
Struts2 is under attack or CVE-2013-2115

I want to write a small post for those who own Struts2 projects. Guys, if you don't read the CERT mailing list or my Twitter account (well, I can forgive that ...), and don't pay attention to the Struts2 newsletter about updates, then think again: this story is for you.

Start.

This story began on the 16th of July. I was peacefully riding the subway and reading Isaac Asimov; as they say, nothing foreshadowed trouble. On the way I decided to check the corporate mail, and found a letter from our guys in the Chinese office. They said that a message about a vulnerability in Struts2 had appeared that day; the vulnerability allowed anyone to get full remote control over the server (arbitrary code execution) with the rights of the web service. Great, guys ... and the day had only just begun. Fine, but on top of that, our guys had learned about it from a Chinese hacking forum, where other funny guys had posted a full-fledged exploit, "press the button and the Internet is hacked" style, which means that now all these funny guys would start breaking this most unhappy Internet. This is not especially pleasant when you realise that we have several services based on this framework. Nervously tapping my foot, I mentally sped up the train. And then I run into the office and turn on the laptop. Yes, indeed: an advisory from the vendor, http://struts.apache.org/release/2.3.x/docs/s2-016.html . The guys had even added a slightly cropped exploit example to their message. And ... it is OGNL again ... Struts2 has eternal problems with OGNL:

http://blog.o0o.nu/2010/07/cve-2010-1870-struts2xwork-remote.html (2010)
http://blog.o0o.nu/2012/01/cve-2011-3923-yet-another-struts2.html (2011)
https://communities.coverity.com/blogs/security/2013/05/29/struts2-remote-code-execution-via-ognl-injection (2013, May)

And here it is again ... Okay. But this time the clock was ticking: on the Chinese forum, publicly available, was "an exploit for everyone": http://kuxoo.com/archives/260/ .

An example of the exploit, so that you do not have to open a link full of Chinese characters; look for it in your logs:

localhost/Struts2/test.action?redirect:${#a=(new java.lang.ProcessBuilder(new java.lang.String[]{'netstat'})).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#matt=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#matt.getWriter().println(#e),#matt.getWriter().flush(),#matt.getWriter().close()}

What does this mean? That the clock was now counting in seconds. At the same time, I hope you understand that you cannot simply push a Struts2 update onto production services without testing and the other procedures; besides, different regions are in different time zones. These are all normal operational matters; one way or another, where it was possible the fixes were rolled out, elsewhere the IPS / WAF was tuned, in third places service filters were applied. In short, there are plenty of ways to block the threat, and everything was done so as to protect against possible attacks.

On the 17th, the enemy appeared at our borders. Mostly Chinese IP addresses. They scanned, unsuccessfully, for precisely this vulnerability. It turns out that the reaction time to prevent an intrusion, counted from the release of the patch, was 1 day, and it was crucial. The Chinese attackers, every last one of them, used the same exploit, which can be recognised by the matt variable. Although there are countless ways to execute code through OGNL expressions: almost the full power of Java is in the attacker's hands.

Internet reaction

Meanwhile on the Internet, in the blogosphere, in the news, and even on Twitter, it was quiet. This is not like the information security community; too quiet, and given the popularity of Struts2, strange. I tweeted on the topic, but it stayed quiet; only a few colleagues said that they were fighting off attacks.
A little later (on the 21st or 22nd) the news about the hack of developer.apple.com broke. I did not pay attention at first, and only then suddenly realised that the developer portal ran on Struts2. Apparently that is how they got in ... Of course there was news that a certain researcher had reported vulnerabilities, but I do not believe it. Most likely this guy just replayed the Chinese public exploit and reported the bug, but the server had already been hacked before that. Otherwise it would not have been turned off for so long. And then this guy simply decided to turn it into a PR stunt in his own honour, saying he hacked Apple. Around the 24th or 25th I became curious whether ANYONE at all had stirred and fixed it.
For example, one large Belarusian bank fixed it only on the 25th. About QIWI you can read here: http://habrahabr.ru/company/qiwi/blog/187724/#comment_6524512 . The rest of Russia is at peace and quiet. The state procurement system was found to be vulnerable. One important service of a Ministry of the Russian Federation, with a pile of personal and even more interesting data, is vulnerable. What kind of cyber war can we even talk about? Lukatsky did not write about it in his blog, well, to hell with him; and the fact that the Chinese comrades are full of backdoors, who cares, that isn't personal data to discuss. Sadly, the country is not ready not just for 0day, but even for known 1day attacks in their most acute period, and this more than a week after the patch was released! Even the banks of the CIS came to their senses faster. BUT if you think that only in Russia everything is always bad, you are mistaken. I was not too lazy to scan the most interesting resources: the government resources of other countries are still vulnerable. And an attack on some of them would have quite interesting consequences in the physical world.

Not every workaround is good

The second observation concerns those who knew about the attacks and the bug and cobbled together a hot fix. I found two services from major world vendors. Both servers had hotfixes that did not let the attack through. But both vendors made the same mistake. In the advisory and in the public exploit there was only one attack vector: the GET request. But POST is worth checking too. The guys did not foresee this in the heat of battle; as a result I got a shell on both servers, which I immediately reported to both companies. The fixes came out within a few hours. Screenshots with proof of access will be in the next issue of ][ magazine.
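A defender's check for the two points above, the matt signature in the logs and the GET-only hotfix mistake, as an added example that is not from the original post: it parses constructed request records, looks at both the query string and the POST body for the OGNL prefix-parameter pattern, and with check_body=False shows exactly what a GET-only workaround misses. The prefixes beyond "redirect:" are taken from the linked S2-016 advisory; the log format, function names and sample records are my assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Prefix parameters whose remainder Struts2's DefaultActionMapper evaluated as OGNL
# (S2-016). The post shows "redirect:"; the other two are listed in the linked advisory.
PREFIXES = ("redirect:", "redirectAction:", "action:")
OGNL_MARK = re.compile(r"[$%]\{")   # "${...}" as in the post, "%{...}" is the other Struts syntax
KNOWN_EXPLOIT_MARK = "#matt"        # variable name that, per the post, marked the public exploit

def inspect_request(method, uri, body="", check_body=True):
    """Return (location, verdict) findings for one request.
    check_body=False reproduces the GET-only hotfix mistake described above:
    the same payload moved into a POST body is never looked at."""
    sources = [("query", uri.partition("?")[2])]
    if check_body and method.upper() == "POST":
        sources.append(("body", body))
    findings = []
    for where, raw in sources:
        # keep_blank_values: the exploit carries the whole OGNL expression in the
        # parameter *name* with no value, which parse_qsl would otherwise drop.
        for name, value in parse_qsl(raw, keep_blank_values=True):
            text = unquote_plus(name) + "=" + unquote_plus(value)  # 2nd decode: double-encoding
            if text.startswith(PREFIXES) and OGNL_MARK.search(text):
                verdict = "known-public-exploit" if KNOWN_EXPLOIT_MARK in text else "ognl-injection"
                findings.append((where, verdict))
    return findings

def scan_log(lines, check_body=True):
    """Lines use the constructed format 'METHOD URI [BODY]'; one findings list per line."""
    results = []
    for line in lines:
        parts = line.split(" ", 2)
        body = parts[2] if len(parts) == 3 else ""
        results.append(inspect_request(parts[0], parts[1], body, check_body))
    return results

# Constructed sample records (not real traffic): a shortened form of the public exploit
# on GET, the same trick URL-encoded in a POST body, a legitimate redirect, and an
# unrelated "${" inside a value that must not produce a false positive.
SAMPLE_LOG = [
    "GET /Struts2/test.action?redirect:${#matt=1}",
    "POST /Struts2/login.action user=bob&redirect%3A%24%7B%23x%3D1%7D",
    "GET /Struts2/home.action?redirect:/index.jsp",
    "POST /Struts2/search.action q=%24%7Bprice%7D",
]

if __name__ == "__main__":
    for line, found in zip(SAMPLE_LOG, scan_log(SAMPLE_LOG)):
        print(found or "clean", "<-", line)
```

Run against real access logs the body is usually absent, so the POST check only works where the WAF or application layer records request bodies, which is precisely the gap the two hotfixes fell into.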

Instead of a conclusion

Conclusions about what and why, and how to live with and fight this, I have also left for the magazine, although it is all so obvious. But I decided to write on Habr, to put it bluntly, to warn you: I cannot write to each vendor personally, especially to government structures and banks; this is your job, not mine, YOU should react to your incidents, as QIWI did, for example, without needing to wait a week (my respect to them). The rest of you: just know this, and take action, because the enemy does not wait one month from the moment the patch is released, as it says in the paper standard you so proudly comply with ... he started the attack one day after the vendor's fix.

Source: https://habr.com/ru/post/188222/
