Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
Covenant Remote Code Execution Vulnerability via Forged JWT Tokens
Vulnerability
A remote code execution vulnerability has been identified in Covenant versions from 0.1.3 up to, but not including, 0.5. The flaw allows attackers to create malicious JSON Web Tokens (JWTs) that carry administrative privileges. Using such a token, an attacker can upload a custom Dynamic Link Library (DLL) payload that executes arbitrary commands on the target system.
Impact
Exploitation of this vulnerability allows for remote code execution on the server where Covenant is running, with the executed code running as the user that hosts the Covenant application. This could potentially be the 'root' user on Linux systems or the 'SYSTEM' user on Windows.
Reproduction
The vulnerability can be reproduced by generating a forged JWT using the known secret key that was accidentally exposed in a previous commit. This forged token must include administrative roles. Once the token is created, it can be used to authenticate with the Covenant API and gain administrative access. Afterward, a malicious profile can be uploaded, which includes a 'MessageTransform' class that decodes a base64-encoded DLL payload, executes it, and then re-encodes the message before sending it back to the server. This process can be automated with a Python script that handles the JWT crafting, profile uploading, and exploitation steps.
Remediation
Users are advised to update to Covenant version 0.6, which addresses this vulnerability. Additionally, ensure that the Covenant admin port is not publicly accessible.
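A defender-side check, added here and not part of the original advisory: given a JWT issued by your own Covenant deployment, it reports whether that token still verifies under the exposed signing secret (if it does, the secret was never rotated), whether it verifies under the key you expect, and whether it carries an administrator role. The leaked secret value is a placeholder (the real key is deliberately not reproduced), and `role` is an assumed claim name.

```python
import base64
import hashlib
import hmac
import json

# Placeholder for the secret that was exposed in the Covenant repository.
# The real value is not reproduced here; substitute it when running the check.
KNOWN_LEAKED_SECRET = b"PLACEHOLDER-exposed-covenant-jwt-secret"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_hs256_jwt(claims: dict, key: bytes) -> str:
    """Builds an HS256 JWT; used here only to construct sample tokens for the audit."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verifies_under(token: str, key: bytes) -> bool:
    """True if the token's HS256 signature is valid for `key` (constant-time compare)."""
    try:
        header, body, sig = token.split(".")
        alg = json.loads(_b64url_decode(header)).get("alg")
    except (ValueError, AttributeError):
        return False
    if alg != "HS256":  # never accept 'none' or an unexpected algorithm
        return False
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig))

def audit_token(token: str, deployment_key: bytes) -> dict:
    """Flags tokens that verify under the exposed secret and reports admin roles."""
    claims = {}
    try:
        claims = json.loads(_b64url_decode(token.split(".")[1]))
    except (ValueError, IndexError):
        pass
    if not isinstance(claims, dict):
        claims = {}
    roles = claims.get("role", [])  # assumed claim name
    roles = [roles] if isinstance(roles, str) else list(roles)
    return {
        "signed_with_leaked_secret": verifies_under(token, KNOWN_LEAKED_SECRET),
        "valid_for_deployment": verifies_under(token, deployment_key),
        "admin_claim": any(str(r).lower() == "administrator" for r in roles),
    }
```

A token from a patched, key-rotated server should report `signed_with_leaked_secret` as False; any True result means the instance is still accepting tokens that anyone holding the exposed secret can mint.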
