death by a thousand struts
play

Death by a Thousand Struts A Defenders Tale Justin Warner (@sixdub) - PowerPoint PPT Presentation

Oct 21, 2023 •187 likes •608 views

Death by a Thousand Struts A Defenders Tale Justin Warner (@sixdub) $Whoami - Justin Warner (@sixdub) Principal Security Engineer @ ICEBRG focusing on detection, network data analysis, and adversary emulation testing Computer Science

  1. Death by a Thousand Struts A Defenders Tale Justin Warner (@sixdub)

  2. $Whoami - Justin Warner (@sixdub) • Principal Security Engineer @ ICEBRG focusing on detection, network data analysis, and adversary emulation testing • Computer Science grad from USAF Academy & former military computer nerd • Former red team lead who worked w/ multi- national Fortune 100 enterprises • BlackHat USA Instructor in 2015 & 2016 for Adaptive Red Team Tactics 2

  3. Red -> Blue My career has been a pretty constant flip flop of roles. I feel as though it has strengthened me technically and professionally. Job #1: Network Analyst, US Air Force Job #2: Red Team Lead, Adaptive Thread Division (ATD) Job #3: Principal Security Engineer, ICEBRG Understanding the ins and outs of operations of your opponent makes you a better prepared opponent.

  4. Let’s Tell A Story

  5. This Thing Called Struts “Apache Struts is a free, open-source, MVC framework for creating elegant, modern Java web applications. It favors convention over configuration, is extensible using a plugin architecture, and ships with plugins to support REST, AJAX and JSON.” https://struts.apache.org/ Apache Struts is a prevalent framework often exposed on internet connected devices. Due to its large sophisticated capability set, it includes a number of external dependencies and legacy code bases.

  6. Is Struts Common? Internet connected Apache devices are everywhere (17 million on Shodan). Struts is also everywhere: “65 percent of the Fortune 100 companies are actively using web applications built with the Struts framework. This includes organizations like Lockheed Martin, the IRS, Citigroup, Vodafone, Virgin Atlantic, Reader’s Digest, Office Depot, and Showtime.” via Shodan.io Additionally, based on experience, internal applications are often built on struts making a juicy target during post-exploitation. https://thenewstack.io/critical-vulnerability-apache-struts-puts- thousands-web-applications-risk/

  7. Are People Still Targeting Struts? Many thanks to Andrew Morris for giving me data! Takeaways: • VPS Providers are common scanning source • People are still looking for struts servers • This is only for external facing looking for default paths from exploit POC https://greynoise.io/

  8. Lots of CVEs CV CVE-20 2017-56 5638: “The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.” https://nvd.nist.gov/vuln/detail/CVE-2017-5638 CV CVE-20 2017-97 9791 91: “The Struts 1 plugin in Apache Struts 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage.” https://nvd.nist.gov/vuln/detail/CVE-2017-9791 CV CVE-20 2017-98 9805: “The REST Plugin in Apache Struts 2.1.2 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.” https://nvd.nist.gov/vuln/detail/CVE-2017-9805

  9. Lots of Struts IR in 2017 In 2017, I saw many engagements that began with struts exploitation. Throughout these cases, Struts exploitation led to: • Continuous and automated compromise for criminal purposes • Enterprise wide ransomware deployments • Targeted attacks by threat groups with focused objectives Even after signatures were released and people knew what to look for and how to fix, we continued to witness devastating in-the-wild compromise. But why?!

  10. Real World Conversation Common Themes: • Did not know the asset was exposed (lacked visibility). Often a Legacy asset w/ no endpoint protection. • Trusted their security stack and provided detections • Did not have any practice performing response and remediation on the public facing asset. Takeaways: • Visibility is a key first step. • The state of detection within organizations is still Thank you Kaya (my daughter) for maturing. showing how I feel here • Offensive testing and exercises could have helped these particular customers.

  11. What We Will Discuss - Goals Blue teams must better understand the applied detection logic in their environments. Detection authors must strive to better understand root cause/adversary behavior to author robust indicators and analytics. Red teams should focus their actions to be threat representative to further a training objective. This might include noisy actions. This might get you caught or it might identify detection gap. Let’s use Apache Struts as a case study.

