HPE Software Blog: Security Research

Detecting Struts2-045 and 046 using DAST techniques

March 2017 witnessed two security advisories from Apache Struts2 – both involving a similar problem with the Jakarta-based file upload Multipart parsers (CVE-2017-5638). S2-045 addresses an issue with parsing the Content-type header on an erroneous multipart request, while S2-046 discusses the possibility of exploiting a multi-part file upload request’s content-disposition section. In both cases, it is possible to inject malicious OGNL expressions using the described attack vectors.

Our previous post explored the techniques involved in static analysis to detect these issues. In this post, we will dive into the dynamic analysis techniques to achieve the same goal.

 

 

Auditing and Bypassing Security Manager policies

During our BlackHat talk last summer, we presented a subset of the exploits we identified, based upon hundreds (200+) of identified Remote Code Execution (RCE from now on) deserialization gadgets, related to CORBA stubs. 

 

HPE Security Fortify Software Security Content 2017 Update 1

HPE Security Fortify Software Security Research (SSR) is pleased to announce the immediate availability of updates to HPE Security Fortify Secure Coding Rulepacks (English language, version 2017.1.0), HPE Security Fortify WebInspect SecureBase (available via SmartUpdate), HPE Security Fortify Application Defender, and HPE Security Fortify Premium Content. 

 

Struts2-046: A new vector

Last week a new Remote Code Execution (RCE) vulnerability affecting Struts2 was published. We already blogged about it so we will not get into the details of how Struts2 was vulnerable via the Content-Type header. Today's blog will focus on how important it is to analyze and understand bugs when they are made public. In this case, we wanted to verify that Fortify SCA was able to detect this vulnerability when scanning the involved source code (Struts2 + Apache Commons-FileUpload) but we were surprised to find out that in addition to the known attack vector via the Content-Type header, SCA also reported a different dataflow originating from the file name in the multipart request.

 

Apache Struts 2 Multipart parser vulnerability (CVE-2017-5638)

An OGNL Expression Injection vulnerability in the Jakarta Multipart parser has recently been garnering a lot of attention. The parser is used in Apache Struts 2, versions 2.3.x (2.3.5 - 2.3.32) and 2.5.x (below 2.5.10.1). The vulnerability allows a remote attacker to inject OGNL expressions using a malformed multipart request and is assigned CVE-2017-5638. This article provides a quick assessment of the vulnerability.

 

Analytics in security

Analytics—it’s a hot topic in a variety of industries, not just in security. The new form of currency is data; and with that, we can garner a plethora of information. The only things we need are time, the right set of skills, and a robust path to follow. When these traits combine, it creates a perfect triad—constructing a data analytics program that can assist existing security teams in their day-to-day activities. But is it really that easy?

 

Where's wald0: Sniffing out the Bloodhound

Detecting Active Directory enumeration will help you find malicious activity during the early phases, allowing the SOC to respond before the attackers get too far in the network. Focusing on the method of enumeration instead of the tools themselves allows defenders to deal with changes in tools and code without changing the detection mechanism.

 

HPE Security Research OSINT (OpenSource Intelligence) articles of interest – November 4, 2016

Welcome to the November 4 edition of the HPE Security Research OSINT articles of interest. This is a list of publicly available articles that we find relevant in today's security news.

 

HPE Security Research OSINT (OpenSource Intelligence) articles of interest – October 28, 2016

Welcome to the October 28th edition of the HPE Security Research OSINT articles of interest. This is a list of publicly available articles that we find relevant in today's security news.

 

Virus Bulletin 2016 presentation on GPS spoofing and countermeasures

On October the 7th, I gave a presentation at the Virus Bulletin 2016 conference held in Denver, CO about GPS spoofing attacks which can be carried out on a shoestring budget. The time for the presentation was limited and allowed me to only briefly touch on many interesting topics. One of the topics I wasn't able to talk about at the conference is advanced GPS signal overpowering methods, which is discussed in this blog.

 

HPE Security Research OSINT (OpenSource Intelligence) articles of interest – October 21, 2016

Welcome to the October 21st edition of the HPE Security Research OSINT articles of interest. This is a list of publicly available articles that we find relevant in today's security news.

 

Advanced Persistent Threats debunked: Pay attention to the man behind the curtain

The term Advanced Persistent Threat--more commonly referred to by its abbreviation, APT--has become one of the most misused terms in the information security community. Those who do not work in this realm tend to take the term at face value, usually in the context of explaining how a company’s tools are able to detect new “advanced” techniques that may be used by any type of attacker. In fact, these attackers are the “threat” referred to in the term APT.

 

HPE Security Research OSINT (OpenSource Intelligence) articles of interest – October 14, 2016

Welcome to the October 14th edition of the HPE Security Research OSINT articles of interest. This is a list of publicly available articles that we find relevant in today's security news.

 

HPE Security Research OSINT (OpenSource Intelligence) articles of interest – October 7, 2016

Welcome to the October 7th edition of the HPE Security Research OSINT articles of interest. This is a list of publicly available articles that we find relevant in today's security news.

 

HPE Security Research OSINT (OpenSource Intelligence) articles of interest – September 30, 2016

Welcome to the September 30th edition of the HPE Security Research OSINT articles of interest. This is a list of publicly available articles that we find relevant in today's security news.

 

HPE Security Research OSINT (OpenSource Intelligence) articles of interest – September 23, 2016

Welcome to the September 23rd edition of the HPE Security Research OSINT articles of interest. This is a list of publicly available articles that we find relevant in today's security news.

 

HPE Security Research OSINT (OpenSource Intelligence) articles of interest – September 16, 2016

Welcome to the September 16th edition of the HPE Security Research OSINT articles of interest. This is a list of publicly available articles that we find relevant in today's security news.

 

CryptoDrop: No Ransomware Panacea

Ransomware malware has gained rapid notoriety as the cybercrime groups codify the successful "hold-for-ransom" business model by encrypting data files of unsuspecting users.

 

 

HPE Security Research OSINT (OpenSource Intelligence) articles of interest – September 9, 2016

Welcome to the September 9th edition of the HPE Security Research OSINT articles of interest. This is a list of publicly available articles that we find relevant in today's security news.

 

HPE Security Research OSINT (OpenSource Intelligence) articles of interest – September 2, 2016

Welcome to the September 2nd edition of the HPE Security Research OSINT articles of interest. This is a list of publicly available articles that we find relevant in today's security news.
