Network Security Vuln-Dev

Re: Sanity Worm Concepts

Subject: Re: Sanity Worm Concepts
Date: Wed, 29 Dec 2004 20:03:42 -0500 (EST)
On 29 Dec 2004, Andy Fewtrell wrote:

I have not tested these methods but after discussing them with eth00, we
both think it was better to post this to bugtraq in the hopes it may
help other people prevent future attacks from new variations of this
worm and help development of fixes to prevent future problems. While
this worm currently uses perl it can obviously be re-written to avoid
obvious mod_security (and other) rules. I could write proof of concept
versions of the sanity worm but I feel it would be better to leave this
out of the post.

For those more interested in the mod_security rules:

SecFilterSelective THE_REQUEST "wget "
SecFilterSelective THE_REQUEST "perl "
SecFilterSelective THE_REQUEST "lynx "
SecFilterSelective THE_REQUEST "ftp "
SecFilterSelective THE_REQUEST "scp "
SecFilterSelective THE_REQUEST "rcp "
SecFilterSelective THE_REQUEST "cvs "
SecFilterSelective THE_REQUEST "telnet "
SecFilterSelective THE_REQUEST "ssh "
SecFilterSelective THE_REQUEST "echo "
SecFilterSelective THE_REQUEST "nc "
SecFilterSelective THE_REQUEST "mkdir "
SecFilterSelective THE_REQUEST "cd /tmp"
SecFilterSelective THE_REQUEST "cd /var/tmp"

Hi Andy, I have a concern with these filters in that they may 
potentially catch quite a few false positives.

In addition to the first one coming from modsecurity.org, I've added a 
couple more:

    SecFilterSelective ARG_highlight %27
    SecFilterSelective ARG_highlight %2527
    SecFilter "visualcoders\.net/spy\.gif\?\&cmd"
    SecFilter ":/"
    SecFilter "'"

Source: http://castlecops.com/article-5642-nested-0-0.html

Your filters I see as good for those who are ultra paranoid, because they 
are looking at THE_REQUEST, and if, say, "wget " is found in it, it'll be 
406'd.

THE_REQUEST: http://modules.apache.org/doc/Intro_API_Prog.html

"the_request - string which just contains the first line of the request. 
(e.g. "GET /index.html HTTP/1.0")"

If that is correct, then filtering on those custom keywords can indeed 
spawn some false positives.  The biggest issues, as I see them, are the use of 
' and/or :/ in the_request.  Unless a website is doing redirects, aka:

http://example.com/redirect.jsp?http://example.net/index.html

then I don't see a real need to include the ":/" (or "://").  The other 
aspect to it is the tick mark "'", such an integral component to SQL 
injections, or even escaping shell commands.

Using the mod_security filter I provided above, it has stopped over 
300,000 attacks in a 55 hour period.  I've provided some examples, with 
some analysis of what other alternatives can be used.  But the big one I 
think is the mod_security filters.

-- 
Regards,

Paul Laudanski - Computer Cops, LLC. CEO & Founder
CastleCops(SM) - http://castlecops.com
Promoting education and health in online security and privacy.
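To make the false-positive argument in this thread concrete, here is an added example (not code from the thread, from mod_security, or from CastleCops) that models the two kinds of filters quoted above and runs them over a handful of constructed request lines. It is a toy: it assumes a single URL-decode of the request line (%XX and '+') before substring matching, which is a simplification of the real mod_security 1.x normalisation, and it matches the ARG_highlight rules against the raw, undecoded argument value. The rule strings are the ones quoted in the thread; all request lines, host names and argument values are constructed sample traffic.

```python
"""Toy model of SecFilterSelective-style matching, constructed to show
why keyword filters on THE_REQUEST hit benign traffic while a rule scoped
to one query argument does not.  Not mod_security code; the decode and
matching behaviour is a simplifying assumption."""
from urllib.parse import unquote_plus, urlsplit

# Keyword rules quoted in the thread (applied to THE_REQUEST).
THE_REQUEST_RULES = [
    "wget ", "perl ", "lynx ", "ftp ", "scp ", "rcp ", "cvs ",
    "telnet ", "ssh ", "echo ", "nc ", "mkdir ", "cd /tmp", "cd /var/tmp",
]
# The two broad SecFilter patterns from the CastleCops rule set.
BROAD_RULES = [":/", "'"]
# Targeted rules: only the named query argument is inspected.
ARG_RULES = {"highlight": ["%27", "%2527"]}

# Constructed benign request lines of the kind an ordinary site sees.
BENIGN = [
    "GET /redirect.jsp?http://example.net/index.html HTTP/1.0",   # redirect-style URL
    "GET /search.php?q=O'Reilly+books HTTP/1.0",                   # apostrophe in a search
    "GET /forum/viewtopic.php?t=12&highlight=ssh+keys HTTP/1.0",   # "ssh " after decoding
    "GET /docs/index.html HTTP/1.0",
]
# Constructed request with the double-encoded tick in the highlight
# argument that the ARG_highlight rules in the thread are written for.
WORM_SHAPED = "GET /viewtopic.php?t=1&highlight=%2527 HTTP/1.0"


def request_line_hits(request_line, rules):
    """Rules whose pattern occurs in the once-decoded request line."""
    decoded = unquote_plus(request_line)  # assumption: one decode pass
    return [r for r in rules if r in decoded]


def raw_args(query):
    """Split a query string into {name: [raw values]} without decoding."""
    args = {}
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        args.setdefault(name, []).append(value)
    return args


def arg_hits(request_line, arg_rules):
    """(argument, pattern) pairs where a named argument contains the pattern."""
    _method, target, _version = request_line.split(" ", 2)
    args = raw_args(urlsplit(target).query)
    hits = []
    for name, patterns in arg_rules.items():
        for value in args.get(name, []):
            hits.extend((name, p) for p in patterns if p in value)
    return hits


def false_positive_count(benign_lines, rules):
    """How many benign request lines a rule set would block (406)."""
    return sum(1 for line in benign_lines if request_line_hits(line, rules))


if __name__ == "__main__":
    for line in BENIGN + [WORM_SHAPED]:
        print(line)
        print("  keyword :", request_line_hits(line, THE_REQUEST_RULES))
        print("  broad   :", request_line_hits(line, BROAD_RULES))
        print("  arg     :", arg_hits(line, ARG_RULES))
    print("benign lines blocked by keyword rules:",
          false_positive_count(BENIGN, THE_REQUEST_RULES))
    print("benign lines blocked by broad rules  :",
          false_positive_count(BENIGN, BROAD_RULES))
```

Under these assumptions the redirect URL trips ":/", the search for O'Reilly trips "'", and a forum search for "ssh keys" trips "ssh " once the '+' is decoded, while none of the benign lines touch the highlight-scoped rules and the double-encoded request only matches there. Any rule you deploy against a real site should be checked the same way against a sample of that site's own access log before it is allowed to return 406.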