  12. Analysis of POC Exploit & Detection

  13. Time For Fun

  14. Is This Signature / Rule Effective? One public signature for CVE-2017-9805 alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin XStream RCE (ProcessBuilder?)"; flow:to_server,established; content:"java.lang.ProcessBuilder"; nocase; http_client_body; fast_pattern; content:"<command"; nocase; distance:0; http_client_body; pcre:"/^[\s>]/RPs"; metadata: former_category EXPLOIT; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted- user; sid:2024663; rev:1; metadata:affected_product Apache_Struts2, attack_target Web_Server, deployment Perimeter, signature_severity Critical, created_at 2017_09_06, performance_impact Low, updated_at 2017_09_06;) Wh Where did the re red co conten ent m match ch co come f e from?

  15. Abuse Gadget From MSF Is this the only abuse gadget that can be used?

  16. Public Signatures SI SID Ru Rule le M Messag age 2024663 ET EXPLOIT Apache Struts 2 REST Plugin XStream RCE (ProcessBuilder) 2024664 ET EXPLOIT Apache Struts 2 REST Plugin XStream RCE (Runtime.Exec) 2024668 ET EXPLOIT Apache Struts 2 REST Plugin ysoserial Usage (B64) 1 2024669 ET EXPLOIT Apache Struts 2 REST Plugin ysoserial Usage (B64) 2 2024670 ET EXPLOIT Apache Struts 2 REST Plugin ysoserial Usage (B64) 3 2024671 ET EXPLOIT Apache Struts 2 REST Plugin (B64) 4 2024672 ET EXPLOIT Apache Struts 2 REST Plugin (B64) 5 2024673 ET EXPLOIT Apache Struts 2 REST Plugin (B64) 6 2024674 ET EXPLOIT Apache Struts 2 REST Plugin (Runtime.Exec) 2024675 ET EXPLOIT Apache Struts 2 REST Plugin (ProcessBuilder) https://rules.emergingthreats.net/

  17. Public Signature Analysis SI SID Ru Rule le M Messag age 2024663 ET EXPLOIT Apache Struts 2 REST Plugin XStream RCE (ProcessBuilder) 2024664 ET EXPLOIT Apache Struts 2 REST Plugin XStream RCE (Runtime.Exec) 2024668 ET EXPLOIT Apache Struts 2 REST Plugin ysoserial Usage (B64) 1 2024669 ET EXPLOIT Apache Struts 2 REST Plugin ysoserial Usage (B64) 2 2024670 ET EXPLOIT Apache Struts 2 REST Plugin ysoserial Usage (B64) 3 2024671 ET EXPLOIT Apache Struts 2 REST Plugin (B64) 4 2024672 ET EXPLOIT Apache Struts 2 REST Plugin (B64) 5 2024673 ET EXPLOIT Apache Struts 2 REST Plugin (B64) 6 2024674 ET EXPLOIT Apache Struts 2 REST Plugin (Runtime.Exec) 2024675 ET EXPLOIT Apache Struts 2 REST Plugin (ProcessBuilder) Black = Targeting very specific abuse gadgets https://rules.emergingthreats.net/ Green = Targeting “ysoserial” Base64 Blob Red = Hardcoded URI of App

  18. Swapping Abuse Gadgets For Fun & Profit

  19. Time For Fun

  20. Too Easy! This evasion took less than an Go Goal hour of development and testing. • https://github.com/mbechler/m arshalsec Just in case you didn’t assume this… bad guys know how to do this research too. *Credit to Casey Smith and Matt Graeber Requirement Re Slide credit: Casey Smith and Matt Graeber https://microsoftrnd.co.il/Press%20Kit/BlueHat%20IL%20D ecks/MattGraeber.CaseySmith.pdf

  21. Back To Basics Of Detection

  22. Getting In a Habit Identify TTP A rough process that can be used to work through Indicator Intel & Behavior Maintenance Analysis authoring an indicator. Let’s further dive in on the Indicator Loose / Strict light blue ones… Deployed Criteria Indicator Durability Creation Testing

  23. Defining Loose & Strict Criteria St Stric ict Crit iteria ia Components of a particular attack chain that are required to be present for the chain to AND Strict Criteria 1 Strict Criteria 2 exist. Loose Criteria Lo Components of a particular attack chain that will commonly be present in the attack chain. Loose Loose Loose OR OR Generally, at least one of these will be Criteria 1 Criteria 3 Criteria 2 present. Also includes attacker behavior choices.

