In July, CVE-2017-9805, was reserved for the Apache Struts RCE vulnerability in the REST plugin. Apache Struts 2.5 through 2.5.12 that are using REST plugin are vulnerable to this attack. It had an initial disclosure on 7/17/2017, and a patch was released recently on 9/5/2017, with Apache updating Struts to version 2.5.13 was released. The flaw exists in using the Struts REST plugin with XStream handler to handle XML payloads. If exploited correctly, it allows a remote unauthenticated attacker to run malicious code on the application server to either take over the machine or launch further attacks from it. The problem occurs in XStreamHandler’s toObject () method, which does not impose any restrictions on the incoming value when using XStream deserialization into an object. lgtm has in in depth article along with a press release from Apache Foundation. The company Lgtm, who discovered the CVE-2017-9805 vulnerability, had warned that at least 65 percent of Fortune 100 companies use Struts, and they could all be exposed to remote attacks due to this vulnerability.
Equifax, one of the “big-three” U.S. credit bureaus was most likely, and unfortunately, not watching the bleeding-edge of security to prevent their server from being compromised. When they discovered the “unauthorized access” on July 29, they called in the security team from Mandiant to help them figure out the fallout of having potentially 143 million people’s PII released to the hackers. They released a video on September 7th, urging people to sign up on equifaxsecurity2017.com, which it itself was a shitshow, along with it being a poorly coded site, it was also flagged as a phishing site and didn’t even seem to be looking up the data correctly, with people using false info and still getting the same response from the site as a real account would. I’d be weary to submit my information to that site, along with some reports that the wording in the site gives them a loophole on you not being able to be part of a class action lawsuit if that ever comes to fruition.
. Below is a video from the CEO of Equifax about the incident.
Rick Smith, Chairman and CEO of Equifax Inc., on cybersecurity incident involving consumer information. Equifax has established a dedicated website, www.equifaxsecurity2017.com, to help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and identity theft protection.
There’s been speculation that this Struts vulnerability is how Equifax were owned. Looking into how the exploit can be recreated shows how easy it is for an attacker to take control of a server. The team from Metasploit created a module to trigger the CVE-2017-9805 vulnerability that was released shortly after its disclosure.
For those who would like to try this out at home in your ‘test’ lab, you can quickly test this out against your test server on a linux box, like using the Kali distro.
cp struts2_rest_xstream.rb /usr/share/metasploit-framework/modules/exploits/multi/http/ run msfconsole and load the module by running
Someone also anonymously released this gist on github the same day showing how you can simply exploit Struts.
Mazin Ahmed released some python code on his github that allows you to check for a vuln server or list of servers easily
Checking if the vulnerability exists against a single URL.
python struts-pwn.py --url 'http://example.com/struts2-rest-showcase/orders/3'Exploiting a single URL.
python struts-pwn.py --exploit --url 'http://example.com/struts2-showcase/index.action' -c 'echo test > /tmp/struts-pwn'
So make sure you patch your server if you’re running Struts, if you dont have a webserver running Struts, then all you have to do is worry about your Identity being stolen if you’re an American.
Sign up for credit monitoring if you can, and then freeze your credit files at the major credit bureaus. Information for how to file a freeze is available here.