Island: add log4shell issue processing and reporting

This commit is contained in:
vakarisz 2022-01-06 12:26:00 +02:00
parent 0b76b9f949
commit 9d5ea0f41f
6 changed files with 52 additions and 0 deletions


@ -8,6 +8,9 @@ from monkey_island.cc.services.reporting.issue_processing.exploit_processing.pro
from monkey_island.cc.services.reporting.issue_processing.exploit_processing.processors.exploit import ( # noqa: E501 from monkey_island.cc.services.reporting.issue_processing.exploit_processing.processors.exploit import ( # noqa: E501
ExploitProcessor, ExploitProcessor,
) )
from monkey_island.cc.services.reporting.issue_processing.exploit_processing.processors.log4shell import ( # noqa: E501
Log4ShellProcessor,
)
from monkey_island.cc.services.reporting.issue_processing.exploit_processing.processors.shellshock_exploit import ( # noqa: E501 from monkey_island.cc.services.reporting.issue_processing.exploit_processing.processors.shellshock_exploit import ( # noqa: E501
ShellShockExploitProcessor, ShellShockExploitProcessor,
) )
@ -52,6 +55,7 @@ class ExploiterDescriptorEnum(Enum):
POWERSHELL = ExploiterDescriptor( POWERSHELL = ExploiterDescriptor(
"PowerShellExploiter", "PowerShell Remoting Exploiter", ExploitProcessor "PowerShellExploiter", "PowerShell Remoting Exploiter", ExploitProcessor
) )
LOG4SHELL = ExploiterDescriptor("Log4ShellExploiter", "Log4j Exploiter", Log4ShellProcessor)
@staticmethod @staticmethod
def get_by_class_name(class_name: str) -> ExploiterDescriptor: def get_by_class_name(class_name: str) -> ExploiterDescriptor:


@ -21,3 +21,4 @@ class ExploiterReportInfo:
port: Union[str, None] = None port: Union[str, None] = None
paths: Union[List[str], None] = None paths: Union[List[str], None] = None
password_restored: Union[bool, None] = None password_restored: Union[bool, None] = None
service: Union[str, None] = None
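Review bot: The new `service` field says nothing about what fills it or what it means, and since it is the only field added for one specific exploiter that is worth one line: in this commit it is set only by Log4ShellProcessor, from the agent's `vulnerable_service.service_name`. I would write it as `service: Union[str, None] = None  # vulnerable service name as reported by the agent; currently set only by Log4ShellProcessor`. The dataclass header is outside the hunk.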


@ -0,0 +1,16 @@
from monkey_island.cc.services.node import NodeService
from monkey_island.cc.services.reporting.issue_processing.exploit_processing.exploiter_report_info import ( # noqa: E501
ExploiterReportInfo,
)
class Log4ShellProcessor:
@staticmethod
def get_exploit_info_by_dict(class_name: str, exploit_dict: dict) -> ExploiterReportInfo:
ip_addr = exploit_dict["data"]["machine"]["ip_addr"]
machine = NodeService.get_node_hostname(NodeService.get_node_or_monkey_by_ip(ip_addr))
port = exploit_dict["data"]["info"]["vulnerable_service"]["port"]
service = exploit_dict["data"]["info"]["vulnerable_service"]["service_name"]
return ExploiterReportInfo(
ip_address=ip_addr, machine=machine, type=class_name, port=port, service=service
)
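Review bot: The lookups in `get_exploit_info_by_dict` index `exploit_dict["data"]["info"]["vulnerable_service"]["port"]` and `["service_name"]` unconditionally, so a single exploit telemetry record that lacks `vulnerable_service` (or one of its keys) raises KeyError, and nothing in this hunk catches it — from here it looks like that would abort report processing for the whole run rather than skip this one issue. The telemetry arrives from the agent over the network, so I would treat its shape as input to validate rather than a contract: `vulnerable_service = exploit_dict["data"]["info"].get("vulnerable_service", {})`, then `port = vulnerable_service.get("port")` and `service = vulnerable_service.get("service_name")`, which keeps the None defaults on ExploiterReportInfo meaningful. Two smaller points: `ExploiterReportInfo.port` is typed `Union[str, None]` while the agent presumably sends the port as an int, so confirm which it is and convert if needed; and `NodeService.get_node_or_monkey_by_ip` returning None for an unknown IP is not handled before it is passed to `get_node_hostname` — I cannot see that function, so verify its behaviour. A docstring stating the expected `exploit_dict` layout (`data.machine.ip_addr`, `data.info.vulnerable_service.{port,service_name}`) would also help the next processor author.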


@ -31,6 +31,7 @@ import {sshKeysReport, shhIssueReport, sshIssueOverview} from './security/issues
import {sambacryIssueOverview, sambacryIssueReport} from './security/issues/SambacryIssue'; import {sambacryIssueOverview, sambacryIssueReport} from './security/issues/SambacryIssue';
import {elasticIssueOverview, elasticIssueReport} from './security/issues/ElasticIssue'; import {elasticIssueOverview, elasticIssueReport} from './security/issues/ElasticIssue';
import {shellShockIssueOverview, shellShockIssueReport} from './security/issues/ShellShockIssue'; import {shellShockIssueOverview, shellShockIssueReport} from './security/issues/ShellShockIssue';
import {log4shellIssueOverview, log4shellIssueReport} from './security/issues/Log4ShellIssue';
import {ms08_067IssueOverview, ms08_067IssueReport} from './security/issues/MS08_067Issue'; import {ms08_067IssueOverview, ms08_067IssueReport} from './security/issues/MS08_067Issue';
import { import {
crossSegmentIssueOverview, crossSegmentIssueOverview,
@ -158,6 +159,11 @@ class ReportPageComponent extends AuthComponent {
[this.issueContentTypes.REPORT]: zerologonIssueReport, [this.issueContentTypes.REPORT]: zerologonIssueReport,
[this.issueContentTypes.TYPE]: this.issueTypes.DANGER [this.issueContentTypes.TYPE]: this.issueTypes.DANGER
}, },
'Log4ShellExploiter': {
[this.issueContentTypes.OVERVIEW]: log4shellIssueOverview,
[this.issueContentTypes.REPORT]: log4shellIssueReport,
[this.issueContentTypes.TYPE]: this.issueTypes.DANGER
},
'zerologon_pass_restore_failed': { 'zerologon_pass_restore_failed': {
[this.issueContentTypes.OVERVIEW]: zerologonOverviewWithFailedPassResetWarning [this.issueContentTypes.OVERVIEW]: zerologonOverviewWithFailedPassResetWarning
}, },
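Review bot: Style: the new `'Log4ShellExploiter'` entry is wedged between the `'zerologon'` entry (the one ending with `zerologonIssueReport`) and its companion `'zerologon_pass_restore_failed'`, splitting a pair that reads as one; I would place it after `zerologon_pass_restore_failed`, or next to the ShellShock entry to mirror the import order. The key must stay byte-identical to the `class_name` the Island emits as the issue `type` (`"Log4ShellExploiter"`, the first argument of the new ExploiterDescriptor), and nothing here records that coupling, so a comment such as `// keys must match the exploiter class_name the Island reports as issue.type` on the map would help. The enclosing map and class start outside the hunk.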


@ -0,0 +1,21 @@
import React from 'react';
import CollapsibleWellComponent from '../CollapsibleWell';
export function log4shellIssueOverview() {
return (<li>Some servers are vulnerable to log4shell remote code execution exploit.</li>)
}
export function log4shellIssueReport(issue) {
return (
<>
Upgrade the log4j component to version 2.15.0 or later.
<CollapsibleWellComponent>
The {issue.service} server <span className="badge badge-primary">{issue.machine}</span> (<span
className="badge badge-info" style={{margin: '2px'}}>{issue.ip_address}:{issue.port}</span>) is vulnerable to <span
className="badge badge-danger">log4shell remote code execution</span> attack.
<br/>
The attack was made possible due to an old version of log4j component.
</CollapsibleWellComponent>
</>
);
}
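Review bot: The remediation line `Upgrade the log4j component to version 2.15.0 or later.` is out of date as written: 2.15.0 only partially mitigated CVE-2021-44228 and was followed by CVE-2021-45046 (fixed in 2.16.0) and CVE-2021-45105 (fixed in 2.17.0), so a user following this advice literally can remain exposed. I would change it to `Upgrade Log4j 2 to 2.17.1 or later (2.12.4 for Java 7, 2.3.2 for Java 6); 2.15.0 and 2.16.0 are incomplete fixes (CVE-2021-45046, CVE-2021-45105).` and name the CVE in the danger badge, e.g. `Log4Shell (CVE-2021-44228) remote code execution`, so the finding maps onto scanner output and trackers. Where an upgrade is not immediately possible, the report could mention Apache's documented workaround of removing `JndiLookup.class` from the log4j-core jar. On the rendering side, `issue.service`, `issue.machine` and `issue.ip_address` are agent-supplied strings, but they go through JSX interpolation, which escapes them, so no change is needed there.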


@ -5,6 +5,9 @@ Vulture doesn't mark these as dead again.
""" """
from infection_monkey.exploit.log4shell_utils.ldap_server import LDAPServerFactory from infection_monkey.exploit.log4shell_utils.ldap_server import LDAPServerFactory
from monkey_island.cc.models import Report from monkey_island.cc.models import Report
from monkey_island.cc.services.reporting.issue_processing.exploit_processing.exploiter_descriptor_enum import (
ExploiterDescriptorEnum,
)
fake_monkey_dir_path # unused variable (monkey/tests/infection_monkey/post_breach/actions/test_users_custom_pba.py:37) fake_monkey_dir_path # unused variable (monkey/tests/infection_monkey/post_breach/actions/test_users_custom_pba.py:37)
set_os_linux # unused variable (monkey/tests/infection_monkey/post_breach/actions/test_users_custom_pba.py:37) set_os_linux # unused variable (monkey/tests/infection_monkey/post_breach/actions/test_users_custom_pba.py:37)
@ -67,6 +70,7 @@ MSSQL # unused variable (monkey/monkey_island/cc/services/reporting/issue_proce
VSFTPD # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:45) VSFTPD # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:45)
DRUPAL # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:48) DRUPAL # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:48)
POWERSHELL # (\monkey\monkey_island\cc\services\reporting\issue_processing\exploit_processing\exploiter_descriptor_enum.py:52) POWERSHELL # (\monkey\monkey_island\cc\services\reporting\issue_processing\exploit_processing\exploiter_descriptor_enum.py:52)
ExploiterDescriptorEnum.LOG4SHELL
_.do_POST # unused method (monkey/monkey_island/cc/server_utils/bootloader_server.py:26) _.do_POST # unused method (monkey/monkey_island/cc/server_utils/bootloader_server.py:26)
PbaResults # unused class (monkey/monkey_island/cc/models/pba_results.py:4) PbaResults # unused class (monkey/monkey_island/cc/models/pba_results.py:4)
internet_access # unused variable (monkey/monkey_island/cc/models/monkey.py:43) internet_access # unused variable (monkey/monkey_island/cc/models/monkey.py:43)
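Review bot: The new `ExploiterDescriptorEnum.LOG4SHELL` line breaks the convention of the surrounding entries, which are bare member names followed by a `# unused variable (path:line)` comment (`VSFTPD`, `DRUPAL`, `POWERSHELL` just above it), and it is the only entry that needed a new import (`ExploiterDescriptorEnum` in the first hunk). I would write it as `LOG4SHELL  # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:58)` — the line number follows from the `+55,7` hunk header of the enum file, so confirm it — and drop the added import unless something else in this allowlist needs it.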