  24. Attacker Behind The Scenes Abuse Gadget Executed Upon (K,V) Access Abuse Gadgets: • System command execution Unmarshal XML Object and • JNDI Populate Map Object • *image from McAffee Labs Remote classloading (plain) • Remote classloading (serviceloader) • Local classloading Unpack XML Nodes into New Structure Returned to Reflection Provider “Object” doUnmarshal Searches For Updates Field with Value Class Where Node Names From Nodes Defined https://securingtomorrow.mcafee.com/mcafee-labs/apache-struts-at-rest- analyzing-remote-code-execution-vulnerability-cve-2017-9805/

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Pesticides and Chesapeake Bay: Smoking Gun or Death by a Thousand Cuts? Doug Myers Maryland

Pesticides and Chesapeake Bay: Smoking Gun or Death by a Thousand Cuts? Doug Myers Maryland

Pesticides and Chesapeake Bay: Smoking Gun or Death by a Thousand Cuts? Doug Myers Maryland Senior Scientist Home to 17 Million People What do we know about pesticide usage in the CB Watershed? What do we know about land delivery rates of

583 views • 12 slides
SSH SSH ( Struts , Spring and Hibernate Hibernate) ) ( Struts , Spring and Ronghong Li, You

SSH SSH ( Struts , Spring and Hibernate Hibernate) ) ( Struts , Spring and Ronghong Li, You

SSH SSH ( Struts , Spring and Hibernate Hibernate) ) ( Struts , Spring and Ronghong Li, You Li, Miao Xu, Paul Filipow, Chao Rui I ntroduction I ntroduction The Model- - View View - - Controller Pattern Controller Pattern The Model

717 views • 39 slides
Agenda Web MVC-2: Apache Struts Drawbacks with Web Model 1 Web Model 2 (Web MVC) Rimon

Agenda Web MVC-2: Apache Struts Drawbacks with Web Model 1 Web Model 2 (Web MVC) Rimon

Agenda Web MVC-2: Apache Struts Drawbacks with Web Model 1 Web Model 2 (Web MVC) Rimon Mikhaiel Struts framework rimon@cs.ualberta.ca Example of workflow management. A Hello World Example Web Model 2 Web Model 1 Web MVC

610 views • 4 slides
Die socket .. Die ! eamless Let a thousand systems.. bloom ! a short story in 4 parts PART ONE

Die socket .. Die ! eamless Let a thousand systems.. bloom ! a short story in 4 parts PART ONE

Die socket .. Die ! eamless Let a thousand systems.. bloom ! a short story in 4 parts PART ONE DEATH TO SOCKETS FOR THE OF STOP USING SOCKETS DO NOT ! NO SILLY EXAMPLES YOU CAN EVEN PLAY PING-PONG PROGRAM PART TWO LOCALLY DEPLOY

716 views • 32 slides
CS 2 9 8 Model-Controller I nterfacing for Struts- Based W eb Applications Presenter: Deepti

CS 2 9 8 Model-Controller I nterfacing for Struts- Based W eb Applications Presenter: Deepti

CS 2 9 8 Model-Controller I nterfacing for Struts- Based W eb Applications Presenter: Deepti Bhardwaj Advisor: Dr. Chris Pollett Committee: Dr. Robert Chun Dr. Agustin Araya Outline Purpose Introduction Background

885 views • 33 slides
Paradox of Death The last enemy to be destroyed is death 1 Corinthians 15:26 Grave

Paradox of Death The last enemy to be destroyed is death 1 Corinthians 15:26 Grave

Paradox of Death The last enemy to be destroyed is death 1 Corinthians 15:26 Grave of Lily and James Potter Death is bad Despite its inevitability, we spend massive amounts of time, money, and effort, trying to fight death

437 views • 17 slides
512 682 1000 robby@cipaustjn.com 9130 Jollyville Rd., Suite 300 Nick Nelson, CCIM Austin, TX

