2014-04-30 19:07 GMT+02:00 Christopher Schultz <ch...@christopherschultz.net>:

>
> Leonardo,
>
> On 4/30/14, 12:48 PM, Leonardo Santagostini wrote:
> > I'm uploading my logfiles so they will be available when finished
> > uploading.
>
> Remember to get a thread dump while Runtime.exec() is running.
>
> You should copy the script /tmp/4.sh somewhere else so you have a copy
> in case the attacker tries to clean up after themselves. That's
> certainly what's doing the evil work.
>
> You could probably set up iptables or something to restrict outgoing
> requests so that the attack can't progress across your network.
>
> > Regarding the configuration, it's working in two other sites
> > without problem, and there is no problem putting L4 balancing with
> > haproxy.
> >
> > I have asked developers about that exploit, still without answer.
>
> You appear to be using struts2 2.1.8, which is in the range of
> versions vulnerable to this bug. There is a workaround that you can
> probably apply:
> http://struts.apache.org/release/2.3.x/docs/s2-021.html (see the last
> section on this page).

> Of course, the vulnerability doesn't allow you to simply inject code
> or anything like that: you can certainly mess around with code that is
> already available on the site, though.
>
>
I think S2-021 can be used to inject code. There is a PoC circulating
proving it.
That said, this struts version (2.1.8) is also vulnerable to
http://struts.apache.org/release/2.3.x/docs/s2-016.html which permits code
execution very easily.



> -chris

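The two advisories cited in the thread describe request shapes that can be hunted for in the Tomcat access log while the thread dump and the copy of /tmp/4.sh are being collected. The following is an added example, not code from the thread or from the Struts project: it flags a parameter whose name starts with the `action:`, `redirect:` or `redirectAction:` prefix and carries an OGNL expression marker (the S2-016 shape), and any parameter name that navigates through `class` to the class loader (the S2-021 shape). The log lines, client addresses, paths and parameter values are constructed for the example, and the `S2_021_NAME` regex is my own approximation of the idea behind the advisory's excludeParams workaround, not the advisory's text.

```python
"""Screen a Tomcat access log for the Struts 2 request shapes named in the thread.

Added example; not code from the mailing-list thread or from the Struts project.
  S2-016: a parameter whose name starts with 'action:', 'redirect:' or
          'redirectAction:' and whose name or value carries an OGNL
          expression marker ('${' or '%{').
  S2-021: a parameter name that reaches getClass(), e.g. 'class.classLoader...'
          or "foo['class']['classLoader']...".
Only GET query strings are visible in the access log; POST bodies and cookies
(also covered by S2-021) are not, so a clean result here is not a clean bill.
"""
import re
from urllib.parse import parse_qsl, urlsplit

S2_016_PREFIXES = ("action:", "redirect:", "redirectAction:")
OGNL_MARKER = re.compile(r"[$%]\{")
# 'class' as a whole navigation segment: at the start or after '.' / '[',
# optionally quoted, followed by '.', '[', ']' or the end of the name.
# Approximation of the excludeParams idea in the S2-021 workaround, not its text.
S2_021_NAME = re.compile(r"""(?:^|[.\[])['"]?[cC]lass['"]?(?:$|[.\[\]])""")

# Tomcat AccessLogValve 'common' pattern: host ident user [time] "method target proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Constructed sample; addresses, paths and values are invented for the example.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Apr/2014:12:31:02 +0200] "GET /app/index.action?redirect:%24%7B%23x%3D1%7D HTTP/1.1" 302 -
203.0.113.7 - - [30/Apr/2014:12:31:09 +0200] "GET /app/index.action?class.classLoader.x=1 HTTP/1.1" 200 512
198.51.100.4 - - [30/Apr/2014:12:32:40 +0200] "GET /app/login.action?user=bob&redirectAction=home&classic=1 HTTP/1.1" 200 1043
"""


def classify(name, value):
    """Return 'S2-016', 'S2-021' or None for one percent-decoded parameter."""
    if name.startswith(S2_016_PREFIXES) and (
        OGNL_MARKER.search(name) or OGNL_MARKER.search(value)
    ):
        return "S2-016"
    if S2_021_NAME.search(name):
        return "S2-021"
    return None


def scan_line(line):
    """Parse one access-log line; return [(advisory, client, decoded parameter name), ...]."""
    m = LOG_RE.match(line)
    if not m:
        return []
    client, _time, _method, target, _status = m.groups()
    # parse_qsl splits on '&' and '=' before percent-decoding, so a name such
    # as 'redirect:%24%7B%23x%3D1%7D' stays one parameter and decodes to
    # 'redirect:${#x=1}' rather than being split at the encoded '='.
    findings = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        tag = classify(name, value)
        if tag:
            findings.append((tag, client, name))
    return findings


def scan(lines):
    """Scan an iterable of log lines; blank and unparseable lines are skipped."""
    return [hit for line in lines if line.strip() for hit in scan_line(line)]


if __name__ == "__main__":
    for advisory, client, name in scan(SAMPLE_LOG.splitlines()):
        print(f"{advisory}\t{client}\t{name}")
```

On the constructed sample the first two lines are flagged (one S2-016, one S2-021, both from the same client) and the third is not, even though it contains `redirectAction` and `classic`: the prefix check requires the trailing colon and an OGNL marker, and the class-loader check requires `class` as a whole segment. Treat a hit as a lead to correlate with the thread dump and the preserved script, not as proof on its own, since POST bodies and cookies never reach the access log.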