CVE-2019-19781 poor man's ktrace(1) driven analysis


Recently I had the chance to get myself a copy of a malicious httpd executable used by an unknown party while exploiting CVE-2019-19781. Even though I have nothing more than a layman's understanding of forensics, I still wanted to dig into it. This is my journal of looking into a piece of malware as a noob. While I hope to encourage others to also try to look behind the curtain, I also want to stress that this is all potentially dangerous and you should not do this from within a sensitive network.

As far as I understand the situation, CVE-2019-19781 is a path traversal vulnerability at its core. I don't want to reiterate information that is already readily available via Google and such, especially as the best I could do is replicate that information without changing even minor details. If you want to learn more about CVE-2019-19781 I have to ask you to use a search engine of your choice.

Lab setup

As mentioned above, I wasn't too eager to drill into a malicious binary inside a production environment, so I started to set up a lab for analysing it.

[Diagram: Lab Setup]

The setup itself is pretty basic and runs on an ESXi host. firewall is a piece of infrastructure that gives me easy access to my target, while freebi is the machine I am running the httpd on. To stop the malware from phoning home I set up a rule on firewall which blocks and logs all outgoing traffic coming from freebi. I also specifically chose 198.51.100.0/24 because it is reserved for documentation and should not be routed on the internet, so even if the box phones home I am safe as long as I don't accidentally NAT its traffic. freebi itself runs a stock FreeBSD 8.4-RELEASE, which gives me enough of an environment to run httpd without fiddling with libraries and extra software:

root@freebi:~ # uname -a
FreeBSD freebi.my.domain 8.4-RELEASE FreeBSD 8.4-RELEASE #0 r251259: Sun Jun  2 21:26:57 UTC 2013 …
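The egress rule on firewall is only useful if you actually read what it logs: every blocked connection from freebi is a phone-home attempt, and the destinations and ports are exactly what you want to collect during the analysis. The following is an added example, not code from the original post. It assumes firewall runs pf and that the log was dumped with `tcpdump -n -e -ttt -r /var/log/pflog` (the post does not say what firewall is running). The log lines are constructed for the example and only use documentation address ranges; the script parses them and summarises blocked outbound traffic from the lab host by destination, port and protocol.

```python
import re
from collections import Counter

# Constructed sample lines in the style of `tcpdump -n -e -ttt -r /var/log/pflog`
# on a pf-based firewall (assumption: the firewall runs pf). All addresses are
# from documentation ranges; the destinations are made up, not real IoCs.
SAMPLE_PFLOG = """\
00:00:00.000000 rule 3/0(match): block out on em1: 198.51.100.10.49152 > 203.0.113.5.443: Flags [S], seq 1, win 65535, length 0
00:00:01.500000 rule 3/0(match): block out on em1: 198.51.100.10.49153 > 203.0.113.5.443: Flags [S], seq 2, win 65535, length 0
00:00:02.000000 rule 3/0(match): block out on em1: 198.51.100.10.49154 > 203.0.113.9.80: Flags [S], seq 3, win 65535, length 0
00:00:03.000000 rule 1/0(match): pass in on em0: 192.0.2.20.51000 > 198.51.100.10.22: Flags [S], seq 4, win 65535, length 0
00:00:04.000000 rule 3/0(match): block out on em1: 198.51.100.10.1024 > 203.0.113.9.53: UDP, length 40
"""

# One pflog line: timestamp, matched rule, action, direction, interface,
# source ip.port > destination ip.port, then the protocol-specific remainder.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)/\d+\(match\): (?P<action>block|pass) "
    r"(?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)


def parse_pflog(text):
    """Turn pflog tcpdump output into a list of event dicts; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        # tcpdump prints "UDP, length N" for UDP and "Flags [...]" for TCP
        proto = "udp" if d["rest"].startswith("UDP") else "tcp"
        events.append({
            "ts": d["ts"],
            "rule": int(d["rule"]),
            "action": d["action"],
            "dir": d["dir"],
            "ifname": d["ifname"],
            "src": d["src"],
            "sport": int(d["sport"]),
            "dst": d["dst"],
            "dport": int(d["dport"]),
            "proto": proto,
        })
    return events


def blocked_egress(events, lab_host):
    """Only outbound packets from the lab host that the block rule caught."""
    return [e for e in events
            if e["action"] == "block" and e["dir"] == "out" and e["src"] == lab_host]


def summarise(events, lab_host):
    """Count phone-home attempts per (destination, port, protocol)."""
    return Counter((e["dst"], e["dport"], e["proto"])
                   for e in blocked_egress(events, lab_host))


if __name__ == "__main__":
    # freebi's address is an assumption; the post only gives the /24
    for (dst, dport, proto), n in summarise(parse_pflog(SAMPLE_PFLOG), "198.51.100.10").most_common():
        print(f"{n:4d}  {proto}  {dst}:{dport}")
```

On a real firewall you would pipe the tcpdump output into `parse_pflog` instead of using the constructed string; the inbound `pass` line is there to show that only outbound blocks from the lab host end up in the summary. Repeated SYNs to the same destination are a good sign the binary is retrying, which is worth correlating with what ktrace shows on freebi.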