Bishop Fox Sliver Unrestricted WireGuard Client Traffic Vulnerability

Vulnerability

A vulnerability exists in the Sliver command and control framework, in versions through 1.5.43 and the development version 1.6.0-dev. The framework's custom WireGuard netstack does not restrict traffic between WireGuard clients. This lack of restriction can lead to several potential problems: a WireGuard keypair leaked or recovered from a beacon could be used to attack operators, and port forwards could be accessed from other implants.
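The missing restriction described above, sketched as an inbound packet check. This is an added example, not Sliver's code or its 1.5.44 patch. The 100.64.0.0/16 pool, the 100.64.0.1 listener address and the names CheckInbound and header are assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// Assumed addressing and error names for illustration; not read from Sliver's source.
var (
	tunnelNet     = netip.MustParsePrefix("100.64.0.0/16") // pool peers are assigned from
	serverIP      = netip.MustParseAddr("100.64.0.1")      // listener's own tunnel address
	ErrMalformed  = errors.New("not a complete IPv4 header")
	ErrSpoofedSrc = errors.New("source is not the peer's assigned address")
	ErrPeerToPeer = errors.New("destination is another tunnel peer")
)

// CheckInbound decides whether a decrypted packet received from the peer that
// owns peerIP may be handed to the netstack. nil means forward it.
// IPv6 is rejected as malformed in this narrow example.
func CheckInbound(peerIP netip.Addr, pkt []byte) error {
	if len(pkt) < 20 || pkt[0]>>4 != 4 || pkt[0]&0x0f < 5 {
		return ErrMalformed
	}
	src, _ := netip.AddrFromSlice(pkt[12:16])
	dst, _ := netip.AddrFromSlice(pkt[16:20])
	if src != peerIP { // defence in depth on top of WireGuard's allowed-IPs check
		return ErrSpoofedSrc
	}
	// The restriction the advisory says was absent: server yes, sibling peers no.
	if tunnelNet.Contains(dst) && dst != serverIP {
		return ErrPeerToPeer
	}
	return nil
}

// header builds a constructed 20-byte IPv4 header (no payload) as sample input.
func header(src, dst string) []byte {
	p := make([]byte, 20)
	p[0] = 0x45 // version 4, IHL 5
	s, d := netip.MustParseAddr(src).As4(), netip.MustParseAddr(dst).As4()
	copy(p[12:16], s[:])
	copy(p[16:20], d[:])
	return p
}

func main() {
	peer := netip.MustParseAddr("100.64.0.2")
	fmt.Println(CheckInbound(peer, header("100.64.0.2", "100.64.0.1"))) // to server
	fmt.Println(CheckInbound(peer, header("100.64.0.2", "100.64.0.3"))) // to sibling peer
}
```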

Impact

This vulnerability could allow an operator's services to be accessed by an attacker, potentially leading to exploitation and remote code execution, especially if the services have known vulnerabilities. If no vulnerabilities are present, the access could still be used for information gathering, such as collecting hostnames or SSH signatures.

Reproduction

To reproduce this vulnerability, connect two WireGuard clients to the same WireGuard listener. Once both clients are connected, they can freely communicate with each other and access each other's services. Alternatively, after connecting a WireGuard client to the listener, a beacon can be run to recover the WireGuard private key from a process dump. This key can then be used to connect to the WireGuard network and access services as described.

Remediation

Users can update to Sliver version 1.5.44, where this vulnerability has been patched.

Added: Oct 28, 2025, 8:22 PM
Updated: Oct 28, 2025, 8:22 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 0.0
exploitability: 9.3
remediation: 7.7
relevance: 0.9
threat: 4.8
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.