WS FTP Remote Code Execution
Description
The following analytic is designed to detect a Remote Code Execution (RCE) vulnerability (CVE-2023-40044) in WS_FTP, a managed file transfer software by Progress. The search specifically looks for HTTP requests to the "/AHT/AhtApiService.asmx/AuthUser" URL with a status of 200, which could indicate an exploitation attempt.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Web
- Last Updated: 2023-10-01
- Author: Michael Haag, Splunk
- ID: b84e8f39-4e7b-4d4f-9e7c-fcd29a227845
Annotations
Kill Chain Phase
- Delivery
NIST
- DE.CM
CIS20
- CIS 13
CVE
| ID | Summary | CVSS |
| --- | --- | --- |
| CVE-2023-40044 | In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system. | None |
Search
| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("/AHT/AhtApiService.asmx/AuthUser") Web.status=200 Web.http_method=POST by Web.http_user_agent, Web.status, Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `ws_ftp_remote_code_execution_filter`
Macros
The SPL above uses the following Macros:
ws_ftp_remote_code_execution_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- Web.http_user_agent
- Web.status
- Web.http_method
- Web.url
- Web.url_length
- Web.src
- Web.dest
- sourcetype
How To Implement
The following analytic requires the Web datamodel. Ensure the data source is mapped correctly to it, or modify and tune the search for your data source.
Known False Positives
If WS_FTP Server is not in use, this analytic will not return results. Monitor and tune for your environment. Note that the Metasploit module only hits /AHT/ and not the full /AHT/AhtApiService.asmx/AuthUser URL, so requests from that module will not match this search.
Associated Analytic Story
RBA
| Risk Score | Impact | Confidence | Message |
| --- | --- | --- | --- |
| 72.0 | 90 | 80 | Potential WS FTP Remote Code Execution detected against URL $url$ on $dest$ from $src$ |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence / 100). The initial Confidence and Impact values are set by the analytic author.
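To show what the tstats search above matches and what it does not (including the /AHT/-only requests noted under Known False Positives), here is an added Python re-implementation of its filter, grouping and risk-score arithmetic run over constructed Web-datamodel-style events. This is example code, not part of the Splunk content or the WS_FTP product; the sample events and timestamps are made up.

```python
# Added example: emulate the SPL detection over constructed Web datamodel events.
from collections import defaultdict
from datetime import datetime, timezone

TARGET_URL = "/AHT/AhtApiService.asmx/AuthUser"
IMPACT, CONFIDENCE = 90, 80  # values from the RBA table above

# Constructed sample events using Web datamodel field names (not real traffic).
SAMPLE_EVENTS = [
    {"_time": 1696118400, "http_method": "POST", "status": 200, "url": TARGET_URL,
     "http_user_agent": "python-requests/2.31", "src": "203.0.113.10", "dest": "ftp01"},
    {"_time": 1696118460, "http_method": "POST", "status": 200, "url": TARGET_URL,
     "http_user_agent": "python-requests/2.31", "src": "203.0.113.10", "dest": "ftp01"},
    {"_time": 1696118520, "http_method": "GET", "status": 200, "url": TARGET_URL,
     "http_user_agent": "Mozilla/5.0", "src": "198.51.100.7", "dest": "ftp01"},
    {"_time": 1696118580, "http_method": "POST", "status": 500, "url": TARGET_URL,
     "http_user_agent": "curl/8.0", "src": "198.51.100.8", "dest": "ftp01"},
    # Mirrors the false-positive note: a request to /AHT/ alone does not match.
    {"_time": 1696118640, "http_method": "POST", "status": 200, "url": "/AHT/",
     "http_user_agent": "curl/8.0", "src": "198.51.100.9", "dest": "ftp01"},
]

def risk_score(impact=IMPACT, confidence=CONFIDENCE):
    """Risk Score = Impact * Confidence / 100, as stated in the RBA section."""
    return impact * confidence / 100

def detect(events):
    """Filter like the search's where clause, then group and compute count/first/last."""
    groups = defaultdict(list)
    for e in events:
        if e["url"] == TARGET_URL and e["status"] == 200 and e["http_method"] == "POST":
            key = (e["http_user_agent"], e["src"], e["dest"])
            groups[key].append(e["_time"])
    results = []
    for (ua, src, dest), times in groups.items():
        results.append({
            "http_user_agent": ua, "src": src, "dest": dest, "url": TARGET_URL,
            "count": len(times),
            "firstTime": datetime.fromtimestamp(min(times), timezone.utc).isoformat(),
            "lastTime": datetime.fromtimestamp(max(times), timezone.utc).isoformat(),
            "risk_score": risk_score(),
            "message": f"Potential WS FTP Remote Code Execution detected against URL {TARGET_URL} on {dest} from {src}",
        })
    return results

if __name__ == "__main__":
    for r in detect(SAMPLE_EVENTS):
        print(r)
```

Only the two POST requests with status 200 to the full AuthUser URL are aggregated into one result; the GET, the 500 response and the /AHT/-only request are dropped, which is the behaviour to keep in mind when tuning the filter macro.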
Reference
- https://github.com/projectdiscovery/nuclei-templates/pull/8296/files
- https://www.assetnote.io/resources/research/rce-in-progress-ws-ftp-ad-hoc-via-iis-http-modules-cve-2023-40044
- https://github.com/rapid7/metasploit-framework/pull/18414
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively, you can replay a dataset into a Splunk Attack Range.
source | version: 1