{"id":11673,"date":"2018-03-07T03:20:08","date_gmt":"2018-03-07T11:20:08","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/03\/07\/news-5443\/"},"modified":"2018-03-07T03:20:08","modified_gmt":"2018-03-07T11:20:08","slug":"news-5443","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2018\/03\/07\/news-5443\/","title":{"rendered":"Chinese, Russian hackers counting on Apache Struts vulnerabilities &#8211; a report by Quick Heal Security Labs"},"content":{"rendered":"<p><strong>Credit to Author: Sameer Patil | Date: Wed, 07 Mar 2018 10:32:57 +0000<\/strong><\/p>\n
<p>Apache Struts is an open-source CMS based on the MVC framework for developing Java EE web applications. Apache Struts has been widely used by many Fortune 100 companies and government agencies over the years for developing web applications. But websites built using a CMS constantly need to upgrade the CMS versions on their web application servers, because vulnerabilities in the CMS framework directly impact the security of the entire website. As observed by Quick Heal Security Labs, Apache Struts has been a target of mostly Russian and Chinese hackers since January 2018.<\/p>\n
<p>Fig 1. Apache Struts exploit attempts blocked in 2 months<\/p>\n
<p>These constant hits in our IDS\/IPS telemetry for Apache Struts attacks suggest that hackers will keep targeting the framework for a long time. Some of the prominent Apache Struts remote code execution vulnerabilities blocked by Quick Heal IDS\/IPS are CVE-2017-5638, CVE-2017-12611, CVE-2017-9791 and CVE-2017-9805.<\/p>\n
<p><strong>Details about these vulnerabilities<\/strong><\/p>\n
<p>CVE-2017-5638 was the first critical vulnerability of 2017 fixed by Apache. The vulnerability has a CVSS score of 10, indicating the criticality of the exploit. The vulnerability is present in the Jakarta Multipart parser and is triggered by improper handling of a file upload: arbitrary commands are sent through a crafted Content-Type HTTP header.<\/p>\n
<p>Fig 2. Crafted Content-Type header for exploiting CVE-2017-5638<\/p>\n
<p>Just a few days after Apache released an advisory in March 2017, exploitation attempts were seen in the wild. As not many were aware of the vulnerability at that time, hackers took advantage and started scanning servers for vulnerable, unpatched versions of Struts. Equifax, a major credit reporting agency, became a victim of such an attack, leading to one of the biggest data breaches in history. Hackers were able to steal the confidential data of 143 million users. Failure to deploy the patch for this very vulnerability was the reason behind the breach.<\/p>\n
<p>Then came CVE-2017-9791, patched by Apache in July, which allows an RCE attack when untrusted input is passed as part of the error message in the ActionMessage class. Shown below is an example of a malicious payload sent as a POST request to the &#8220;\/struts-showcase\/integration\/saveGangster.action&#8221; URI.<\/p>\n
<p>Fig 3. Crafted HTTP POST request body for exploiting CVE-2017-9791<\/p>\n
<p>The vulnerability exists in the Struts Showcase application, and the RCE is achieved by running malicious code through OGNL expressions in the same way as in CVE-2017-5638.<\/p>\n
<p>CVE-2017-9805 is again a remote code execution vulnerability, fixed in September 2017. The bug triggers when the Struts REST plugin is used with the XStream handler to handle XML payloads. The XStream handler&#8217;s toObject() method incorrectly deserializes an object sent by the user in the form of an XML request.<\/p>\n
<p>Fig 4. Crafted XML payload containing injected command in serialized XML object<\/p>\n
<p>Similarly, CVE-2017-12611 was another Apache Struts vulnerability which can be exploited through a crafted URI containing a sequence of commands to be executed on the Apache server. The exploit relies on an unintentional expression evaluation in a Freemarker tag, where string literals were expected, which leads to an RCE attack. The exploit payload for this vulnerability appears in the URL string as shown below:<\/p>\n
<p>Fig 5. Crafted URL string containing payload for exploiting CVE-2017-12611<\/p>\n
<p>OGNL (Object Graph Navigation Library) is an open-source Expression Language (EL) used for getting and setting the properties of Java objects. If an attacker can evaluate arbitrary OGNL expressions, they can execute arbitrary code or modify resources stored on the application server. Except for CVE-2017-9805, the remaining three exploits used OGNL expressions to perform RCE. Hence, website administrators are advised to keep a watch on requests containing OGNL to avoid being exploited by any zero-day vulnerability.<\/p>\n
<p>Let\u2019s have a look at the geographical distribution of the attacks we have seen. The geomap shown below shows the locations of all the attacker IPs mentioned.<\/p>\n
<p>Fig 6. Geomap source of infection (IP address)<\/p>\n
<p>Approximately 83% of attack source IPs are located in Russia and China. The following is the list of IPs from which we are observing most of these attacks:<\/p>\n
<p>On the other hand, the target IP locations of the attacks are quite well distributed, indicating that the attacks are widespread in nature and less targeted at a specific country or region. Europe, the USA, India, China and some regions of Africa seem to have experienced these attacks in high volume, as shown below.<\/p>\n
<p>Fig 7. Geo heat map of victim IP locations<\/p>\n
<p>We have mainly seen attackers targeting the servers to install Linux backdoors and cryptocurrency miner software. Cryptocoins like Monero bring in huge profits, which is why attackers are hacking into as many servers as possible to generate the maximum number of&hellip;<br \/><a href=\"http:\/\/blogs.quickheal.com\/chinese-russian-hackers-counting-apache-struts-vulnerabilities-report-quick-heal-security-labs\/\" target=\"bwo\" >http:\/\/blogs.quickheal.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Sameer Patil | Date: Wed, 07 Mar 2018 10:32:57 +0000<\/strong><\/p>\n<p>Apache Struts is an open-source CMS based on the MVC framework for developing Java EE web applications. Apache Struts has been widely used by many Fortune 100 companies and government agencies over the years for developing web applications. But websites built using a CMS constantly need to upgrade the CMS versions on their web application servers, because vulnerabilities&#8230;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10459,10378],"tags":[14479,11810,11638,11253,714,10596,10752,10467],"class_list":["post-11673","post","type-post","status-publish","format-standard","hentry","category-quickheal","category-security","tag-apache-struts","tag-cve","tag-exploit","tag-hacker","tag-security","tag-security-patch","tag-vulnerabilities","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11673","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=11673"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11673\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=11673"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=11673"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=11673"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}