512 682 1000 robby@cipaustjn.com 9130 Jollyville Rd., Suite 300 Nick Nelson, CCIM Austin, TX

FORMER FAMILY DOLLAR FOR LEASE 4455 Thousand Oaks | San Antonio, TX Alamo Blanco St Alamo Blanco St Your Sign Here Your Sign Here 18,518 VPD (2018) Thousand Oaks Thousand Oaks Interior videos: Showroom Storage area Click the

285 views • 6 slides
Birth and Death Processes Today: Birth processes Birth and Death Processes Death

Birth and Death Processes Today: Birth processes Birth and Death Processes Death

Birth and Death Processes Today: Birth processes Birth and Death Processes Death processes Biarth and death processes Bo Friis Nielsen 1 Limiting behaviour of birth and death processes Next week 1 DTU Informatics Finite state

309 views • 7 slides
CSE 510 Web Data Engineering The MVC Design Pattern &amp; The Struts Framework UB CSE 510 Web

CSE 510 Web Data Engineering The MVC Design Pattern &amp; The Struts Framework UB CSE 510 Web

CSE 510 Web Data Engineering The MVC Design Pattern &amp; The Struts Framework UB CSE 510 Web Data Engineering Previous Attempts: Model 1 Design Pattern for every JSP page p for every type of request r to p insert in p code to implement the

220 views • 18 slides
Talking About Death &amp; Dying existence embraces both life and death, and in a way death

Talking About Death &amp; Dying existence embraces both life and death, and in a way death

Talking About Death &amp; Dying existence embraces both life and death, and in a way death is the test of the meaning of life. If death is devoid of meaning, then life is absurd. Lifes ultimate meaning remains obscure unless it is

321 views • 10 slides
for information such as the birth place, birth date and parents' names of the deceased. What

for information such as the birth place, birth date and parents' names of the deceased. What

Indexes and Sources of Info on Deaths, Obituaries, Burials Death records are primary source records because they are completed at, or close to, the time of the death by someone who was present at the death. Death records are especially helpful,

66 views • 5 slides
CSE 510 Web Data Engineering The Struts Framework Logon Example UB CSE 510 Web Data Engineering

CSE 510 Web Data Engineering The Struts Framework Logon Example UB CSE 510 Web Data Engineering

CSE 510 Web Data Engineering The Struts Framework Logon Example UB CSE 510 Web Data Engineering Example The example implements a dummy logon functionality Do not consider this example to be the best way to implement authorization and

527 views • 21 slides
Near-Death Experiences: What if anything might they tell us about life after death? Walter L.

Near-Death Experiences: What if anything might they tell us about life after death? Walter L.

Near-Death Experiences: What if anything might they tell us about life after death? Walter L. Bradley, Ph.D., P.E. ASA Annual MeetingGordon College July 29, 2018 If you were to die tonight. Would you cease to exist? Would you no

647 views • 31 slides
1 EMS: Out of Hospital Cardiac Arrest ACC/AHA/HRS: Sudden Cardiac Death ACC/AHA/HRS, 2006:

1 EMS: Out of Hospital Cardiac Arrest ACC/AHA/HRS: Sudden Cardiac Death ACC/AHA/HRS, 2006:

U.S. Mortality by Death Certificates Redefining Sudden Cardiac Death: Insights from the 500,000 San Francisco POstmortem 400,000 Systematic invesTigation of # deaths/year 300,000 Sudden Cardiac Death Study 200,000 100,000 17 December

275 views • 16 slides
T T Traveling Zero to One Traveling Zero to One li li Z Z t t O O Thousand Within a

T T Traveling Zero to One Traveling Zero to One li li Z Z t t O O Thousand Within a

T T Traveling Zero to One Traveling Zero to One li li Z Z t t O O Thousand Within a Thousand Within a Thousand Within a Thousand Within a School Zone School Zone Visual Learning/Development in a Visual Learning/Development in a

481 views • 24 slides
Aldosterone levels and death in AMI Death according to quartiles Death according to tertiles of

Aldosterone levels and death in AMI Death according to quartiles Death according to tertiles of

