Thursday, 17 July 2014

Ruleset-Update; RosettaFlash + some JAVA-Serialized-Object POST - sigs

The most interesting one is probably the RosettaFlash sig; @mikispag helped me get the regex right.

By the way, there is also a Rails update available addressing that issue (https://github.com/rails/rails/pull/16109), but there is no official note on the railssec-ml yet.


New signatures are available and have been pushed to the repo: https://bitbucket.org/lazy_dogtown/doxi-rules/src




[+] new sigs:
  42000385 :: app_server.rules     :: RosettaFlash JSONP-Exploit callback=CWS
  42000381 :: web_server.rules     :: Meterpreter-UA detected
  42000382 :: web_server.rules     :: local File access via file://
  42000383 :: app_server.rules     :: JAVA-Serialized-Object POST
  42000384 :: app_server.rules     :: JAVA-Serialized-Object POST / Class=*

--------------------------------------------------


#
# sid: 42000385 | date: 2014-07-17 - 09:45 
#
# http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
# http://miki.it/RosettaFlash/RosettaFlash.pdf
# http://quaxio.com/jsonp_handcrafted_flash_files/
# 
# credits to @mikispag, who helped me get the regex right
#
MainRule "rx:^CWS\w{5}hC\w{50,}" "msg:RosettaFlash JSONP-Exploit callback=CWS" "mz:$ARGS_VAR:callback" "s:$ATTACK:8" id:42000385  ;
      
#
# sid: 42000382 | date: 2014-05-21 - 23:38 
#
# http://vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf
#
MainRule "str:file://" "msg:local File access via file://" "mz:BODY|ARGS" "s:$UWA:8" id:42000382  ;
      
#
# sid: 42000384 | date: 2014-06-22 - 14:57 
#
# http://www.exploit-db.com/exploits/28713/
#
MainRule "str:class=" "msg:JAVA-Serialized-Object POST / Class=*" "mz:$HEADERS_VAR:Content-Type" "s:$ATTACK:8" id:42000384  ;
      
       
#
# sid: 42000383 | date: 2014-06-22 - 14:57 
#
# http://www.exploit-db.com/exploits/28713/
#
MainRule "str:java-serialized-object" "msg:JAVA-Serialized-Object POST" "mz:$HEADERS_VAR:Content-Type" "s:$ATTACK:8" id:42000383  ;


------------------------------------------------

# the following is a snort-sig for rosetta-flash,
# totally untested, for your leisure
# (note: Snort stores sids as 32-bit unsigned integers, max 4294967295;
#  the sid below exceeds that and has to be renumbered before the rule loads)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS \
(msg:"RosettaFlash Exploit-Attempt"; flow:established,to_server; \
uricontent:"?callback=CWS"; nocase; uricontent:"hC"; within:9; \
pcre:"/callback=CWS\w{5}hC\w{50,}/i"; \
reference:url,miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/; \
reference:url,miki.it/RosettaFlash/RosettaFlash.pdf; \
reference:url,quaxio.com/jsonp_handcrafted_flash_files/; \
classtype:web-application-attack; sid:42010101023; rev:2;)
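As an added example that is not part of the doxi ruleset or this post: the matching logic of the four naxsi rules above (the RosettaFlash regex is the same one the Snort pcre uses) re-expressed as a plain Python check over constructed requests, so you can see which match zone each rule inspects and what input trips it. URLs, headers and bodies below are constructed samples, not captured traffic.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Regex from sid 42000385 / the Snort pcre: a RosettaFlash SWF starts with
# "CWS" (compressed SWF), 5 alphanumeric version/length bytes, then "hC",
# the zlib header bytes Rosetta Flash picks so the whole file stays alnum.
ROSETTA_RE = re.compile(r"^CWS\w{5}hC\w{50,}", re.IGNORECASE)  # /i as in the Snort pcre


def match_sids(url, headers, body=""):
    """Return the sids from the ruleset above that a request would trigger.

    url     -- full request URL (its query string is the ARGS zone)
    headers -- dict of request headers ($HEADERS_VAR zone)
    body    -- request body as text (BODY zone)
    """
    hits = []
    args = parse_qs(urlsplit(url).query, keep_blank_values=True)
    ctype = headers.get("Content-Type", "").lower()
    # 42000385: mz:$ARGS_VAR:callback -- only the callback parameter is inspected
    if any(ROSETTA_RE.match(v) for v in args.get("callback", [])):
        hits.append(42000385)
    # 42000382: str:file:// in mz:BODY|ARGS (compared case-insensitively here)
    arg_values = [v for vs in args.values() for v in vs]
    if any("file://" in s.lower() for s in arg_values + [body]):
        hits.append(42000382)
    # 42000383 / 42000384: mz:$HEADERS_VAR:Content-Type, i.e. only that header
    if "java-serialized-object" in ctype:
        hits.append(42000383)
    if "class=" in ctype:
        hits.append(42000384)
    return hits


# Constructed samples (not real traffic): a benign JSONP call, a RosettaFlash
# style callback, an external-entity body and a Java serialization Content-Type.
SAMPLES = {
    "benign_jsonp": ("https://api.example.test/data?callback=jQuery1710_42", {}, ""),
    "rosetta": ("https://api.example.test/data?callback=CWS70000hC" + "A" * 60, {}, ""),
    "xxe_body": ("https://api.example.test/upload", {"Content-Type": "text/xml"},
                 '<!DOCTYPE x [<!ENTITY e SYSTEM "file:///etc/hostname">]><x>&e;</x>'),
    "java_ser": ("https://app.example.test/invoke",
                 {"Content-Type": "application/x-java-serialized-object;class=com.example.Foo"}, ""),
}

if __name__ == "__main__":
    for name, (url, headers, body) in SAMPLES.items():
        print(f"{name:13s} -> {match_sids(url, headers, body)}")
```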





