Monitoring For Struts Exploitation

Google image search for Struts Vulnerability… fun.

After the news of a new Struts vulnerability (CVE-2017-11776) was published, I started keeping an eye on honeypot data from HoneyDB to see if it is being used in the wild. Previous Struts vulnerabilities were quickly used in mass scanning to identify, and in some cases exploit, vulnerable applications. Initially, I only observed a few probes for the new Struts vulnerability (no payloads were present in the requests), identified by the paths in the request. These paths were in published PoC exploit code, hence the association.

/struts2-showcase/showcase.action
/showcase.action
/struts3-showcase/showcase.action
/actionchaining/actionChain1.action

PoC exploit code:

While I have no significant findings to share, I can share the data collected thus far. I’ve created a basic report of all requests targeting Struts from HoneyDB data. The criterion for the report was any request containing the string “.action”, so it also includes payloads targeting previous Struts vulnerabilities. You can download this report here:

HoneyDB Payload Report-2018–08–27-Struts.pdf
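The report criterion and the probe paths above can be combined into a small triage filter for web or honeypot request logs. This is an added example, not code from HoneyDB or HoneyPy: the function names and sample lines are constructed, and the assumption that an OGNL expression opens with `${` or `%{` is mine. It inspects only the request line, so payloads carried in headers or bodies are out of scope.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Paths the post lists as seen in probes and in published PoC code.
POC_PATHS = {
    "/struts2-showcase/showcase.action",
    "/showcase.action",
    "/struts3-showcase/showcase.action",
    "/actionchaining/actionChain1.action",
}
# Assumption (not from the post): OGNL expressions open with "${" or "%{".
OGNL_MARKER = re.compile(r"[$%]\{")

def decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded markers are still visible."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(request_line):
    """Label one 'METHOD target HTTP/x' line for triage."""
    parts = request_line.split()
    if len(parts) < 2:
        return "ignore"
    target = decode(parts[1])
    if ".action" not in target.lower():   # the report's criterion
        return "ignore"
    if OGNL_MARKER.search(target):        # expression present: not a bare probe
        return "struts-payload"
    path = target.split("?", 1)[0]
    return "poc-path-probe" if path in POC_PATHS else "struts-request"

def summarize(lines):
    """Count labels across a batch of request lines."""
    return Counter(classify(line) for line in lines)

# Constructed sample request lines; PLACEHOLDER stands in for any expression.
SAMPLE = [
    "GET /struts2-showcase/showcase.action HTTP/1.1",
    "GET /index.html HTTP/1.1",
    "GET /%24%7BPLACEHOLDER%7D/actionChain1.action HTTP/1.1",
    "GET /login.action?user=a HTTP/1.1",
    "GET /%2524%257BPLACEHOLDER%257D/showcase.action HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(f"{classify(line):16} {line}")
```
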

I’ve also updated my Payloads project on GitHub with the latest unique Struts payload strings. Happy hunting!

Do you want to run your own honeypot(s) and collect data like this?

If you are interested in running your own honeypot to capture data and perform your own analysis, I have a few tools for you. HoneyPy is a low to medium interaction honeypot that can be configured to report data into HoneyDB or several other destinations. An alternative to running HoneyPy is the HoneyDB Agent; more details on getting started are here.