Archive for March, 2017

March 13, 2017

Talos has observed a new Apache vulnerability that is being actively exploited in the wild. The vulnerability (CVE-2017-5638) is a remote code execution bug that affects the Jakarta Multipart parser in Apache Struts, referenced in this security advisory. Talos began investigating for exploitation attempts and found a high number of exploitation events. The majority of the exploitation attempts seem to be leveraging a publicly released PoC that is being used to run various commands. Talos has observed simple commands  as well as more sophisticated commands including pulling down a malicious ELF executable and execution.

With exploitation actively underway Talos recommends immediate upgrading if possible or following the work around referenced in the above security advisory.
Exploitation Attempts

In searching through data Talos was able to find ample examples of the vulnerability being targeted and detection was covered by signatures that were released on 3/7/2017 (41818, 41819).


Vulnerability Analysis


Apache uses org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest to upload file.



In the exploit, #nike=’multipart/form-data’ will make the expression as true. Then function getMultiPartRequest() will be executed. It will configure struts.multipart.parser attribute using org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest.



The struts.multipart.parser used by the fileUpload interceptor to handle HTTP POST requests, encoded using the MIME-type multipart/form-data, can be changed out. Currently there are two choices, jakarta and pell. The jakarta parser is a standard part of the Struts 2 framework and needs only its required libraries added to a project. The pell parser uses Jason Pell’s multipart parser instead of the Commons-FileUpload library. The pell parser is a Struts 2 plugin, for more details see: pell multipart plugin. There was a third alternative, cos, but it was removed due to licensing incompatibilities.



Finally, Struts2 uses LocalizedTextUtil.findText in function buildErrorMessage to build the error message while the exploit takes advantage of LocalizedTextUtil.findText to execute OGNL commands.



Simple Probing

Below is an example of some simple probing attacks that are ongoing just checking to see if a system is vulnerable by executing a simple Linux based command.



Running the PoC will create a text file in /tmp folder in the target:



Attack Mitigation

One way to mitigate these targeted attacks is via Apache Struts patches. Patching the web server can be a never-ending race. New patches are released much faster than organizations can run them through staging, testing and then push them into production. An alternative solution is virtual patching through an external security tool like a Web Application Firewall (WAF), which provides immediate protection to the web servers and applications maintaining business continuity while the right patch is developed, staged and tested.


Google Dorks for Data Mining

Author: Martin Voelk
March 1, 2017

Who doesn’t know the problem. You have a basic LinkedIn account and you want to do business development. Your searches are limited to X numbers, you don’t get the full search interface like Premium users and all that annoying stuff.

To the rescue once again comes Google and shell scripting. Google indexes like no other search engine.

Simple Google searches reveal the prospects you are looking for: intext:”IT Manager” AND “Singapore” -jobs intext:”IT Director” AND “Singapore” -jobs intext:”CISO” AND “Singapore” -jobs intext:”IT Manager” AND “Singapore” -jobs “Healthcare” intext:”IT Manager” AND “Singapore” -jobs “Banking” intext:”IT Manager” AND “Singapore” -jobs “Finance” intext:”IT Manager” AND “Singapore” -jobs “Retail” intext:”IT Manager” AND “Singapore” -jobs “Utilities”

Job titles can be changed, so can be countries and industries.

Now for everyone with a bit of shell / python experience, these dorks can be fully automated and will then report into an Excel sheet in minutes. Business development with Google 🙂


IoT Teddy Bear Hacked

Author: Martin Voelk
March 1, 2017

Whilst this sounds funny at first, it’s yet another serious data breach of customer data. IoT is becoming hacker’s first choice even before web applications these days. So don’t forget to have your IoT devices Pen Tested.