On August 22, 2018, the Apache Foundation released Security Bulletin S2-057 warning of a remote execution vulnerability in Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16. This vulnerability is designated CVE-2018-11776 in the National Vulnerability Database. Within 36 hours of the warning, Verodin's Behavior Research Team (BRT) published content demonstrating the exploitation of a 2.5.16 Struts server using CVE-2018-11776.
The vectors disclosed require commands to be passed through Java in order to properly execute. This is illustrated with the presence of Runtime.exec, followed by the command the attacker runs. The key here is that Java has to process the command, which limits the possibilities for obfuscation.
Let’s think about what happens if the attacker is successful. If they were to issue a whoami command, the username “tomcat” would be returned. What can the attacker do with this access? Well, hopefully, not much: if properly configured, an attacker should be forced to escalate privilege out of a very limited account. How are they going to do that? Probably by downloading privesc tools onto the server. So, make sure to inspect your server’s outbound requests!
At the end of the day, there are a lot of ways an attacker could accomplish their goal but it pays to think about defending past initial compromise. Hardening your systems and defenses in this way will help you get a leg up defending against a 0-day attack and increase your chances of detecting a breach before it’s too late.
Like many of our customers, when a major vulnerability is disclosed, the Verodin Behavior Research Team (BRT) goes into overdrive. I am very proud of my team for successfully operationalizing content to help our customers within 36 hours of disclosure.
The release includes five Actions:
A100-334: Malicious File Transfer - cURL Download PythonScript Download
Following A100-333, the Struts server downloads a python script which will connect back to the attacker when executed.
A100-335: Web Application Vulnerability - Apache StrutsCVE-2018-11776, Python Shell Reverse Shell
The third action demonstrates the Struts server establishing the shell connection back to the attacker.
A100-336: Web Application Vulnerability - Apache StrutsCVE-2018-11776, Privesc-Check-1.4 Retrieval
An action that shows a Struts server being exploited with a request that takes advantage ofCVE-2018-11776. The exploit is used to issue a cURL command for the victim server to download a Privilege Escalation checking script. Verodin recommends pairing this action with A100-337.
A100-337: Malicious File Transfer - cURL DownloadPrivesc-Check-1.4
Lastly, this action shows a victim server performing a download of Privesc-Check1.4 via cURL.
As always, customers with active Verodin subscriptions receive content updates at no additional charge. To access the content update that includes the Apache Struts S2-057 update, please navigate to the customer portal and login HERE.