Re: [Snort-sigs] ASP.net Auth Bypass Vulnerability

Just put these up on bleedingsnort. They're catching hits if the target 
file is aspx.

alert tcp any any -> $HOME_NET 80 (msg:"BLEEDING-EDGE WEB-IIS ASP.net 
Auth Bypass / Canonicalization"; content:"GET"; nocase; content:"\\";
 nocase; content:"aspx"; nocase; sid:2001342; rev:4;)

alert tcp any any -> $HOME_NET 80 (msg:"BLEEDING-EDGE WEB-IIS ASP.net 
Auth Bypass / Canonicalization % 5 C"; content:"GET"; nocase; content
:"%5C"; content:"aspx"; sid:2001343; rev:4;)

I was thinking we could put a pcre in there to catch other types of file 
names that'd likely be on an IIS server. Might try that later.

Maybe a within statement. Other ideas????

I took out the uricontent's because they appear to have been normalizing 
the \ and %5C, and I couldn't get a hit.

Matt

sam@neuroflux.com wrote:
> I think it is any file, but it has to be served up by the .NET ISAPI
> filter..  Sites running IIS without the .net isapi filter, appear to not
> be vulnerable to this..
>
>
>
>
> > This bugtraq post makes it sound as if you could hit any file:
> >
> > http://www.derkeiler.com/Mailing-Lists/NT-Bugtraq/2004-09/0068.html
> >
> > But... if we were just looking for a sig to find the initial wave of
> > scripts that'll be probing for this they'll certainly try the default
> > aspx stuff, that could be a good limiter on a sig for just that.
> >
> > I'll make something like that and test it out real quick. Update from
> > bleedingsnort.com in a few if you'd like to try it out as well.
> >
> > Matt
> >
> > sekure wrote:
> >
> > > Sounds to me like you have to be trying to access a .aspx file, so
> > > that could be something to look for.  But I am just speculating
> > > here... Guess we have to wait for more info from MS.
> > >
> > > On Thu, 07 Oct 2004 12:50:01 -0500, Matt Jonkman <matt@infotex.com>
> > > wrote:
> > >
> > >
> > > > http://isc.sans.org/diary.php?date=2004-10-06
> > > >
> > > > This could be a big one. Anyone that understands asp.net better than I
> > > > able to put up a sig?
> > > >
> > > > Not sure on all of the permutations that this could manifest in.
> > > >
> > > > Or could we safely just look for any \ or %5C in a url? How many other
> > > > legitimate places would those arise?
> > > >
> > > > What would be the default directories that the average server would have
> > > > sensitive information in by default that someone might try getting to
> > > > via canonicalization?
> > > >
> > > > alert tcp any any -> $HOME_NET 80 (msg:
> > > > BLEEDING-EDGE WEB-EXPLOIT ASP.net Auth Bypass / Canonicalization";
> > > > uricontent:"\"; sid:; rev:1;)
> > > >
> > > > or
> > > >
> > > > alert tcp any any -> $HOME_NET 80 (msg:
> > > > BLEEDING-EDGE WEB-EXPLOIT ASP.net Auth Bypass / Canonicalization";
> > > > uricontent:"%5C"; sid:; rev:1;)
> > > >
> > > > I think we need another factor to make this more specific though. Any
> > > > ideas?
> > > >
> > > > More discussion on www.bleedingsnort.com as well.
> > > >
> > > > Matt
> > > >
> > > > -------------------------------------------------------
> > > > This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
> > > > Use IT products in your business? Tell us what you think of them. Give
> > > > us
> > > > Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out
> > > > more
> > > > http://productguide.itmanagersjournal.com/guidepromo.tmpl
> > > > _______________________________________________
> > > > Snort-sigs mailing list
> > > > Snort-sigs@lists.sourceforge.net
> > > > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> >
> > --
> > --------------------------------------------
> > Matthew Jonkman, CISSP
> > Senior Security Engineer
> > Infotex
> > 765-429-0398 Direct Anytime
> > 765-448-6847 Office
> > 866-679-5177 24x7 NOC
> > my.infotex.com
> > www.offsitefilter.com
> > --------------------------------------------
> >
> >
> > NOTICE: The information contained in this email is confidential
> > and intended solely for the intended recipient. Any use,
> > distribution, transmittal or retransmittal of information
> > contained in this email by persons who are not intended
> > recipients may be a violation of law and is strictly prohibited.
> > If you are not the intended recipient, please contact the sender
> > and delete all copies.
> >
> >
> > -------------------------------------------------------
> > This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
> > Use IT products in your business? Tell us what you think of them. Give us
> > Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out
> > more
> > http://productguide.itmanagersjournal.com/guidepromo.tmpl
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs

--
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
--------------------------------------------


NOTICE: The information contained in this email is confidential
and intended solely for the intended recipient. Any use,
distribution, transmittal or retransmittal of information
contained in this email by persons who are not intended
recipients may be a violation of law and is strictly prohibited.
If you are not the intended recipient, please contact the sender
and delete all copies.


-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs