SITE_PATH_QUERY" should reply with a generic error message not "CACHE: FILE NOT FOUND" . Again if I am wrong, I'm very happy with that, just trying to improve the product. Thank you for being so quick with this. |
|
Ah that makes sense. Yeah - easy changes. I'll take a peek in adjusting. Thanks for the report and explanation. |
|
Thanks to you :) |
|
Just pushed some changes should address everything mentioned here. Also added a new field to customize the page if you visit the SITE_PATH_QUERY directly. Also added a new redirector option to just redirect to the site itself if someone directly browses. Thanks again! I'll keep this open and if I don't hear anything in a few will close it up as resolved. |
|
I'll check it out but it looks great! Thank you once again and really love your product. |
|
@HackingDave was this issue ever addressed? and if so could you kindly point me to the fixing commit? |
TrevorC2 v1.1/v1.2 fails to prevent fingerprinting primarily via a discrepancy between response headers when responding to different HTTP methods, also via predictible responses when accessing and interacting with the "SITE_PATH_QUERY".
CVE-2019-18850
Gionathan Armando Reale, Deloitte DK
The text was updated successfully, but these errors were encountered: