Case analysis: unsafe decompression GetShell discovered while tracing an intrusion

2025-01-16 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article explains in detail a case analysis of an unsafe decompression GetShell found by tracing an intrusion to its source. The content of the article is of high quality, so the editor shares it here as a reference. I hope you will gain some understanding of the topic after reading it.

Recently, while helping a customer trace the source of an intrusion, we found that the attacker had uploaded a Webshell through the website's "ZIP decompression feature" before obtaining server permissions. The technique used is representative in both "attack payload construction" and "actual decompression path", and the industry still pays too little attention to "unsafe decompression" vulnerabilities. We therefore prepared this report, which explains the intrusion tracing and vulnerability discovery process and offers security suggestions from two angles: secure development and the Security Dog product protection scheme. We hope it benefits the industry.

It is worth noting that the CMS does have defenses in place: a JSP file cannot be written directly to the root directory of the CMS, and the attempt returns a 403 error. The attacker instead took advantage of the automatic deployment of war packages and used "directory traversal" to make the war package escape the root directory of the CMS.

I. Tracing the source of the intrusion

While on duty late at night, the operations staff of a company noticed abnormal behavior in their system. To find the cause, the customer contacted our company, and Haiqing Lab stepped in to trace and analyze the incident and provide a follow-up solution.

By looking at the Tomcat log file /logs/localhost_access_log.yyyy-MM-dd.txt, you can see that the attacker brute-forced the website's login interface (the "POST /cmscp/login.do" interface was accessed frequently), as shown in the figure.

Note: a successful brute-force attempt returns HTTP status code 302, while a failed attempt returns HTTP status code 303.
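One way to surface this pattern from the access log is sketched below. It is an added example, not part of the original investigation; it assumes Tomcat's "common" access-log pattern, and the sample lines, IP addresses, timestamps and the failure threshold are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in Tomcat's "common" access-log pattern; IPs and times are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2020:02:10:01 +0800] "POST /cmscp/login.do HTTP/1.1" 303 -
203.0.113.7 - - [01/Jan/2020:02:10:02 +0800] "POST /cmscp/login.do HTTP/1.1" 303 -
203.0.113.7 - - [01/Jan/2020:02:10:03 +0800] "POST /cmscp/login.do HTTP/1.1" 303 -
203.0.113.7 - - [01/Jan/2020:02:10:04 +0800] "POST /cmscp/login.do HTTP/1.1" 303 -
198.51.100.20 - - [01/Jan/2020:02:10:05 +0800] "POST /cmscp/login.do HTTP/1.1" 303 -
198.51.100.20 - - [01/Jan/2020:02:10:08 +0800] "POST /cmscp/login.do HTTP/1.1" 302 -
203.0.113.7 - - [01/Jan/2020:02:10:09 +0800] "POST /cmscp/login.do HTTP/1.1" 302 -
203.0.113.7 - - [01/Jan/2020:02:10:10 +0800] "GET /cmscp/login.do HTTP/1.1" 200 5120
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def find_bruteforce(log_text, path="/cmscp/login.do", min_failures=3):
    """Return {ip: {"failures": n, "success_at": timestamp or None}} for every
    client with at least min_failures failed logins (303) on the login path.
    success_at is the first 302 seen after the threshold was reached."""
    stats = defaultdict(lambda: {"failures": 0, "success_at": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected pattern
        ip, ts, method, url, status = m.groups()
        # Ignore query strings and ";jsessionid=..." path parameters.
        if method != "POST" or re.split(r"[?;]", url)[0] != path:
            continue
        entry = stats[ip]
        if status == "303":
            entry["failures"] += 1
        elif (status == "302" and entry["failures"] >= min_failures
              and entry["success_at"] is None):
            entry["success_at"] = ts
    return {ip: e for ip, e in stats.items() if e["failures"] >= min_failures}

if __name__ == "__main__":
    for ip, e in find_bruteforce(SAMPLE_LOG).items():
        print(ip, e)
```

A client that fails once and then logs in, like the second address in the sample, stays below the threshold and is not reported.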

To determine whether the attacker uploaded a website Trojan, the Webshell AI detection engine of Website Security Dog was used to scan Tomcat's webapps directory. The file "/admin/login.jsp" was identified as a Webshell (the attacker disguised the name of this Webshell), as shown in the figure.

Further manual review confirmed that the JSP file is a Webshell and that it is related to the automatic deployment of the admin.war file, as shown in the figure.

So how was this war package uploaded to the server? We continued to analyze the log files, focusing on interfaces that might provide file upload functionality. A preliminary conclusion is that the attacker used ZIP upload and ZIP decompression before using the Webshell, as shown in the figure.

We located the test5.zip file on the server that was passed to the file decompression interface. Analysis shows that the path of admin.war inside it is "test5.zip\...". The ZIP file is therefore a malicious file carefully constructed by the attacker, so that the war package is no longer extracted to the default "/uploads/1" directory but to Tomcat's "webapps" directory, as shown in the figure.

Note: how the malicious ZIP file in this article was generated

(1) Execute the following Python script to generate test5.zip:

```python
import zipfile

if __name__ == "__main__":
    try:
        binary = b'alert("helloworld")'
        # Open test5.zip in append mode with DEFLATE compression.
        zipFile = zipfile.ZipFile("test5.zip", "a", zipfile.ZIP_DEFLATED)
        info = zipfile.ZipInfo("test5.zip")
        # The entry name starts with "../", so a naive extractor writes the
        # file one level above the intended extraction directory.
        zipFile.writestr("../safedog.html", binary)
        zipFile.close()
    except IOError as e:
        raise e
```

(2) Drag the war package containing the Webshell into "test5.zip", as shown in the figure.

II. Code audit

The intrusion tracing above shows that this attack is closely tied to the CMS's "ZIP decompression interface" (GET /cmscp/core/web_file_2/unzip.do?ids={ids}&parentId={parentId}). This interface corresponds to the unzip method of WebFileUploadsController.java, as shown in the figure.

Following the unzip method, we find that its concrete implementation is in WebFileControllerAbstractor.java. When the zip file is extracted, the unzip method of the AntZipUtil class is called, as shown in the figure.

Following the unzip method of the AntZipUtil class, we find that it writes each file without checking the file name stored in the ZIP package. Code written this way leads to a directory traversal vulnerability, as shown in the figure.

At present, Haiqing Lab has submitted the vulnerability to CNVD and notified the vendor to fix it.

III. Summary

This example shows that an insecure decompression function can do great harm to the security of a website (the Spring Integration Zip development component, for example, was also found to have an "unsafe decompression vulnerability", CVE-2018-1261). If the website's business involves a decompression function, we recommend paying more attention to secure development. In addition, Security Dog also provides a corresponding product defense plan.

In terms of secure development, we recommend that developers check and restrict the following aspects when implementing decompression:

(1) whether to limit the extension of files in the package

For example: .war, .jsp, .jspx, .jsp::$DATA (only affects Windows hosts)

(2) whether to limit the actual decompression path of files in the package

(3) whether to limit the total size of files in the package (to prevent denial of service attacks caused by the package * *)

(4) whether to grant reasonable permissions to the Web application directory
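The sketch below applies checks (1) to (3) to every entry before anything is written to disk. It is an added example in Python, not the CMS's code or a Security Dog feature; the function names, the 10 MiB limit and the in-memory sample archives are assumptions made for illustration.

```python
import io
import os
import zipfile

BLOCKED_EXT = (".war", ".jsp", ".jspx")  # check (1): extensions named in the article
MAX_TOTAL = 10 * 1024 * 1024             # check (3): assumed 10 MiB budget

def check_archive(zf, dest_dir, max_total=MAX_TOTAL):
    """Return [(entry_name, reason), ...]; an empty list means every check passed."""
    root = os.path.realpath(dest_dir)
    problems, total = [], 0
    for info in zf.infolist():
        name = info.filename.replace("\\", "/")
        # Drop an NTFS stream suffix ("x.jsp::$DATA") and trailing dots/spaces.
        base = name.split("::", 1)[0].rstrip(". ").lower()
        if base.endswith(BLOCKED_EXT):
            problems.append((info.filename, "blocked extension"))
        target = os.path.realpath(os.path.join(root, name))  # check (2)
        if target != root and not target.startswith(root + os.sep):
            problems.append((info.filename, "escapes extraction directory"))
        total += info.file_size  # declared size; re-counted while writing
    if total > max_total:
        problems.append(("*", "declared size over limit"))
    return problems

def safe_extract(zip_bytes, dest_dir, max_total=MAX_TOTAL):
    """Extract all entries or none: raise ValueError if any check fails."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        problems = check_archive(zf, dest_dir, max_total)
        if problems:
            raise ValueError(problems)
        written = 0
        for info in (i for i in zf.infolist() if not i.is_dir()):
            target = os.path.join(dest_dir, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                while chunk := src.read(65536):
                    written += len(chunk)
                    if written > max_total:
                        raise ValueError("size limit exceeded while writing")
                    dst.write(chunk)
    return written

def make_zip(entries):  # helper: constructed sample archive from {name: bytes}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

Rejecting the whole archive when a single entry fails keeps a partially extracted upload from being left on disk.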

In addition, we recommend that users choose reliable and professional security products. For example, users who have installed Security Dog products automatically receive alarm messages from the system when a security incident occurs, so that they can intervene and respond as early as possible and avoid greater losses.

In terms of "Security Dog product defense", we recommend that users use the website backend protection of "Website Security Dog" and "Cloud Dog", as well as the file directory protection function of Server Dog. The web backend path protection function of Cloud Dog and Website Security Dog protects against brute-force attacks on the website backend.

The backend protection feature of Cloud Dog is shown in the figure:

The backend protection feature of Website Security Dog is shown in the figure:

Server folder directory protection function:
