p15670423
/
monkey
1
0
Fork 5
Code Issues Pull Requests 3 Projects Releases Wiki Activity

Added discription and details for repot. 

Added discription and details about the exploit vsftpd
This commit is contained in:
Dhayalan 2019-03-11 16:09:09 +01:00
parent 2b47749385
commit 0706bddda5
2 changed files with 39 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
monkey/monkey_island/cc/services/report.py
View File

@ -58,7 +58,8 @@ class ReportService:
WEBLOGIC = 9 WEBLOGIC = 9
HADOOP = 10 HADOOP = 10
PTH_CRIT_SERVICES_ACCESS = 11, PTH_CRIT_SERVICES_ACCESS = 11,
MSSQL = 12 MSSQL = 12,
VSFTPD = 13
class WARNINGS_DICT(Enum): class WARNINGS_DICT(Enum):
CROSS_SEGMENT = 0 CROSS_SEGMENT = 0
@ -293,7 +294,7 @@ class ReportService:
@staticmethod @staticmethod
def process_vsftpd_exploit(exploit): def process_vsftpd_exploit(exploit):
processed_exploit = ReportService.process_general_creds_exploit(exploit) processed_exploit = ReportService.process_general_creds_exploit(exploit)
processed_exploit['type'] = 'ftp' processed_exploit['type'] = 'vsftp'
return processed_exploit return processed_exploit
@staticmethod @staticmethod
@ -652,6 +653,8 @@ class ReportService:
issues_byte_array[ReportService.ISSUES_DICT.ELASTIC.value] = True issues_byte_array[ReportService.ISSUES_DICT.ELASTIC.value] = True
elif issue['type'] == 'sambacry': elif issue['type'] == 'sambacry':
issues_byte_array[ReportService.ISSUES_DICT.SAMBACRY.value] = True issues_byte_array[ReportService.ISSUES_DICT.SAMBACRY.value] = True
elif issue['type'] == 'vsftp':
issues_byte_array[ReportService.ISSUES_DICT.VSFTPD.value] = True
elif issue['type'] == 'shellshock': elif issue['type'] == 'shellshock':
issues_byte_array[ReportService.ISSUES_DICT.SHELLSHOCK.value] = True issues_byte_array[ReportService.ISSUES_DICT.SHELLSHOCK.value] = True
elif issue['type'] == 'conficker': elif issue['type'] == 'conficker':

34
monkey/monkey_island/cc/ui/src/components/pages/ReportPage.js
View File

@ -30,7 +30,8 @@ class ReportPageComponent extends AuthComponent {
WEBLOGIC: 9, WEBLOGIC: 9,
HADOOP: 10, HADOOP: 10,
PTH_CRIT_SERVICES_ACCESS: 11, PTH_CRIT_SERVICES_ACCESS: 11,
MSSQL: 12 MSSQL: 12,
VSFTPD: 13
}; };
Warning = Warning =
@ -301,7 +302,7 @@ class ReportPageComponent extends AuthComponent {
className="label label-warning"> className="label label-warning">
{this.state.report.overview.issues.filter(function (x) { {this.state.report.overview.issues.filter(function (x) {
return x === true; return x === true;
}).length} threats</span>: }).length} threats.</span>:
<ul> <ul>
{this.state.report.overview.issues[this.Issue.STOLEN_SSH_KEYS] ? {this.state.report.overview.issues[this.Issue.STOLEN_SSH_KEYS] ?
<li>Stolen SSH keys are used to exploit other machines.</li> : null } <li>Stolen SSH keys are used to exploit other machines.</li> : null }
@ -311,6 +312,10 @@ class ReportPageComponent extends AuthComponent {
<li>Elasticsearch servers are vulnerable to <a <li>Elasticsearch servers are vulnerable to <a
href="https://www.cvedetails.com/cve/cve-2015-1427">CVE-2015-1427</a>. href="https://www.cvedetails.com/cve/cve-2015-1427">CVE-2015-1427</a>.
</li> : null} </li> : null}
{this.state.report.overview.issues[this.Issue.VSFTPD] ?
<li>VSFTPD is vulnerable to <a
href="https://www.rapid7.com/db/modules/exploit/unix/ftp/vsftpd_234_backdoor">CVE-2011-2523</a>.
</li> : null}
{this.state.report.overview.issues[this.Issue.SAMBACRY] ? {this.state.report.overview.issues[this.Issue.SAMBACRY] ?
<li>Samba servers are vulnerable to SambaCry (<a <li>Samba servers are vulnerable to SambaCry (<a
href="https://www.samba.org/samba/security/CVE-2017-7494.html" href="https://www.samba.org/samba/security/CVE-2017-7494.html"
@ -675,6 +680,28 @@ class ReportPageComponent extends AuthComponent {
); );
} }
generateVsftpdBackdoorIssue(issue) {
return (
<li>
Update your VSFTPD server to the latest version vsftpd-3.0.3.
<CollapsibleWellComponent>
The machine <span className="label label-primary">{issue.machine}</span> (<span
className="label label-info" style={{margin: '2px'}}>{issue.ip_address}</span>) has a backdoor running at port <span
className="label label-danger">6200</span>.
<br/>
The attack was made possible because the VSFTPD server was not patched against CVE-2011-2523.
<br/><br/>In July 2011, it was discovered that vsftpd version 2.3.4 downloadable from the master site had been compromised.
Users logging into a compromised vsftpd-2.3.4 server may issue a ":)" smileyface as the username and gain a command shell on port 6200.
<br/><br/>
The Monkey executed commands by first logging in with ":)" in the username and then sending commands to the backdoor at port 6200.
<br/><br/>Read more about the security issue and remediation <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2523"
>here</a>.
</CollapsibleWellComponent>
</li>
);
}
generateElasticIssue(issue) { generateElasticIssue(issue) {
return ( return (
<li> <li>
@ -890,6 +917,9 @@ generateMSSQLIssue(issue) {
generateIssue = (issue) => { generateIssue = (issue) => {
let data; let data;
switch (issue.type) { switch (issue.type) {
case 'vsftp':
data = this.generateVsftpdBackdoorIssue(issue);
break;
case 'smb_password': case 'smb_password':
data = this.generateSmbPasswordIssue(issue); data = this.generateSmbPasswordIssue(issue);
break; break;