Apache Struts Vulnerability - How we managed to hack into the servers of three major Indian banks





Considering the impact of this vulnerability, and for security reasons, we are not revealing the names of the three banks!




Last week a new vulnerability affecting Apache Struts was reported (CVE-2017-5638). It affects the Apache Struts Jakarta Multipart parser. Apache Struts is a free and open-source framework used to build Java web applications. The vulnerability allows an unauthenticated attacker to execute code on the affected system by sending a specially crafted Content-Type HTTP header.



How is this being exploited?
When an invalid Content-Type header is parsed by the Jakarta Multipart parser, an exception is raised. The raised exception includes the invalid Content-Type header in its message. Unfortunately, if the header includes OGNL (Object Graph Navigation Language), the OGNL is evaluated before the message is returned. This allows an attacker to execute arbitrary code in the exception handler.
Fixing this bug is not a big deal: affected sites just need to upgrade to Apache Struts 2.3.32 or Apache Struts 2.5.10.1. But considering that it is a newly discovered bug and many hackers are already misusing the exploit, we tried to find out whether any online banks or similar websites were vulnerable to it.
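Because the bug is triggered by a Content-Type value that is not a valid media type and carries an OGNL expression, a defender can spot attempts in access logs without knowing any particular payload. The following is an added example, not code from the original post or from the Struts project: it assumes a constructed log format in which the request's Content-Type header is logged in double quotes, and flags entries that contain OGNL expression markers or that do not parse as a media type.

```python
import re
from typing import List, Optional, Tuple

# Substrings that mark an OGNL expression rather than a plain media type.
OGNL_MARKERS = ("%{", "${")

# A well-formed Content-Type: type/subtype followed by optional ";name=value" parameters.
VALID_CONTENT_TYPE = re.compile(
    r'^[\w!#$&^.+-]+/[\w!#$&^.+-]+(\s*;\s*[\w.-]+=("[^"]*"|[^;\s]+))*\s*$'
)

# Constructed log format (assumption for this example): ip method path "content-type".
LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) "(?P<ctype>.*)"$')

# Constructed sample lines; the addresses are documentation ranges, not real hosts.
LOG_LINES = [
    '203.0.113.5 POST /login.action "application/x-www-form-urlencoded"',
    '203.0.113.7 POST /upload.action "multipart/form-data; boundary=----abc123"',
    '198.51.100.9 POST /index.action "%{#x}"',
    '198.51.100.9 GET /index.action "-"',
    '203.0.113.8 POST /index.action "multipart/form-data boundary"',
]


def classify_content_type(value: str) -> Optional[str]:
    """Return a reason if the header looks like an attack attempt, else None."""
    if any(marker in value for marker in OGNL_MARKERS):
        return "ognl-marker"          # expression syntax has no place in a media type
    if not VALID_CONTENT_TYPE.match(value):
        return "malformed"            # the parser would raise on this value
    return None


def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (ip, path, reason) for every request whose Content-Type is suspicious."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["ctype"] == "-":
            continue                  # unparseable line, or no Content-Type was sent
        reason = classify_content_type(m["ctype"])
        if reason:
            findings.append((m["ip"], m["path"], reason))
    return findings


if __name__ == "__main__":
    for ip, path, reason in scan_log(LOG_LINES):
        print(f"{ip} {path} {reason}")
```

A malformed-but-harmless header is reported too, so the "malformed" class is a lower-confidence signal than "ognl-marker" and is best used for correlation rather than blocking.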
Banks?

We tried banks first, as securing such websites is very important. If misused by hackers, this bug can lead to large financial losses and data breaches!
To exploit Apache Struts we used a publicly available Python script.

How to find out if the website is vulnerable or not?

To find out whether a website is vulnerable, we can use a Struts vulnerability scanner, or simply search for such websites using Google dorks.
'filetype:action' - This one, after a few modifications and a Google search, gave us the URL of one of the TOP Indian banks!!

Let's call it www.vulnerablebank.com
To confirm the issue we used the script to exploit the vulnerability
AND BANG

$Shell:whoami  r00t
Root access to one of the servers of a TOP INDIAN BANK! Root access gives us permission to do almost anything to the server: take it down, read data, delete all the data, etc.!!
Let's hunt for more!!
That same day we managed to find similar bugs in two more major Indian banks!

Next one??

So what's next?
We need to REPORT and FIX these issues before someone actually hacks in to do bad stuff.
As we work voluntarily with Kerala Police Cyberdome, we contacted the Cyberdome officials to report the issue to the bank. Cyberdome officials mailed the technical details and the fix that we provided to the bank's security team. The bank's security team contacted us back and fixed the security vulnerability within a few hours!
We?

^ Just kidding :p Thank you for reading :)

Hemanth Joseph
