Monday, 14 December 2015

Ruleset-Update: Jenkins-Exploits, Joomla 0-Day


added some sigs against known exploits for Jenkins and WordPress;
the rules themselves can be found here:
http://spike.nginx-goodies.com/rules/

for the latest Joomla vuln + exploit (see
https://blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html)
you might want to look at 42000343
http://spike.nginx-goodies.com/rules/edit/42000343
which detects generic PHP object injection attacks.
I modified this rule to check headers now as well;
the update is already pushed to the repo


MainRule "rx:O:\d+:.*:\d+:{(s|S):\d+:.*;.*}" "msg:possible PHP Object Injection" "mz:BODY|ARGS|HEADERS" "s:$ATTACK:8" id:42000343  ;


-----------------------------

http://spike.nginx-goodies.com/rules/


[+] new sigs:
  42000443 :: web_apps.rules       :: WordPress XMLRPC Enumeration system.listMethods
  42000444 :: web_apps.rules       :: WordPress XMLRPC Enumeration system.getCapabilities
  42000445 :: app_server.rules     :: Possible Jenkins/Hudson RCE-Exploit
  42000446 :: app_server.rules     :: Jenkins User-Credentials-Access (POST)
  42000447 :: app_server.rules     :: Jenkins User-Credentials-Access (GET)
  42000448 :: app_server.rules     :: Possible Jenkins/Hudson RCE-Exploit
  42000449 :: app_server.rules     :: Possible Jenkins/Hudson RCE-Exploit (/script)


rules are available here: https://bitbucket.org/lazy_dogtown/doxi-rules

Sunday, 18 October 2015

Ruleset-Update: 42000442 Wordpress XMLRPC possible Password Brute Force and some more

just updated the doxi-rules with a rule to detect and block
WordPress password brute forcing via XML-RPC (which should be blocked anyway)

credits go to Sucuri:
https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html


MainRule "str:system.multicall" "msg:Wordpress XMLRPC possible Password Brute Force" "mz:$URL:/xmlrpc.php|BODY" "s:$ATTACK:8" id:42000442  ;

a couple of other rules have been added too, mostly JAVA.* stuff to detect generic attacks against Java-based apps, inspired by the latest Elasticsearch exploits
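As an added example (not part of the doxi-rules or of naxsi itself), the following Python models how naxsi applies the two MainRules quoted in this post and the one above it: 42000343 with its match zone extended to HEADERS, and 42000442 gated on $URL:/xmlrpc.php. It assumes that str/rx matching is case-insensitive, that a $URL: entry is an exact match on the request URI which gates the rule's other zones, and that the earlier shape of 42000343 was mz:BODY|ARGS; the requests it checks are constructed, not captured traffic.

```python
import re
from dataclasses import dataclass

# Added example for this page, not naxsi's own code: a small evaluator for the
# MainRule syntax of the doxi-rules. Modelling assumptions: str/rx matching is
# case-insensitive, "$URL:/path" is an exact match on the request URI that gates
# the rule's other zones, "$HEADERS_VAR:Name" inspects only that header, and the
# ARGS/HEADERS zones inspect both names and values.

FIELD_RE = re.compile(r'"([^"]*)"')
ID_RE = re.compile(r'\bid:(\d+)')


@dataclass
class Rule:
    rid: int
    msg: str
    kind: str        # "str" (substring) or "rx" (regex)
    pattern: str
    zones: list      # (zone, header name or None) tuples
    url_gate: str    # value of a $URL: entry, or None
    scores: dict     # counter name -> increment, e.g. {"ATTACK": 8}


def parse_mainrule(line):
    """Parse one 'MainRule "..." "..." id:N ;' line into a Rule."""
    fields = {}
    for raw in FIELD_RE.findall(line):
        key, _, val = raw.partition(":")
        fields[key] = val
    mid = ID_RE.search(line)
    kind = "rx" if "rx" in fields else "str" if "str" in fields else None
    if mid is None or kind is None or "mz" not in fields or "s" not in fields:
        raise ValueError("unsupported rule: " + line.strip())
    zones, url_gate = [], None
    for z in fields["mz"].split("|"):
        if z.startswith("$URL:"):
            url_gate = z[len("$URL:"):]
        elif z.startswith("$HEADERS_VAR:"):
            zones.append(("HEADERS_VAR", z[len("$HEADERS_VAR:"):].lower()))
        else:
            zones.append((z, None))
    scores = {}
    for s in fields["s"].split(","):
        name, _, val = s.strip().lstrip("$").partition(":")
        scores[name] = int(val)
    return Rule(int(mid.group(1)), fields.get("msg", ""), kind, fields[kind],
                zones, url_gate, scores)


def load_rules(text):
    return [parse_mainrule(ln) for ln in text.splitlines() if ln.lstrip().startswith("MainRule")]


def _matches(rule, text):
    if rule.kind == "str":
        return rule.pattern.lower() in text.lower()
    return re.search(rule.pattern, text, re.IGNORECASE) is not None


def _zone_texts(req, zone, name):
    """Yield the strings a match zone covers for one request."""
    if zone == "URL":
        yield req["url"]
    elif zone == "BODY":
        yield req.get("body", "")
    elif zone in ("ARGS", "HEADERS"):
        for k, v in req.get(zone.lower(), {}).items():
            yield k
            yield v
    elif zone == "HEADERS_VAR":
        yield from (v for k, v in req.get("headers", {}).items() if k.lower() == name)


def evaluate(rules, req):
    """Return (hits, totals): (rule id, zone) pairs and the summed score per
    counter, one increment per matching zone (a simplification of naxsi)."""
    hits, totals = [], {}
    for rule in rules:
        if rule.url_gate is not None and req["url"] != rule.url_gate:
            continue
        for zone, name in rule.zones:
            if any(_matches(rule, t) for t in _zone_texts(req, zone, name)):
                hits.append((rule.rid, zone))
                for counter, inc in rule.scores.items():
                    totals[counter] = totals.get(counter, 0) + inc
    return hits, totals


# The two rules quoted in the posts, verbatim.
PAGE_RULES = r'''
MainRule "rx:O:\d+:.*:\d+:{(s|S):\d+:.*;.*}" "msg:possible PHP Object Injection" "mz:BODY|ARGS|HEADERS" "s:$ATTACK:8" id:42000343  ;
MainRule "str:system.multicall" "msg:Wordpress XMLRPC possible Password Brute Force" "mz:$URL:/xmlrpc.php|BODY" "s:$ATTACK:8" id:42000442  ;
'''
# Assumed earlier shape of 42000343, before HEADERS was added to its match zone.
OLD_RULE_343 = r'MainRule "rx:O:\d+:.*:\d+:{(s|S):\d+:.*;.*}" "msg:possible PHP Object Injection" "mz:BODY|ARGS" "s:$ATTACK:8" id:42000343  ;'

# Constructed requests, not captured traffic.
SERIALIZED = 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}'
MULTICALL = "<methodCall><methodName>system.multicall</methodName></methodCall>"
COOKIE_REQ = {"url": "/index.php", "args": {}, "headers": {"Cookie": "sess=" + SERIALIZED}, "body": ""}
XMLRPC_REQ = {"url": "/xmlrpc.php", "args": {}, "headers": {}, "body": MULTICALL}
OTHER_URL_REQ = {"url": "/wp-login.php", "args": {}, "headers": {}, "body": MULTICALL}
BENIGN_REQ = {"url": "/index.php", "args": {"q": "order:1:2"}, "headers": {"User-Agent": "curl/7.0"}, "body": ""}

if __name__ == "__main__":
    for label, req in [("cookie", COOKIE_REQ), ("xmlrpc", XMLRPC_REQ), ("other-url", OTHER_URL_REQ), ("benign", BENIGN_REQ)]:
        print(label, evaluate(load_rules(PAGE_RULES), req))
    print("old zone set, cookie:", evaluate([parse_mainrule(OLD_RULE_343)], COOKIE_REQ))
```

Running it shows the serialized object in a Cookie header only scoring once HEADERS is in the match zone, and system.multicall in a POST body only scoring when the request URI is exactly /xmlrpc.php.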

Thursday, 16 April 2015

Ruleset-Updates: Possible IIS Integer Overflow DoS > (CVE-2015-1635) and some scanner-sigs

[+] new sigs:
  42000428 :: app_server.rules     ::  Possible IIS Integer Overflow DoS > (CVE-2015-1635)
  42000421 :: scanner.rules        :: Joomla Googlemap-Reflection - Scan
  42000422 :: web_server.rules     :: PHP 5.x User-Agent detected in Request, possible flood
  42000423 :: web_server.rules     :: PHP 4.x User-Agent detected in Request, possible flood
  42000424 :: web_server.rules     :: Acunetix PHPSensor-File-Scan
  42000425 :: scanner.rules        :: SQLiteManager - Exploit
  42000426 :: scanner.rules        :: SQLiteManager - Exploit
  42000427 :: scanner.rules        :: JMXConsole-Access

most interesting sig: 42000428  Possible IIS Integer Overflow DoS > (CVE-2015-1635)

MainRule  "str:18446744073709551615" "msg:Possible IIS Integer Overflow DoS > (CVE-2015-1635) " "mz:$HEADERS_VAR:Range" "s:$ATTACK:8" id:42000428  ;

References:
- https://technet.microsoft.com/library/security/ms15-034
- http://pastebin.com/ypURDPc4
- http://pastebin.com/BV2uePxk
- https://lists.emergingthreats.net/pipermail/emerging-sigs/2015-April/025976.html

credit goes to the Emerging Threats mailing list
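As an added example (not one of the doxi-rules): 42000428 matches the literal value 18446744073709551615 in the Range header. The following Python complements that string match with a structural check that parses the header and rejects any byte position above a ceiling, inverted ranges and malformed specs, so the decision does not rest on one literal. The 1 TiB default ceiling and the sample header values are assumptions made for this illustration.

```python
import re

# Added example, not part of the doxi-rules: a structural check of the HTTP
# Range header that complements naxsi signature 42000428. The signature matches
# the literal 18446744073709551615 (2**64 - 1); this parser rejects any byte
# position above a configurable ceiling, inverted ranges and malformed specs.
# The default ceiling (1 TiB) is an assumption, not a value from the page.

RANGE_SPEC_RE = re.compile(r"^(\d*)-(\d*)$")
DEFAULT_MAX_POSITION = 2 ** 40


def check_range_header(value, max_position=DEFAULT_MAX_POSITION):
    """Return (accepted, reason) for a Range header value such as 'bytes=0-1023'."""
    if value is None:
        return True, "no Range header"
    unit, sep, specs = value.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return False, "unsupported range unit"
    for spec in specs.split(","):
        spec = spec.strip()
        m = RANGE_SPEC_RE.match(spec)
        # "first-last", "first-" and "-suffix" are valid shapes; a bare "-" is not
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return False, "malformed range spec: " + spec
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        for pos in (first, last):
            if pos is not None and pos > max_position:
                return False, "byte position %d exceeds ceiling" % pos
        if first is not None and last is not None and first > last:
            return False, "inverted range: " + spec
    return True, "ok"


# Constructed header values for a self-check (not captured traffic).
SAMPLE_HEADERS = [
    "bytes=0-1023",
    "bytes=-500",
    "bytes=500-",
    "bytes=0-18446744073709551615",   # the value signature 42000428 keys on
    "bytes=500-100",
    "items=0-5",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print("%-32s -> %s" % (h, check_range_header(h)))
```

A check like this belongs at the reverse proxy in front of IIS, where the header is rejected before the origin parses it; the ceiling should reflect the largest object the site actually serves.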




Tuesday, 10 March 2015

Protect from ElasticSearch RCE (CVE-2015-1427) & JetLeak with Naxsi

there has been some buzz about the latest
Elasticsearch RCE vuln recently, but all exploits I've seen
so far are getting blocked if you run the naxsi_core.rules,
with high XSS/SQL scores due to the many brackets, quotes
and backslashes.

there is a generic signature in the doxi-rules that was designed to detect
such attacks against Java-based applications:


MainRule "str:java.lang." "msg:Possible Java.Lang - Injection (URL-Args & POST-Body)" "mz:BODY|ARGS" "s:$UWA:8" id:42000348  ;

sig: http://spike.nginx-goodies.com/rules/view/42000348

about the vuln:
http://www.reddit.com/r/netsec/comments/2ycwni/remote_code_execution_in_elasticsearch_cve20151427/

the POC: https://github.com/XiphosResearch/exploits/tree/master/ElasticSearch

btw and IMHO: whoever runs Elasticsearch NOT protected by firewalls and/or reverse proxies deserves to get 0wned, given the Elasticsearch vuln track record including various RCEs in the last 2 years.


-------------------------------------------

on JetLeak: whoever runs Jetty behind nginx is safe, since nginx itself
rejects the request as malformed, so no naxsi sig is needed.
Apache, btw, happily forwards the malicious request.

more info: https://8ack.de/news-der-woche/1425115452




cheers,


mex

Wednesday, 28 January 2015

Ruleset-Update: Signature for GHOST exploit-attempt in ARGS/HEADER/BODY


Credit goes to Emerging Threats; this rule is inspired by ET rule 2020327

MainRule "rx:[\d\.]{1023}" "msg:Possible GHOST exploit-attempt in ARGS/HEADER/BODY" "mz:BODY|ARGS|HEADERS" "s:$ATTACK:8" id:42000414  ;

Updates have been pushed to Doxi-Rules already:

Friday, 31 October 2014

Ruleset-Update: Reflected File Download


ruleset update with a testing signature for Reflected File Download; beware of false positives; this sig is heavily untested and might break existing downloads

for the vuln itself please read the following articles by Oren Hafif:
- Blog: Reflected File Download - A New Web Attack Vector
- Paper: Reflected File Download a New Web Attack Vector


[+] new sigs:
  42000408 :: Drupal SQLI & RCE-Exploit Attempt #2 (rx)
  42000410 :: Windows-Exe/Command - File download (cmd, bat, exe,...)

MainRule "rx:[\w*]\.(bat|cmd|vbs|wsh|vbe|wsf|hta)[\W]{0,}$" "msg:Reflected File Download / Windows-Command - File download (cmd, bat, exe,...)" "mz:URL" "s:$ATTACK:8" id:42000410  ;


sigs are already pushed and available: https://bitbucket.org/lazy_dogtown/doxi-rules/src/


cheers,


mex

Sunday, 26 October 2014

Ruleset-Update: Magento/MAGMI-Rules + MongoDB - Bypass


the following sigs are against exploitation of MAGMI, a popular Magento plugin with severe security problems (or better: a backdoor with no security at all); credits go to bui from the naxsi team for pointing me to it and to @sonassi for finding and writing about the problems

an additional signature covers a MongoDB auth bypass; please read the referenced blog post for more information.


the sigs were pushed to the repo on Wednesday last week already
https://bitbucket.org/lazy_dogtown/doxi-rules/



[+] new sigs:
  42000400 :: app_server.rules     :: MongoDB Negated Parameter Server Side JavaScript Injection Attempt
  42000401 :: web_apps.rules       :: Magento - MAGMI-Access (possible Scan)
  42000403 :: web_apps.rules       :: Magento - MAGMI - Plugin-Upload
  42000404 :: web_apps.rules       :: Magento - MAGMI - magmi_*.php - Access
  42000405 :: web_apps.rules       :: Magento - MAGMI - clearcatalog.php
  42000406 :: web_apps.rules       :: Magento - MAGMI - ajax_readlocalxml.php
  42000407 :: web_apps.rules       :: Magento - MAGMI - Access


#
# sid: 42000400 | date: 2014-10-20 - 14:31
#
# # et-inspired
# http://blog.imperva.com/2014/10/nosql-ssji-authentication-bypass.html
# https://lists.emergingthreats.net/pipermail/emerging-sigs/2014-October/024974.html
#
MainRule "str:[$ne]" "msg:MongoDB Negated Parameter Server Side JavaScript Injection Attempt" "mz:BODY|ARGS" "s:$ATTACK:8" id:42000400  ;
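As an added example (not from the page or the doxi-rules), the following Python shows why 42000400 keys on the literal "[$ne]" and what the application-side fix looks like: frameworks that decode PHP-style bracket parameters turn the key into a nested structure, so an operator-named key ends up inside the MongoDB filter unless the handler rejects it. The bracket decoder, the login-filter functions and the request bodies are constructed for this illustration.

```python
import re
from urllib.parse import parse_qsl

# Added example, not the page's own code. Frameworks that decode PHP-style
# bracket parameters turn "username[$ne]=x" into {"username": {"$ne": "x"}};
# passed unchanged into a MongoDB filter, "$ne" acts as a query operator rather
# than a value. The decoder below is a simplified model written for this page.

BRACKET_KEY_RE = re.compile(r"^([^\[]+)((?:\[[^\]]*\])+)$")


def decode_bracket_params(qs):
    """Decode 'a[b]=1&a[c]=2' into {'a': {'b': '1', 'c': '2'}}; plain keys stay scalar."""
    out = {}
    for key, value in parse_qsl(qs, keep_blank_values=True):
        m = BRACKET_KEY_RE.match(key)
        if not m:
            out[key] = value
            continue
        parts = [m.group(1)] + re.findall(r"\[([^\]]*)\]", m.group(2))
        node = out
        for p in parts[:-1]:
            if not isinstance(node.get(p), dict):
                node[p] = {}
            node = node[p]
        node[parts[-1]] = value
    return out


def has_operator_keys(value):
    """True if any key anywhere in a decoded parameter tree starts with '$'."""
    if isinstance(value, dict):
        return any(str(k).startswith("$") or has_operator_keys(v) for k, v in value.items())
    if isinstance(value, list):
        return any(has_operator_keys(v) for v in value)
    return False


def naive_login_filter(params):
    """What a vulnerable handler would send to MongoDB: decoded input used as-is."""
    return {"username": params.get("username"), "password": params.get("password")}


def safe_login_filter(params):
    """Hardened handler: operator keys are refused and credentials must be plain strings."""
    if has_operator_keys(params):
        raise ValueError("operator key in request parameters")
    user, pw = params.get("username"), params.get("password")
    if not isinstance(user, str) or not isinstance(pw, str):
        raise ValueError("credentials must be plain strings")
    return {"username": user, "password": pw}


def signature_42000400_hits(raw):
    """naxsi's str: matcher is a case-insensitive substring test on the raw body/args."""
    return "[$ne]" in raw.lower()


# Constructed request bodies (not captured traffic).
NORMAL_BODY = "username=alice&password=s3cret"
INJECTED_BODY = "username[$ne]=x&password[$ne]=x"

if __name__ == "__main__":
    for body in (NORMAL_BODY, INJECTED_BODY):
        params = decode_bracket_params(body)
        print(body, "-> sig hit:", signature_42000400_hits(body), "| naive filter:", naive_login_filter(params))
        try:
            print("  safe filter:", safe_login_filter(params))
        except ValueError as err:
            print("  safe filter rejected:", err)
```

The signature stops the request at the proxy; has_operator_keys() is the check the application itself should run on every decoded parameter tree, since the same structure can also arrive as a JSON body that never contains the literal "[$ne]".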

#
# sid: 42000407 | date: 2014-10-26 - 12:36
#
# https://twitter.com/sonassi/status/523176348458967040
# http://www.exploit-db.com/exploits/35052/
#
MainRule "str:/magmi/" "msg:Magento - MAGMI - Access" "mz:URL" "s:$ATTACK:8" id:42000407  ;
    
      
#
# sid: 42000406 | date: 2014-10-26 - 12:36
#
# https://twitter.com/sonassi/status/523176348458967040
# http://www.exploit-db.com/exploits/35052/
#
MainRule "str:/web/ajax_readlocalxml.php" "msg:Magento - MAGMI - ajax_readlocalxml.php" "mz:URL" "s:$ATTACK:8" id:42000406  ;
    
      
#
# sid: 42000405 | date: 2014-10-26 - 12:36
#
# https://twitter.com/sonassi/status/523176348458967040
# http://www.exploit-db.com/exploits/35052/
#
MainRule "str:/web/clearcatalog.php" "msg:Magento - MAGMI - clearcatalog.php" "mz:URL" "s:$ATTACK:8" id:42000405  ;
    
      
#
# sid: 42000404 | date: 2014-10-26 - 12:36
#
# https://twitter.com/sonassi/status/523176348458967040
# http://www.exploit-db.com/exploits/35052/
#
MainRule "rx:/web/magmi_([a-z]*).php" "msg:Magento - MAGMI - magmi_*.php - Access" "mz:URL" "s:$ATTACK:8" id:42000404  ;
    
      
#
# sid: 42000403 | date: 2014-10-26 - 12:37
#
# https://twitter.com/sonassi/status/523176348458967040
# http://www.exploit-db.com/exploits/35052/
#
MainRule "str:/web/plugin_upload.php" "msg:Magento - MAGMI - Plugin-Upload " "mz:URL" "s:$ATTACK:8" id:42000403  ;
    
      
#
# sid: 42000401 | date: 2014-10-26 - 12:37
#
# https://twitter.com/sonassi/status/523176348458967040
# http://www.exploit-db.com/exploits/35052/
#
MainRule "str:/web/magmi.php" "msg:Magento - MAGMI-Access (possible Scan)" "mz:URL" "s:$ATTACK:8" id:42000401  ;