Black hats testing remote code execution zero-day vulnerability
Infosec researchers have found a "dire" zero-day in Apache Struts 2, and it's under active attack.
If you're a sysadmin running the Jakarta-based file upload Multipart parser under Apache Struts 2, Nick Biasini of Cisco's Talos advises applying the latest upgrade immediately (the Apache S2-045 advisory names Struts 2.3.32 and 2.5.10.1 as the fixed releases).
CVE-2017-5638 is documented at Rapid7’s Metasploit Framework GitHub site.
Talos's input adds urgency to getting the upgrade, because the organisation "found a high number of exploitation events. The majority of the exploitation attempts seem to be leveraging a publicly released proof of concept that is being used to run various commands".
It was Amol Sarwate, Qualys' director of engineering, who told El Reg the bug is dire because it's a "complete control" vuln. The company has released a tester that admins can run against their own systems, described here.
First reported by Chinese developer Nike Zheng, the attack sends a crafted, invalid Content-Type header to the uploader. The Jakarta Multipart parser fails on it and raises an exception; Struts builds the error message from the offending header value and passes that message through its OGNL expression evaluator, so an OGNL expression smuggled in the header runs on the server, which is what gives an unauthenticated attacker remote code execution.
Here's Talos' capture of a probe it has seen against a vulnerable system:
(Image: captured probe request, captioned "Black hats a-knocking at the door")
To see if the system is vulnerable, the probe runs whoami.
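The two passages above (the malformed Content-Type trigger, and the whoami probe Talos captured) are easy to turn into a log-side detector. What follows is an added example written for this page, not code from Talos, Qualys or the Struts project: it parses a constructed, tab-free access-log format that records the Content-Type header, and flags any request whose Content-Type either carries OGNL markers or contains "multipart/form-data" without being a well-formed multipart value (the Struts dispatcher only routes a request to the multipart parser when the header contains that string, which is why public proofs of concept embed it inside the expression). The log lines, the `#cmd` extraction regex and the abbreviated OGNL sample are all constructed for the example; the sample is deliberately incomplete and is not a working exploit.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Substrings that show up in OGNL expressions injected via Content-Type
# for CVE-2017-5638. A legitimate Content-Type value never contains them.
OGNL_MARKERS = (
    "%{", "${", "#_memberAccess", "ognl.OgnlContext", "#context[",
    "xwork2.dispatcher", "ProcessBuilder", "getRuntime(",
)

# A well-formed multipart Content-Type: the media type plus a boundary
# parameter built from the RFC 2046 boundary character set (1..70 chars).
MULTIPART_RE = re.compile(
    r"^multipart/form-data\s*;\s*boundary=[-A-Za-z0-9'()+_,./:=?]{1,70}\s*$"
)

# Public PoCs stage the shell command as (#cmd='...'); pull it out for triage.
# This pattern is an assumption about PoC style, not a Struts identifier.
CMD_RE = re.compile(r"#cmd\s*=\s*'([^']*)'")

# Constructed log format (hypothetical, not a real server's default):
#   <timestamp> <client-ip> <method> <path> "<content-type header value>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')

# Constructed sample log: one clean upload, one whoami probe (abbreviated,
# non-functional OGNL), one malformed multipart header, one unrelated GET.
SAMPLE_LOG = """\
2017-03-07T10:00:01Z 198.51.100.7 POST /app/upload.action "multipart/form-data; boundary=----WebKitFormBoundaryAbc123"
2017-03-07T10:00:02Z 203.0.113.5 POST /app/ "%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#cmd='whoami').(#p=new java.lang.ProcessBuilder({'/bin/sh','-c',#cmd}))}"
2017-03-07T10:00:03Z 192.0.2.9 POST /app/ "multipart/form-data"
2017-03-07T10:00:04Z 198.51.100.7 GET /app/index.action "application/x-www-form-urlencoded"
"""


@dataclass
class Finding:
    src: str
    path: str
    reason: str            # "ognl" or "malformed"
    command: Optional[str]  # shell command extracted from an OGNL probe, if any


def classify_content_type(value: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, command): verdict is 'clean', 'malformed' or 'ognl'."""
    if any(marker in value for marker in OGNL_MARKERS):
        m = CMD_RE.search(value)
        return "ognl", (m.group(1) if m else None)
    # Mirrors the dispatcher's check: only values containing this string
    # reach the multipart parser, so only those can trigger the bug.
    if "multipart/form-data" in value.lower() and not MULTIPART_RE.match(value):
        return "malformed", None
    return "clean", None


def scan_log(text: str) -> List[Finding]:
    """Parse each log line and report requests whose Content-Type is suspect."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        _ts, src, _method, path, ctype = m.groups()
        verdict, command = classify_content_type(ctype)
        if verdict != "clean":
            findings.append(Finding(src, path, verdict, command))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.src} {f.path} {f.reason} cmd={f.command!r}")
```

Hosts that only produce "malformed" findings deserve a look but may just be broken clients; an "ognl" finding is a probe or an exploit attempt, and the extracted command tells you whether it was reconnaissance (whoami) or a payload drop.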
The researchers have also seen malicious attacks which turn off firewall processes on the target and drop payloads: "The payloads have varied but include an IRC bouncer, a DoS bot, and a sample related to the BillGates botnet".
Talos says it's also seen attempts to drop persistent attacks into targets: "The adversary attempts to copy the file to a benign directory and then ensure that both the executable runs and that the firewall service will be disabled when the system boots." ®