Friday, December 2, 2022

RCE Demo


Setup

git clone https://github.com/sn-ravance/struts2-rce
cd struts2-rce
./mvnw clean package
docker build -t hackme .
docker run -d -p 8080:8080 hackme

Validate

Verify the site is up and running by opening a browser and going to http://localhost:8080.

Introduction

I'm going to take you through a hack that could be carried out by a moderately skilled attacker against an intentionally vulnerable application.

The purpose of this tutorial is to show you how weaknesses such as cross-site scripting, remote code execution, directory traversal and SQL injection could be exploited against a live production application.

One particular risk we will be focusing on is remote code execution or RCE for short.

Remote code execution (RCE) describes the execution of arbitrary code on a system where the attacker has no direct access to a terminal but is nonetheless able to run code or commands on the remote system.

I will also show you how Snyk can be used to identify and remediate these vulnerabilities.

Agenda

I have already set up our demo environment: a Docker container with the same vulnerability that exposed the personal data of roughly 147 million people in the Equifax breach back in 2017.

I will demonstrate the attack against that running Docker Container.

I also set up Snyk to scan the Docker container in the GitHub code repository.

I will then show how a developer can scan the code, apply the patch, and fix that vulnerability,

and finally demonstrate that the container is no longer susceptible to it.

Vulnerable

In this demo, I'll be showing the SCA (Software Composition Analysis) capabilities of Snyk, which look for known vulnerabilities in the open-source components an application depends on.

Open-source software is code released under a license that lets anyone use, modify and redistribute it, and developers pull it into their own applications as libraries and frameworks. In a typical application, 80% to 90% of the code is open-source dependencies rather than code written in-house, so that is where most of the attack surface lives.
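To show what a composition check does under the hood, here is an added example (my own illustration, not Snyk's implementation) that reads a Maven POM and flags a direct org.apache.struts dependency whose version falls inside the affected ranges of the Struts advisory quoted later in this post (2.3.x before 2.3.32, 2.5.x before 2.5.10.1). The POM text is constructed for the example and is not the struts2-rce project's own pom.xml.

```python
"""SCA-style check for the Struts 2 multipart flaw (added example, not Snyk's code).

It parses a Maven POM and reports direct org.apache.struts dependencies whose
version lies in an affected range.  A real SCA tool also resolves transitive
dependencies from the full build graph; this only reads what the POM declares.
"""
import xml.etree.ElementTree as ET

# Affected ranges as stated in the advisory: 2.3.x before 2.3.32 and
# 2.5.x before 2.5.10.1.  Each entry is [first affected, first fixed).
AFFECTED_RANGES = [
    ((2, 3), (2, 3, 32)),
    ((2, 5), (2, 5, 10, 1)),
]


def parse_version(version):
    """'2.5.10.1' -> (2, 5, 10, 1).  A qualifier such as '-SNAPSHOT' is dropped.
    Returns None for unresolved values such as '${struts2.version}'."""
    parts = tuple(int(p) for p in version.split("-")[0].split(".") if p.isdigit())
    return parts or None


def is_affected(version):
    """True if the version string falls inside an affected range.
    Tuple comparison makes (2, 5, 10) < (2, 5, 10, 1), which is what we want."""
    v = parse_version(version)
    if v is None:
        return False
    return any(low <= v < fixed for low, fixed in AFFECTED_RANGES)


def _child_text(elem, name):
    # Match on the local name so the POM namespace does not matter.
    for child in elem:
        if child.tag.rsplit("}", 1)[-1] == name:
            return (child.text or "").strip()
    return None


def struts_findings(pom_xml):
    """Return (artifactId, version) for every org.apache.struts dependency in an affected range."""
    findings = []
    for elem in ET.fromstring(pom_xml).iter():
        if elem.tag.rsplit("}", 1)[-1] != "dependency":
            continue
        group = _child_text(elem, "groupId")
        artifact = _child_text(elem, "artifactId")
        version = _child_text(elem, "version")
        if group == "org.apache.struts" and version and is_affected(version):
            findings.append((artifact, version))
    return findings


# Constructed POM fragment for the example; not the struts2-rce project's pom.xml.
VULNERABLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.5.10</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.12.0</version>
    </dependency>
  </dependencies>
</project>"""

# The same POM after the patch described later in the post.
FIXED_POM = VULNERABLE_POM.replace("<version>2.5.10</version>", "<version>2.5.10.1</version>")

if __name__ == "__main__":
    print("before:", struts_findings(VULNERABLE_POM))   # [('struts2-core', '2.5.10')]
    print("after: ", struts_findings(FIXED_POM))        # []
```

The caveat worth keeping in mind: a version declared as a property reference such as `${struts2.version}` is reported as unknown rather than safe, and the check says nothing about Struts pulled in transitively by another library, which is exactly the part a real SCA tool adds by walking the resolved dependency graph.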

Our vulnerable application in this instance is based on Apache Struts 2.

Apache Struts is a 20-year-old open-source Java framework that uses the Model-View-Controller (MVC) architecture to help developers create enterprise-ready web applications. The purpose of Struts is to separate the application logic from the presentation and database layers.

Apache Struts 2 is the second generation of the framework and it's still being used today.

However, in 2017 Equifax was breached because a patch that had been available for two months was never applied.

The vulnerability is CVE-2017-5638 (Apache Struts advisory S2-045). The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
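Because the flaw lives in how a malformed upload header ends up in an error message that Struts evaluates as an OGNL expression, the place to detect an attempt is the request headers, not the body. The script below is an added example (mine, not from the post or the Struts project) that inspects the three headers named in the advisory in a raw HTTP request. The sample requests are constructed; the "suspect" one only has the shape of the attack header and is not a working payload.

```python
"""Detect the S2-045 injection vector in raw HTTP requests (added example).

The flaw turns a malformed Content-Type (or Content-Disposition / Content-Length)
header into an error message that Struts evaluates as an OGNL expression, so a
detection looks at those headers rather than at the request body.  Sample
requests are constructed for the example; the 'suspect' one only has the shape
of the attack, it is not a working payload.
"""
import re

WATCHED_HEADERS = ("content-type", "content-disposition", "content-length")

# OGNL expression delimiters that have no business in a header value.
OGNL_MARKER = re.compile(r"[%$]\{")
# The marker reported in the in-the-wild exploitation.
CMD_MARKER = re.compile(r"#cmd\s*=", re.IGNORECASE)
# RFC 7230 token characters; a media type is token "/" token, optionally followed by parameters.
TCHAR = r"[!#$%&'*+.^_`|~0-9A-Za-z-]"
MEDIA_TYPE = re.compile(rf"^{TCHAR}+/{TCHAR}+(\s*;.*)?$")


def parse_request_headers(raw):
    """Split a raw request into (request_line, [(lower_name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def header_findings(raw):
    """Return [(header_name, reason)] for each watched header that looks like an injection attempt.

    Order matters: the explicit OGNL markers are checked first, then a stricter
    allow-list (valid media type / numeric length) catches anything else malformed.
    """
    _, headers = parse_request_headers(raw)
    findings = []
    for name, value in headers:
        if name not in WATCHED_HEADERS:
            continue
        if OGNL_MARKER.search(value):
            findings.append((name, "OGNL expression delimiter in header value"))
        elif CMD_MARKER.search(value):
            findings.append((name, "#cmd= marker in header value"))
        elif name == "content-type" and not MEDIA_TYPE.match(value):
            findings.append((name, "not a syntactically valid media type"))
        elif name == "content-length" and not value.isdigit():
            findings.append((name, "non-numeric Content-Length"))
    return findings


# Constructed samples.  BENIGN is an ordinary browser upload; SUSPECT shows the
# shape of the attack header described in the advisory, with no real payload.
BENIGN = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: localhost:8080\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAbC123\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
SUSPECT = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: localhost:8080\r\n"
    "Content-Type: %{(#_='multipart/form-data').(#cmd='id')}\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
# Same vector through Content-Length instead of Content-Type.
ODD_LENGTH = BENIGN.replace("Content-Length: 0", "Content-Length: %{7*7}")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("suspect", SUSPECT), ("odd-length", ODD_LENGTH)):
        print(label, header_findings(req))
```

The allow-list branch is the one to keep even if an attacker changes the payload: `%` is a legal token character in a media type but `{`, `(` and `'` are not, so a Content-Type that does not parse as `type/subtype` is suspicious on its own. Detection is a stop-gap, though; the fix the rest of this post walks through is moving to a Struts release at or above 2.3.32 / 2.5.10.1.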
