
27 March 2017

Apache Struts Vulnerability



This month has been frightening because of the number of attacks I'm seeing against web applications: attackers have found an easy way into systems by taking advantage of the latest Apache Struts 2 vulnerability, CVE-2017-5638. Thanks to the Ethical Hacker course I took two years ago and my knowledge of XML and web services, I'm going to highlight some steps to understand how this vulnerability is exploited, mainly so that we can tell whether our own web services are vulnerable, and we are also going to see what we can do to protect our organization from this attack.

This is a critical vulnerability caused by an error-handling issue that is triggered when a crafted HTTP request containing a malicious “Content-Type” or “Content-Disposition” header is sent to the web server. A remote attacker can exploit it to execute arbitrary code within the context of the application via a crafted request; as a result, vulnerable systems can be compromised and remote attackers can gain control of them. The affected versions are Struts 2.3.5 through 2.3.31 and Struts 2.5 through 2.5.10.

How can we know whether our web servers are vulnerable? First, by asking our developers which Struts version they are using to develop the web applications. If we are not that lucky, we can check it ourselves. Struts 2 is built with Maven, so we can find the pom.xml file in the source tree or inside the jars under the META-INF folder:

Struts version
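As an added example (not code from the post), here is a Python check that reads the Maven metadata a struts2-core jar carries under META-INF and compares the recorded version with the affected ranges above; the jar is constructed in memory so the check runs offline.

```python
import io
import re
import zipfile

# Affected ranges as stated in the post (inclusive): 2.3.5 - 2.3.31 and 2.5 - 2.5.10.
AFFECTED_RANGES = [("2.3.5", "2.3.31"), ("2.5", "2.5.10")]

# Path Maven's archiver writes into every jar it builds, here for struts2-core.
POM_PROPERTIES = "META-INF/maven/org.apache.struts/struts2-core/pom.properties"


def parse_version(text):
    """'2.3.20' -> (2, 3, 20, 0); padded to four parts so 2.5.10.1 compares above 2.5.10."""
    parts = [int(p) for p in re.findall(r"\d+", text)][:4]
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(version):
    """True when the version falls inside one of the affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def struts_version_from_jar(jar_bytes):
    """Return the struts2-core version recorded in the jar's Maven metadata, or None."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if POM_PROPERTIES not in jar.namelist():
            return None
        for line in jar.read(POM_PROPERTIES).decode("utf-8").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None


def check_jar(jar_bytes):
    """(version, affected) for a struts2-core jar; (None, False) for any other jar."""
    version = struts_version_from_jar(jar_bytes)
    return (version, is_affected(version)) if version else (None, False)


def build_sample_jar(version):
    """Constructed stand-in for struts2-core-<version>.jar holding only the metadata file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPERTIES, f"#Generated by Maven\nversion={version}\n"
                     "groupId=org.apache.struts\nartifactId=struts2-core\n")
    return buf.getvalue()


if __name__ == "__main__":
    for v in ("2.3.20", "2.3.32", "2.5.10.1"):
        print(v, "->", check_jar(build_sample_jar(v)))
```

On a real server, pass the bytes of each jar found under WEB-INF/lib to check_jar.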

Another way to know whether our web applications are vulnerable is with the Nmap tool, which has an NSE script called http-vuln-cve2017-5638 that helps us detect whether the specified URL is vulnerable to CVE-2017-5638. As we know, this is a useful tool for scanning and enumeration before an attack.

Nmap NSE script http-vuln-cve2017-5638

Nmap request and Server response

As you can see, my lab is vulnerable. This is because I have installed Windows Server 2012 with Apache Tomcat 6, a MySQL 5.5 database, a Java JRE and the Struts 2.3.20 sample apps. This is an easy laboratory to deploy because, after installing Apache, MySQL and Java, we just have to copy the struts2-blank.war file into the Apache Software Foundation → Tomcat 6.0 → webapps folder and restart the Tomcat service.

Struts Hello World Webpage
 
In addition, I have tested this vulnerability with the script published by Hack Players, where I was able to see the “Content-Type” header in the HTTP requests while I was executing arbitrary code such as “dir”, “whoami” or “ipconfig”.

Python script CVE-2017-5638.py
  
Python request and Server response

Once we know whether our web servers are vulnerable, and while the developers upgrade or fix the applications, we have to take measures. The first and traditional way is an IPS engine: we should check whether our firewall has the signature to block this kind of attack.

IPS Sensor
 
The second step would be to install or upgrade an IDS to check whether all attacks are really being blocked by the firewall. If we see alarms inside our network, maybe the IPS engine is not working properly or it is misconfigured.

IDS Rule Detection

Finally, the most professional way is to install or upgrade a Web Application Firewall (WAF), where we configure the strings allowed in HTTP headers, including “Content-Type” and “Content-Disposition”. This is the best way to block web application vulnerabilities, prevent web scraping and implement virtual patching as well.
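To make the difference between the IPS signature and the WAF allowlist concrete, here is an added Python example (not from the post or from any product) that runs both checks over constructed request lines: a signature check for OGNL expression delimiters, and a strict media-type grammar plus an allowlist of the types a hypothetical application accepts.

```python
import re

# RFC 7230 token characters: letters, digits and these punctuation marks, nothing else.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# A well-formed Content-Type: type/subtype plus optional ;name=value parameters.
MEDIA_TYPE = re.compile(rf'^{TOKEN}/{TOKEN}(?:\s*;\s*{TOKEN}=(?:{TOKEN}|"[^"\\]*"))*\s*$')

# Media types the (hypothetical) application really accepts: the allowlist the WAF enforces.
ALLOWED_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "application/json"}


def looks_like_expression(value):
    """Signature-style check, the IPS/IDS way: OGNL expressions are delimited by %{ or ${."""
    return "%{" in value or "${" in value


def check_content_type(value):
    """Allowlist-style check, the WAF way: returns (verdict, reason)."""
    if not MEDIA_TYPE.match(value):
        return ("block", "not a well-formed media type")
    media = value.split(";", 1)[0].strip().lower()
    if media not in ALLOWED_TYPES:
        return ("block", f"media type {media} not allowed")
    return ("allow", "ok")


def scan_log(lines):
    """Run both checks over lines of the form 'client path content-type-value'."""
    findings = []
    for line in lines:
        client, path, ctype = line.split(" ", 2)
        verdict, reason = check_content_type(ctype)
        findings.append((client, path, verdict, reason, looks_like_expression(ctype)))
    return findings


# Constructed sample lines, not real traffic; the third carries a harmless %{...} marker only.
SAMPLE_LOG = [
    "10.0.0.5 /struts2-blank/ multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk",
    "10.0.0.7 /struts2-blank/ application/x-www-form-urlencoded",
    "10.0.0.9 /struts2-blank/ %{(#constructed_marker='no real payload here')}",
    "10.0.0.11 /struts2-blank/ text/xml",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The grammar check rejects the marker line without knowing any signature, which is why the allowlist survives payload variations that an IPS signature may miss.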

Regards my friend and remember, open your eyes and protect your web servers.

20 March 2017

ISACA Challenge for Young Professionals



ISACA Madrid has launched, for the fourth time, a challenge for young professionals with the main goal of encouraging young people to innovate and advance in the Audit, Information Security and Information Security Governance fields. This is the fourth edition in which young professionals can demonstrate their skills and knowledge about new threats, risks and tools; it is a good opportunity to show our latest research and development projects to the security community and, in the end, to teach what we know in order to improve the security world.

In the first edition, in 2014, I took part with my proposal “¿estamos vendidos?” and got the second prize; the first prize went to Daniel Echeverry Montoya & Ismael González for their good work on "Tortazo para la recolección de información y auditoría de repetidores en la red de TOR". TORTAZO is an open-source tool to collect information about and conduct attacks against exit nodes of the TOR network. It also works in "Zombie" mode, allowing a botnet to be created from the nodes compromised through SSH; this mode allows the parallel execution of commands against the whole botnet or a given set of machines.

ISACA Challenge 2014
 
The second edition, in 2015, was won by my paper called “Juego de Troyanos”, where I analysed how the Zeus malware works and developed a “similar” trojan with Domain Generation Algorithms (DGA) to bypass blacklists and antivirus software. In fact, most ransomware families like CryptoLocker or CryptoWall still use the DGA technique to bypass security protections like IP and domain reputation. It was an “easy” way to demonstrate that anyone can develop a trojan to bypass common security safeguards.

ISACA Challenge 2015

Last year, Juan Antonio Velasco Gómez and Diego Jurado Pallarés got the first prize with “Deception PI - Análisis de las Tendencias de Ataques de Malware en Sistemas Señuelo para Informática Forense”. The work was done to detect, study and analyse certain types of computer attacks, specifically Secure Shell (SSH) attacks, using decoy systems, commonly known as honeypots. They configured a small network of sensors integrated on small platforms (Raspberry Pis). This network consisted of two sensors located in different cities (Madrid and Granada), which allowed them to classify and analyse the results and malware samples obtained in the experiment.

ISACA Challenge 2016

The requirements for the ISACA challenge are the same as always. If you are under 35 and have something interesting to show and teach about Audit, Information Security or IT governance, this is your challenge: write a paper and send it to ISACA.

For more information about the challenge, click here, and if you need any help with your paper, let me know.

Regards my friend and remember, drop me a line with the first thing you're wondering.

13 March 2017

IPv4 to IPv6 without going through IPv5



We are talking about IPv6 a lot lately because we are running out of IPv4 addresses and we need more and more IPs for the new area of the Internet of Things (IoT). It's a fact that the IP next generation (IPng) protocol and the experimental IPv5 protocol are not well known by IT engineers, but what we should know about is the IPv6 protocol itself: addressing and subnetting, stateful and stateless autoconfiguration, IPsec support, the new anycast packets, transition mechanisms, etc.

I want to highlight the transition mechanisms used by major technology companies like Akamai, Google or Cisco because, as network engineers, we may have to take part in migrating IPv4 networks to IPv6 in the future.
  • Dual Stack: This is the most advisable way to migrate from IPv4 to IPv6 because we can do it gradually and progressively. However, all devices must support both protocols, IPv4 and IPv6.
Dual-Stack transition mechanism
  • NAT64: This is a transition mechanism based on Address Family Translation (AFT), which is a NAT technique similar to traditional NAT for IPv4. In addition, all devices must be behind a NAT64 router.
NAT64 transition mechanism
  • 6to4 tunnel: This is another method to connect two IPv6 islands separated by IPv4, where the boundary routers build a 6to4 tunnel between each other. They use the prefix 2002::/16, in which the IPv4 tunnel endpoint address is embedded inside the IPv6 address.
Tunnel transition mechanism
  • ISATAP: The Intra-Site Automatic Tunnel Addressing Protocol is an extension of the dual-stack mechanism, because it relies on dual-stack nodes for the migration, and it also uses tunnels. However, the ISATAP mechanism is often criticized because it depends on the DNS protocol to learn the Potential Routers List (PRL). As a result, a layer 3 protocol needs a higher-layer protocol to work properly, which is a violation of network design principles.
ISATAP transition mechanism

Next, we can see an example of the 6to4 tunnel transition mechanism along with the network diagram and the configuration for Alcatel-Lucent OmniSwitch:

6to4 transition mechanism diagram
 
VLAN configuration for both switches:
vlan 40 → Backbone
vlan 50 → Acceso

Interface tagging configuration for both switches:
vlan 40 members port 1/1/10 tagged
vlan 50 members port 1/1/41 untagged

IPv4 configuration for SW1:
SW1# ip interface "intf40" address 198.51.100.137 mask 255.255.255.0 vlan 40

IPv4 configuration for SW2:
SW2# ip interface "intf40" address 198.51.100.136 mask 255.255.255.0 vlan 40

IPv6 configuration for SW1:
SW1# ipv6 interface "intf50" vlan 50
SW1# ipv6 address 2001:db8:1100:1000::/64 eui-64 "intf50"
SW1# ipv6 address 2002:c633:6489::254/16 "tunnel_6to4"
SW1# ipv6 interface "tunnel_6to4" admin-state enable

IPv6 configuration for SW2:
SW2# ipv6 interface "intf50" vlan 50
SW2# ipv6 address 2001:db8:b000::/64 eui-64 "intf50"
SW2# ipv6 address 2002:c633:6488::253/16 "tunnel_6to4"
SW2# ipv6 interface "tunnel_6to4" admin-state enable

Static route configuration for SW1:
SW1# ipv6 static-route 2001:db8:b000::/64 gateway 2002:c633:6488::253 metric 1 tunnel_6to4

Static route configuration for SW2:
SW2# ipv6 static-route 2001:db8:1100:1000::/64 gateway 2002:c633:6489::254 metric 1 tunnel_6to4

Tests:
PC1# ping6 2001:db8:b000::1
PC2# ping6 2001:db8:1100:1000::1

Once we have tested the 6to4 tunnel, we can capture network packets to see the IPv6 encapsulation across the IPv4 network:

SW1# port-monitoring 6 source 1/1/10 enable timeout 10 capture-type full

6to4 transition mechanism wireshark packet
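The 6to4 addresses in the configuration above are derived from the IPv4 tunnel endpoints, which is easy to get wrong by hand. This added Python example (not part of the post) computes each switch's 2002::/48 prefix from its IPv4 address, recovers the IPv4 endpoint embedded in a 6to4 address, and checks that each switch's tunnel address and static-route gateway agree with the IPv4 addresses of SW1 and SW2.

```python
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")


def ipv4_to_6to4_prefix(ipv4):
    """The site's 6to4 /48: bits 0-15 are 2002, bits 16-47 carry the IPv4 tunnel endpoint."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    prefix_int = int(SIX_TO_FOUR.network_address) | (v4 << 80)
    return str(ipaddress.IPv6Network((prefix_int, 48)))


def embedded_ipv4(ipv6):
    """Recover the IPv4 endpoint embedded in a 6to4 address; reject anything outside 2002::/16."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in SIX_TO_FOUR:
        raise ValueError(f"{ipv6} is not a 6to4 address")
    return str(ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF))


def check_tunnel_side(local_v4, tunnel_addr, peer_v4, route_gateway):
    """One switch is consistent when its tunnel address embeds its own IPv4 endpoint and
    the gateway of its static route embeds the peer's IPv4 endpoint."""
    return embedded_ipv4(tunnel_addr) == local_v4 and embedded_ipv4(route_gateway) == peer_v4


# The two switches of the post; the values are taken from the configuration above.
SW1 = {"v4": "198.51.100.137", "tunnel": "2002:c633:6489::254", "gateway": "2002:c633:6488::253"}
SW2 = {"v4": "198.51.100.136", "tunnel": "2002:c633:6488::253", "gateway": "2002:c633:6489::254"}

if __name__ == "__main__":
    for name, sw, peer in (("SW1", SW1, SW2), ("SW2", SW2, SW1)):
        consistent = check_tunnel_side(sw["v4"], sw["tunnel"], peer["v4"], sw["gateway"])
        print(name, ipv4_to_6to4_prefix(sw["v4"]), "consistent" if consistent else "MISMATCH")
```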
 
We have heard a lot about IPv4 addresses running out, but it seems that IPv4 is going to stay for a long time and, in the meantime, both protocols will have to coexist.

Regards my friends, and keep studying about IPv6 too because it will come.

6 March 2017

Bandwidth management is a must



We are used to having fast and reliable networks in our companies, where bandwidth management is often unnecessary because we have enough bandwidth for our users and services. However, this is not always possible, because enterprise bandwidth is expensive and budgets are limited. As a result, network engineers have to guarantee bandwidth for services like VoIP, video conferencing or mission-critical applications and manage bandwidth properly. Today there are Software-Defined WAN appliances like IWAN from Cisco or SteelConnect from Riverbed which give us application visibility, WAN and LAN optimization, traffic control, etc., to speed up and control our business network.

If we want good network performance, we should understand the enemies of Quality of Service (QoS). First of all, a lack of bandwidth is the main issue when multiple streams of voice and data traffic compete for a limited amount of bandwidth. Secondly, there are several kinds of delay that we should take into account: fixed delays, which we can't change; variable delays, which we can influence with queuing and priorities; and delay variation, known as jitter. Lastly, packet loss is something we have to manage too, by dropping or discarding the less important packets first.

Sources of Delay
 
If we want good network performance, we'll have to apply QoS policies and shaping as well. The first step is to identify the traffic and its requirements, which can be done with network analyser tools. The second step is to group the traffic into classes: for example, voice traffic into a low-latency class, or e-commerce and web browsing into a mission-critical class with guaranteed bandwidth. The last step is to define a QoS policy for each traffic class, where we set a minimum bandwidth guarantee and a maximum bandwidth limit, assign a priority to each class, and use QoS technologies such as advanced queuing to manage congestion.

Group traffic into classes
 
We have to take into account that traffic management, congestion management and congestion avoidance are not only for the WAN link but for the LAN as well. Therefore, we don't just have to install SD-WAN appliances at the border of our network; we should probably configure QoS inside our LAN too. We should know about CoS for Ethernet frames and DSCP for IPv4 packets in order to classify and mark our applications if we want to queue them into a Low Latency Queue (LLQ), Weighted Fair Queue (WFQ) or FIFO queue. It's mandatory to know how many queues the devices have and how to use them.
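The three steps above (identify, classify, define the policy) and the DSCP/CoS marking just mentioned, as an added Python example that is not from the post: sample flows are classified into the post's classes, marked with the DSCP, ToS byte and CoS a device would write, and the policy is checked so that the guarantees actually fit the link before it is pushed. Link speed, ports and bandwidth numbers are assumptions chosen for the example.

```python
LINK_KBPS = 10_000  # constructed example: a 10 Mbit/s WAN link

# Step 2 (classes) and step 3 (policy per class): minimum guarantee, maximum limit, priority
# and the queue type used. DSCP values follow the usual EF (46) for voice and AF31 (26) for
# business-critical data; the bandwidth numbers are assumptions for this example.
POLICY = {
    "voice":            {"dscp": 46, "min_kbps": 2000, "max_kbps": 3000, "priority": 1, "queue": "LLQ"},
    "mission-critical": {"dscp": 26, "min_kbps": 4000, "max_kbps": 8000, "priority": 2, "queue": "WFQ"},
    "best-effort":      {"dscp": 0,  "min_kbps": 1000, "max_kbps": LINK_KBPS, "priority": 3, "queue": "FIFO"},
}


def classify(proto, dport):
    """Step 1/2: map a flow to a class. The port ranges are assumptions for this example."""
    if proto == "udp" and 16384 <= dport <= 32767:   # RTP media of a VoIP call
        return "voice"
    if proto == "tcp" and dport in (80, 443):        # web browsing and e-commerce
        return "mission-critical"
    return "best-effort"


def mark(cls):
    """Marking for a class: DSCP is the top 6 bits of the IPv4 ToS byte, and the 802.1p CoS
    carried in the Ethernet frame is taken from the top 3 bits of the DSCP."""
    dscp = POLICY[cls]["dscp"]
    return {"dscp": dscp, "tos_byte": dscp << 2, "cos": dscp >> 3, "queue": POLICY[cls]["queue"]}


def validate_policy(policy, link_kbps):
    """Sanity checks a QoS policy must pass before it is pushed to a device."""
    problems = []
    if sum(c["min_kbps"] for c in policy.values()) > link_kbps:
        problems.append("sum of minimum guarantees exceeds the link bandwidth")
    for name, c in policy.items():
        if c["min_kbps"] > c["max_kbps"]:
            problems.append(f"{name}: minimum guarantee is above its own maximum limit")
        if c["max_kbps"] > link_kbps:
            problems.append(f"{name}: maximum limit is above the link bandwidth")
    return problems


# Constructed sample flows (protocol, destination port) as a network analyser would report them.
SAMPLE_FLOWS = [("udp", 20000), ("tcp", 443), ("tcp", 25)]

if __name__ == "__main__":
    print("policy problems:", validate_policy(POLICY, LINK_KBPS))
    for proto, dport in SAMPLE_FLOWS:
        cls = classify(proto, dport)
        print(proto, dport, "->", cls, mark(cls))
```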

On the other hand, if we have a Metro Ethernet or MAN, or we work for a network service provider, we'll have to guarantee traffic between branches or customers. Then MPLS with RSVP and RSVP-TE will be mandatory to reserve resources across the network.

Regards my friends, and remember: network traffic management is a must for big networks.
