Reverse-Engineering a Botched Lawful TLS Intercept on jabber.ru
A security researcher revisits the 2023 jabber.ru incident, in which a lawful interception operation was exposed because whoever ran it forgot to renew the TLS certificate, throwing a browser warning to users and inviting public scrutiny. The original analysis on valdikss.org pointed to acme.sh, the shell-script ACME client jabber.ru used for automated certificate renewal, as a suspicious thread. The researcher pulls on that thread to ask not just what happened, but how it was likely pulled off in the first place.
The pivot point is CVE-2023-38198, a remote code execution flaw in acme.sh disclosed in June 2023 but quietly abused well before that. The bug stems from a mismatch between how ACME challenge data appears on the wire and how acme.sh parses it, allowing command injection through the Token field. A certificate authority called HiCA was already exploiting it — ostensibly to issue legitimate certs — using IFS-redefinition and base64 tricks reminiscent of Mirai-style payloads to smuggle commands past character filters.
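The defensive lesson from the bug described above is that a value handed to an ACME client by a remote server (the challenge token) must never reach a shell construct unvalidated. The following POSIX sh example is added here and is not code from acme.sh or from the article; the function names are my own. It checks a token against the alphabet RFC 8555 (section 8.3) requires, base64url characters only, no padding, at least 128 bits of entropy (22 encoded characters), and then writes the HTTP-01 key authorization with printf instead of any eval-style expansion:

```shell
#!/bin/sh
# Added example, not code from acme.sh or the article: validate an ACME
# challenge token before it touches any shell construct, then write the
# HTTP-01 key authorization without eval. Function names are assumptions.

LC_ALL=C; export LC_ALL   # make [A-Za-z0-9] ranges mean ASCII only

# RFC 8555 section 8.3: a token uses only the base64url alphabet
# (A-Z a-z 0-9 - _), carries no "=" padding, and has at least 128 bits of
# entropy, which base64url-encodes to 22 characters. Returns 0 when valid.
acme_token_ok() {
  tok=$1
  case $tok in
    '')                 return 1 ;;   # empty token
    *[!A-Za-z0-9_-]*)   return 1 ;;   # any byte outside base64url: ; $ ` space / = ...
  esac
  [ "${#tok}" -ge 22 ] || return 1
  return 0
}

# Place the key authorization for an HTTP-01 challenge at
# <webroot>/.well-known/acme-challenge/<token>. The token is validated
# first, so it can carry neither shell metacharacters nor path components,
# and the content is written with printf rather than through eval.
write_http01_challenge() {
  webroot=$1 tok=$2 keyauth=$3
  acme_token_ok "$tok" || { printf 'refusing token: %s\n' "$tok" >&2; return 1; }
  dir="$webroot/.well-known/acme-challenge"
  mkdir -p "$dir" || return 1
  printf '%s' "$keyauth" > "$dir/$tok" || return 1
  return 0
}

# Constructed sample tokens (not real challenges) for a stand-alone run.
for t in 'Q2eDLZbG8xR-_tJq9VkH3pNwT7yAmC0s' \
         'Q2eDLZbG8xR-_tJq9VkH3pNwT7yAmC0s=' \
         'too-short' \
         'Q2eDLZbG8xR-_tJq9VkH3p;NwT7yAmC0s'; do
  if acme_token_ok "$t"; then echo "ok      $t"; else echo "reject  $t"; fi
done
```

The same check belongs in front of every other place a client interpolates server-supplied challenge data, for example DNS-01 record values and hook-script arguments; the length floor is the RFC's entropy requirement rather than a security boundary on its own, and the alphabet check is what keeps shell and path metacharacters out.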
The author tries to reproduce the published payload and fails: the IFS=^ trick refuses to survive acme.sh’s preprocessing in any variation they tested, suggesting HiCA was iterating on payloads in real time rather than shipping a finished exploit. The broader takeaway is that the intercept appears to have leveraged a real RCE in a widely-used certificate automation tool, abused by an entity positioned as a CA — a reminder of how fragile the PKI trust chain is when the tooling around it can be silently weaponized, and how easily a missed renewal cron can burn an entire operation.
Read the full article
Continue reading at Hacker News. This is an AI-generated summary; read the original for the full story.