From 9d5ea0f41fb988445ed54775aa554b4be3ce39cf Mon Sep 17 00:00:00 2001
From: vakarisz
Date: Thu, 6 Jan 2022 12:26:00 +0200
Subject: [PATCH] Island: add log4shell issue processing and reporting

---
 .../exploiter_descriptor_enum.py | 4 ++++
 .../exploiter_report_info.py | 1 +
 .../processors/log4shell.py | 16 ++++++++++++++
 .../report-components/SecurityReport.js | 6 ++++++
 .../security/issues/Log4ShellIssue.js | 21 +++++++++++++++++++
 vulture_allowlist.py | 4 ++++
 6 files changed, 52 insertions(+)
 create mode 100644 monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/processors/log4shell.py
 create mode 100644 monkey/monkey_island/cc/ui/src/components/report-components/security/issues/Log4ShellIssue.js

diff --git a/monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py b/monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py
index 15e1bfef4..bb63e3cb9 100644
--- a/monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py
+++ b/monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py
@@ -8,6 +8,9 @@ from monkey_island.cc.services.reporting.issue_processing.exploit_processing.pro
 from monkey_island.cc.services.reporting.issue_processing.exploit_processing.processors.exploit import ( # noqa: E501
     ExploitProcessor,
 )
+from monkey_island.cc.services.reporting.issue_processing.exploit_processing.processors.log4shell import ( # noqa: E501
+    Log4ShellProcessor,
+)
 from monkey_island.cc.services.reporting.issue_processing.exploit_processing.processors.shellshock_exploit import ( # noqa: E501
     ShellShockExploitProcessor,
 )
@@ -52,6 +55,7 @@ class ExploiterDescriptorEnum(Enum):
     POWERSHELL = ExploiterDescriptor(
         "PowerShellExploiter", "PowerShell Remoting Exploiter", ExploitProcessor
     )
+    LOG4SHELL = ExploiterDescriptor("Log4ShellExploiter", "Log4j Exploiter", Log4ShellProcessor)
 
     @staticmethod
     def get_by_class_name(class_name: str) -> ExploiterDescriptor:
diff --git a/monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_report_info.py b/monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_report_info.py
index 087ee6a39..069d93a8d 100644
--- a/monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_report_info.py
+++ b/monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_report_info.py
@@ -21,3 +21,4 @@ class ExploiterReportInfo:
     port: Union[str, None] = None
     paths: Union[List[str], None] = None
     password_restored: Union[bool, None] = None
+    service: Union[str, None] = None
diff --git a/monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/processors/log4shell.py b/monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/processors/log4shell.py
new file mode 100644
index 000000000..62330e424
--- /dev/null
+++ b/monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/processors/log4shell.py
@@ -0,0 +1,16 @@
+from monkey_island.cc.services.node import NodeService
+from monkey_island.cc.services.reporting.issue_processing.exploit_processing.exploiter_report_info import ( # noqa: E501
+    ExploiterReportInfo,
+)
+
+
+class Log4ShellProcessor:
+    @staticmethod
+    def get_exploit_info_by_dict(class_name: str, exploit_dict: dict) -> ExploiterReportInfo:
+        ip_addr = exploit_dict["data"]["machine"]["ip_addr"]
+        machine = NodeService.get_node_hostname(NodeService.get_node_or_monkey_by_ip(ip_addr))
+        port = exploit_dict["data"]["info"]["vulnerable_service"]["port"]
+        service = exploit_dict["data"]["info"]["vulnerable_service"]["service_name"]
+        return ExploiterReportInfo(
+            ip_address=ip_addr, machine=machine, type=class_name, port=port, service=service
+        )
diff --git a/monkey/monkey_island/cc/ui/src/components/report-components/SecurityReport.js b/monkey/monkey_island/cc/ui/src/components/report-components/SecurityReport.js
index 3dcf94615..5ea202629 100644
--- a/monkey/monkey_island/cc/ui/src/components/report-components/SecurityReport.js
+++ b/monkey/monkey_island/cc/ui/src/components/report-components/SecurityReport.js
@@ -31,6 +31,7 @@ import {sshKeysReport, shhIssueReport, sshIssueOverview} from './security/issues
 import {sambacryIssueOverview, sambacryIssueReport} from './security/issues/SambacryIssue';
 import {elasticIssueOverview, elasticIssueReport} from './security/issues/ElasticIssue';
 import {shellShockIssueOverview, shellShockIssueReport} from './security/issues/ShellShockIssue';
+import {log4shellIssueOverview, log4shellIssueReport} from './security/issues/Log4ShellIssue';
 import {ms08_067IssueOverview, ms08_067IssueReport} from './security/issues/MS08_067Issue';
 import {
   crossSegmentIssueOverview,
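Review bot: get_exploit_info_by_dict indexes `exploit_dict["data"]["info"]["vulnerable_service"]["port"]` and `["service_name"]` unconditionally, so a single Log4Shell telemetry record that lacks those keys raises KeyError while the report is assembled, which presumably aborts report generation for the whole run rather than dropping one row. Since `ExploiterReportInfo.port` and the new `service` field both default to None, the lookup can degrade gracefully instead: `vulnerable_service = exploit_dict["data"]["info"].get("vulnerable_service", {})`, `port = vulnerable_service.get("port")`, `service = vulnerable_service.get("service_name")`. `port` is annotated `Union[str, None]` on ExploiterReportInfo; if the agent reports it as an integer the dataclass will carry an int unchecked, which looks harmless for rendering but is worth confirming against the other processors. A one-line docstring naming the telemetry keys this processor expects would help whoever adds the next one.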
@@ -158,6 +159,11 @@ class ReportPageComponent extends AuthComponent {
       [this.issueContentTypes.REPORT]: zerologonIssueReport,
       [this.issueContentTypes.TYPE]: this.issueTypes.DANGER
     },
+    'Log4ShellExploiter': {
+      [this.issueContentTypes.OVERVIEW]: log4shellIssueOverview,
+      [this.issueContentTypes.REPORT]: log4shellIssueReport,
+      [this.issueContentTypes.TYPE]: this.issueTypes.DANGER
+    },
     'zerologon_pass_restore_failed': {
       [this.issueContentTypes.OVERVIEW]: zerologonOverviewWithFailedPassResetWarning
     },
diff --git a/monkey/monkey_island/cc/ui/src/components/report-components/security/issues/Log4ShellIssue.js b/monkey/monkey_island/cc/ui/src/components/report-components/security/issues/Log4ShellIssue.js
new file mode 100644
index 000000000..e9642d71e
--- /dev/null
+++ b/monkey/monkey_island/cc/ui/src/components/report-components/security/issues/Log4ShellIssue.js
@@ -0,0 +1,21 @@
+import React from 'react';
+import CollapsibleWellComponent from '../CollapsibleWell';
+
+export function log4shellIssueOverview() {
+  return (
  • Some servers are vulnerable to log4shell remote code execution exploit.
  • ) +} + +export function log4shellIssueReport(issue) { + return ( + <> + Upgrade the log4j component to version 2.15.0 or later. + + The {issue.service} server {issue.machine} ({issue.ip_address}:{issue.port}) is vulnerable to log4shell remote code execution attack. +
    + The attack was made possible due to an old version of log4j component. +
    + + ); +}
diff --git a/vulture_allowlist.py b/vulture_allowlist.py
index e8d637285..b8509e6b8 100644
--- a/vulture_allowlist.py
+++ b/vulture_allowlist.py
@@ -5,6 +5,9 @@ Vulture doesn't mark these as dead again.
 """
 from infection_monkey.exploit.log4shell_utils.ldap_server import LDAPServerFactory
 from monkey_island.cc.models import Report
+from monkey_island.cc.services.reporting.issue_processing.exploit_processing.exploiter_descriptor_enum import (
+    ExploiterDescriptorEnum,
+)
 
 fake_monkey_dir_path # unused variable (monkey/tests/infection_monkey/post_breach/actions/test_users_custom_pba.py:37)
 set_os_linux # unused variable (monkey/tests/infection_monkey/post_breach/actions/test_users_custom_pba.py:37)
@@ -67,6 +70,7 @@ MSSQL # unused variable (monkey/monkey_island/cc/services/reporting/issue_proce
 VSFTPD # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:45)
 DRUPAL # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:48)
 POWERSHELL # (\monkey\monkey_island\cc\services\reporting\issue_processing\exploit_processing\exploiter_descriptor_enum.py:52)
+ExploiterDescriptorEnum.LOG4SHELL
 _.do_POST # unused method (monkey/monkey_island/cc/server_utils/bootloader_server.py:26)
 PbaResults # unused class (monkey/monkey_island/cc/models/pba_results.py:4)
 internet_access # unused variable (monkey/monkey_island/cc/models/monkey.py:43)
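Review bot: log4shellIssueReport pins its remediation text to one log4j version (`Upgrade the log4j component to version 2.15.0 or later.`); that release was followed shortly by further Log4j security releases before this commit's date, so the report would tell users a version that still needs patching is sufficient. Prefer wording that does not hard-code a number and points at the vendor's advisory instead, e.g. `Upgrade the log4j component to the latest release listed as fixed in the Apache Log4j security advisories.`, so the guidance does not go stale with the next fix. The JSX markup of this hunk appears to have been stripped in this rendering, so the surrounding elements and the `{issue.service}` / `{issue.port}` placement cannot be checked here.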