Friday, 31 October 2014

Ruleset-Update: Reflected File Download


Ruleset update with a testing signature for Reflected File Download (RFD). Beware of false positives: this signature is largely untested and may break existing, legitimate downloads of the file types it matches.

For the vulnerability itself, please read the following articles by Oren Hafif:
- Blog: Reflected File Download - A New Web Attack Vector
- Paper: Reflected File Download a New Web Attack Vector


[+] new sigs:
  42000408 :: Drupal SQLI & RCE-Exploit Attempt #2 (rx)
  42000410 :: Windows-Exe/Command - File download (cmd, bat, exe,...)
MainRule "rx:[\w*]\.(bat|cmd|vbs|wsh|vbe|wsf|hta)[\W]{0,}$" "msg:Reflected File Download / Windows-Command - File download (cmd, bat, exe,...)" "mz:URL" "s:$ATTACK:8" id:42000410  ;

Note that the msg text mentions exe, but the pattern only matches a path ending in .bat, .cmd, .vbs, .wsh, .vbe, .wsf or .hta (optionally followed by non-word characters); .exe is not caught by this signature. The match zone is the URL path only, so an extension that appears only in the query string is not seen by this rule.
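To see what signature 42000410 does and does not catch before deploying it, here is an added example (not part of the post or of the doxi-rules project) that applies the rule's regular expression to a set of constructed URLs: a typical RFD-style path with a path-parameter separator and a Windows batch extension, a legitimate download that would be a false positive, an .exe download, and a URL where the extension sits only in the query string. It assumes, as a simplification, that Naxsi's "mz:URL" zone is matched against the percent-decoded request path without the query string.

```python
import re
from urllib.parse import urlsplit, unquote

# The regex exactly as it appears in signature 42000410 in the post.
# Inside the character class, "*" is a literal asterisk, not a quantifier.
RFD_PATTERN = re.compile(r"[\w*]\.(bat|cmd|vbs|wsh|vbe|wsf|hta)[\W]{0,}$")


def url_path(url):
    """Return the part of the URL the rule would see.

    Assumption (not stated in the post): the "mz:URL" zone is the
    percent-decoded request path only; the query string is not part of it.
    """
    return unquote(urlsplit(url).path)


def matches_42000410(url):
    """Return the matched extension (e.g. "bat") or None if the rule does not fire."""
    m = RFD_PATTERN.search(url_path(url))
    return m.group(1) if m else None


def classify(urls):
    """Map each URL to the extension the rule matched, or None."""
    return {u: matches_42000410(u) for u in urls}


# Constructed sample requests, not captured traffic.
SAMPLE_URLS = [
    # RFD-style: path parameter separator followed by a batch file name
    "/api/search;/setup.bat",
    # same idea with a different extension and an explicit host
    "https://example.com/api/v1/users;/run.cmd",
    # trailing non-word characters are tolerated by the regex
    "/api/search;setup.bat%20",
    # legitimate download of a .bat file: this is the false-positive case
    "/files/report.bat",
    # .exe is listed in the msg text but not in the pattern
    "/downloads/installer.exe",
    # extension only in the query string: outside the URL zone
    "/api/search?callback=calc.bat",
    # ordinary static asset, must not match
    "/static/app.js",
]


if __name__ == "__main__":
    for url, ext in classify(SAMPLE_URLS).items():
        verdict = f"BLOCK (.{ext})" if ext else "pass"
        print(f"{verdict:14} {url}")
```

Run it once against a sample of your own access logs (the paths only) before enabling the rule in blocking mode; every legitimate hit on the listed extensions is a download the signature will break.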


The signatures are already pushed and available at: https://bitbucket.org/lazy_dogtown/doxi-rules/src/


cheers,


mex
