Message-ID: <Pine.LNX.4.44.0412291953230.14307-100000@bugsbunny.castlecops.com>
Date: Wed, 29 Dec 2004 20:03:42 -0500 (EST)
From: Paul Laudanski <zx@...tlecops.com>
To: bugtraq@...urityfocus.com
Cc: Andy Fewtrell <afsec@...owaway.coldfyre.net>
Subject: Re: Sanity Worm Concepts


On 29 Dec 2004, Andy Fewtrell wrote:

> I have not tested these methods but after discussing them with eth00, we
> both think it was better to post this to bugtraq in the hopes it may
> help other people prevent future attacks from new variations of this
> worm and help development of fixes to prevent future problems. While
> this worm currently uses perl it can be obviously re-written to avoid
> obvious mod_security (and other) rules. I could write proof of concept
> versions of the sanity worm but I feel it would be better to leave this
> out of the post.
> 
> For those more interested in the mod_security rules:
> 
> SecFilterSelective THE_REQUEST "wget "
> SecFilterSelective THE_REQUEST "perl "
> SecFilterSelective THE_REQUEST "lynx "
> SecFilterSelective THE_REQUEST "ftp "
> SecFilterSelective THE_REQUEST "scp "
> SecFilterSelective THE_REQUEST "rcp "
> SecFilterSelective THE_REQUEST "cvs "
> SecFilterSelective THE_REQUEST "telnet "
> SecFilterSelective THE_REQUEST "ssh "
> SecFilterSelective THE_REQUEST "echo "
> SecFilterSelective THE_REQUEST "nc "
> SecFilterSelective THE_REQUEST "mkdir "
> SecFilterSelective THE_REQUEST "cd /tmp"
> SecFilterSelective THE_REQUEST "cd /var/tmp"

Hi Andy, I have a concern with these filters in that they may 
potentially catch quite a few false positives.

In addition to the first one coming from modsecurity.org, I've added a 
couple more:

    SecFilterSelective ARG_highlight %27
    SecFilterSelective ARG_highlight %2527
    SecFilter "visualcoders\.net/spy\.gif\?\&cmd"
    SecFilter ":/"
    SecFilter "'"

Source: http://castlecops.com/article-5642-nested-0-0.html

Your filters I see as good for those who are ultra paranoid, because they 
are looking at THE_REQUEST, and if, say, "wget " is found in it, it'll be 
406'd.

THE_REQUEST: http://modules.apache.org/doc/Intro_API_Prog.html

"the_request - string which just contains the first line of the request. 
(e.g. "GET /index.html HTTP/1.0")"

If that is correct, then filtering on those custom keywords can indeed 
spawn some false positives.  The biggest issues as I see it are the use of 
' and/or :/ in the_request.  Unless a website is doing redirects, aka:

http://example.com/redirect.jsp?http://example.net/index.html

Then I don't see a real need to include the ":/" (or "://").  The other 
aspect to it is the tick mark "'", such an integral component to SQL 
injections, or even escaping shell commands.

Using the mod_security filter I provided above, it has stopped over 
300,000 attacks in a 55 hour period.  I've provided some examples, with 
some analysis of what other alternatives can be used.  But the big one I 
think is the mod_security filters.

-- 
Regards,

Paul Laudanski - Computer Cops, LLC. CEO & Founder
CastleCops(SM) - http://castlecops.com
Promoting education and health in online security and privacy.
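An added example, not part of the thread or of mod_security itself: a small Python checker that applies the filters quoted above to constructed request lines, showing which benign requests the ":/", "'" and "wget " rules would block and which the ARG_highlight rules catch. Beyond what the thread states, it assumes the engine URL-decodes THE_REQUEST once before matching, and the sample request lines are constructed, not taken from a real log.

```python
from urllib.parse import unquote, urlsplit

# Substring filters quoted in the thread. SecFilterSelective THE_REQUEST
# rules match the request line only; the two SecFilter rules match anywhere.
THE_REQUEST_FILTERS = ["wget ", "perl ", "lynx ", "ftp ", "scp ", "rcp ", "cvs ",
                       "telnet ", "ssh ", "echo ", "nc ", "mkdir ",
                       "cd /tmp", "cd /var/tmp"]
GLOBAL_FILTERS = [":/", "'"]
# SecFilterSelective ARG_highlight rules: encoded and double-encoded quote.
HIGHLIGHT_FILTERS = ["%27", "%2527"]


def raw_query_values(request_line, name):
    """Yield the still-encoded values of query argument `name` in a request line."""
    parts = request_line.split(" ")
    query = urlsplit(parts[1]).query if len(parts) >= 2 else ""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            yield value


def tripped_filters(request_line):
    """Return the filters that would block this request line.

    Assumption (not from the thread): the engine URL-decodes the request
    line once before matching, so "wget%20" trips "wget ".  ARG_highlight is
    checked on the raw value, since %27 / %2527 look for the encoded quote.
    """
    decoded = unquote(request_line)
    hits = [f for f in THE_REQUEST_FILTERS + GLOBAL_FILTERS if f in decoded]
    for value in raw_query_values(request_line, "highlight"):
        hits += [f for f in HIGHLIGHT_FILTERS if f in value]
    return hits


def audit(request_lines):
    """Map each request line to the filters it trips (empty list = passes)."""
    return {line: tripped_filters(line) for line in request_lines}


# Constructed sample request lines (not from any real log).
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",                                   # benign, passes
    "GET /redirect.jsp?http://example.net/index.html HTTP/1.0",   # benign, trips ':/'
    "GET /search.php?q=how%20to%20use%20wget%20mirror HTTP/1.0",  # benign, trips 'wget '
    "GET /search.php?q=O%27Reilly HTTP/1.0",                      # benign, trips "'"
    "GET /viewtopic.php?t=1&highlight=%2527 HTTP/1.0",            # probe, trips %2527
]

if __name__ == "__main__":
    for line, hits in audit(SAMPLE_REQUESTS).items():
        print(f"{'BLOCK' if hits else 'pass '}  {line}  {hits}")
```

Three of the four benign lines are blocked, which is the false-positive cost the reply above is pointing at; only the highlight probe is caught by the narrower ARG_highlight rule.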



