Cobalt Strike RCE (CVE-2022-39197)

Related to JLabel Java object instantiation ## Tweets - https://twitter.com/Y4tacker/status/1574786502768279553 <blockquote class="twitter-tweet">CVE-2022-39197 Cobalt Strike < 4.7.1 RCE，看了我漂亮鼠简单分析文章一瞬间下班三小时分析拿下 <a href="https://t.co/X9iWPSJCBl">pic.twitter.com/X9iWPSJCBl</a>— Lazytom (@Y4tacker) <a href="https://twitter.com/Y4tacker/status/1574786502768279553?ref_src=twsrc%5Etfw">September 27, 2022</a></blockquote> - https://twitter.com/buffaloverflow/status/1572714887608160256 <blockquote class="twitter-tweet">Cobalt Strike CVE-2022-39197. Quite easy to repro from the release notes. Red Teamers, patch your Team Servers 🙂<a href="https://t.co/bpAycCOgQ1">https://t.co/bpAycCOgQ1</a> <a href="https://t.co/3osCNa8uFd">pic.twitter.com/3osCNa8uFd</a>— Rich Warren (@buffaloverflow) <a href="https://twitter.com/buffaloverflow/status/1572714887608160256?ref_src=twsrc%5Etfw">September 21, 2022</a></blockquote> - https://twitter.com/drivertomtt/status/1575339990589927425 <blockquote class="twitter-tweet">CVE-2022-39197 Real RCE 谢谢<a href="https://twitter.com/Y4tacker?ref_src=twsrc%5Etfw">@Y4tacker</a> 手把手教我 PS：考虑到影响程度我们暂时不准备公开POC，请见谅 <a href="https://t.co/bTf25vz07n">pic.twitter.com/bTf25vz07n</a>— drivertom (@drivertomtt) <a href="https://twitter.com/drivertomtt/status/1575339990589927425?ref_src=twsrc%5Etfw">September 29, 2022</a></blockquote> - https://twitter.com/pyn3rd/status/1576104297258840064 <blockquote class="twitter-tweet">Rendering HTML in Java Swing application, Cobalt Strike ,etc., could lead to RCE with some gadgets. It’s absolutely an awesome find. <a href="https://t.co/ASzm1KVeNg">pic.twitter.com/ASzm1KVeNg</a>— pyn3rd (@pyn3rd) <a href="https://twitter.com/pyn3rd/status/1576104297258840064?ref_src=twsrc%5Etfw">October 1, 2022</a></blockquote> - https://twitter.com/burp_heart/status/1574643705767956480 <blockquote class="twitter-tweet">给Cobalt Strike XSS的漏洞写了一个临时补丁 通过 hook javax.swing.plaf.basic.BasicHTML的isHTMLString方法来禁用swing的html支持<a href="https://t.co/7M4Wb1VPH3">https://t.co/7M4Wb1VPH3</a> 漂亮鼠大佬的漏洞分析<a href="https://t.co/pQTBjggZVU">https://t.co/pQTBjggZVU</a>— 橙子酱 (@burp_heart) <a href="https://twitter.com/burp_heart/status/1574643705767956480?ref_src=twsrc%5Etfw">September 27, 2022</a></blockquote> - https://twitter.com/0x09AL/status/1576509338738634752 <blockquote class="twitter-tweet">After an unhealthy amount of hours put into this, I finally managed to get RCE on Cobalt Strike. I would recommend avoiding it for a while as CVE-2022-39197 is not sufficient. <a href="https://t.co/Wpnq5WST67">pic.twitter.com/Wpnq5WST67</a>— Rio (@0x09AL) <a href="https://twitter.com/0x09AL/status/1576509338738634752?ref_src=twsrc%5Etfw">October 2, 2022</a></blockquote> - https://twitter.com/FuzzySec/status/1576565560812269569 <blockquote class="twitter-tweet">Here is an RCE demo for Cobalt Strike CVE-2022-39197. Like <a href="https://twitter.com/0x09AL?ref_src=twsrc%5Etfw">@0x09AL</a> said the patch is not a complete fix, be careful. Also I don't want to see any more java code for a while, holy f. Maybe at some point I will post some patch analysis 🥃<a href="https://t.co/CVZ1ZgwcQ6">https://t.co/CVZ1ZgwcQ6</a>— b33f | 🇺🇦✊ (@FuzzySec) <a href="https://twitter.com/FuzzySec/status/1576565560812269569?ref_src=twsrc%5Etfw">October 2, 2022</a></blockquote> ## Links - CVE disclosure: https://www.cobaltstrike.com/blog/out-of-band-update-cobalt-strike-4-7-1/ - CN vulnerability analysis: https://mp.weixin.qq.com/s/l5e2p_WtYSCYYhYE0lzRdQ ## Data <iframe width="560" height="315" src="https://www.youtube.com/embed/cjg9FJFoezo" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>