Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Sanity Worm Concepts
From: Paul Laudanski <zx () castlecops com>
Date: Wed, 29 Dec 2004 20:03:42 -0500 (EST)

On 29 Dec 2004, Andy Fewtrell wrote:

I have not tested these methods but after discussing them with eth00, we
both think it was better to post this to bugtraq in the hopes it may
help other people prevent future attacks from new variations of this
worm and help development of fixes to prevent future problems. While
this worm currently uses perl it can be obviously re-written to avoid
obvious mod_security (and other) rules. I could write proof of concept
versions of the sanity worm but I feel it would be better to leave this
out of the post.

For those more interested in the mod_security rules:

SecFilterSelective THE_REQUEST "wget "
SecFilterSelective THE_REQUEST "perl "
SecFilterSelective THE_REQUEST "lynx "
SecFilterSelective THE_REQUEST "ftp "
SecFilterSelective THE_REQUEST "scp "
SecFilterSelective THE_REQUEST "rcp "
SecFilterSelective THE_REQUEST "cvs "
SecFilterSelective THE_REQUEST "telnet "
SecFilterSelective THE_REQUEST "ssh "
SecFilterSelective THE_REQUEST "echo "
SecFilterSelective THE_REQUEST "nc "
SecFilterSelective THE_REQUEST "mkdir "
SecFilterSelective THE_REQUEST "cd /tmp"
SecFilterSelective THE_REQUEST "cd /var/tmp"

Hi Andy, I have a concern with these filters in that they will may 
potentially catch quite a few false positives.

In addition to the first one coming from modsecurity.org, I've added a 
couple more:

    SecFilterSelective ARG_highlight %27
    SecFilterSelective ARG_highlight %2527
    SecFilter "visualcoders\.net/spy\.gif\?\&cmd"
    SecFilter ":/"
    SecFilter "'"

Source: http://castlecops.com/article-5642-nested-0-0.html

Your filters I see as good for those who are ultra paranoid.  Because they 
are looking at THE_REQUEST, and if say "wget " is found in it, it'll be 
406'd.

THE_REQUEST: http://modules.apache.org/doc/Intro_API_Prog.html

"the_request - string which just contains the first line of the request. 
(e.g. "GET /index.html HTTP/1.0")"

If that is correct, then filtering on those custom keywords can indeed 
spawn some false positives.  The biggest issues as I see it are the use of 
' and/or :/ in the_request.  Unless a website is doing redirects, aka:

http://example.com/redirect.jsp?http://example.net/index.html

Then I don't see a real need to include the ":/" (or "://").  The other 
aspect to it is the tick mark "'", such an integral component to SQL 
injections, or even escaping shell commands.

Using the mod_security filter I provided above, it has stopped over 
300,000 attacks in a 55 hour period.  I've provided some examples, with 
some analysis of what other alternatives can be used.  But the big one I 
think is the mod_security filters.

-- 
Regards,

Paul Laudanski - Computer Cops, LLC. CEO & Founder
CastleCops(SM) - http://castlecops.com
Promoting education and health in online security and privacy.



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault