Comprehensive Technical Analysis of CVE-2020-36911: Covenant JWT Remote Code Execution Vulnerability

1. Vulnerability Assessment and Severity Evaluation

CVE ID: CVE-2020-36911 CVSS Score: 9.8 (Critical) – AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Vulnerability Type: Remote Code Execution (RCE) via JWT Token Forgery Exploitability: High (Unauthenticated, network-accessible, low complexity)

Severity Breakdown

• Attack Vector (AV:N): Exploitable remotely over a network without physical access.
• Attack Complexity (AC:L): Low complexity; no special conditions required.
• Privileges Required (PR:N): No authentication required (unauthenticated attacker).
• User Interaction (UI:N): No user interaction needed.
• Scope (S:U): Impact confined to the vulnerable component (Covenant).
• Confidentiality (C:H): Full compromise of sensitive data (e.g., credentials, session tokens).
• Integrity (I:H): Complete control over system modifications (e.g., payload execution).
• Availability (A:H): Full denial of service or persistent backdoor installation.

This vulnerability is critical due to its unauthenticated RCE nature, enabling attackers to gain full control over affected systems with minimal effort.

---

2. Potential Attack Vectors and Exploitation Methods

Root Cause Analysis

Covenant (a .NET-based command-and-control framework) improperly validates JSON Web Tokens (JWT) used for authentication. The flaw allows attackers to:

1. Forge JWT tokens with arbitrary claims (e.g., admin: true).
2. Bypass authentication and gain administrative privileges.
3. Upload malicious DLLs (via Covenant’s "Grunt" implant mechanism) to execute arbitrary code.

Exploitation Workflow

1. JWT Token Forgery

   • Attackers craft a malicious JWT with:
     • A valid signature (if using a known key or none at all).
     • A forged role claim (e.g., "role": "Administrator").
   • Tools like jwt_tool or custom scripts can automate this.

2. Authentication Bypass

   • The forged token is sent to Covenant’s API (e.g., /api/users/login).
   • Covenant fails to validate the token’s integrity, granting admin access.

3. Arbitrary Code Execution

   • Attackers upload a custom DLL payload (e.g., via /api/grunts/upload).
   • The DLL is loaded by Covenant’s Grunt implant, executing attacker-controlled code.
   • Example payloads:
     • Reverse shell (e.g., msfvenom -p windows/x64/meterpreter/reverse_tcp).
     • Persistence mechanisms (e.g., registry modifications, scheduled tasks).

4. Post-Exploitation

   • Lateral movement within the network.
   • Data exfiltration (e.g., credentials, sensitive files).
   • Deployment of ransomware or other malware.

Proof-of-Concept (PoC) Exploits

• Metasploit Module: covenant_jwt_rce.rb (automates JWT forgery and RCE).
• Exploit-DB Entry: #51141 (manual exploitation steps).
• VulnCheck Advisory: Covenant RCE Analysis (detailed technical breakdown).

---

3. Affected Systems and Software Versions

Software	Affected Versions	Fixed Versions	Notes
Covenant	0.1.3 – 0.5	0.6+ (or patched)	Open-source C2 framework
.NET Runtime	Any (if running Covenant)	N/A	Vulnerability is in Covenant, not .NET itself

Deployment Scenarios at Risk

• Red Team Operations: Covenant is widely used in penetration testing; misconfigured instances are prime targets.
• Malicious C2 Servers: Threat actors may deploy vulnerable Covenant instances to evade detection.
• Enterprise Environments: If Covenant is used for internal security testing, unpatched versions pose a severe risk.

---

4. Recommended Mitigation Strategies

Immediate Actions

1. Upgrade Covenant

   • Update to Covenant v0.6 or later (or apply vendor patches).
   • Monitor Covenant’s GitHub for security updates.

2. JWT Hardening

   • Enforce strong JWT signing algorithms (e.g., RS256 instead of HS256 or none).
   • Disable JWT "none" algorithm (common in forgery attacks).
   • Implement short-lived tokens with refresh mechanisms.

3. Network-Level Protections

   • Restrict Covenant API access via firewall rules (e.g., allow only trusted IPs).
   • Deploy WAF rules to detect and block JWT forgery attempts (e.g., OWASP ModSecurity Core Rule Set).

4. Runtime Protections

   • Enable .NET Code Access Security (CAS) to restrict DLL loading.
   • Monitor for suspicious DLL uploads (e.g., via EDR/XDR solutions).

Long-Term Recommendations

• Conduct a Security Audit

  • Review Covenant’s authentication and authorization mechanisms.
  • Test for other JWT-related vulnerabilities (e.g., algorithm confusion, key leakage).

• Implement Zero Trust

  • Assume breach; enforce least privilege for Covenant users.
  • Use multi-factor authentication (MFA) for admin access.

• Threat Hunting

  • Search for indicators of compromise (IoCs):
    • Unusual JWT tokens in logs.
    • Unexpected DLL uploads or process executions.
  • Monitor for lateral movement from Covenant servers.

