This article sits closer to cyber security than to software development in its content and in part of its vocabulary, but don't be scared. I wanted to keep it very practical and give you a simple example of the kind of tool anyone can build or use in scenarios such as incident response.
Cyber-Security
I have always described cybersecurity as a moving target.
Regardless of your role in IT, as a user or simply as a consumer, there are a lot of things to be aware of when you use any product or service.
Keeping up to date is very important in this field. Podcasts, blogs and websites are a good way to access curated information, but I always recommend going to the source whenever possible (nist.gov, mitre.gov or similar organisations).
CVE
One important concept that I take for granted you are already familiar with is Common Vulnerabilities and Exposures (CVE).
In this article I will use a specific scenario: I wanted to build a script to find out whether some servers had already been compromised, rather than just whether they were affected by the vulnerability (CVE-2019-18935: link 1, link 2).
IoC
In computer forensics these pieces of evidence are called Indicators of Compromise (IoC). In this example I wanted to review IIS logs for a matching request pattern and the Windows Event Log for specific error entries.
The process could be done manually for a few log files, but as the number of logs and servers grows this is not practical.
I was looking to write something quickly that was simple to read and tweak by other colleagues, and that could be extended and scaled out for larger environments.
The relevant IoC guidance, quoted from the ACSC advisory linked in the script:

```text
Review web server request logs

Exploitation attempts involve requests to the vulnerable resource. For CVE-2019-18935 these take the form of HTTP POST requests to Telerik.Web.UI.WebResource.axd?type=rau. Malicious exploitation requests will result in a HTTP 500 Internal Server Error which web server logs can be reviewed for. An example is included below:

POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 192.0.2.1 - - 500 0 0 457

Organisations should analyse Microsoft IIS web request logs, load balancer logs or other web application logs for suspicious requests. These POST requests may be larger in size than legitimate requests due to the malicious actor uploading malicious files for the purposes of uploading a reverse shell binary. Upon log review it may be identified that requests to Telerik.Web.UI.WebResource.axd?type=rau are not an expected pattern of standard, legitimate web site use and that any requests to the above resource are worth investigating further.

Review Windows event logs

The ACSC has identified that upon successful exploitation a log entry will be created within the Application.evtx Windows event log. This log entry will have the following characteristics:

Event ID: 1309
Source: ASP.NET <version_number>
Message: Contains the following strings in addition to other error message content:
  An unhandled exception has occurred.
  Unable to cast object of type 'System.Configuration.Install.AssemblyInstaller' to type 'Telerik.Web.UI.IAsyncUploadConfiguration

Organisations should review the application event logs on vulnerable or previously vulnerable hosts for indications of Telerik exploitation. This analysis can be combined looking for associated HTTP 500 responses as identified above.
```
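The two indicators above can be checked in a way that does not depend on IIS column order or on a "500" appearing anywhere in the line. The following is an added example, not the script from this post: it parses IIS W3C logs from their `#Fields:` header, selects POST requests to the Telerik RAU handler, filters Application log Event ID 1309 entries on the cast-failure string the advisory lists, and correlates the two by time. The sample log it writes to a temp folder is constructed for illustration, and the five-minute correlation window is an assumption.

```powershell
# Added example (not the post's script). Parses IIS W3C logs from the "#Fields:" header
# and pulls ASP.NET Event ID 1309 entries naming the Telerik cast failure, then correlates them.
# The sample log below is constructed; the 5-minute window is an assumed value.

function Import-IisW3cLog {
    param([Parameter(Mandatory)][string]$Path)
    $fields = $null
    foreach ($line in Get-Content -Path $Path) {
        if ($line.StartsWith('#Fields:')) {
            $fields = $line.Substring(8).Trim() -split ' '   # column names for this log section
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if (-not $fields) { continue }                        # no header seen yet: cannot map columns
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }     # truncated or malformed line
        $entry = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $entry[$fields[$i]] = $values[$i] }
        [pscustomobject]$entry
    }
}

function Find-TelerikRauRequests {
    param([Parameter(Mandatory)][string]$LogFolder)
    foreach ($file in Get-ChildItem -Path $LogFolder -Filter '*.log' -Recurse) {
        Import-IisW3cLog -Path $file.FullName |
            Where-Object {
                $_.'cs-method' -eq 'POST' -and
                $_.'cs-uri-stem' -like '*/Telerik.Web.UI.WebResource.axd' -and
                $_.'cs-uri-query' -match '(^|&)type=rau(&|$)'
            } |
            ForEach-Object {
                [pscustomobject]@{
                    # IIS writes W3C timestamps in UTC
                    TimeUtc  = [datetime]::SpecifyKind([datetime]"$($_.date) $($_.time)", 'Utc')
                    ClientIp = $_.'c-ip'
                    Status   = [int]$_.'sc-status'
                    # cs-bytes (request size) is only present when that field is enabled in IIS
                    Bytes    = if ($_.PSObject.Properties['cs-bytes']) { [int]$_.'cs-bytes' } else { $null }
                    LogFile  = $file.Name
                }
            }
    }
}

function Find-TelerikCastEvents {
    # Event ID 1309 from ASP.NET whose message names the Telerik cast failure (the ACSC IoC)
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1309 } -ErrorAction SilentlyContinue |
        Where-Object {
            $_.ProviderName -like 'ASP.NET*' -and
            $_.Message -match 'Telerik\.Web\.UI\.IAsyncUploadConfiguration'
        }
}

# --- constructed sample IIS log using the default W3C field layout ---
$sample = @'
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-05-20 10:15:01 10.0.0.5 GET /default.aspx - 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 12
2020-05-20 10:15:42 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 192.0.2.1 - - 500 0 0 457
2020-05-20 10:16:03 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 192.0.2.1 - - 500 0 0 430
'@
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'w3c-sample'
New-Item -ItemType Directory -Path $tmp -Force | Out-Null
Set-Content -Path (Join-Path $tmp 'u_ex200520.log') -Value $sample

$requests = Find-TelerikRauRequests -LogFolder $tmp
$events   = Find-TelerikCastEvents

# Attempts are RAU POSTs answered with HTTP 500; an Event ID 1309 entry within 5 minutes
# (assumed window) of such a request is the strongest sign the attempt succeeded.
$attempts = $requests | Where-Object Status -eq 500
foreach ($ev in $events) {
    $t = $ev.TimeCreated.ToUniversalTime()     # event log times are local; compare in UTC
    $near = $attempts | Where-Object { [math]::Abs(($_.TimeUtc - $t).TotalMinutes) -le 5 }
    if ($near) { Write-Warning "Event $($ev.RecordId) at $t UTC has $(@($near).Count) matching HTTP 500 RAU requests" }
}
$attempts | Format-Table TimeUtc, ClientIp, Status, Bytes, LogFile -AutoSize
```

Legitimate sites that use RadAsyncUpload also send requests to this handler, so the filter keeps all RAU POSTs and reports the status and size per request; the HTTP 500 ones are the attempts, and only a correlated Event ID 1309 entry points at success.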
Check-CVE-2019-18935.ps1
This script is meant to be run locally. The only setting you need to change is $IISLogFolder, the folder where the IIS logs for your websites are stored.
```powershell
# Paolo Frigo, https://www.scriptinglibrary.com
# This script searches IIS logs and the Windows Event Log for
# Indicators of Compromise (IOC) described in CVE-2019-18935
# https://nvd.nist.gov/vuln/detail/CVE-2019-18935
# https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization

$IISLogFolder = "D:\Logs\"

Write-Output "ANALYSING IIS LOGS [$IISLogFolder] FOR CVE-2019-18935 EXPLOITATION ATTEMPTS."
# Every log file in the folder is read and matched against the request pattern
# from the advisory: a POST to Telerik.Web.UI.WebResource.axd answered with HTTP 500
$results = Get-ChildItem $IISLogFolder -Filter "*log" |
    ForEach-Object { Get-Content $_.FullName } |
    Select-String ".*POST \/Telerik\.Web\.UI\.WebResource\.axd.*500.*" -AllMatches
Write-Output ">> $($results.count) results found matching the pattern."
if ($results.count -gt 0){
    $results | ForEach-Object { Write-Output $_ }
}

# https://www.cyber.gov.au/acsc/view-all-content/advisories/advisory-2020-004-remote-code-execution-vulnerability-being-actively-exploited-vulnerable-versions-telerik-ui-sophisticated-actors
Write-Output "ANALYSING WINDOWS EVENT LOG ENTRIES FOR MORE INDICATORS OF SUCCESSFUL EXPLOITATION"
# Event ID 1309 (ASP.NET unhandled exception) is the entry the advisory associates with successful exploitation
$EventLogEntries = Get-EventLog -LogName Application -InstanceId 1309 -ErrorAction Ignore #-ComputerName YourIISserver # in case this script does not run locally on the web server
if ($EventLogEntries){
    $EventLogEntries | ForEach-Object { Write-Output $_ }
}
else {
    Write-Output "No results found in the Windows EventLog."
}
```
Running this script against a test file returned the following output.
```text
PS> .\Check-CVE-2019-18935.ps1
ANALYSING IIS LOGS [D:\Logs\] FOR CVE-2019-18935 EXPLOITATION ATTEMPTS.
>> 2 results found matching the pattern.
9999-99-99 99:99:99 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 192.0.2.1 - - 500 0 0 457
9999-99-99 99:99:99 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 192.0.2.1 - - 500 0 0 457
ANALYSING WINDOWS EVENT LOG ENTRIES FOR MORE INDICATORS OF SUCCESSFUL EXPLOITATION
No results found in the Windows EventLog.
```
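The script runs on one server at a time. The scale-out mentioned earlier can be done with PowerShell remoting, as in the following added example, which is not the author's script: it runs the same IIS-log check on a list of web servers with Invoke-Command and collects every hit in one table and a CSV. $Servers is an assumed list of lab host names, $IisLogFolder follows the folder convention of the script above, and the pattern assumes the default W3C field order (the line ends with sc-status sc-substatus sc-win32-status time-taken).

```powershell
# Added example (not the post's script): run the IIS-log check on several web servers
# over PowerShell remoting and gather the hits centrally. Host names are assumed.

$Servers      = @('WEB01', 'WEB02', 'WEB03')   # assumed lab host names
$IisLogFolder = 'D:\Logs\'                     # same folder convention as the script above
# Same IoC as the post (POST to the Telerik RAU handler answered with HTTP 500), but anchored
# on the last four default W3C fields so a "500" elsewhere in the line does not match.
$Pattern = 'POST /Telerik\.Web\.UI\.WebResource\.axd .* 500 \d+ \d+ \d+$'

$remoteCheck = {
    param([string]$LogFolder, [string]$Pattern)
    Get-ChildItem -Path $LogFolder -Filter '*.log' -Recurse -ErrorAction SilentlyContinue |
        Select-String -Pattern $Pattern |
        ForEach-Object {
            [pscustomobject]@{
                Server  = $env:COMPUTERNAME
                LogFile = $_.Path
                Line    = $_.LineNumber
                Entry   = $_.Line
            }
        }
}

# Remoting errors (host unreachable, WinRM disabled) are collected instead of aborting the run
$failures = @()
$hits = Invoke-Command -ComputerName $Servers -ScriptBlock $remoteCheck `
            -ArgumentList $IisLogFolder, $Pattern `
            -ErrorAction SilentlyContinue -ErrorVariable failures

foreach ($f in $failures) {
    Write-Warning "Could not check $($f.TargetObject): $($f.Exception.Message)"
}

if ($hits) {
    $hits | Sort-Object Server, LogFile, Line |
        Format-Table Server, LogFile, Line, Entry -AutoSize
    $csv = ".\Telerik-RAU-hits-$(Get-Date -Format 'yyyyMMdd-HHmm').csv"
    $hits | Select-Object Server, LogFile, Line, Entry | Export-Csv -Path $csv -NoTypeInformation
    Write-Output "$(@($hits).Count) hits written to $csv"
} else {
    Write-Output 'No matching requests on the servers that answered.'
}
```

A server that did not answer is reported as a warning rather than silently counted as clean, which matters in an incident: an unreachable host is an open question, not a negative result.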
Conclusions
I wanted to share this to give you a practical example that turning a CVE into a script is, most of the time, not that complicated.
Once again, the idea is to read the CVE, extract the requirements for your script, and build your tool as quickly as possible.
Needless to say, these types of scripts will not replace log aggregation or a good log management tool and platform.
I hope you found this article useful. This script is available on my GitHub repository.