WS FTP Remote Code Execution

Try in Splunk Security Cloud

Description

The following analytic is designed to detect a Remote Code Execution (RCE) vulnerability (CVE-2023-40044) in WS_FTP, a managed file transfer software by Progress. The search specifically looks for HTTP requests to the "/AHT/AhtApiService.asmx/AuthUser" URL with a status of 200, which could indicate an exploitation attempt.

• Type: TTP
• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Web
• Last Updated: 2023-10-01
• Author: Michael Haag, Splunk
• ID: b84e8f39-4e7b-4d4f-9e7c-fcd29a227845

Annotations

ATT&CK

ATT&CK

ID	Technique	Tactic
T1190	Exploit Public-Facing Application	Initial Access

Kill Chain Phase

• Delivery

NIST

• DE.CM

CIS20

• CIS 13

CVE

| ID | Summary | CVSS | | ———– | ———– | ————– | | CVE-2023-40044 | In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system.  

None

Search

| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("/AHT/AhtApiService.asmx/AuthUser") Web.status=200 Web.http_method=POST by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype 
| `drop_dm_object_name("Web")` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `ws_ftp_remote_code_execution_filter`

Macros

The SPL above uses the following Macros:

• security_content_ctime

ws_ftp_remote_code_execution_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

• Web.http_user_agent
• Web.status
• Web.http_method
• Web.url
• Web.url_length
• Web.src
• Web.dest
• sourcetype

How To Implement

The following analytic requires the Web datamodel. Ensure data source is mapped correctly or modify and tune for your data source.

Known False Positives

If WS_FTP Server is not in use, this analytic will not return results. Monitor and tune for your environment. Note the MetaSploit module is focused on only hitting /AHT/ and not the full /AHT/AhtApiService.asmx/AuthUser URL.

Associated Analytic Story

• WS FTP Server Critical Vulnerabilities

RBA

Risk Score	Impact	Confidence	Message
72.0	90	80	Potential WS FTP Remote Code Execution detected against URL $url$ on $dest$ from $src$

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

• https://github.com/projectdiscovery/nuclei-templates/pull/8296/files
• https://www.assetnote.io/resources/research/rce-in-progress-ws-ftp-ad-hoc-via-iis-http-modules-cve-2023-40044
• https://github.com/rapid7/metasploit-framework/pull/18414

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1