Death by a Thousand Struts: A Defender's Tale - Justin Warner (@sixdub)
$Whoami - Justin Warner (@sixdub) • Principal Security Engineer @ ICEBRG focusing on detection, network data analysis, and adversary emulation testing • Computer Science grad from USAF Academy & former military computer nerd • Former red team lead who worked w/ multi-national Fortune 100 enterprises • BlackHat USA Instructor in 2015 & 2016 for Adaptive Red Team Tactics
Red -> Blue My career has been a pretty constant flip-flop of roles. I feel as though it has strengthened me technically and professionally. Job #1: Network Analyst, US Air Force Job #2: Red Team Lead, Adaptive Threat Division (ATD) Job #3: Principal Security Engineer, ICEBRG Understanding the ins and outs of operations of your opponent makes you a better-prepared opponent.
Let’s Tell A Story
This Thing Called Struts “Apache Struts is a free, open-source, MVC framework for creating elegant, modern Java web applications. It favors convention over configuration, is extensible using a plugin architecture, and ships with plugins to support REST, AJAX and JSON.” https://struts.apache.org/ Apache Struts is a prevalent framework often exposed on internet-connected devices. Due to its large, sophisticated capability set, it includes a number of external dependencies and legacy code bases.
Is Struts Common? Internet-connected Apache devices are everywhere (17 million via Shodan.io). Struts is also everywhere: “65 percent of the Fortune 100 companies are actively using web applications built with the Struts framework. This includes organizations like Lockheed Martin, the IRS, Citigroup, Vodafone, Virgin Atlantic, Reader’s Digest, Office Depot, and Showtime.” https://thenewstack.io/critical-vulnerability-apache-struts-puts-thousands-web-applications-risk/ Additionally, based on experience, internal applications are often built on Struts, making them a juicy target during post-exploitation.
Are People Still Targeting Struts? Many thanks to Andrew Morris for giving me data! Takeaways: • VPS providers are a common scanning source • People are still looking for Struts servers • This only covers external-facing scanning that looks for the default paths from the exploit POC https://greynoise.io/
Lots of CVEs CVE-2017-5638: “The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.” https://nvd.nist.gov/vuln/detail/CVE-2017-5638 CVE-2017-9791: “The Struts 1 plugin in Apache Struts 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage.” https://nvd.nist.gov/vuln/detail/CVE-2017-9791 CVE-2017-9805: “The REST Plugin in Apache Struts 2.1.2 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.” https://nvd.nist.gov/vuln/detail/CVE-2017-9805
Lots of Struts IR in 2017 In 2017, I saw many engagements that began with Struts exploitation. Throughout these cases, Struts exploitation led to: • Continuous and automated compromise for criminal purposes • Enterprise-wide ransomware deployments • Targeted attacks by threat groups with focused objectives Even after signatures were released and people knew what to look for and how to fix, we continued to witness devastating in-the-wild compromise. But why?!
Real World Conversation Common Themes: • Did not know the asset was exposed (lacked visibility). Often a legacy asset w/ no endpoint protection. • Trusted their security stack and the detections it provided • Did not have any practice performing response and remediation on the public-facing asset. Takeaways: • Visibility is a key first step. • The state of detection within organizations is still maturing. • Offensive testing and exercises could have helped these particular customers. (Thank you Kaya, my daughter, for showing how I feel here.)
What We Will Discuss - Goals Blue teams must better understand the applied detection logic in their environments. Detection authors must strive to better understand root cause/adversary behavior to author robust indicators and analytics. Red teams should focus their actions to be threat-representative to further a training objective. This might include noisy actions. This might get you caught, or it might identify a detection gap. Let’s use Apache Struts as a case study.
Analysis of POC Exploit & Detection
Time For Fun
Is This Signature / Rule Effective? One public signature for CVE-2017-9805:
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin XStream RCE (ProcessBuilder?)"; flow:to_server,established; content:"java.lang.ProcessBuilder"; nocase; http_client_body; fast_pattern; content:"<command"; nocase; distance:0; http_client_body; pcre:"/^[\s>]/RPs"; metadata: former_category EXPLOIT; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024663; rev:1; metadata:affected_product Apache_Struts2, attack_target Web_Server, deployment Perimeter, signature_severity Critical, created_at 2017_09_06, performance_impact Low, updated_at 2017_09_06;)
Where did the content matches highlighted in red come from?
Abuse Gadget From MSF Is this the only abuse gadget that can be used?
Public Signatures
SID      Rule Message
2024663  ET EXPLOIT Apache Struts 2 REST Plugin XStream RCE (ProcessBuilder)
2024664  ET EXPLOIT Apache Struts 2 REST Plugin XStream RCE (Runtime.Exec)
2024668  ET EXPLOIT Apache Struts 2 REST Plugin ysoserial Usage (B64) 1
2024669  ET EXPLOIT Apache Struts 2 REST Plugin ysoserial Usage (B64) 2
2024670  ET EXPLOIT Apache Struts 2 REST Plugin ysoserial Usage (B64) 3
2024671  ET EXPLOIT Apache Struts 2 REST Plugin (B64) 4
2024672  ET EXPLOIT Apache Struts 2 REST Plugin (B64) 5
2024673  ET EXPLOIT Apache Struts 2 REST Plugin (B64) 6
2024674  ET EXPLOIT Apache Struts 2 REST Plugin (Runtime.Exec)
2024675  ET EXPLOIT Apache Struts 2 REST Plugin (ProcessBuilder)
https://rules.emergingthreats.net/
Public Signature Analysis
SID      Rule Message
2024663  ET EXPLOIT Apache Struts 2 REST Plugin XStream RCE (ProcessBuilder)
2024664  ET EXPLOIT Apache Struts 2 REST Plugin XStream RCE (Runtime.Exec)
2024668  ET EXPLOIT Apache Struts 2 REST Plugin ysoserial Usage (B64) 1
2024669  ET EXPLOIT Apache Struts 2 REST Plugin ysoserial Usage (B64) 2
2024670  ET EXPLOIT Apache Struts 2 REST Plugin ysoserial Usage (B64) 3
2024671  ET EXPLOIT Apache Struts 2 REST Plugin (B64) 4
2024672  ET EXPLOIT Apache Struts 2 REST Plugin (B64) 5
2024673  ET EXPLOIT Apache Struts 2 REST Plugin (B64) 6
2024674  ET EXPLOIT Apache Struts 2 REST Plugin (Runtime.Exec)
2024675  ET EXPLOIT Apache Struts 2 REST Plugin (ProcessBuilder)
Legend (colour highlighting on the original slide): Black = Targeting very specific abuse gadgets; Green = Targeting the “ysoserial” Base64 blob; Red = Hardcoded URI of the app
https://rules.emergingthreats.net/
Swapping Abuse Gadgets For Fun & Profit
Time For Fun
Too Easy! This evasion took less than an hour of development and testing. • https://github.com/mbechler/marshalsec Just in case you didn’t assume this… bad guys know how to do this research too. [Figure from the credited slide: Goal / Requirement] Slide credit: Casey Smith and Matt Graeber https://microsoftrnd.co.il/Press%20Kit/BlueHat%20IL%20Decks/MattGraeber.CaseySmith.pdf
Back To Basics Of Detection
Getting In a Habit A rough process that can be used to work through authoring an indicator (shown as a cycle on the slide): Identify TTP -> Intel & Behavior Analysis -> Loose / Strict Criteria -> Indicator Creation -> Durability Testing -> Indicator Deployed -> Indicator Maintenance. Let’s further dive in on the light blue ones…
Defining Loose & Strict Criteria Strict Criteria: Components of a particular attack chain that are required to be present for the chain to exist (Strict Criteria 1 AND Strict Criteria 2). Loose Criteria: Components of a particular attack chain that will commonly be present in the attack chain. Generally, at least one of these will be present (Loose Criteria 1 OR Loose Criteria 2 OR Loose Criteria 3). Also includes attacker behavior choices.
Attacker Behind The Scenes (flow, image from McAfee Labs): Unmarshal XML Object and Populate Map Object -> Unpack XML Nodes into New Structure -> doUnmarshal Searches For Class Where Node Names Defined -> Reflection Provider Updates Field with Value From Nodes -> “Object” Returned -> Abuse Gadget Executed Upon (K,V) Access. Abuse Gadgets: • System command execution • JNDI • Remote classloading (plain) • Remote classloading (serviceloader) • Local classloading https://securingtomorrow.mcafee.com/mcafee-labs/apache-struts-at-rest-analyzing-remote-code-execution-vulnerability-cve-2017-9805/
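As an added example (not from the talk), here is the payload logic of ET rule 2024663 re-implemented in simplified form next to a strict/loose criteria check in the style of the earlier slides, run over constructed request bodies: the gadget-name matches are loose criteria, while the strict criterion (a fully qualified Java class name used as an XML element name) is derived from the XStream node-name-to-class behaviour described on the slide above. The class names com.example.app.Order and com.example.SomeOtherClass are hypothetical placeholders.

```python
import re

# Constructed request samples (not captured traffic). "known_gadget" carries the
# ProcessBuilder/<command> markers ET rule 2024663 keys on; "swapped_gadget" uses a
# hypothetical class name to stand in for any other gadget; "benign" is ordinary REST XML.
SAMPLES = {
    "known_gadget": {"method": "POST", "content_type": "application/xml", "body":
        "<map><entry><java.lang.ProcessBuilder><command><string>CONSTRUCTED</string>"
        "</command></java.lang.ProcessBuilder></entry></map>"},
    "swapped_gadget": {"method": "POST", "content_type": "application/xml", "body":
        "<map><entry><com.example.SomeOtherClass><f>x</f></com.example.SomeOtherClass></entry></map>"},
    "benign": {"method": "POST", "content_type": "application/xml", "body":
        "<order><id>42</id><notes>java.lang.ProcessBuilder is mentioned here</notes></order>"},
}

def et_2024663_matches(body: str) -> bool:
    """Simplified re-implementation of the public ET rule's payload checks:
    'java.lang.ProcessBuilder' (nocase), then '<command' (nocase, distance:0),
    then whitespace or '>' immediately after it (the rule's relative pcre)."""
    m = re.search(r"java\.lang\.ProcessBuilder", body, re.I)
    if not m:
        return False
    m2 = re.compile(r"<command", re.I).search(body, m.end())
    return bool(m2) and re.match(r"[\s>]", body[m2.end():]) is not None

# XStream resolves XML node names to Java classes, so a fully qualified class name used as
# an element name is the strict criterion; ALLOWED_CLASSES is an assumed stand-in for the
# application's own model types.
CLASS_NODE = re.compile(r"<([A-Za-z_][\w$]*(?:\.[A-Za-z_][\w$]*)+)[\s/>]")
ALLOWED_CLASSES = {"com.example.app.Order"}  # hypothetical

def class_nodes(body: str) -> set:
    return set(CLASS_NODE.findall(body))

def evaluate(req: dict) -> dict:
    strict = {  # all must hold for the deserialization chain to exist
        "xml_post": req["method"] == "POST" and req["content_type"].startswith("application/xml"),
        "foreign_class_node": bool(class_nodes(req["body"]) - ALLOWED_CLASSES),
    }
    loose = {  # gadget-specific markers that an attacker can swap out
        "et_2024663_processbuilder": et_2024663_matches(req["body"]),
        "runtime_exec": re.search(r"java\.lang\.Runtime", req["body"], re.I) is not None,
    }
    return {"strict_alert": all(strict.values()),
            "gadget_hits": [k for k, v in loose.items() if v],
            "foreign_classes": sorted(class_nodes(req["body"]) - ALLOWED_CLASSES)}
if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(name, evaluate(req))
```

The swapped-gadget sample produces no gadget hit yet still trips the strict criterion, which is the durability the loose signature-only approach lacks.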