Island: add log4shell issue processing and reporting

monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py

@@ -8,6 +8,9 @@ from monkey_island.cc.services.reporting.issue_processing.exploit_processing.pro
 from monkey_island.cc.services.reporting.issue_processing.exploit_processing.processors.exploit import (  # noqa: E501
     ExploitProcessor,
 )
+from monkey_island.cc.services.reporting.issue_processing.exploit_processing.processors.log4shell import (  # noqa: E501
+    Log4ShellProcessor,
+)
 from monkey_island.cc.services.reporting.issue_processing.exploit_processing.processors.shellshock_exploit import (  # noqa: E501
     ShellShockExploitProcessor,
 )
@@ -52,6 +55,7 @@ class ExploiterDescriptorEnum(Enum):
     POWERSHELL = ExploiterDescriptor(
         "PowerShellExploiter", "PowerShell Remoting Exploiter", ExploitProcessor
     )
+    LOG4SHELL = ExploiterDescriptor("Log4ShellExploiter", "Log4j Exploiter", Log4ShellProcessor)
 
     @staticmethod
     def get_by_class_name(class_name: str) -> ExploiterDescriptor:

monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_report_info.py

@@ -21,3 +21,4 @@ class ExploiterReportInfo:
     port: Union[str, None] = None
     paths: Union[List[str], None] = None
     password_restored: Union[bool, None] = None
+    service: Union[str, None] = None

monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/processors/log4shell.py

@@ -0,0 +1,16 @@
+from monkey_island.cc.services.node import NodeService
+from monkey_island.cc.services.reporting.issue_processing.exploit_processing.exploiter_report_info import (  # noqa: E501
+    ExploiterReportInfo,
+)
+
+
+class Log4ShellProcessor:
+    @staticmethod
+    def get_exploit_info_by_dict(class_name: str, exploit_dict: dict) -> ExploiterReportInfo:
+        ip_addr = exploit_dict["data"]["machine"]["ip_addr"]
+        machine = NodeService.get_node_hostname(NodeService.get_node_or_monkey_by_ip(ip_addr))
+        port = exploit_dict["data"]["info"]["vulnerable_service"]["port"]
+        service = exploit_dict["data"]["info"]["vulnerable_service"]["service_name"]
+        return ExploiterReportInfo(
+            ip_address=ip_addr, machine=machine, type=class_name, port=port, service=service
+        )

monkey/monkey_island/cc/ui/src/components/report-components/SecurityReport.js

@@ -31,6 +31,7 @@ import {sshKeysReport, shhIssueReport, sshIssueOverview} from './security/issues
 import {sambacryIssueOverview, sambacryIssueReport} from './security/issues/SambacryIssue';
 import {elasticIssueOverview, elasticIssueReport} from './security/issues/ElasticIssue';
 import {shellShockIssueOverview, shellShockIssueReport} from './security/issues/ShellShockIssue';
+import {log4shellIssueOverview, log4shellIssueReport} from './security/issues/Log4ShellIssue';
 import {ms08_067IssueOverview, ms08_067IssueReport} from './security/issues/MS08_067Issue';
 import {
   crossSegmentIssueOverview,
@@ -158,6 +159,11 @@ class ReportPageComponent extends AuthComponent {
         [this.issueContentTypes.REPORT]: zerologonIssueReport,
         [this.issueContentTypes.TYPE]: this.issueTypes.DANGER
       },
+      'Log4ShellExploiter': {
+        [this.issueContentTypes.OVERVIEW]: log4shellIssueOverview,
+        [this.issueContentTypes.REPORT]: log4shellIssueReport,
+        [this.issueContentTypes.TYPE]: this.issueTypes.DANGER
+      },
       'zerologon_pass_restore_failed': {
         [this.issueContentTypes.OVERVIEW]: zerologonOverviewWithFailedPassResetWarning
       },

monkey/monkey_island/cc/ui/src/components/report-components/security/issues/Log4ShellIssue.js

@@ -0,0 +1,21 @@
+import React from 'react';
+import CollapsibleWellComponent from '../CollapsibleWell';
+
+export function log4shellIssueOverview() {
+  return (<li>Some servers are vulnerable to log4shell remote code execution exploit.</li>)
+}
+
+export function log4shellIssueReport(issue) {
+  return (
+      <>
+        Upgrade the log4j component to version 2.15.0 or later.
+        <CollapsibleWellComponent>
+          The {issue.service} server <span className="badge badge-primary">{issue.machine}</span> (<span
+          className="badge badge-info" style={{margin: '2px'}}>{issue.ip_address}:{issue.port}</span>) is vulnerable to <span
+          className="badge badge-danger">log4shell remote code execution</span> attack.
+          <br/>
+          The attack was made possible due to an old version of log4j component.
+        </CollapsibleWellComponent>
+      </>
+    );
+}

vulture_allowlist.py

@@ -5,6 +5,9 @@ Vulture doesn't mark these as dead again.
 """
 from infection_monkey.exploit.log4shell_utils.ldap_server import LDAPServerFactory
 from monkey_island.cc.models import Report
+from monkey_island.cc.services.reporting.issue_processing.exploit_processing.exploiter_descriptor_enum import (
+    ExploiterDescriptorEnum,
+)
 
 fake_monkey_dir_path  # unused variable (monkey/tests/infection_monkey/post_breach/actions/test_users_custom_pba.py:37)
 set_os_linux  # unused variable (monkey/tests/infection_monkey/post_breach/actions/test_users_custom_pba.py:37)
@@ -67,6 +70,7 @@ MSSQL  # unused variable (monkey/monkey_island/cc/services/reporting/issue_proce
 VSFTPD  # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:45)
 DRUPAL  # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:48)
 POWERSHELL  # (\monkey\monkey_island\cc\services\reporting\issue_processing\exploit_processing\exploiter_descriptor_enum.py:52)
+ExploiterDescriptorEnum.LOG4SHELL
 _.do_POST  # unused method (monkey/monkey_island/cc/server_utils/bootloader_server.py:26)
 PbaResults  # unused class (monkey/monkey_island/cc/models/pba_results.py:4)
 internet_access  # unused variable (monkey/monkey_island/cc/models/monkey.py:43)