Hello and welcome to the Friday, March 10th, 2017 edition of the Sands and Storm Centers.

Stormcast, my name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

The Struts 2 vulnerability I mentioned yesterday is still being exploited.

If you have web applications relying on struts too, then

it is critical that you either patch struts to as soon as possible or that you apply

other countermeasures like a web application firewall. At this point, the exploit I have seen either just tests the system and checks if it's

vulnerable by echoing back a string or it's running a command like Who Am I?

In one case I observed the attacker attempting to install a well-known Linux backdoor.

Of course, these are random attacks against systems that are not vulnerable,

that are not even running Java.

If you have a vulnerable system, then you may see more targeted attacks

in addition to these random ones.

The exploit sticks pretty close to what was released as a meta-sploid module, varying the user

agent and the order of the headers.

And then we got an interesting submission from a reader with an email that was intended to attack the mail server.

Now typically when we're talking about malicious emails, we're talking about things like attachments that are executable.

In this case, the attachment was a zip file. Actually, it wasn't the content of the SIP file. It was a problem. Instead, one of the file names inside the SIP file included shell code.

Heraka is built on top of Node.js, and it is known as a high-performance mail server that's often used

in front of a regular more full-featured mail server in order to speed up mail delivery.

Now, this vulnerability was fixed back in September, an exploit was released end of January. It's a very trivial exploit, really all

you have to do is format that shell command correctly, use it as a file name, and then sip it up.

The problem here is in how Heraka actually analyzes these attachments.

...