A ldosterone L ethal effects B lockade in A cute myocardial infarction T reated with or without R eperfusion to improve O utcome and S urvival at S ix months follow-up F. Beygui, G. Cayla, V. Roule, F. Roubille, N. Delarche, J. Silvain, E. Van

297 views • 10 slides
Linking UNFCCC mechanisms Tomoo Machiba, CTCN Deputy Director Rome, 18 October 2019 CTCN: UNFCCC

Linking UNFCCC mechanisms Tomoo Machiba, CTCN Deputy Director Rome, 18 October 2019 CTCN: UNFCCC

Linking UNFCCC mechanisms Tomoo Machiba, CTCN Deputy Director Rome, 18 October 2019 CTCN: UNFCCC Technology Mechanism UN Climate Technology Centre and Network (CTCN) is the operational arm of the UNFCCC Technology Financial Technology

370 views • 17 slides
WEBINAR WEDNESDAY Miracles after May 1st: A Call to Action to Support 61 Displaced Nepali

WEBINAR WEDNESDAY Miracles after May 1st: A Call to Action to Support 61 Displaced Nepali

WEBINAR WEDNESDAY Miracles after May 1st: A Call to Action to Support 61 Displaced Nepali Students May 10, 2018 Todays Panelists Roman Shrestha - r44.jf3@gmail.com High School Student, SOS Hermann Gmeiner School (Nepal) Joan Liu -

400 views • 13 slides
Lets Just Ask Ground-Truthing in the Elite Network Shifts Project Jacqueline Hicks,

Lets Just Ask Ground-Truthing in the Elite Network Shifts Project Jacqueline Hicks,

Lets Just Ask Ground-Truthing in the Elite Network Shifts Project Jacqueline Hicks, Vincent Traag, Ridho Reinanda, Gerry van Klinken Elite Network Shifts Project IDENTIFYING ELITES 1 US ELITES 2 THAI ELITES 3 INDONESIAN ELITES 4

266 views • 15 slides
Textile Cultural tradition and their Preservation, Promotion and development By: Rosalia M

Textile Cultural tradition and their Preservation, Promotion and development By: Rosalia M

Textile Cultural tradition and their Preservation, Promotion and development By: Rosalia M Soares Facts Many collection of the National collection have been lost, stolen, sold and destroyed during the time of conflict; Tais plays a

484 views • 25 slides
Java Technologies Java EE - Introduction First of All Course Information The Goal The

Java Technologies Java EE - Introduction First of All Course Information The Goal The

Java Technologies Java EE - Introduction First of All Course Information The Goal The Motivation Teaching / Learning Bibliography Evaluation Lab: problems, personal projects, essays easy Exam: written test /

711 views • 22 slides
1st International Electronic Conference on Geriatric Care Models Disability among the Elderly in

1st International Electronic Conference on Geriatric Care Models Disability among the Elderly in

1st International Electronic Conference on Geriatric Care Models Disability among the Elderly in Indonesia: An Analysis of Spatial and Socio-demographic Correlates Puguh Prasetyoputra 1, * and Ari Purwanto Sarwo Prasojo 1 1 Research Center for

297 views • 15 slides
Timely and Robust Key Establishment under Jamming Attack Eun-Kyu Lee, Soon Y. Oh, and Mario

Timely and Robust Key Establishment under Jamming Attack Eun-Kyu Lee, Soon Y. Oh, and Mario

Timely and Robust Key Establishment under Jamming Attack Eun-Kyu Lee, Soon Y. Oh, and Mario Gerla UCLA Outline Jamming Attacks Quorum System Application to MANETs Frequency Quorum Rendezvous Fast key establishment protocol

602 views • 24 slides
Channel Surfing and Spatial Retreats: Defenses against Wireless Denial of Service W enyuan Xu,

Channel Surfing and Spatial Retreats: Defenses against Wireless Denial of Service W enyuan Xu,

Channel Surfing and Spatial Retreats: Defenses against Wireless Denial of Service W enyuan Xu, Tim othy W ood, W ade Trappe, Yanyong Zhang W I NLAB, Rutgers University I AB 2 0 0 4 Roadmap Motivation and Introduction Detection

486 views • 33 slides

More recommend