Monday, 14 April 2014

Ruleset-Update: Contao & Typo3-Signatures


- some signatures based on a recent Contao vulnerability: https://github.com/contao/core/issues/6855
- some generic signatures to detect configuration-option injection in Contao and TYPO3



[+] new sigs:
  42000356 :: web_apps.rules       :: Contao VAR TL_* - Injection
  42000357 :: web_apps.rules       :: Contao-InstallTool-Access
  42000358 :: web_apps.rules       :: Typo3-Backend-Access
  42000359 :: web_apps.rules       :: TYPO3_CONF_* Value - Injection
  42000360 :: web_apps.rules       :: Contao-Install install.php - Access

#
# sid: 42000360 | date: 2014-04-14 - 21:23
#
# https://github.com/contao/core/issues/6855#issuecomment-39571171
#
MainRule "str:/contao/install.php" "msg:Contao-Install install.php - Access" "mz:URL" "s:$UWA:8" id:42000360  ;
     
       
#
# sid: 42000359 | date: 2014-04-14 - 21:20
#
#
#
MainRule "str:typo3_conf" "msg:TYPO3_CONF_* Value - Injection" "mz:ARGS" "s:$UWA:8" id:42000359  ;
     
       
#
# sid: 42000358 | date: 2014-04-14 - 21:15
#
# note: "str:/typo3/" in the URL zone fires on every request to the TYPO3
# backend, legitimate editor logins included; whitelist it (BasicRule wl:42000358)
# in locations where the backend is in use, or restrict those clients by IP
#
MainRule "str:/typo3/" "msg:Typo3-Backend-Access" "mz:URL" "s:$UWA:8" id:42000358  ;
     
       
#
# sid: 42000357 | date: 2014-04-14 - 21:14
#
# https://github.com/contao/check
#
MainRule "str:installer" "msg:Contao-InstallTool-Access" "mz:$ARGS_VAR:c" "s:$UWA:8" id:42000357  ;
     
       
#
# sid: 42000356 | date: 2014-04-14 - 20:43
#
# https://github.com/contao/core/issues/6855
# https://github.com/contao/core/pull/6863/files
#
# note: mz:ARGS inspects argument values only; a string carried in a parameter
# name needs a second rule with mz:ARGS|NAME. "tl_" is also a very short
# substring and hits benign input such as the locale code tl_PH
#
MainRule "str:tl_" "msg:Contao VAR TL_* - Injection" "mz:ARGS" "s:$UWA:8" id:42000356  ;


Naxsi - Stats

- text-only version: https://gist.github.com/anonymous/10679230

# 30-days - Naxsi-Stats (3 sensors, 10 domains)
# 2014-04-14

count  id         message
-----  ---------  -----------------------------
1880   1000       sql keywords
1721   1200       double dot
1646   1202       obvious probe
1420   10         10
1332   1310       [, possible js
1332   1311       ], possible js
1229   42000030   DN WEB_SERVER /proc/self - Access in URI
1028   42000316   DN SCAN WinHttpRequest - UA
1000   1100       http:// scheme
773    1001       double quote
746    1002       0x, possible hex encoding
741    1007       mysql comment (--)
739    1013       simple quote
655    1205       backslash
598    1016       mysql comment (#)
582    42000244   DN SCAN PHPMyAdmin - Scanner (2)
431    1303       html close tag
420    42000170   DN SCAN Scanner sqlmap
404    42000062   DN WEB_SERVER Generic JOOMLA-Exploit-Attempt (option=com_)
394    42000309   DN SCAN Misformed Proxy-Scan
379    1302       html open tag
291    42000261   DN WEB_SERVER possible WP-Scan (wp-login)
179    1009       equal in var, probable sql/xss
153    1314       grave accent !
148    42000313   DN SCAN Joomlas Administrator-Login-Attempt
131    42000317   DN SCAN Wordpress-UA, probably Botnet-Attack
112    12         12
97     42000262   DN WEB_SERVER possible WP-Scan (wp-admin)
94     11         11
76     42000310   DN SCAN Abnormal double http:// in HTTP header,
71     42000243   DN SCAN PHPMyAdmin - Scanner
64     1006       mysql keyword (&&)
60     42000047   DN WEB_SERVER PHPMyAdmin - Scripts/Setup-Request
60     42000071   DN WEB_APPS PHPMYADMIN setup.php - Access
56     1312       ~ character
44     42000311   DN SCAN poss. malicious Scanner using Fake UA Apache/Synapse
31     42000254   DN WEB_SERVER possible INI - File - Access
30     42000227   DN SCAN Scanner ZmEu exploit scanner
30     42000285   DN WEB_SERVER Joomla JCE-Exploit-Scan
28     1402       Content is neither mulipart/x-www-form..
26     1003       mysql comment (/*)
26     42000305   DN SCAN Possible HNAP-Exploit-Attempt
25     2          2
22     42000021   DN WEB_SERVER Tilde in URI, potential .php source disclosure vulnerability
22     42000271   DN WEB_SERVER ForumSpammer Access
22     42000319   DN SCAN Possible WHMCS - Scan
21     42000181   DN SCAN Scanner webster pro
20     42000128   DN SCAN Nessus-Scanner detected
19     1315       double encoding !
19     42000048   DN WEB_SERVER PHPINFO - in URL
18     1103       php:// scheme
17     14         14
13     42000203   DN SCAN Scanner Paros Proxy Scanner
13     42000321   DN SCAN probably Malicous UA
12     42000077   DN WEB_SERVER LIBWWW_perl-UA detected
12     42000307   DN SCAN WP-Contents/Plugins Access
8      42000082   DN WEB_SERVER Tomcat - Manager - Access
8      42000253   DN WEB_SERVER possible INC - File - Access
7      42000046   DN SCAN DFind w00tw00t GET-Requests
7      42000052   DN WEB_SERVER SVN_Repo-Access
7      42000070   DN WEB_SERVER possible sql-injection (CAST())
7      42000236   DN WEB_SERVER DoubleDot in URL
7      42000263   DN WEB_SERVER .htaccess - Access
6      1004       mysql comment (*/)
5      1010       parenthesis, probable sql/xss
5      42000002   DN APP_SERVER PHP-file-access
5      42000076   DN SCAN VTI_BIN - Access
4      42000054   DN WEB_SERVER HEX_string found
4      42000068   DN WEB_SERVER JAR - Download Request
4      42000156   DN SCAN Scanner safexplorer
3      42000003   DN APP_SERVER ASP_file access
3      42000043   DN SCAN WhatWeb Web Application Fingerprint Scanner Default User-Agent Detected
3      42000073   DN SCAN Python-urllib UA, possible Scanner
3      42000127   DN SCAN Scanner Amiga-Aweb
3      42000151   DN SCAN Scanner whatweb
2      1005       mysql keyword (|)
2      1101       https:// scheme
2      42000053   DN WEB_SERVER GIT_Repo-Access
2      42000079   DN WEB_SERVER VTI_RPC - Access
2      42000080   DN WEB_SERVER Apache ServerStatus - Access
2      42000145   DN SCAN Scanner morfeus
2      42000265   DN WEB_SERVER Plesk Apache Zeroday Remote Exploit - possible scan
2      42000306   DN SCAN Morfeus - F*cking-Scanner
1      1400       utf7/8 encoding
1      42000031   DN SCAN Muieblackcat scanner
1      42000032   DN WEB_SERVER PHP-EVAL - Attempt
1      42000049   DN WEB_SERVER PHP_SYSTEM_CMD
1      42000226   DN SCAN Scanner WITOOL SQL Injection Scan 
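How a table like the one above is produced from Naxsi's log output, as an added example that is not the script behind these statistics: Naxsi writes one NAXSI_FMT line per blocked request into the nginx error log, carrying one zoneN/idN/var_nameN triple for every rule that matched, so a per-rule count is a matter of splitting those triples and tallying the ids. The log lines below are constructed, and the message map is filled from rules visible on this page.

```python
"""Aggregate Naxsi NAXSI_FMT error-log lines into a per-rule hit count.
Added example (not the blog's tooling); the LOG_LINES are constructed."""
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed lines in nginx error_log layout. Each blocked request yields one
# NAXSI_FMT string; zoneN/idN/var_nameN repeat once per rule that matched.
LOG_LINES = """\
2014/04/14 09:12:01 [error] 4711#0: *1 NAXSI_FMT: ip=203.0.113.7&server=example.org&uri=/index.php&learning=0&vers=0.53&total_processed=120&total_blocked=3&block=1&cscore0=$SQL&score0=8&zone0=ARGS&id0=1000&var_name0=q&zone1=ARGS&id1=1013&var_name1=q, client: 203.0.113.7, server: example.org, request: "GET /index.php?q=1'%20or%20select HTTP/1.1", host: "example.org"
2014/04/14 09:12:05 [error] 4711#0: *2 NAXSI_FMT: ip=203.0.113.7&server=example.org&uri=/proc/self/environ&learning=0&vers=0.53&total_processed=121&total_blocked=4&block=1&cscore0=$UWA&score0=8&zone0=URL&id0=42000030&var_name0=, client: 203.0.113.7, server: example.org, request: "GET /proc/self/environ HTTP/1.1", host: "example.org"
2014/04/14 10:40:22 [error] 4711#0: *3 NAXSI_FMT: ip=198.51.100.2&server=shop.example.org&uri=/contao/install.php&learning=0&vers=0.53&total_processed=55&total_blocked=1&block=1&cscore0=$UWA&score0=8&zone0=URL&id0=42000360&var_name0=, client: 198.51.100.2, server: shop.example.org, request: "GET /contao/install.php HTTP/1.1", host: "shop.example.org"
2014/04/14 11:02:13 [error] 4711#0: *4 NAXSI_FMT: ip=198.51.100.2&server=shop.example.org&uri=/index.php&learning=0&vers=0.53&total_processed=56&total_blocked=2&block=1&cscore0=$SQL&score0=8&zone0=ARGS&id0=1000&var_name0=id, client: 198.51.100.2, server: shop.example.org, request: "GET /index.php?id=1%20union%20select HTTP/1.1", host: "shop.example.org"
"""

# The FMT payload is url-encoded by Naxsi, so it ends at the first space or comma.
FMT_RE = re.compile(r"NAXSI_FMT: ([^ ,]+)")

# msg: of the rules seen in these lines (naxsi_core.rules ids and local 42xxxxxx ids).
MESSAGES = {
    1000: "sql keywords",
    1013: "simple quote",
    42000030: "DN WEB_SERVER /proc/self - Access in URI",
    42000360: "Contao-Install install.php - Access",
}

def parse_fmt(line):
    """Return (ip, server, uri, [(id, zone, var_name), ...]) or None for other lines."""
    m = FMT_RE.search(line)
    if not m:
        return None
    p = parse_qs(m.group(1), keep_blank_values=True)
    hits, i = [], 0
    while f"id{i}" in p:          # walk zone0/id0/var_name0, zone1/id1/var_name1, ...
        hits.append((int(p[f"id{i}"][0]), p[f"zone{i}"][0], p.get(f"var_name{i}", [""])[0]))
        i += 1
    return p["ip"][0], p["server"][0], p["uri"][0], hits

def count_hits(lines):
    """Per-rule counter: a rule counts once for every request it matched."""
    counter = Counter()
    for line in lines:
        parsed = parse_fmt(line)
        if parsed:
            for rule_id, _zone, _var in parsed[3]:
                counter[rule_id] += 1
    return counter

def render_table(counter):
    """Same layout as the stats above; rules without a msg: show their bare id."""
    rows = ["count | id        | message", "------+-----------+-----------------------------"]
    for rule_id, n in counter.most_common():
        rows.append(f"{n:<5} | {rule_id:<9} | {MESSAGES.get(rule_id, str(rule_id))}")
    return "\n".join(rows)

if __name__ == "__main__":
    print(render_table(count_hits(LOG_LINES.splitlines())))
```

Each matched rule counts once per request, so a single probe that trips several rules (the first constructed line hits 1000 and 1013) adds to several rows; that is why counts in such a table sum to more than the number of blocked requests. Naxsi's internal rules carry no msg:, which is presumably why ids such as 10, 11 and 12 show up above with the bare number in the message column.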



Thursday, 3 April 2014

Ruleset-Update: 30 critical Java / Oracle-Cloud Vulns published by Adam Gowdiak

CAUTION: these rules are untested, since we don't run any WebLogic server or Oracle cloud services ourselves, and they might break things. Please test carefully before deploying.

Adam Gowdiak published 30+ critical vulnerabilities and PoCs against Oracle's Java Cloud and WebLogic Server; see http://www.security-explorations.com/en/about.html

After a quick skim through the exploit code I came up with some rules that may detect some of these malicious access attempts.


[+] new sigs:
  42000346 :: app_server.rules     :: Possible Java-Beans-Injection
  42000347 :: web_apps.rules       :: Possible Wordpress-Plugin-Backdoor detected
  42000348 :: app_server.rules     :: Possible Java.Lang - Injection (URL-Args & POST-Body)
  42000349 :: app_server.rules     :: Possible JAR-File Upload
  42000350 :: app_server.rules     :: Possible WAR - File Upload
  42000351 :: app_server.rules     :: Possible JSP - File Upload
  42000352 :: app_server.rules     :: Properties-File Access / Upload
  42000353 :: app_server.rules     :: Content-Type x-java-serialized-object
  42000354 :: app_server.rules     :: WebLogicServer wls_deployment_internal - Access
  42000355 :: app_server.rules     :: WebLogicServer wls_internal - Access



#
# sid: 42000355 | date: 2014-04-03 - 23:00 
#
# http://www.security-explorations.com/en/SE-2013-01-press2.html
#
MainRule "str:wls_internal/" "msg:WebLogicServer wls_internal - Access" "mz:URL" "s:$UWA:8" id:42000355  ;
      
       
#
# sid: 42000354 | date: 2014-04-03 - 22:59 
#
# http://www.security-explorations.com/en/SE-2013-01-press2.html
#
MainRule "str:wls_deployment_internal/" "msg:WebLogicServer wls_deployment_internal - Access" "mz:URL" "s:$UWA:8" id:42000354  ;
      
       
#
# sid: 42000353 | date: 2014-04-03 - 22:58 
#
# http://www.security-explorations.com/en/SE-2013-01-press2.html
#
MainRule "str:x-java-serialized-object" "msg:Content-Type x-java-serialized-object" "mz:$HEADERS_VAR:Content-Type" "s:$UWA:8" id:42000353  ;
      
       
#
# sid: 42000352 | date: 2014-04-03 - 22:54 
#
# http://www.security-explorations.com/en/SE-2013-01-press2.html
#
MainRule "str:.properties" "msg:Properties-File Access / Upload" "mz:URL|FILE_EXT" "s:$UWA:8" id:42000352  ;
      
       
#
# sid: 42000351 | date: 2014-04-03 - 22:51 
#
# http://www.security-explorations.com/en/SE-2013-01-press2.html
#
MainRule "str:.jsp" "msg:Possible JSP - File Upload" "mz:FILE_EXT" "s:$UWA:8" id:42000351  ;
      
       
#
# sid: 42000350 | date: 2014-04-03 - 22:41 
#
# 
#
MainRule "str:.war" "msg:Possible WAR - File Upload" "mz:FILE_EXT" "s:$UWA:8" id:42000350  ;
      
       
#
# sid: 42000349 | date: 2014-04-03 - 22:42 
#
# 
#
MainRule "str:.jar" "msg:Possible JAR-File Upload" "mz:FILE_EXT" "s:$UWA:8" id:42000349  ;
      
       
#
# sid: 42000348 | date: 2014-04-03 - 21:57 
#
# phew! http://www.security-explorations.com/en/SE-2013-01-press2.html
#
MainRule "str:java.lang." "msg:Possible Java.Lang - Injection (URL-Args & POST-Body)" "mz:BODY|ARGS" "s:$UWA:8" id:42000348  ;
      
       
#
# sid: 42000346 | date: 2014-03-20 - 19:44 
#
# http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
# ref - sid: 42000286
#
MainRule "str:java.beans.eventhandler" "msg:Possible Java-Beans-Injection" "mz:BODY|ARGS" "s:$UWA:8" id:42000346  ;
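To check what the rules on this page actually match before deploying them, here is a small offline evaluator for the Naxsi MainRule subset used both in the Contao/TYPO3 rules above and in the WebLogic/Java rules of this post. It is an added example, not the blog's or Naxsi's code; the requests are constructed, and the blocking threshold (a CheckRule "$UWA >= 8" BLOCK) is an assumption, since the page states only the per-rule scores. It also shows two things worth knowing before switching such rules on: mz:ARGS inspects argument values, so a string carried in a parameter name needs |NAME, and short substrings such as "tl_" also hit benign input such as the locale code tl_PH.

```python
"""Offline evaluator for the Naxsi MainRule syntax used on this page.
Added example, not code from the blog or from Naxsi itself; it models only
what these rules use: case-insensitive "str:" matches, the URL / ARGS /
BODY / HEADERS / FILE_EXT zones, $ARGS_VAR:name and $HEADERS_VAR:name
selectors, the |NAME modifier and "s:$TAG:n" scores. Requests are constructed."""
import shlex
from urllib.parse import parse_qsl, urlsplit

# A subset of the rules from the two posts, copied verbatim.
RULES_TEXT = r'''
MainRule "str:/contao/install.php" "msg:Contao-Install install.php - Access" "mz:URL" "s:$UWA:8" id:42000360 ;
MainRule "str:typo3_conf" "msg:TYPO3_CONF_* Value - Injection" "mz:ARGS" "s:$UWA:8" id:42000359 ;
MainRule "str:installer" "msg:Contao-InstallTool-Access" "mz:$ARGS_VAR:c" "s:$UWA:8" id:42000357 ;
MainRule "str:tl_" "msg:Contao VAR TL_* - Injection" "mz:ARGS" "s:$UWA:8" id:42000356 ;
MainRule "str:x-java-serialized-object" "msg:Content-Type x-java-serialized-object" "mz:$HEADERS_VAR:Content-Type" "s:$UWA:8" id:42000353 ;
MainRule "str:.jsp" "msg:Possible JSP - File Upload" "mz:FILE_EXT" "s:$UWA:8" id:42000351 ;
MainRule "str:java.lang." "msg:Possible Java.Lang - Injection (URL-Args & POST-Body)" "mz:BODY|ARGS" "s:$UWA:8" id:42000348 ;
'''

def parse_rule(line):
    """One MainRule line -> dict with id, str, zones, name_only, score."""
    rule = {"zones": [], "name_only": False, "msg": ""}
    for tok in shlex.split(line)[1:]:
        key, _, val = tok.partition(":")
        if key == "str":
            rule["str"] = val.lower()            # str: is a case-insensitive substring
        elif key == "msg":
            rule["msg"] = val
        elif key == "mz":
            parts = val.split("|")
            rule["name_only"] = "NAME" in parts  # |NAME: inspect variable names
            rule["zones"] = [p for p in parts if p != "NAME"]
        elif key == "s":
            tag, _, pts = val.rpartition(":")
            rule["score"] = (tag, int(pts))
        elif key == "id":
            rule["id"] = int(val)
    return rule

RULES = [parse_rule(l) for l in RULES_TEXT.strip().splitlines()]

def build_request(uri, headers=None, body="", uploads=()):
    """Constructed request: every zone is a list of (name, value) pairs."""
    parts = urlsplit(uri)
    return {
        "URL": [("", parts.path)],
        "ARGS": parse_qsl(parts.query, keep_blank_values=True),
        "BODY": parse_qsl(body, keep_blank_values=True),   # x-www-form-urlencoded only
        "HEADERS": list((headers or {}).items()),
        "FILE_EXT": [("", name) for name in uploads],      # names of uploaded files
    }

def zone_items(req, zone):
    """(name, value) pairs for a zone; $ZONE_VAR:name narrows to one variable."""
    if zone.startswith("$") and "_VAR:" in zone:
        base, _, wanted = zone[1:].partition("_VAR:")
        return [(n, v) for n, v in req[base] if n.lower() == wanted.lower()]
    return req[zone]

def evaluate(rules, req):
    """Return (matching rule ids, score per tag), one hit per (rule, zone, var)."""
    hits, scores = [], {}
    for rule in rules:
        for zone in rule["zones"]:
            for name, value in zone_items(req, zone):
                if rule["str"] in (name if rule["name_only"] else value).lower():
                    hits.append(rule["id"])
                    tag, pts = rule["score"]
                    scores[tag] = scores.get(tag, 0) + pts
    return hits, scores

def blocked(scores, threshold=8):
    """Assumed policy: CheckRule "$UWA >= 8" BLOCK; (not stated on the page)."""
    return scores.get("$UWA", 0) >= threshold

if __name__ == "__main__":
    java_ct = {"Content-Type": "application/x-java-serialized-object"}
    samples = {
        "install tool":   build_request("/contao/install.php"),
        "check c=":       build_request("/check/index.php?c=installer"),
        "tl_ in value":   build_request("/index.php?page=tl_demo"),
        "tl_ in name":    build_request("/index.php?tl_demo=1"),     # missed: values only
        "locale tl_PH":   build_request("/index.php?lang=tl_PH"),    # false positive
        "serialized":     build_request("/app/endpoint", headers=java_ct),
        "jsp upload":     build_request("/upload", uploads=["shell.jsp"]),
        "java.lang body": build_request("/app", body="cmd=java.lang.Runtime"),
    }
    for label, req in samples.items():
        hits, scores = evaluate(RULES, req)
        print(f"{label:15} hits={hits} scores={scores} block={blocked(scores)}")
```

Run it as a script to get one line per sample request, or paste your own rules into RULES_TEXT. Naxsi itself decodes, normalizes and splits requests in more ways than this model (multipart bodies, its internal rules, URL decoding of names and values), so treat it as a quick sanity check on the string matches and the value-versus-name question, not as a replacement for testing against a real nginx/naxsi instance.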