BishopFox Sliver
cpe:2.3:a:bishopfox:sliver:*:*:*:*:*:*:*
- >= 1.5.26, <= 1.5.42
- >= 1.6.0, < 0f340a2
A vulnerability in the Sliver teamserver's reverse port forwarding feature allows an implant to establish a reverse tunnel without the operator having requested it. The issue affects Sliver teamserver versions 1.5.26 through 1.5.42 (and 1.6.0 development builds before commit 0f340a2) and has been fixed in version 1.5.43. Its most direct impact is disclosure of the teamserver's real IP address to third parties; the reporter states that it may have more significant consequences, such as server-side request forgery.
Exploiting the flaw gives the attacker a form of server-side request forgery: the teamserver can be induced to open outbound connections on the implant's behalf, to a destination the implant chooses rather than one an operator configured. In the reported proof of concept this was used to leak the teamserver's origin IP address, which operators normally keep hidden behind redirectors; the reporter believes the same primitive could be extended to full-read SSRF.
To reproduce this vulnerability, first run a Sliver teamserver binary on a Linux machine. Then generate a Sliver implant binary with mTLS enabled and run it on a Windows machine. After the implant connects to the teamserver, take a memory dump of the implant process; the mTLS client certificate and private key embedded in the implant can be extracted from that dump, and they are all that is needed to authenticate to the teamserver as that implant. With those credentials, send a specially crafted envelope requesting a reverse port forward: the teamserver creates the tunnel without checking whether an operator ever requested it. The security-relevant point is that mTLS only proves the message came from an implant, and anyone holding a copy of the implant binary or its memory can produce such a message, so implant-originated requests must not be treated as operator-authorized.
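The following Go snippet is an added illustration of the missing check, written for this page; it is not Sliver's own code and does not use Sliver's protobuf types or handler names. It assumes a simplified model in which an implant-originated envelope names a session, a forward ID and a remote address, and the teamserver dials that remote for the tunnel. The vulnerable handler trusts the envelope outright; the hardened handler only services forwards an operator explicitly created for that session and dials the destination the operator configured, not the one the implant supplied. Addresses, session IDs and the envelope below are constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// ErrUnsolicited is returned when an implant asks for a tunnel that no operator requested.
var ErrUnsolicited = errors.New("reverse port forward not requested by an operator")

// rportfwdEnvelope models the fields of an implant-originated message that matter
// here. The field names are illustrative, not Sliver's wire format.
type rportfwdEnvelope struct {
	SessionID  string
	ForwardID  uint32
	RemoteAddr string // host:port the implant asks the teamserver to connect to
}

// rportfwdRegistry tracks reverse port forwards an operator has explicitly created,
// keyed by session and forward ID, together with the destination the operator chose.
type rportfwdRegistry struct {
	mu       sync.Mutex
	approved map[string]map[uint32]string
}

func newRportfwdRegistry() *rportfwdRegistry {
	return &rportfwdRegistry{approved: make(map[string]map[uint32]string)}
}

// operatorAdd records an operator's request for a reverse port forward on a session.
func (r *rportfwdRegistry) operatorAdd(sessionID string, forwardID uint32, remote string) {
	r.mu.Lock()
	defer r.mu.Unlock()
	if r.approved[sessionID] == nil {
		r.approved[sessionID] = make(map[uint32]string)
	}
	r.approved[sessionID][forwardID] = remote
}

// lookup returns the operator-chosen destination for (session, forward), if any.
func (r *rportfwdRegistry) lookup(sessionID string, forwardID uint32) (string, bool) {
	r.mu.Lock()
	defer r.mu.Unlock()
	remote, ok := r.approved[sessionID][forwardID]
	return remote, ok
}

// dialer stands in for the teamserver's outbound connection so the example runs
// offline; it records every address the teamserver would have connected to.
type dialer struct{ dialed []string }

func (d *dialer) dial(addr string) { d.dialed = append(d.dialed, addr) }

// handleVulnerable mirrors the flawed behaviour described above: the teamserver
// trusts the implant's envelope and dials whatever address it names.
func handleVulnerable(d *dialer, env rportfwdEnvelope) error {
	d.dial(env.RemoteAddr)
	return nil
}

// handleHardened only acts on forwards an operator created for this session and
// dials the operator-configured destination, ignoring the address in the envelope.
func handleHardened(reg *rportfwdRegistry, d *dialer, env rportfwdEnvelope) error {
	remote, ok := reg.lookup(env.SessionID, env.ForwardID)
	if !ok {
		return fmt.Errorf("session %s forward %d: %w", env.SessionID, env.ForwardID, ErrUnsolicited)
	}
	if remote != env.RemoteAddr {
		// A mismatch means the implant tried to retarget an approved forward; worth logging.
		fmt.Printf("warning: implant asked for %s but operator configured %s\n", env.RemoteAddr, remote)
	}
	d.dial(remote)
	return nil
}

func main() {
	reg := newRportfwdRegistry()
	reg.operatorAdd("sess-1", 7, "10.0.0.5:445") // operator-created forward (constructed)

	// Constructed envelope from a rogue implant, or from anyone who carved the
	// implant's mTLS material out of a memory dump, pointing at an attacker host.
	rogue := rportfwdEnvelope{SessionID: "sess-1", ForwardID: 99, RemoteAddr: "203.0.113.10:80"}

	vuln := &dialer{}
	_ = handleVulnerable(vuln, rogue)
	fmt.Println("vulnerable teamserver dialed:", vuln.dialed)

	hard := &dialer{}
	if err := handleHardened(reg, hard, rogue); err != nil {
		fmt.Println("hardened teamserver refused:", err)
	}
	fmt.Println("hardened teamserver dialed:", hard.dialed)
}
```

The registry is keyed per session so that a forward ID approved for one implant cannot be replayed by another, and the destination always comes from the operator's side of the connection; both choices matter, since the implant is the only party to the exchange the attacker controls.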
Users are advised to upgrade to Sliver teamserver version 1.5.43 or later; users tracking the 1.6.0 development branch need a build that includes commit 0f340a2.