Wei Gao, Blog Author
Senior Security Research Engineer

Supervisord Command Injection Caught in the Wild, Now Tamed

September 13, 2017 by Wei Gao

ATI team discovers new attack patterns by cyber-criminals leveraging command injection vulnerability

This is a joint investigation with fellow Ixia Application and Threat Intelligence (ATI) researcher Mihai Vasilescu. Ixia’s ATI team recently caught attack behavior in the wild related to CVE-2017-11610, the Supervisord RPC command injection vulnerability. The vulnerability arises because the execve method of the object self.rpcinterface.supervisor.supervisord.options can be reached over RPC and will execute any command an attacker injects; alternatively, supervisor.supervisord.options.warnings.linecache.os.system can be reached and used to execute commands. Either path lets an unauthorized user execute arbitrary code on the server and, from there, exfiltrate data, deface a website, install a backdoor, and so on. Below is one of the real command execution attempts seen in the wild.

[Figure 1: An attacker attempting to execute a curl command, possibly for data exfiltration.]

Supervisor [1] is a client/server system that lets users monitor and control a number of processes on UNIX-like operating systems. Supervisor uses XML-RPC to pass a methodName and params to the server. Supervisor 3.1.2 [2] uses the class supervisor_xmlrpc_handler (supervisor/xmlrpc.py) to process RPC requests:

[Figure 2: the supervisor_xmlrpc_handler class in supervisor/xmlrpc.py]

In class supervisor_xmlrpc_handler, the traverse function walks the dotted method name part by part: for each part that does not start with an underscore, it fetches the attribute of that name from the current object (the ob parameter of the traverse method in the following code) and continues from there. Once the traverse function [3] has resolved the name, any public method reachable from ob can be executed.

[Figure 3: the traverse method of supervisor_xmlrpc_handler]

Calum Hutton, who reported the vulnerability, provided a proof of concept (PoC) using the execve method in supervisor/options.py [4].

[Figure 4: Calum Hutton's PoC using the execve method]

Phith0n [5] provides another way, using supervisor.supervisord.options.warnings.linecache.os.system in the exploit; that variant matches the attack we captured in the wild.
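As an added illustration (not code from this post, from Ixia, or from the Supervisor project) of the traversal described above and of why the dotted path Phith0n uses resolves to os.system: a toy object graph carrying the page's attribute names, with the lenient pre-fix resolution rule beside a hardened namespace.method rule. The class names and the hardened rule are assumptions, modelled on the shape of the upstream fix rather than copied from it; nothing resolved here is ever invoked.

```python
import os
import types


# Constructed stand-ins for the real objects, shaped so the attribute chain
# quoted on the page (supervisor.supervisord.options.warnings.linecache.os)
# exists. Supervisor's own code is not used here.
class Options:
    warnings = types.SimpleNamespace(linecache=types.SimpleNamespace(os=os))

class Supervisord:
    options = Options()

class SupervisorNamespace:
    """Stand-in for the registered RPC interface; its only public method is getPID."""
    supervisord = Supervisord()

    def getPID(self):
        return os.getpid()

class Root:
    supervisor = SupervisorNamespace()


def traverse_lenient(ob, method_name):
    """Pre-fix rule: getattr through every dotted part, rejecting only names that
    start with '_'. Anything reachable by attribute access becomes callable."""
    for name in method_name.split("."):
        if name.startswith("_"):
            raise LookupError(method_name)
        ob = getattr(ob, name)  # AttributeError for names that do not exist
    return ob


def traverse_strict(ob, method_name):
    """Hardened rule (assumption, modelled on the upstream fix, not copied from
    it): exactly namespace.method, no private names, and the result must be a
    bound method of the registered interface rather than an arbitrary attribute."""
    parts = method_name.split(".")
    if len(parts) != 2 or parts[1].startswith("_"):
        raise LookupError(method_name)
    func = getattr(getattr(ob, parts[0], None), parts[1], None)
    if not isinstance(func, types.MethodType):
        raise LookupError(method_name)
    return func


def exposed(resolver, method_name):
    """True if `resolver` would hand the RPC dispatcher a callable for this name."""
    try:
        return callable(resolver(Root(), method_name))
    except (LookupError, AttributeError):
        return False

DEEP = "supervisor.supervisord.options.warnings.linecache.os.system"
```

Under the lenient rule `exposed(traverse_lenient, DEEP)` is true because the chain ends at the os.system function object; under the strict rule the same name is rejected while `supervisor.getPID` still dispatches.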

To provide valuable strikes to our customers, we offer this exploit as a strike in our Ixia BreakingPoint system. The strike attempts to inject a command through an RPC request to the vulnerable target and writes the command's output into the log file.

[Figure 5: the BreakingPoint strike's RPC request]

After the command executes successfully, the strike uses the readLog method of Supervisord to read the execution result from the log.

[Figure 6: the readLog request]

[Figure 7: the execution result returned from the log]

Websites need to be protected from extremely dangerous code execution vulnerabilities. A successful code injection can compromise and damage a website beyond recovery. Present-day web infrastructure, composed of several independent software systems, has also multiplied the chance of such code injection vulnerabilities. At the same time, web infrastructures can’t always be patched as soon as a new vulnerability is found, because applying patches may require unplanned downtime. Hackers, on the other hand, face no such restrictions, and so can exploit a recently published vulnerability on any unpatched website.

This is where network and web security perimeter protection comes in handy. The security tools that front your website should be able to detect and block attempts to exploit such vulnerabilities against an unpatched website, without requiring any downtime. BreakingPoint strikes, updated regularly through your ATI subscription, come into play as a noninvasive test that validates individual security tools, or your overall network and security infrastructure, for the ability to patch, detect, and block such vulnerabilities and their variants.

Leverage Subscription Service to Stay Ahead of Attacks

The Ixia BreakingPoint Application and Threat Intelligence (ATI) Subscription provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms.

References

[1] http://supervisord.org/

[2] https://pypi.python.org/pypi/supervisor/3.1.2

[3] https://www.leavesongs.com/PENETRATION/supervisord-RCE-CVE-2017-11610.html

[4] https://blogs.securiteam.com/index.php/archives/3348

[5] https://github.com/phith0n/vulhub/tree/master/supervisor/CVE-2017-11610