Friday, October 31, 2014

Ruleset-Update: Reflected File Download


Ruleset update with a testing signature for Reflected File Download; beware of false positives: this sig is largely untested and might break existing downloads.

For the vuln itself, please read the following articles by Oren Hafif:
- Blog: Reflected File Download - A New Web Attack Vector
- Paper: Reflected File Download a New Web Attack Vector


[+] new sigs:
  42000408 :: Drupal SQLI & RCE-Exploit Attempt #2 (rx)
  42000410 :: Windows-Exe/Command - File download (cmd, bat, exe,...)
MainRule "rx:[\w*]\.(bat|cmd|vbs|wsh|vbe|wsf|hta)[\W]{0,}$" "msg:Reflected File Download / Windows-Command - File download (cmd, bat, exe,...)" "mz:URL" "s:$ATTACK:8" id:42000410  ;


sigs are already pushed and available: https://bitbucket.org/lazy_dogtown/doxi-rules/src/


cheers,


mex

Sunday, October 26, 2014

Ruleset-Update: Magento/MAGMI-Rules + MongoDB - Bypass


The following sigs are against exploiting MAGMI, a popular Magento plugin with severe security problems (or better: a backdoor with zero security at all); credit goes to bui from the naxsi team for pointing me to it and to @sonassi for finding and writing about the problems.

An additional signature is a MongoDB auth bypass; please read the referenced blog post for more information.


The sigs were already pushed to the repo on Wednesday last week:
https://bitbucket.org/lazy_dogtown/doxi-rules/



[+] new sigs:
  42000400 :: app_server.rules     :: MongoDB Negated Parameter Server Side JavaScript Injection Attempt
  42000401 :: web_apps.rules       :: Magento - MAGMI-Access (possible Scan)
  42000403 :: web_apps.rules       :: Magento - MAGMI - Plugin-Upload
  42000404 :: web_apps.rules       :: Magento - MAGMI - magmi_*.php - Access
  42000405 :: web_apps.rules       :: Magento - MAGMI - clearcatalog.php
  42000406 :: web_apps.rules       :: Magento - MAGMI - ajax_readlocalxml.php
  42000407 :: web_apps.rules       :: Magento - MAGMI - Access


#
# sid: 42000400 | date: 2014-10-20 - 14:31
#
# # et-inspired
# http://blog.imperva.com/2014/10/nosql-ssji-authentication-bypass.html
# https://lists.emergingthreats.net/pipermail/emerging-sigs/2014-October/024974.html
#
MainRule "str:[$ne]" "msg:MongoDB Negated Parameter Server Side JavaScript Injection Attempt" "mz:BODY|ARGS" "s:$ATTACK:8" id:42000400  ;

#
# sid: 42000407 | date: 2014-10-26 - 12:36
#
# https://twitter.com/sonassi/status/523176348458967040
# http://www.exploit-db.com/exploits/35052/
#
MainRule "str:/magmi/" "msg:Magento - MAGMI - Access" "mz:URL" "s:$ATTACK:8" id:42000407  ;

#
# sid: 42000406 | date: 2014-10-26 - 12:36
#
# https://twitter.com/sonassi/status/52317634845896704
# http://www.exploit-db.com/exploits/35052/
#
MainRule "str:/web/ajax_readlocalxml.php" "msg:Magento - MAGMI - ajax_readlocalxml.php" "mz:URL" "s:$ATTACK:8" id:42000406  ;

#
# sid: 42000405 | date: 2014-10-26 - 12:36
#
# https://twitter.com/sonassi/status/523176348458967040
# http://www.exploit-db.com/exploits/35052/
#
MainRule "str:/web/clearcatalog.php" "msg:Magento - MAGMI - clearcatalog.php" "mz:URL" "s:$ATTACK:8" id:42000405  ;

#
# sid: 42000404 | date: 2014-10-26 - 12:36
#
# https://twitter.com/sonassi/status/523176348458967040
# http://www.exploit-db.com/exploits/35052/
#
MainRule "rx:/web/magmi_([a-z]*).php" "msg:Magento - MAGMI - magmi_*.php - Access" "mz:URL" "s:$ATTACK:8" id:42000404  ;

#
# sid: 42000403 | date: 2014-10-26 - 12:37
#
# https://twitter.com/sonassi/status/523176348458967040
# http://www.exploit-db.com/exploits/35052/
#
MainRule "str:/web/plugin_upload.php" "msg:Magento - MAGMI - Plugin-Upload " "mz:URL" "s:$ATTACK:8" id:42000403  ;

#
# sid: 42000401 | date: 2014-10-26 - 12:37
#
# https://twitter.com/sonassi/status/523176348458967040
# http://www.exploit-db.com/exploits/35052/
#
MainRule "str:/web/magmi.php" "msg:Magento - MAGMI-Access (possible Scan)" "mz:URL" "s:$ATTACK:8" id:42000401  ;



Friday, October 17, 2014

Ruleset-Update: Drupal SQLI & RCE-Exploit Attempt (CVE-2014-3704)

Please note: the sig is against the exploit/POC and wouldn't hold against fancy URL encoding like "name%5b".

BUT: the attack WILL be blocked by naxsi anyway, by at least 3 rules from the core rule set; thus my sig is for the attack, not the vuln. Emerging sigs have all possible encodings:

 Emerging Threat Signatures: http://pastebin.com/raw.php?i=NZnfzGCc
 POC: http://pastebin.com/F2Dk9LbX

 References:

  • https://www.drupal.org/SA-CORE-2014-005
  • http://www.reddit.com/r/netsec/comments/2jbu8g/sacore2014005_drupal_core_sql_injection/
  • http://pastebin.com/F2Dk9LbX

MainRule "str:name[0%20" "msg:Drupal SQLI & RCE-Exploit Attempt (CVE-2014-3704)" "mz:BODY" "s:$ATTACK:8" id:42000399  ;



The rule was already pushed to Doxi-Rules on 2014-10-16:
https://bitbucket.org/lazy_dogtown/doxi-rules
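As an added example (not code from these posts or from the doxi-rules repo), a small Python matcher that applies the RFD sig 42000410 and the Drupal sig 42000399 from above to constructed requests: it shows the `name%5b0` variant the Drupal post says the sig misses, how percent-decoding both sides before comparing closes that gap, and the legitimate `.bat` download the RFD sig flags as the false positive the RFD post warns about. The matcher is a simplified stand-in written for this example, not naxsi's engine, and does no scoring or decoding of its own unless asked.

```python
import re
from urllib.parse import unquote

# The two signatures from the posts above (ids 42000410 and 42000399), applied by a
# simplified matcher written for this example; it is not naxsi's engine and does no
# scoring or per-zone decoding of its own.
SIGS = [
    {"id": 42000410, "kind": "rx", "pat": r"[\w*]\.(bat|cmd|vbs|wsh|vbe|wsf|hta)[\W]{0,}$",
     "zones": ("URL",)},
    {"id": 42000399, "kind": "str", "pat": "name[0%20", "zones": ("BODY",)},
]

def match_sig(sig, text, normalize=False):
    """'str' sigs are case-insensitive literal substrings, 'rx' sigs case-insensitive
    regex searches. With normalize=True the text (and a literal pattern) are
    percent-decoded first, so 'name%5b0' and 'name[0' compare equal."""
    if normalize:
        text = unquote(text)
    if sig["kind"] == "str":
        pat = unquote(sig["pat"]) if normalize else sig["pat"]
        return pat.lower() in text.lower()
    return re.search(sig["pat"], text, re.IGNORECASE) is not None

def evaluate(request, normalize=False):
    """Return the sorted ids of every signature that fires on one request
    (a dict with 'URL' and 'BODY' strings)."""
    hits = set()
    for sig in SIGS:
        for zone in sig["zones"]:
            if match_sig(sig, request.get(zone, ""), normalize):
                hits.add(sig["id"])
    return sorted(hits)

# Constructed sample requests (not captured traffic).
POC_BODY = "name[0%20;update+users+set+name%3d'x'%20;%23%20%20]=a&name[0]=b&pass=c&form_id=user_login"
SAMPLES = {
    "drupal_poc":     {"URL": "/?q=node", "BODY": POC_BODY},
    # same payload with '[' percent-encoded: the gap the Drupal post warns about
    "drupal_encoded": {"URL": "/?q=node", "BODY": POC_BODY.replace("name[0", "name%5b0", 1)},
    "rfd_attempt":    {"URL": "/api/search.json;/setup.bat", "BODY": ""},
    # a legitimate download the RFD sig also flags: the false positive the RFD post warns about
    "legit_download": {"URL": "/downloads/installer.bat", "BODY": ""},
    "plain_page":     {"URL": "/about/team.html", "BODY": ""},
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:15s} raw={evaluate(req)} normalized={evaluate(req, True)}")
```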