Cymmetria has just released honeypots for the detection of two Oracle vulnerabilities that were recently made public:
- CVE-2017-10271 (Score: 7.5)
- Vulnerable: Oracle WebLogic 10.3.6.0.0, 18.104.22.168.0, 22.214.171.124.0, 126.96.36.199.0
- The honeypot will detect the reported RCE vulnerability by detecting the exploitation attempt, but will not allow commands to run or, as seen in the in-the-wild exploit, to connect home
- CVE-2018-2636 (Score: 8.1)
- Vulnerable: Oracle MICROS PoS 2.7, 2.8, 2.9
- This CVE was released on 01/17/2018
- The honeypot will detect the reported directory traversal vulnerability, and will allow attackers to find files our research shows should be in place
The two honeypots are available on Cymmetria Research’s GitHub, under the open source MIT License:
Over the next few days, we will release patches to MazeRunner Enterprise Edition and Community Edition so that as a user, you will get these new honeypots automatically. If your MazeRunner instance is not connected to the Internet, contact us directly to receive a download link for the patches.
- The Python open source honeypots will run well, but will not actually make your system vulnerable to the CVE, and may need to be modified slightly to include reporting capabilities, etc., as they are running outside of MazeRunner
- The honeypots are based on Python’s built-in HTTP server, plus custom code to detect the specific exploits
Even while developing honeypots, one must be careful with secure development. With the Oracle MICROS PoS, we unintentionally coded a directory traversal vulnerability on our own in the initial coding. Of course, it was caught and fixed in short order, but we wanted to share. It gave us an extra couple minutes of pure joy:
(To be clear: This vulnerability does not exist in the released code).
Credits: The honeypots were researched and developed by Omer Cohen and Imri Goldberg, and reviewed by Nadav Lev and Itamar Sher.