The vulnerability exists in Sliver C2’s custom WireGuard network stack. Every client that connects to the WireGuard listener, operator workstations and implant beacons alike, is placed in the same virtual network with no access controls between peers. The `socketWGWriteEnvelope` function handles outbound traffic but contains no logic to filter or restrict communication between connected peers, so any client can open direct connections to any other client on the network. If an operator’s machine runs services such as SSH or RDP bound to all interfaces, those services become reachable from the other WireGuard peers. An attacker can recover a beacon’s private key from memory, use it to generate a valid client configuration, and connect to the listener. Once connected, they can move laterally to scan and exploit services on the operator’s machine (a tunnel address such as 100.64.0.3), because the netstack never enforces isolation between what should be untrusted implants and trusted operator systems.
Platform: Sliver C2
Version: All (WireGuard listener)
Vulnerability: Lateral Movement
Severity: Critical
Date: 2024
Prediction: Q4 2024
What Undercode Say:
strings memory_dump.bin | grep -i priv
wg setconf wg0 recovered_config.conf
nmap -p 22,3389 100.64.0.3
// server\c2\wireguard.go
// Serializes an envelope and writes it, length-prefixed, to the peer
// connection. Note that the destination peer is never checked against
// any policy: the function forwards to whichever connection it is given.
func socketWGWriteEnvelope(connection net.Conn, envelope sliverpb.Envelope) error {
	data, err := proto.Marshal(envelope)
	if err != nil {
		wgLog.Errorf("Envelope marshaling error: %v", err)
		return err
	}
	// 4-byte little-endian length prefix followed by the protobuf payload.
	dataLengthBuf := new(bytes.Buffer)
	binary.Write(dataLengthBuf, binary.LittleEndian, uint32(len(data)))
	// Return values of both writes are ignored in the original code.
	connection.Write(dataLengthBuf.Bytes())
	connection.Write(data)
	return nil
}
How to Exploit:
Recover beacon private key.
Construct valid WireGuard config.
Connect to listener.
Scan operator services.
Protection from this vulnerability:
Implement client traffic filtering.
Differentiate operator and beacon roles.
Use host-based firewalls.
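The first two mitigations can be combined into a per-packet policy at the netstack's forwarding point. The following is an added example and not Sliver's code: it assumes the listener keeps a table of tunnel addresses with an assigned role, and the server and beacon addresses in `demoTable` are constructed (only 100.64.0.3 appears on the page).

```go
package main

import "net/netip"

// Role classifies a peer on the listener's WireGuard virtual network.
type Role int

const (
	RoleUnknown  Role = iota
	RoleServer        // the C2 listener itself
	RoleOperator      // operator workstation
	RoleBeacon        // implant
)

// PeerTable maps each tunnel address the listener hands out to its role.
type PeerTable map[netip.Addr]Role

// Allowed is the per-packet policy: any known peer may reach the server,
// an operator may additionally reach beacons, and a beacon may reach
// nothing but the server. Addresses missing from the table are dropped.
func (p PeerTable) Allowed(src, dst netip.Addr) bool {
	s, d := p[src], p[dst]
	if s == RoleUnknown || d == RoleUnknown {
		return false
	}
	return d == RoleServer || (s == RoleOperator && d == RoleBeacon)
}

// FilterIPv4 inspects a raw IPv4 packet leaving the netstack and reports
// whether it may be forwarded; malformed or non-IPv4 packets are dropped.
func (p PeerTable) FilterIPv4(pkt []byte) bool {
	if len(pkt) < 20 || pkt[0]>>4 != 4 {
		return false
	}
	var src, dst [4]byte
	copy(src[:], pkt[12:16])
	copy(dst[:], pkt[16:20])
	return p.Allowed(netip.AddrFrom4(src), netip.AddrFrom4(dst))
}

// demoTable is a constructed assignment: 100.64.0.3 is the operator
// address named on the page; the server and beacon addresses are assumed.
func demoTable() PeerTable {
	return PeerTable{
		netip.MustParseAddr("100.64.0.1"):  RoleServer,
		netip.MustParseAddr("100.64.0.3"):  RoleOperator,
		netip.MustParseAddr("100.64.0.10"): RoleBeacon,
	}
}
```

With this in place a beacon-to-operator packet is dropped before it reaches the operator's host, while beacon-to-server and operator traffic continue to flow.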
Impact:
Operator service compromise.
Lateral movement persistence.
Information disclosure.
Sources:
Reported By: github.com