Detection with GenAI (Part 3): Sonatype (CVE-2024-4956)

Photograph by Mike Chai (https://www.pexels.com/fr-fr/@mike-chai-285623/)

The third in a series of GenAI experiments, (now) for teaching detection and response.

With the 2025 installment of our annual Hackathon coming up, I've been asked to give a class to students at North-West University (NWU). The topic: an introduction to using GenAI to detect a path traversal vulnerability affecting Sonatype Nexus Repository.

Anyone should be able to do it, even if you have never used ChatGPT and are new to detection or prompt engineering. The challenge is designed to be accessible to kids.

2024 winners - Team Sudo SPU (picture from https://www.itweb.co.za)

In this post we will cover the following:

  1. Installation;
  2. Exploitation; &
  3. Detection.

Installation

So, one of the things I didn't consider when giving the class at SPU was that the students could not build servers in the class environment (seems so obvious now). Going forward, this series of articles (or most of them), will use Docker for the lab.

I got the install guide for Docker - from Docker - for the Debian operating system.

First, for safety, I uninstalled any conflicting packages:

for pkg in docker.io docker-doc docker-compose podman-docker containerd runc; do sudo apt-get remove $pkg; done

Then I added the GPG key:

sudo apt-get update
sudo apt-get install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc

Thereafter, I added the repository:

echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian \
  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update

Finally, I installed the latest version of Docker:

sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

Then I pulled the vulnerable software from Docker Hub:

docker pull sonatype/nexus3:3.68.0-java8

I ran the vulnerable Docker instance:

docker run -p 8081:8081 --name nexus sonatype/nexus3:3.68.0-java8

And browsed to the app:

The landing page for Sonatype Nexus Repository

Exploitation

This one (as my son would say) is easy-peasy-lemon-squeezy../../../etc/passwd.

I used CyberChef to URL encode the following (encoding special characters too):

///..//.//..///..//.././etc/passwd
CyberChef URL encoding the directory traversal payload.

Then I ran that (rain forest) puppy through curl and voilà!

Woot??? My son was right!!!

Can't be that easy,...

Wait,... what does the Shodan say?

I see you were paying attention. Below is a screenshot of (and the search parameters for) Shodan, showing the total number of Sonatype Nexus Repository servers on the internet:

Shodan search for Sonatype Nexus Repository servers

We can also check out FOFA (FOresee then Find it All):

FOFA search for vulnerable versions of Sonatype Nexus Repository servers

You may have noticed - there are more than a couple of vulnerable servers in the wild!

Detection

Get yourself your LLM of choice - I'm going to use ChatGPT:

You can get the code here:

GitHub - art-of-defence/CVE-2024-4956: Detection and exploitation scripts for CVE-2024-4956

Ok, what's the challenge?

Students should try the following exercises after the class:

  1. Code a CVE-2024-4956 exploit with the LLM;
  2. Code an Nmap NSE script using your LLM; &
  3. Build a detective control (no rules, your tool).
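A starting point for exercise 3, added here as an example and not code from the art-of-defence repository: it parses constructed access-log lines (combined log format is assumed; the real Nexus request-log layout may differ), URL-decodes each request path until it is stable, strips the slash and "/./" noise the payload relies on, and flags any request whose ".." segments would climb above the web root.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (combined log format assumed; not the Nexus request-log layout). Line 2 carries the post's payload, URL-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2025:10:00:01 +0200] "GET /repository/maven-public/ HTTP/1.1" 200 512
10.0.0.9 - - [01/Mar/2025:10:00:07 +0200] "GET /%2F%2F%2F%2E%2E%2F%2F%2E%2F%2F%2E%2E%2F%2F%2F%2E%2E%2F%2F%2E%2E%2F%2E%2Fetc%2Fpasswd HTTP/1.1" 200 1843
10.0.0.5 - - [01/Mar/2025:10:00:09 +0200] "GET /service/rest/v1/status HTTP/1.1" 200 2
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def decode_path(path: str) -> str:
    """URL-decode until stable (catches double encoding), then drop any query string."""
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.split('?', 1)[0]

def escape_depth(path: str) -> int:
    """Count how many '..' segments would climb above the web root once the
    slash and '/./' noise in the payload is stripped (4 for the post's payload)."""
    depth, escapes = 0, 0
    for seg in decode_path(path).split('/'):
        if seg in ('', '.'):
            continue          # repeated slashes and '/./' are no-ops
        if seg == '..':
            if depth == 0:
                escapes += 1  # nothing left to pop: this step leaves the root
            else:
                depth -= 1
        else:
            depth += 1
    return escapes

def detect_traversal(log_text: str):
    """Return (ip, status, decoded path, escapes) for every request that climbs above the root."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and (escapes := escape_depth(m['path'])):
            hits.append((m['ip'], int(m['status']), decode_path(m['path']), escapes))
    return hits

if __name__ == '__main__':
    for hit in detect_traversal(SAMPLE_LOG):
        print(hit)
```

A 200 status on a flagged request is the case worth paging on: it means the server answered the traversal rather than rejecting it.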

Conclusion

I'll revisit this article after the class and provide the solutions - subscribe to be notified.

As always, if I got anything wrong,...

References

Here is the list of resources that were used to perform the exercise.

FOFA Search Engine - FOFA is a cyberspace search engine. By mapping cyberspace it helps researchers and enterprises quickly match network assets, for example for vulnerability impact range analysis, application distribution statistics and application popularity ranking.
CyberChef - The Cyber Swiss Army Knife: a web app for encryption, encoding, compression and data analysis.
GitHub - art-of-defence/CVE-2024-4956 - Detection and exploitation scripts for CVE-2024-4956.