Thursday, 17 July 2014

Ruleset update: RosettaFlash + some Java-Serialized-Object POST sigs

Most interesting is probably the RosettaFlash sig; @mikispag helped me get the regex right.

btw, there is also a Rails update available addressing that issue (https://github.com/rails/rails/pull/16109), but there is no official note on the Rails security mailing list yet.


New signatures are available and have been pushed to the repo: https://bitbucket.org/lazy_dogtown/doxi-rules/src




[+] new sigs:
  42000385 :: app_server.rules     :: RosettaFlash JSONP-Exploit callback=CWS
  42000381 :: web_server.rules     :: Meterpreter-UA detected
  42000382 :: web_server.rules     :: local File access via file://
  42000383 :: app_server.rules     :: JAVA-Serialized-Object POST
  42000384 :: app_server.rules     :: JAVA-Serialized-Object POST / Class=*

--------------------------------------------------


#
# sid: 42000385 | date: 2014-07-17 - 09:45
#
# http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
# http://miki.it/RosettaFlash/RosettaFlash.pdf
# http://quaxio.com/jsonp_handcrafted_flash_files/
#
# credits to @mikispag, who helped me get the regex right
#
# "CWS" = compressed-SWF magic, then 5 alphanumeric header bytes (version + length),
# then "hC" = the all-alphanumeric zlib header the Rosetta Flash paper uses, then
# the deflate body; matched only against the URL-decoded "callback" argument
#
MainRule "rx:^CWS\w{5}hC\w{50,}" "msg:RosettaFlash JSONP-Exploit callback=CWS" "mz:$ARGS_VAR:callback" "s:$ATTACK:8" id:42000385  ;
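To see what the rule above actually keys on, here is an added Python check that is not part of doxi-rules or naxsi: it applies the page's regex to the URL-decoded `callback` argument the way the `$ARGS_VAR:callback` matchzone does, applies the page's Snort pcre to a raw request line, and enumerates the two-byte zlib headers that are entirely alphanumeric (RFC 1950 rules: deflate, window up to 32K, no preset dictionary, checksum multiple of 31), which is why "hC" sits in the pattern. The sample query strings are constructed; the Rosetta-shaped one reuses the paper's header bytes "MIKI0" with filler for the body and is not a working SWF.

```python
import re
from urllib.parse import parse_qs

# The naxsi rule's regex as on the page: "CWS" magic, five header bytes
# (version + 32-bit length, chosen alphanumeric by the attacker), the zlib
# header "hC", then at least 50 more word characters of deflate data.
ROSETTA_RX = re.compile(r"^CWS\w{5}hC\w{50,}")
# The page's Snort pcre, applied to the raw request line instead.
ROSETTA_PCRE = re.compile(r"callback=CWS\w{5}hC\w{50,}", re.I)


def zlib_header_ok(cmf: int, flg: int) -> bool:
    """RFC 1950 header check: CM=8 (deflate), CINFO<=7 (window <= 32K),
    FDICT clear, and CMF*256+FLG divisible by 31."""
    return ((cmf & 0x0F) == 8 and (cmf >> 4) <= 7
            and not (flg & 0x20) and ((cmf << 8) | flg) % 31 == 0)


def alnum_zlib_headers() -> list:
    """All valid zlib headers made only of [0-9A-Za-z]; "hC" (0x68 0x43) is
    the one the Rosetta Flash paper uses, and the regex pins exactly that."""
    alnum = [ord(c) for c in
             "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"]
    return [chr(a) + chr(b) for a in alnum for b in alnum if zlib_header_ok(a, b)]


def naxsi_callback_hits(query_string: str) -> bool:
    """Mimic the rule: URL-decode, look only at the 'callback' argument
    (the matchzone), apply the anchored regex."""
    values = parse_qs(query_string).get("callback", [])
    return any(ROSETTA_RX.search(v) for v in values)


def snort_hits(request_line: str) -> bool:
    """The Snort pcre over the raw request line (no URI normalisation)."""
    return ROSETTA_PCRE.search(request_line) is not None


# Constructed samples (not real Rosetta Flash output).
ROSETTA_CB = "CWS" + "MIKI0" + "hC" + "A" * 60
SAMPLES = {
    "rosetta": "callback=" + ROSETTA_CB + "&x=1",
    "benign": "callback=jQuery17101_1405579000",
    "cws_prefix": "foo=1&callback=CWStatsHandler",  # starts with CWS, no hC at +8
}


def classify(samples: dict) -> dict:
    """Map each sample name to whether the naxsi-style check fires."""
    return {name: naxsi_callback_hits(qs) for name, qs in samples.items()}


if __name__ == "__main__":
    print(alnum_zlib_headers())
    print(classify(SAMPLES))
    print(snort_hits("GET /api/jsonp?callback=" + ROSETTA_CB + " HTTP/1.1"))
```

The enumeration returns four alphanumeric headers, so the regex is specific to the "hC" variant documented in the paper; whether the other three are accepted by the Flash player is not something this example or the page establishes, it only shows how tightly the signature is tied to that one header.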
      
#
# sid: 42000382 | date: 2014-05-21 - 23:38
#
# http://vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf
#
# file:// URIs in the request body or any argument, e.g. an external entity
# pointing at a local file (XXE); BODY|ARGS = request body and all arguments
#
MainRule "str:file://" "msg:local File access via file://" "mz:BODY|ARGS" "s:$UWA:8" id:42000382  ;
      
#
# sid: 42000384 | date: 2014-06-22 - 14:57
#
# http://www.exploit-db.com/exploits/28713/
#
# "class=" parameter in the Content-Type header (no trailing space inside
# the matchzone, it would become part of the header name)
#
MainRule "str:class=" "msg:JAVA-Serialized-Object POST / Class=*" "mz:$HEADERS_VAR:Content-Type" "s:$ATTACK:8" id:42000384  ;
      
       
#
# sid: 42000383 | date: 2014-06-22 - 14:57
#
# http://www.exploit-db.com/exploits/28713/
#
# matches e.g. "application/x-java-serialized-object" in the Content-Type header
#
MainRule "str:java-serialized-object" "msg:JAVA-Serialized-Object POST" "mz:$HEADERS_VAR:Content-Type" "s:$ATTACK:8" id:42000383  ;
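Both Java-serialized-object rules above look only at the Content-Type header, which the client controls. As an added example (not part of doxi-rules or naxsi), the following Python reimplements those two string matches over a parsed raw request (naxsi `str:` matches are case-insensitive, so the header value is lowercased) and adds a body check that the page's rules do not have: every stream written by `java.io.ObjectOutputStream` starts with STREAM_MAGIC 0xACED followed by STREAM_VERSION 0x0005. The sample requests are constructed; the "body-magic" label is a hypothetical id for the added check, not a doxi sid.

```python
# Needles of the page's two naxsi rules, keyed by their sid.
HEADER_SIGS = {
    "42000383": "java-serialized-object",
    "42000384": "class=",
}
# Added check, not on the page: STREAM_MAGIC (0xACED) + STREAM_VERSION (5).
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, headers, body).
    Header names are lowercased; the first occurrence of a name wins."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return method, headers, body


def matching_sids(raw: bytes) -> list:
    """Return the labels of the checks that fire on this request."""
    method, headers, body = parse_request(raw)
    ctype = headers.get("content-type", "").lower()
    hits = [sid for sid, needle in HEADER_SIGS.items() if needle in ctype]
    if method == "POST" and body.startswith(JAVA_STREAM_MAGIC):
        hits.append("body-magic")  # hypothetical label for the added check
    return hits


# Constructed requests; the bodies are only the first bytes of a stream.
SAMPLES = {
    "serialized": (b"POST /invoke HTTP/1.1\r\nHost: app.example\r\n"
                   b"Content-Type: application/x-java-serialized-object\r\n\r\n"
                   b"\xac\xed\x00\x05sr\x00\x11java.util.HashMap"),
    "class_param": (b"POST /invoke HTTP/1.1\r\nHost: app.example\r\n"
                    b"Content-Type: application/x-java-serialized-object; "
                    b"class=java.util.HashMap\r\n\r\n"
                    b"\xac\xed\x00\x05sr\x00\x11java.util.HashMap"),
    # header lies about the type: the page's rules miss it, the magic check does not
    "disguised": (b"POST /invoke HTTP/1.1\r\nHost: app.example\r\n"
                  b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                  b"\xac\xed\x00\x05sr\x00\x11java.util.HashMap"),
    "benign": (b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
               b"user=bob&pass=secret"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, matching_sids(raw))
```

The "disguised" sample is the case to keep in mind when relying on the header rules alone: a WAF that can inspect the first bytes of the body catches it, a header-only rule does not.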


------------------------------------------------

# the following is a snort-sig for rosetta-flash, 
# totally untested, for your leisure

# note: Snort stores "sid" as a 32-bit unsigned value, so 42010101023 does not fit;
# pick a local sid (1000000 and up) before loading this.
# the two uricontent matches are cheap pre-filters ("callback=CWS" anywhere in
# the URI, "hC" following within 9 bytes); the pcre does the exact check.

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS
(msg:"RosettaFlash Exploit-Attempt"; flow:established,to_server;
uricontent:"callback=CWS"; nocase; uricontent:"hC"; within:9;
pcre:"/callback=CWS\w{5}hC\w{50,}/i";
reference:url,miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/;
reference:url,miki.it/RosettaFlash/RosettaFlash.pdf;
reference:url,quaxio.com/jsonp_handcrafted_flash_files/;
classtype:web-application-attack; sid:42010101023; rev:2;)