---

5. Impact on the Cybersecurity Landscape

Threat Actor Exploitation

• Red Team vs. Blue Team Dynamics:

  • Attackers can hijack legitimate Covenant instances used by security teams, turning defensive tools into offensive weapons.
  • Supply chain risks: Compromised Covenant deployments may lead to broader network breaches.

• Malware and APT Campaigns:

  • Ransomware groups (e.g., LockBit, BlackCat) may exploit this to deploy payloads.
  • State-sponsored actors could leverage it for espionage (e.g., DLL-based implants).

Industry-Wide Implications

• Increased Scrutiny on C2 Frameworks:

  • Similar vulnerabilities may exist in other C2 tools (e.g., Mythic, Sliver, Cobalt Strike).
  • Regulatory pressure on vendors to improve security in offensive security tools.

• Shift in Red Teaming Practices:

  • Organizations may avoid open-source C2 tools in favor of commercial alternatives with better security controls.
  • Enhanced vetting of third-party security tools before deployment.

---

6. Technical Details for Security Professionals

JWT Forgery Exploitation Deep Dive

Vulnerable JWT Validation Logic

Covenant’s authentication relies on the following flawed logic:

// Pseudocode of vulnerable JWT validation
var tokenHandler = new JwtSecurityTokenHandler();
var validationParameters = new TokenValidationParameters
{
    ValidateIssuer = false,
    ValidateAudience = false,
    ValidateLifetime = false,  // No expiration check
    ValidateIssuerSigningKey = false,  // No signature validation
    RequireExpirationTime = false,
    RequireSignedTokens = false  // Allows "none" algorithm
};
var principal = tokenHandler.ValidateToken(token, validationParameters, out _);

Key Issues:

• No signature validation (ValidateIssuerSigningKey = false).
• No algorithm enforcement (RequireSignedTokens = false).
• No expiration checks (ValidateLifetime = false).

Exploit Construction

1. Generate a Forged JWT:

   {
     "alg": "none",
     "typ": "JWT"
   }
   {
     "sub": "admin",
     "role": "Administrator",
     "exp": 9999999999
   }
   

   • Base64-encode the header and payload, then concatenate with a dot (.).
   • Since alg: none, no signature is required.

2. Send the Token to Covenant’s API:

   POST /api/users/login HTTP/1.1
   Host: <covenant-server>
   Content-Type: application/json
   
   {
     "token": "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiJhZG1pbiIsInJvbGUiOiJBZG1pbmlzdHJhdG9yIiwiZXhwIjo5OTk5OTk5OTk5fQ."
   }
   

   • If successful, the server returns an authenticated session.

3. Upload a Malicious DLL:

   POST /api/grunts/upload HTTP/1.1
   Host: <covenant-server>
   Authorization: Bearer <forged-token>
   Content-Type: multipart/form-data; boundary=----
   
   ------
   Content-Disposition: form-data; name="file"; filename="malicious.dll"
   Content-Type: application/octet-stream
   
   <DLL binary data>
   ------
   

   • The DLL is executed by Covenant’s Grunt implant.

Detection and Forensics

Indicators of Compromise (IoCs)

IoC Type	Example
JWT Tokens	Tokens with alg: none or unexpected role: Administrator claims.
Network Traffic	Unusual POST /api/users/login or /api/grunts/upload requests.
File System	Unexpected DLLs in Covenant’s Grunt directories.
Process Execution	Suspicious child processes spawned by Covenant.exe.

Log Analysis Queries

• Splunk/ELK:

  index=covenant sourcetype=api_logs
  | search "alg=none" OR "role=Administrator"
  | stats count by src_ip, user_agent
  

• Windows Event Logs:
  • Event ID 4688 (Process Creation): Look for Covenant.exe spawning cmd.exe or powershell.exe.
  • Event ID 4663 (File Access): Monitor DLL uploads to C:\Program Files\Covenant\Grunt\.

Defensive Tooling Recommendations

Tool	Use Case
Burp Suite / OWASP ZAP	Test JWT validation logic in Covenant’s API.
YARA Rules	Detect malicious DLLs uploaded to Covenant.
Sigma Rules	Alert on JWT forgery attempts in logs.
Velociraptor	Hunt for Covenant artifacts on endpoints.

---

Conclusion

CVE-2020-36911 represents a critical unauthenticated RCE vulnerability in Covenant, stemming from improper JWT validation. Its high severity (CVSS 9.8) and ease of exploitation make it a prime target for threat actors, including ransomware groups and APTs.

Key Takeaways for Security Teams:

1. Patch immediately to Covenant v0.6+ or apply vendor fixes.
2. Harden JWT implementations (disable none algorithm, enforce signatures).
3. Monitor for exploitation (JWT forgery, DLL uploads, suspicious processes).
4. Assume breach and hunt for post-exploitation activity.

Given the widespread use of Covenant in red teaming, this vulnerability underscores the importance of securing offensive security tools to prevent them from becoming attack vectors.

---

References:

• VulnCheck Advisory
• Exploit-DB #51141
• Covenant GitHub
• JWT Security Best Practices (OWASP)