Monitoring For Struts Exploitation
After the news of a new Struts vulnerability (CVE-2017-11776) was published, I started keeping an eye on honeypot data from HoneyDB to see whether it was being used in the wild. Previous Struts vulnerabilities were quickly used in mass scanning to identify, and in some cases exploit, vulnerable applications. Initially, I only observed a few probes for the new Struts vulnerability (no payloads were present in the requests), identified by the paths in the request. These paths were in published PoC exploit code, hence the association.
PoC exploit code and background:
- jas502n/St2-057 on github.com: "St2-057 Poc Example"
- blog.atucom.net: "Yesterday a new vulnerability in certain versions of Apache Struts (2.3 - 2.3.34, 2.5 - 2.5.16) was discovered that…"
While I have no significant findings to share, I can share the data collected thus far. I’ve created a basic report of all requests targeting Struts from HoneyDB data. The criterion for the report was any request containing the string “.action”, so it will include payloads targeting previous Struts vulnerabilities as well. You can download this report here:
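The report criterion above (any request referencing a “.action” endpoint), applied to honeypot events, as an added example that is not part of the original post or of HoneyDB’s own tooling. The event field names (`remote_host`, `request`, `body`) and the sample events are constructed for the example and are not the real HoneyDB schema; it also separates bare path probes from requests that carry a query string or body, which is how the post distinguishes probes from payloads.

```python
"""Filter HoneyDB-style HTTP honeypot events for Struts-targeted requests."""
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample events in a HoneyDB-like shape (field names are assumed,
# not the real HoneyDB schema). Addresses are documentation-range placeholders.
SAMPLE_EVENTS = [
    {"remote_host": "192.0.2.10", "request": "GET /struts2-showcase/index.action HTTP/1.1", "body": ""},
    {"remote_host": "192.0.2.10", "request": "GET /index.action HTTP/1.1", "body": ""},
    {"remote_host": "192.0.2.11", "request": "GET /login.action?debug=1 HTTP/1.1", "body": ""},
    {"remote_host": "192.0.2.12", "request": "POST /upload.action HTTP/1.1", "body": "name=test"},
    {"remote_host": "192.0.2.13", "request": "GET /wp-login.php HTTP/1.1", "body": ""},
    {"remote_host": "192.0.2.14", "request": "GET /manager/html HTTP/1.1", "body": ""},
]

def parse_request_line(line):
    """Split 'METHOD target HTTP/x.y' into method, path and query string."""
    parts = line.split()
    if len(parts) < 2:
        return None
    target = urlsplit(parts[1])
    return {"method": parts[0], "path": target.path, "query": target.query}

def is_struts_request(event):
    """The post's report criterion: the request references a .action endpoint."""
    parsed = parse_request_line(event.get("request", ""))
    return bool(parsed) and ".action" in parsed["path"].lower()

def struts_report(events):
    """Tally Struts-targeted requests, separating bare probes from requests carrying data."""
    hits = [e for e in events if is_struts_request(e)]
    by_path = Counter(parse_request_line(e["request"])["path"] for e in hits)
    by_source = Counter(e.get("remote_host", "?") for e in hits)
    # A request with neither a query string nor a body is treated as a bare probe.
    with_payload = sum(
        1 for e in hits
        if parse_request_line(e["request"])["query"] or e.get("body")
    )
    return {
        "total": len(hits),
        "bare_probes": len(hits) - with_payload,
        "with_payload": with_payload,
        "by_path": by_path,
        "by_source": by_source,
    }

if __name__ == "__main__":
    print(json.dumps(struts_report(SAMPLE_EVENTS), indent=2))
```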
Do you want to run your own honeypot(s) and collect data like this?
If you are interested in running your own honeypot to capture data and perform your own analysis, I have a few tools for you. HoneyPy is a low- to medium-interaction honeypot that can be configured to report data into HoneyDB or several other destinations. An alternative to running HoneyPy is the HoneyDB Agent; more details on getting started are here.