Thursday, 3 April 2014

Ruleset Update: 30 critical Java / Oracle Cloud vulns published by Adam Gowdiak

CAUTION: these rules are untested, since we don't run any WebLogic Server or Oracle Cloud services, and they might break stuff. Please test carefully before deploying.

Adam Gowdiak published 30+ critical vulns and PoCs against Oracle's Java Cloud and WebLogic Server; see http://www.security-explorations.com/en/about.html

After briefly skimming through the exploit code, I came up with some rules that may detect some of the malicious access attempts.


[+] new sigs:
  42000346 :: app_server.rules     :: Possible Java-Beans-Injection
  42000347 :: web_apps.rules       :: Possible Wordpress-Plugin-Backdoor detected
  42000348 :: app_server.rules     :: Possible Java.Lang - Injection (URL-Args & POST-Body)
  42000349 :: app_server.rules     :: Possible JAR-File Upload
  42000350 :: app_server.rules     :: Possible WAR - File Upload
  42000351 :: app_server.rules     :: Possible JSP - File Upload
  42000352 :: app_server.rules     :: Properties-File Access / Upload
  42000353 :: app_server.rules     :: Content-Type x-java-serialized-object
  42000354 :: app_server.rules     :: WebLogicServer wls_deployment_internal - Access
  42000355 :: app_server.rules     :: WebLogicServer wls_internal - Access



#
# sid: 42000355 | date: 2014-04-03 - 23:00 
#
# http://www.security-explorations.com/en/SE-2013-01-press2.html
#
MainRule "str:wls_internal/" "msg:WebLogicServer wls_internal - Access" "mz:URL" "s:$UWA:8" id:42000355  ;
      
       
#
# sid: 42000354 | date: 2014-04-03 - 22:59 
#
# http://www.security-explorations.com/en/SE-2013-01-press2.html
#
MainRule "str:wls_deployment_internal/" "msg:WebLogicServer wls_deployment_internal - Access" "mz:URL" "s:$UWA:8" id:42000354  ;
      
       
#
# sid: 42000353 | date: 2014-04-03 - 22:58 
#
# http://www.security-explorations.com/en/SE-2013-01-press2.html
#
MainRule "str:x-java-serialized-object" "msg:Content-Type x-java-serialized-object" "mz:$HEADERS_VAR:Content-Type" "s:$UWA:8" id:42000353  ;
      
       
#
# sid: 42000352 | date: 2014-04-03 - 22:54 
#
# http://www.security-explorations.com/en/SE-2013-01-press2.html
#
MainRule "str:.properties" "msg:Properties-File Access / Upload" "mz:URL|FILE_EXT" "s:$UWA:8" id:42000352  ;
      
       
#
# sid: 42000351 | date: 2014-04-03 - 22:51 
#
# http://www.security-explorations.com/en/SE-2013-01-press2.html
#
MainRule "str:.jsp" "msg:Possible JSP - File Upload" "mz:FILE_EXT" "s:$UWA:8" id:42000351  ;
      
       
#
# sid: 42000350 | date: 2014-04-03 - 22:41 
#
# 
#
MainRule "str:.war" "msg:Possible WAR - File Upload" "mz:FILE_EXT" "s:$UWA:8" id:42000350  ;
      
       
#
# sid: 42000349 | date: 2014-04-03 - 22:42 
#
# 
#
MainRule "str:.jar" "msg:Possible JAR-File Upload" "mz:FILE_EXT" "s:$UWA:8" id:42000349  ;
      
       
#
# sid: 42000348 | date: 2014-04-03 - 21:57 
#
# phew! http://www.security-explorations.com/en/SE-2013-01-press2.html
#
MainRule "str:java.lang." "msg:Possible Java.Lang - Injection (URL-Args & POST-Body)" "mz:BODY|ARGS" "s:$UWA:8" id:42000348  ;
      
       
#
# sid: 42000346 | date: 2014-03-20 - 19:44 
#
# http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
# ref - sid: 42000286
#
MainRule "str:java.beans.eventhandler" "msg:Possible Java-Beans-Injection" "mz:BODY|ARGS" "s:$UWA:8" id:42000346  ;
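To sanity-check what the rules above fire on, here is an added example of mine (not part of the post, and not naxsi code) that evaluates four of them against constructed requests using a simplified model of naxsi's match zones. The $UWA blocking threshold of 8, as set by a typical CheckRule, is an assumption and is not stated in the post.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Four rules from the post, one per match zone used in the ruleset.
RULES = [
    'MainRule "str:wls_internal/" "msg:WebLogicServer wls_internal - Access" "mz:URL" "s:$UWA:8" id:42000355;',
    'MainRule "str:x-java-serialized-object" "msg:Content-Type x-java-serialized-object" "mz:$HEADERS_VAR:Content-Type" "s:$UWA:8" id:42000353;',
    'MainRule "str:.jar" "msg:Possible JAR-File Upload" "mz:FILE_EXT" "s:$UWA:8" id:42000349;',
    'MainRule "str:java.lang." "msg:Possible Java.Lang - Injection (URL-Args & POST-Body)" "mz:BODY|ARGS" "s:$UWA:8" id:42000348;',
]

def parse_rule(line):
    """Pull str/msg/mz/s/id out of one naxsi MainRule line."""
    fields = dict(re.findall(r'"(str|msg|mz|s):([^"]*)"', line))
    var, pts = fields["s"].rsplit(":", 1)
    return {"needle": fields["str"].lower(), "msg": fields["msg"], "zones": fields["mz"].split("|"),
            "score": (var, int(pts)), "id": int(re.search(r"id:(\d+)", line).group(1))}

def zone_values(req, zone):
    """Strings naxsi would inspect for a zone (simplified model; ARGS covers names and values)."""
    url = urlsplit(req["uri"])
    if zone == "URL": return [url.path]
    if zone == "ARGS": return [s for kv in parse_qsl(url.query, keep_blank_values=True) for s in kv]
    if zone == "BODY": return [req.get("body", "")]
    if zone == "FILE_EXT": return req.get("filenames", [])   # multipart upload filenames
    if zone.startswith("$HEADERS_VAR:"):
        name = zone.split(":", 1)[1].lower()
        return [v for k, v in req.get("headers", {}).items() if k.lower() == name]
    return []

def evaluate(req, rules, threshold=8):
    """Accumulate scores per variable (str: matches are case-insensitive, like naxsi);
    block when $UWA reaches the assumed CheckRule threshold."""
    scores, hits = {}, []
    for r in rules:
        if any(r["needle"] in v.lower() for z in r["zones"] for v in zone_values(req, z)):
            var, pts = r["score"]
            scores[var] = scores.get(var, 0) + pts
            hits.append(r["id"])
    return {"hits": hits, "scores": scores, "block": scores.get("$UWA", 0) >= threshold}

RULESET = [parse_rule(l) for l in RULES]

# Constructed sample requests, not captured traffic.
BENIGN = {"uri": "/console/login/LoginForm.jsp?user=alice", "headers": {"Content-Type": "application/x-www-form-urlencoded"}, "body": "pw=secret"}
SERIALIZED = {"uri": "/wls_internal/", "headers": {"Content-Type": "application/x-java-serialized-object"}, "body": ""}
JAR_UPLOAD = {"uri": "/upload?target=java.lang.Runtime", "headers": {"Content-Type": "multipart/form-data"}, "filenames": ["payload.JAR"]}
```

Note that the benign login page ends in .jsp but trips nothing, because sid 42000351 only inspects FILE_EXT (uploaded filenames), not the URL path.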
      

Comments:

  1. I have read your blog; it's very attractive and impressive. I like your blog.
