Proof Of Concept: Connectwise Control Screenconnect Signed Executable to Arbitrary Code Execution via ARP Poisoning / DNS Hijacking / Unsanitized Client Parameters or Host Headers with CVE-2020-3147 (Cisco Sx / SMB Series Switches)

December 6, 2022
CVECyber SecurityForensicsIncident Response

I am providing this simple proof of concept walkthrough to demonstrate weaponization of an Arbitrary Code Execution (HTTP/HTTPS Request) in Connectwise ScreenConnect & Control Client (via CVE-2020-3147.) This walkthrough can be performed / used to man-in-the-middle or poison DNS requests via Responder and trigger the condition.

Step 1: Attacker triggers CVE-2020-3147 via malformed HTTP request to web interface. OR… step 2.

Cisco Small Business Switches Denial of Service Vulnerability – Cisco

Step 2: The attacker poisons DNS via ARP / Known Attacks. Responder provides a spoofed DNS record.

Responder Launch
Poisoned DNS response.

On the victim machine, the DNS record is poisoned:

Pre-Activation copy of ScreenConnect controlled by attacker.

The client is downloaded by the victim and executes the requested code. (http request to vulnerable Cisco switch, exploit embedded in file & HTTP request to 192.168.1.254)

THIS EXECUTABLE, SIGNED BINARY BYPASSES HASH BANNING AND ENDPOINT CONTROLS…. in things like Huntress!

Attack Flow: What has happened?

  1. The trusted executable still runs, triggering an HTTP request to the resolving IP.
  2. This MALFORMED HTTP Request is the exploit for CVE-2020-3147
  3. The client is tampered (via Poisoning of the DNS response or hijacked record.)
  4. The now resolving DNS record is where the request is sent.
  5. The server fails to sanitize these parameters.
  6. Open WinHex and examine the executable.
  7. Look at this client download request.. IT’S VIA HTTP!

Intercepting HTTP traffic with Burp Proxy – PortSwigger

It really is this easy. No social engineering needed.

I have succesfully tampered with a trusted, signed executable in transit. The executable performs an arbitrary HTTP request that will reboot a Cisco Sx series switch and allow the attacker to MITM / ARP / HTTP intercept the entire network.*The switch / network are taken down for 5-10 minutes.. hence a Denial of Service (and high severity problem, ask Cisco!)

Prreeettty basic stuff..

Man in the Middle (MITM) Attacks | Types, Techniques, and Prevention (rapid7.com)

References and Tools for PoC / Exploitation:

Kali Linux ARP Poisoning/Spoofing Attack – YouTube

Man in the Middle Attack: Tutorial & Examples | Veracode

DNS spoofing – The Hacker Recipes

Still a banger of a track and a watermark:

DMX – We Right Here – YouTube