
Snort signature for Apache Struts CVE-2017-9805 vulnerability

Good day friends!

On September 7–8, media reports and blog posts began to appear about a breach at Equifax, one of the largest credit bureaus. Representatives of the American company said that the data of 143 million people had been leaked: names, addresses, social security numbers and, in some cases, credit card numbers. Anyone who knows how many services in the US rely on these identifiers can imagine the potential scale of future identity theft.

The leak itself occurred in May 2017, but it was discovered only at the end of June, and for more than a month after that the fact of the leak was not made public. Because of this, and because of the strange behaviour of top management (they may have sold off their stakes in the company a few days before the problem was publicized), Equifax shares did this:

[Figure: Equifax share price chart]

On September 5, the lgtm.com blog, run by Semmle Inc., published the post “Using QL to find a remote code …”. The vulnerability received the identifier CVE-2017-9805 and a CVSS score of 7.5 to 10. In other words, it is very serious, and a lot of people may be affected.

So, as last time with WannaCry, we are publishing a Snort signature to detect attempts to exploit this vulnerability:

# Alerts on POST requests to the Struts 2 REST showcase application whose payload carries the XStream deserialization markers
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"AM Exploit Apache Struts 2.5 - REST Plugin XStream Possible Remote Code Execution"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/bin/sh"; nocase; content:"java.lang"; nocase; content:"<command>"; nocase; content:"<opmode>0"; content:"InputStream"; nocase; content:"jdk.nashorn.internal.objects.NativeString"; nocase; content:"ProcessBuilder"; nocase; content:"javax.imageio.ImageIO"; nocase; content:"/struts2-rest-showcase/"; http_uri; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805; reference:url,exploit-db.com/exploits/42627/; classtype:client-side-exploit; sid:5300590; rev:1;)
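To see what the rule actually requires, here is an added example (not part of the original post) that models only the content / nocase / http_uri / http_method options the rule uses and runs them over constructed HTTP requests; the request fixtures and the MARKERS string are assumptions made for this example, not captured traffic.

```python
import re

# Options of the rule above that decide whether a packet matches (metadata omitted).
RULE_OPTIONS = (
    'content:"POST"; http_method; nocase; content:"/bin/sh"; nocase; '
    'content:"java.lang"; nocase; content:"<command>"; nocase; '
    'content:"<opmode>0"; content:"InputStream"; nocase; '
    'content:"jdk.nashorn.internal.objects.NativeString"; nocase; '
    'content:"ProcessBuilder"; nocase; content:"javax.imageio.ImageIO"; nocase; '
    'content:"/struts2-rest-showcase/"; http_uri;'
)

def parse_contents(options):
    """Return [(pattern, buffer, nocase)]; a modifier applies to the preceding content."""
    contents = []
    for opt in [o.strip() for o in options.split(";") if o.strip()]:
        m = re.fullmatch(r'content:"(.*)"', opt)
        if m:
            contents.append([m.group(1), "raw", False])  # default buffer: whole payload
        elif opt == "nocase":
            contents[-1][2] = True
        elif opt in ("http_uri", "http_method"):
            contents[-1][1] = opt
    return [tuple(c) for c in contents]

def rule_matches(method, uri, body):
    """True only when every content option is found in its buffer (they are ANDed)."""
    raw = f"{method} {uri} HTTP/1.1\r\n\r\n{body}"
    buffers = {"raw": raw, "http_uri": uri, "http_method": method}
    for pattern, buf, nocase in parse_contents(RULE_OPTIONS):
        hay, needle = buffers[buf], pattern
        if nocase:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True

# Constructed fixtures (assumptions for this example). MARKERS is a flat list of the
# rule's tokens in mixed case to exercise nocase; it is a detection test vector only.
MARKERS = ("/BIN/SH Java.Lang <command> <opmode>0 inputstream "
           "JDK.nashorn.internal.objects.NativeString processbuilder javax.imageio.ImageIO")
BENIGN_BODY = "<order><clientName>Alice</clientName><amount>42</amount></order>"

if __name__ == "__main__":
    print(rule_matches("POST", "/struts2-rest-showcase/orders/3", BENIGN_BODY))  # False
    print(rule_matches("POST", "/struts2-rest-showcase/orders/3", MARKERS))      # True
    print(rule_matches("POST", "/orders/3", MARKERS))  # False: http_uri pins the showcase path
```

The third case shows the main caveat of this signature: the `http_uri` match ties it to the showcase application's path, so a REST plugin deployed under another context path would not trigger it.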

What else to read to analyze the situation:

Source: https://habr.com/ru/post/337734/

