Re: Sanity Worm Concepts
On 29 Dec 2004, Andy Fewtrell wrote:
> I have not tested these methods but after discussing them with eth00, we
> both think it was better to post this to bugtraq in the hopes it may
> help other people prevent future attacks from new variations of this
> worm and help development of fixes to prevent future problems. While
> this worm currently uses perl it can be obviously re-written to avoid
> obvious mod_security (and other) rules. I could write proof of concept
> versions of the sanity worm but I feel it would be better to leave this
> out of the post.
>
> For those more interested in the mod_security rules:
>
> SecFilterSelective THE_REQUEST "wget "
> SecFilterSelective THE_REQUEST "perl "
> SecFilterSelective THE_REQUEST "lynx "
> SecFilterSelective THE_REQUEST "ftp "
> SecFilterSelective THE_REQUEST "scp "
> SecFilterSelective THE_REQUEST "rcp "
> SecFilterSelective THE_REQUEST "cvs "
> SecFilterSelective THE_REQUEST "telnet "
> SecFilterSelective THE_REQUEST "ssh "
> SecFilterSelective THE_REQUEST "echo "
> SecFilterSelective THE_REQUEST "nc "
> SecFilterSelective THE_REQUEST "mkdir "
> SecFilterSelective THE_REQUEST "cd /tmp"
> SecFilterSelective THE_REQUEST "cd /var/tmp"
Hi Andy, I have a concern with these filters in that they may
potentially catch quite a few false positives.
In addition to the first one coming from modsecurity.org, I've added a
couple more:
SecFilterSelective ARG_highlight %27
SecFilterSelective ARG_highlight %2527
SecFilter "visualcoders\.net/spy\.gif\?\&cmd"
SecFilter ":/"
SecFilter "'"
Source: http://castlecops.com/article-5642-nested-0-0.html
Your filters I see as good for those who are ultra paranoid, because they
are looking at THE_REQUEST, and if say "wget " is found in it, it'll be
406'd.
THE_REQUEST: http://modules.apache.org/doc/Intro_API_Prog.html
"the_request - string which just contains the first line of the request.
(e.g. "GET /index.html HTTP/1.0")"
If that is correct, then filtering on those custom keywords can indeed
spawn some false positives. The biggest issues as I see it are the use of
' and/or :/ in the_request. Unless a website is doing redirects, aka:
http://example.com/redirect.jsp?http://example.net/index.html
then I don't see a real need to include the ":/" (or "://"). The other
aspect to it is the tick mark "'", such an integral component to SQL
injections, or even escaping shell commands.
Using the mod_security filter I provided above, it has stopped over
300,000 attacks in a 55 hour period. I've provided some examples, with
some analysis of what other alternatives can be used. But the big one I
think is the mod_security filters.
--
Regards,
Paul Laudanski - Computer Cops, LLC. CEO & Founder
CastleCops(SM) - http://castlecops.com
Promoting education and health in online security and privacy.
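To make the false-positive concern in this thread concrete, here is an added Python simulation (not code from either poster or from mod_security) that replays the quoted rules as plain, unanchored substring matches on the raw first request line, the way the `THE_REQUEST` and `SecFilter` patterns above are written. The sample request lines and names are constructed, and mod_security's own normalisation (URL decoding, case folding) is deliberately not modelled.

```python
"""Replay the mod_security filters quoted in this thread against constructed
request lines to see which ordinary requests they would 406.
Assumption: plain substring matching on the raw request line, without
mod_security normalisation (URL decoding, case folding)."""
from urllib.parse import urlsplit

# Keyword rules from Andy's post (SecFilterSelective THE_REQUEST "...")
KEYWORD_RULES = ["wget ", "perl ", "lynx ", "ftp ", "scp ", "rcp ", "cvs ",
                 "telnet ", "ssh ", "echo ", "nc ", "mkdir ", "cd /tmp",
                 "cd /var/tmp"]
# The two generic SecFilter rules Paul questions; checked against the request
# line here (a real SecFilter also inspects arguments and the request body)
GENERIC_RULES = [":/", "'"]
# SecFilterSelective ARG_highlight rules, checked on the raw highlight value
ARG_HIGHLIGHT_RULES = ["%27", "%2527"]


def matching_rules(request_line: str) -> list[str]:
    """Return the rule patterns that would fire on one request line."""
    hits = [r for r in KEYWORD_RULES + GENERIC_RULES if r in request_line]
    parts = request_line.split(" ")
    query = urlsplit(parts[1]).query if len(parts) > 1 else ""
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if name == "highlight":  # raw, undecoded value, as the rules expect
            hits += [r for r in ARG_HIGHLIGHT_RULES if r in value]
    return hits


# Constructed request lines: all but "highlight_probe" are ordinary traffic
SAMPLES = {
    "sync_page": "GET /docs/sync HTTP/1.1",        # "nc " hides inside "sync "
    "cvs_browser": "GET /projects/cvs HTTP/1.1",    # "cvs " as a plain path
    "redirect": "GET /redirect.jsp?http://example.net/index.html HTTP/1.0",
    "apostrophe": "GET /articles/o'reilly-review.html HTTP/1.1",
    "plain": "GET /index.html HTTP/1.0",
    "highlight_probe": "GET /viewtopic.php?t=1&highlight=%2527 HTTP/1.0",
}


def false_positives() -> dict[str, list[str]]:
    """Benign samples (everything except highlight_probe) that a rule blocks."""
    return {name: matching_rules(line) for name, line in SAMPLES.items()
            if name != "highlight_probe" and matching_rules(line)}


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name:16} {matching_rules(line) or 'passes'}")
```

Only the `ARG_highlight` rule fires on the probe alone; four of the five ordinary requests are blocked by an unanchored keyword, the ":/" rule or the tick-mark rule, which is the trade-off the reply describes.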