Complete Takeover
The plugin allows a user to place files in the root path of a web server. As a result, a malicious user can upload shell scripts, malware or executables that can be used to remotely access the server and completely take over the host. The sheer number of forks of the plugin's git repository and the popularity of this component, on top of how simple the exploitation is, make this vulnerability even more critical than a risk assessment based on the technical details alone would suggest.

Using Falco for detecting jQuery File Upload vulnerability
Patching systems takes time. Finding all vulnerable components in an environment is even more complex when third-party applications may use the plugin behind the scenes, without any clear indication of its existence. This is where Falco, a behavioral detection system, can help. Falco instruments the underlying host OS to get access to a rich stream of data and evaluates rules against any system event that passes through the kernel. Falco's out-of-the-box policies will identify suspicious activity by an HTTP server. Any attempt to exploit the vulnerability above, by running a shell for example, will be detected by Falco and generate the following security event:
```
Debug Shell spawned by untrusted binary (user=<NA> shell=sh parent=apache2 cmdline=sh -c ls pcmdline=apache2 -DFOREGROUND gparent=apache2 ggparent=docker-containe aname[4]=docker-containe aname[5]=dockerd aname[6]=systemd aname[7]=<NA>)
```
Beyond the default shell-spawn detection, a rule written specifically for this CVE can flag the earlier step of the attack, an HTTP server process creating a file whose name contains ".php":

```yaml
- rule: CVE-2018-9206
  desc: >
    Unauthenticated arbitrary file upload vulnerability in Blueimp jQuery-File-Upload <= v9.22.0
  condition: >
    (proc.name in (http_server_binaries)) and
    (evt.type = creat or (evt.type = open and evt.arg.flags contains O_CREAT)) and
    (fd.name contains ".php")
  output: >
    CVE-2018-9206 - Suspicious file write by http server detected (command=%proc.cmdline connection=%fd.name)
  priority: NOTICE
  tags: [cve, security]
```
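To see exactly what the rule above does and does not catch, here is an added example (not Falco's or Sysdig's code) that re-implements the rule's three predicates in plain Python and runs them over hand-constructed syscall events. Two assumptions: the `HTTP_SERVER_BINARIES` tuple mirrors Falco's default `http_server_binaries` list (its exact contents on a given Falco version are an assumption), and the sample events, paths and command lines are constructed rather than captured. The example also goes one step beyond the page's rule: it carries a widened variant that adds `openat`/`openat2`, because on many modern libc builds the `open()` wrapper issues the `openat` syscall, which the condition as written never sees, and it shows that `fd.name contains ".php"` is a substring test, so a name like `notes.php.txt` fires too.

```python
"""Evaluate the CVE-2018-9206 Falco rule's condition against constructed events.

Added example; this is not Falco's or Sysdig's code. Falco evaluates rule
conditions on the syscall stream it captures from the kernel; this script
re-implements only the three predicates of the rule above in plain Python so
the matching logic can be exercised on hand-built sample events.

Assumptions (not from the page):
  * HTTP_SERVER_BINARIES mirrors Falco's default `http_server_binaries` list;
    its exact contents on a given Falco version are an assumption.
  * SAMPLE_EVENTS are constructed, not captured from a real host.
"""
from dataclasses import dataclass

# Assumption: mirrors the default Falco list referenced by the rule.
HTTP_SERVER_BINARIES = ("nginx", "httpd", "httpd-foregroun", "lighttpd", "apache", "apache2")


@dataclass
class Event:
    evt_type: str          # syscall name as Falco exposes it in evt.type
    proc_name: str         # proc.name
    proc_cmdline: str      # proc.cmdline, used by the rule's output
    fd_name: str           # fd.name, the path being opened or created
    flags: tuple = ()      # evt.arg.flags for open/openat/openat2


def is_http_server(ev: Event) -> bool:
    """(proc.name in (http_server_binaries))"""
    return ev.proc_name in HTTP_SERVER_BINARIES


def creates_file_page_rule(ev: Event) -> bool:
    """(evt.type = creat or (evt.type = open and evt.arg.flags contains O_CREAT)),
    exactly as the rule on the page is written."""
    return ev.evt_type == "creat" or (ev.evt_type == "open" and "O_CREAT" in ev.flags)


def creates_file_extended(ev: Event) -> bool:
    """Same predicate widened to openat/openat2: on many modern libc builds the
    open() wrapper issues the openat syscall, which the page's rule never sees."""
    return ev.evt_type == "creat" or (
        ev.evt_type in ("open", "openat", "openat2") and "O_CREAT" in ev.flags
    )


def php_in_name(ev: Event) -> bool:
    """(fd.name contains ".php") is a substring test, so "x.php.txt" also matches."""
    return ".php" in ev.fd_name


def page_rule_matches(ev: Event) -> bool:
    return is_http_server(ev) and creates_file_page_rule(ev) and php_in_name(ev)


def extended_rule_matches(ev: Event) -> bool:
    return is_http_server(ev) and creates_file_extended(ev) and php_in_name(ev)


def render_output(ev: Event) -> str:
    """Fill the rule's output template (%proc.cmdline and %fd.name)."""
    return ("CVE-2018-9206 - Suspicious file write by http server detected "
            f"(command={ev.proc_cmdline} connection={ev.fd_name})")


def evaluate(events, matcher=page_rule_matches):
    """Return the rendered alert for every event the chosen condition matches."""
    return [render_output(ev) for ev in events if matcher(ev)]


# Constructed sample events; paths and command lines are illustrative only.
SAMPLE_EVENTS = [
    # 0: apache2 creating a .php file via creat -> fires.
    Event("creat", "apache2", "apache2 -DFOREGROUND", "/var/www/html/files/cmd.php"),
    # 1: same write issued as openat(O_CREAT) -> missed by the page's rule.
    Event("openat", "apache2", "apache2 -DFOREGROUND", "/var/www/html/files/cmd2.php",
          ("O_WRONLY", "O_CREAT", "O_TRUNC")),
    # 2: nginx merely reading a .php file -> no O_CREAT, no alert.
    Event("open", "nginx", "nginx: worker process", "/var/www/html/index.php", ("O_RDONLY",)),
    # 3: php-fpm creating a .php file -> not in the http server list, no alert.
    Event("creat", "php-fpm", "php-fpm: pool www", "/var/www/html/uploads/x.php"),
    # 4: apache2 creating an image -> no ".php" in the name, no alert.
    Event("open", "apache2", "apache2 -DFOREGROUND", "/var/www/html/files/photo.jpg",
          ("O_WRONLY", "O_CREAT")),
    # 5: substring match: ".php" inside a longer name still fires.
    Event("creat", "httpd", "httpd -DFOREGROUND", "/var/www/html/files/notes.php.txt"),
]


if __name__ == "__main__":
    for line in evaluate(SAMPLE_EVENTS):
        print("page rule   :", line)
    for line in evaluate(SAMPLE_EVENTS, extended_rule_matches):
        print("with openat :", line)
```

The script is only a way to reason about the condition; on a real host the YAML rule itself goes into a rules file that Falco loads with its `-r` option, and the kernel event stream supplies the `evt.type`, `proc.name` and `fd.name` fields the Python events stand in for here. The `openat` case (event 1) is the one to check on your own platform before relying on the rule as written.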