5.2 Web Attacks
5.2.1 Trend of Web Attacks
Of all attacks targeting web servers in 2018, 89% of them still employed common methods such as server information disclosure, resource leech, SQL injection, and cross-site scripting.
Hackers are using an increasing number of web server or plug-in vulnerabilities. In 2018, vulnerability based web attacks accounted for 11% of all web attacks. It is a bit higher than in 2017 and should be taken seriously regardless of the small percentage. The most targeted web frameworks are Struts 2, Microsoft IIS, and WebLogic.
5.2.2 Web Vulnerability Exploitation
5.2.2.1 Struts 2
The struts 2 framework is still the favorite target of web attackers. From July 2007 to March 2019, 57 vulnerabilities were disclosed related to Struts 2, including remote code execution vulnerabilities extensively used by hackers because of their ease of exploitation and high level of threat. In 2018, we observed that the following vulnerabilities in Struts 2 were favored by attackers:
- Struts 2 remote code execution vulnerabilities (S2-045/S2-046): These two vulnerabilities could be exploited to cause arbitrary code execution via an OGNL expression which is included in an error message and passed to the buildErrorMessage method for execution. In 2018, more than half of attacks against Struts 2 exploited these two vulnerabilities.
- Struts 2 remote code execution vulnerabilities (S2-032/S2-033/S2-037): The root of these three vulnerabilities is when the method attribute of ActionProxy in DefaultActionInvocation.java is transferred to ognlUtil.getValue(methodName + “()”, getStack().getContext(), action) by executing an OGNL expression.
- Struts 2 remote code execution vulnerability (S2-016): In Struts 2, the DefaultActionMapper class supports an access prefix being “action:”, “redirect:” or “redirectAction:”, followed by a desired OGNL expression. The information following the prefix is not properly sanitized. As a result, any action could use these prefixes to execute arbitrary OGNL expressions, leading to arbitrary code execution.
- Struts 2 rest plug-in deserialization vulnerability (S2-052): The REST plug-in uses an XStreamHandler call with an instance of XStream for deserialization of XML payloads, without any filtering. This could lead to arbitrary code execution. An attacker could exploit this vulnerability to gain server privileges or business data via crafted XML request. This is a very
high-risk vulnerability.
From the above, we can see that these vulnerability exploits (except S2-052) against Struts 2 are implemented as follows: Struts 2 executes user-supplied OGNL expressions to cause remote code
execution, command execution, server file operations, and dangerous code execution. The only difference lies in the careful crafting of different OGNL code.
5.2.2.2 WebLogic
WebLogic related vulnerability exploits mainly take advantage of deserialization. In 2018, more than 80% of attacks against WebLogic were launched through exploitation of the following vulnerability:
- WebLogic WLS-WSAT component deserialization vulnerability (CVE-2017-10271): This vulnerability is a remote code execution issue in the XMLDecoder library referenced by
WebLogic. This vulnerability allows attackers to directly take over the entire system. This vulnerability can be exploited over the HTTP protocol and therefore is popular among hackers.
Also, this vulnerability is different than the CVE-2017-3506 vulnerability exposed at the beginning of 2017.
In addition, we observed that attacks were launched by exploiting emerging WebLogic vulnerabilities in 2018. The following vulnerabilities deserve attention.
- WebLogic component deserialization vulnerability (CVE-2018-2628): An unauthenticated attacker could remotely attack the vulnerable WebLogic component via the T3 protocol to gain all privileges of the target system.
- WebLogic component deserialization vulnerability (CVE-2018-2893): This vulnerability allows attackers to execute arbitrary deserialized code via the JRMP protocol by taking advantage of a defect in the Remote Method Invocation (RMI) mechanism. An unauthenticated attacker could encapsulate the payload by using the T3 protocol before deserializing it, in a bid to perform a remote attack against the vulnerable WebLogic component, thus executing arbitrary code and gaining all privileges of the target system.
Among web vulnerabilities, deserialization vulnerabilities are popular with hackers because they can be remotely exploited. According to our 2017 Annual Deserialization Vulnerability Report 410, vendors have been trapped in a vicious vulnerability response cycle of evasion, remediation, re-evasion, and reremediation. Deserialization vulnerabilities are popping up again and again. Those easily exploitable vulnerabilities are valuable to attackers because a successful exploit allows them to gain privilege access. It is exploiting vulnerabilities like this as an attack method to spread viruses and cryptomining malware.
5.2.2.3 Drupal
Exploitation of Drupal framework vulnerabilities in 2018 is another commom example of web exploitation. In May 2018, NSFOCUS Threat Intelligence (NTI) released a detailed analysis of the propagation and infection trend of the cryptominers taking advantage of a Drupal vulnerability.11
Drupal kernel remote code execution vulnerability (CVE-2018-7600): On March 28, 2018, Drupal issued a remote code execution vulnerability alert (SA-CORE-2018-002/CVE-2018- 7600), and later released two vulnerabilities, i.e., a cross-site scripting (XSS) vulnerability and a high-risk code execution vulnerability (SA-CORE-2018-004/CVE-2018-7602). Related proof of concepts (PoCs) were not made known to the public until two weeks after the disclosure of these vulnerabilities. Just a few hours after PoCs were released, attacks appeared to target
these vulnerabilities. Then the Internet saw the mushrooming of Drupal-targeted attacks which occurred frequently in the following months.
From the above figure, we can see that the interval between disclosure of a vulnerability and successful exploitation of this vulnerability was shortened to hours, posing a great challenge to security staffs to detect and mitigate this vulnerability.
To be continued.
10 http://www.nsfocus.com.cn/content/details_62_2694.html
11 http://blog.nsfocus.net/drupal-threat-analysis/