Student: Vakaris Žilius
Mentor: Daniel Goldberg
During GSOC 2018, Vakaris worked with me on the Infection Monkey.
The Infection Monkey is an open source security tool for testing a data center’s resiliency to perimeter breaches and internal server infection. The Monkey uses various methods to self propagate across a data center and reports success to a centralized Monkey Island server.
As part of the project, Vakaris implemented a new framework for web vulnerabilities and added multiple new exploit methods using this framework. This makes it far easier for other contributors to add new exploits and gives the Infection Monkey some serious power in older networks.
A remote exploit for Struts2 jakarta multiparser RCE exploit ( CVE-2017-5638 ) PR #179
A remote exploit for Oracle WebLogic REST API (CVE-2017-10271) PR #180
And Remote code execution on HADOOP server with YARN and default settings PR #182
A new framework that all these exploits use to easily develop new web attacks PR #159
SSH key stealing, allowing the Monkey to propagate in networks that use SSH keys for authentication. PR #138
As part of this work, Vakaris identified and fixed dozens of small bugs spread across multiple features.
From this work we identified issues we’d like to solve in the future like
It’s still really hard to add new exploits, as it requires adding code to multiple ancillary files like the report generation mechanism.
Python 2.7 is going to die and new useful libraries are Python 3 only, so we’ll need to migrate the code
I can’t say that any task was particularly more challenging than the rest, because my competence grew at the same pace as task difficulty did.
Small bugfix and ssh key stealing: Most challenging thing was the codebase. Python, NoSQL database and network communications were topics where I had none real-world experience.
Struts2: The most challenging thing there was setting up exploitable environment.
Web RCE exploit implementation framework: It was challenging to predict and prepare for all possible implementations of these types of exploit. A lot of refactoring and discussions about code happened until the final pull request was merged.
Weblogic: This vulnerability was harder to implement, because it was a blind exploit, meaning no feedback in case of success.
Hadoop: Setting up hadoop on windows was notably harder than any other vulnerable server I’ve done.
What I learned:
Solid introduction to python
Basics of network and web server debugging
Improved my knowledge of git
A bit about web security