Emp3r0r C2 Command Injection Vulnerability Allowing Remote Code Execution
Vulnerability
A command injection vulnerability has been identified in Emp3r0r, a stealth-focused command and control (C2) tool for Linux environments. This issue affects versions prior to 3.21.1. The vulnerability arises because untrusted agent metadata, specifically the Transport and Hostname fields, is accepted during agent check-in. This metadata is later interpolated into tmux command strings executed via /bin/sh -c, allowing for command injection and remote code execution on the operator's host.
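The two command shapes the advisory contrasts, shown side by side as an added Go example (Go being Emp3r0r's implementation language); this is constructed for illustration and is neither Emp3r0r's own code nor its actual fix. The AgentMeta type, the tmux rename-window invocation and the allowlist patterns are assumptions.

```go
package main

import (
	"fmt"
	"os/exec"
	"regexp"
)

// AgentMeta mirrors the two check-in fields the advisory names (a constructed stand-in, not Emp3r0r's type).
type AgentMeta struct {
	Transport string
	Hostname  string
}

// Allowlists are an assumption: RFC 1123 hostname characters, and a
// conservative character set for the transport label.
var (
	hostnameRe  = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9.-]{0,253}$`)
	transportRe = regexp.MustCompile(`^[A-Za-z0-9 ._:/+-]{1,64}$`)
)

// ValidateMeta rejects metadata before it reaches any command builder.
func ValidateMeta(m AgentMeta) error {
	if !hostnameRe.MatchString(m.Hostname) {
		return fmt.Errorf("hostname %q contains disallowed characters", m.Hostname)
	}
	if !transportRe.MatchString(m.Transport) {
		return fmt.Errorf("transport %q contains disallowed characters", m.Transport)
	}
	return nil
}

// UnsafeTmuxCommand is the vulnerable shape: both fields are interpolated
// into one string that /bin/sh -c parses, so a quote or ';' in a field
// becomes shell syntax. It only builds the command, it never runs it.
func UnsafeTmuxCommand(m AgentMeta) *exec.Cmd {
	line := fmt.Sprintf("tmux rename-window '%s (%s)'", m.Hostname, m.Transport)
	return exec.Command("/bin/sh", "-c", line)
}

// SafeTmuxCommand validates first, then hands the title to tmux as a
// single argv element, so no shell ever parses the untrusted text.
func SafeTmuxCommand(m AgentMeta) (*exec.Cmd, error) {
	if err := ValidateMeta(m); err != nil {
		return nil, err
	}
	title := fmt.Sprintf("%s (%s)", m.Hostname, m.Transport)
	return exec.Command("tmux", "rename-window", title), nil
}
```

Inspect `cmd.Args` on both results: the unsafe form carries the raw field inside a single `-c` string, while the safe form never invokes a shell at all.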
Impact
Exploitation of this vulnerability allows for remote code execution on the operator's host, with the potential to steal operator secrets and session context. If the C2 server is co-hosted with the operator, this could lead to a compromise of the C2 environment as well.
Reproduction
To reproduce this vulnerability, an attacker must control a malicious or rogue agent session, or reuse a stolen valid UUID and UUID signature. The attacker can then submit crafted metadata during the agent's check-in process, such as injecting shell commands into the Transport or Hostname fields. Once the metadata is processed, the injected commands will be executed on the operator's host via the tmux command interface.
Remediation
Users should update to Emp3r0r version 3.21.1 or later, where this vulnerability has been fixed.
