Friday, 17 October 2014

Ruleset-Update: Drupal SQLI & RCE-Exploit Attempt (CVE-2014-3704)

Please note: the sig is written against the exploit/POC and wouldn't hold against fancy URL encoding like "name%5b".

BUT: the attack WILL be blocked by naxsi anyway, because at least 3 rules from the core rule set trigger on it. Thus my sig is for the attack, not the vuln. The Emerging Threats sigs cover all possible encodings.

 Emerging Threat Signatures: http://pastebin.com/raw.php?i=NZnfzGCc
 POC: http://pastebin.com/F2Dk9LbX

 References:

  • https://www.drupal.org/SA-CORE-2014-005
  • http://www.reddit.com/r/netsec/comments/2jbu8g/sacore2014005_drupal_core_sql_injection/
  • http://pastebin.com/F2Dk9LbX

MainRule "str:name[0%20" "msg:Drupal SQLI & RCE-Exploit Attempt (CVE-2014-3704)" "mz:BODY" "s:$ATTACK:8" id:42000399  ;
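The encoding caveat noted above, as an added example (not the author's code and not a model of how naxsi parses requests): a literal substring check using the rule's `str:` pattern, next to a check that percent-decodes the parameter names first. The request bodies are constructed placeholders, and the "safe index" policy is an assumption made for this example.

```python
import re
from urllib.parse import unquote_plus

LITERAL_SIG = "name[0%20"  # the str: pattern from the rule above

# Assumption for this example: a legitimate array index in name[...]
# consists of letters, digits and underscores only.
SAFE_INDEX = re.compile(r"[A-Za-z0-9_]*")
NAME_KEY = re.compile(r"name\[([^\]]*)")

def literal_match(raw_body: str) -> bool:
    """POC-style signature: plain substring search on the raw body."""
    return LITERAL_SIG in raw_body

def normalized_match(raw_body: str) -> bool:
    """Decode each parameter name, then flag name[...] keys whose index
    contains anything outside the safe character set."""
    for pair in raw_body.split("&"):
        key = unquote_plus(pair.split("=", 1)[0])
        m = NAME_KEY.match(key)
        if m and not SAFE_INDEX.fullmatch(m.group(1)):
            return True
    return False

# Constructed sample bodies; PLACEHOLDER stands in for any payload.
SAMPLES = {
    "poc_style": "name[0%20PLACEHOLDER]=a&pass=b&form_id=user_login_block",
    "encoded_bracket": "name%5b0%20PLACEHOLDER%5d=a&pass=b&form_id=user_login_block",
    "benign_login": "name=admin&pass=secret&form_id=user_login_block",
    "benign_array": "name[0]=a&name[1]=b",
}

def compare() -> dict:
    """Return {sample: (literal_hit, normalized_hit)} for every sample."""
    return {k: (literal_match(v), normalized_match(v)) for k, v in SAMPLES.items()}

if __name__ == "__main__":
    for name, (lit, norm) in compare().items():
        print(f"{name:16} literal={lit!s:5} normalized={norm}")
```

The literal check only fires on the POC-style body, while the decoded check also catches the `name%5b` form and leaves both benign bodies alone.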



The rule was already pushed to Doxi-Rules on 2014-10-16:
https://bitbucket.org/lazy_dogtown/doxi-rules
