Thursday, 30 January 2014

Ruleset-Update: XXE-Vuln and Websocket-Upgrade-Detection

Ruleset Download



thanks to sensepost.com for fast support, for helping to understand the vulnerability and for providing additional information for signature-creation. remarks: we'll probably see more of this later, since the vulnerability will affect a lot more systems that use php + xml-parsing. rce'ing like it's rails-time again; the vuln-description from sensepost.com and the blogpost by r.silva are worth a read.
#
# sid: 42000341 |  date: 2014-01-31 - 00:21:19 | maker: lazydog
#
# credits:
# - sensepost.com for a nice generic vuln-analysis
#   http://sensepost.com/blog/10178.html
# - Reginaldo Silva for his blogpost about a facebook server-vuln
#   http://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution
#

MainRule "rx:<!ENTITY(.*)SYSTEM" "msg:DN WEB_SERVER possible XML/XXE-Exploitation attempt" "mz:BODY" "s:$UWA:8" id:42000341;


-----------------------------------------------

tl;dr: after checking out sec-stuff around websockets: DONT WANT (atm)

#
# sid: 42000340 |  date: 2014-01-31 - 00:21:47 | maker: lazydog
#
# Attempt to connect to a Websocket

MainRule "str:upgrade" "msg:DN APP_SERVER Websocket-Connection-Scan" "mz:$HEADERS_VAR:Connection" "s:$UWA:8" id:42000340;
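To check what the two signatures above actually fire on before deploying them, here is a small added test harness (written for this post, not Naxsi's own engine and not part of the original ruleset) that re-implements the rx/str match zones and the $UWA score over constructed sample requests. It assumes Naxsi matches case-insensitively and that a CheckRule blocks at $UWA >= 8; neither is shown in the post.

```python
import re

# Transcription of the two rules from the post into plain dicts.
# Assumption: Naxsi "rx:" and "str:" matches are case-insensitive, hence IGNORECASE / lower().
RULES = [
    {"id": 42000341, "kind": "rx", "pattern": r"<!ENTITY(.*)SYSTEM", "zone": "BODY",
     "score": 8, "msg": "DN WEB_SERVER possible XML/XXE-Exploitation attempt"},
    {"id": 42000340, "kind": "str", "pattern": "upgrade", "zone": "HEADER:connection",
     "score": 8, "msg": "DN APP_SERVER Websocket-Connection-Scan"},
]
BLOCK_THRESHOLD = 8  # assumed CheckRule "$UWA >= 8" BLOCK; the post shows no CheckRule


def zone_value(request, zone):
    """Return the part of the request that a rule's match zone (mz:) refers to."""
    if zone == "BODY":
        return request.get("body", "")
    if zone.startswith("HEADER:"):
        name = zone.split(":", 1)[1]
        return request.get("headers", {}).get(name, "")
    return ""


def rule_matches(rule, text):
    if rule["kind"] == "rx":
        return re.search(rule["pattern"], text, re.IGNORECASE) is not None
    return rule["pattern"].lower() in text.lower()


def evaluate(request):
    """Return (uwa_score, [matched rule ids], blocked) for one request."""
    score, hits = 0, []
    for rule in RULES:
        if rule_matches(rule, zone_value(request, rule["zone"])):
            score += rule["score"]
            hits.append(rule["id"])
    return score, hits, score >= BLOCK_THRESHOLD


# Constructed sample requests; header names are lower-cased as nginx exposes them.
XXE_POST = {"headers": {"content-type": "text/xml"},
            "body": '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><x>&xxe;</x>'}
BENIGN_XML = {"headers": {"content-type": "text/xml"},
              "body": '<?xml version="1.0"?><order><item id="1"/></order>'}
WS_UPGRADE = {"headers": {"connection": "Upgrade", "upgrade": "websocket"}, "body": ""}

if __name__ == "__main__":
    for name, req in [("xxe", XXE_POST), ("benign", BENIGN_XML), ("websocket", WS_UPGRADE)]:
        print(name, evaluate(req))
```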

