Our web honeypots picked up more exploit attempts today -

5.9.16.104 - - [19/Jun/2013:00:47:05 +0200] "POST /phppath/php?-d+allow_url_include%3d1+-d+safe_mode%3d0+-d+suhosin.simulation%3d1+-d+disable_functions%3d''+-d+open_basedir%3dnone+-d+auto_prepend_file%3dphp://input+-n HTTP/1.1" 404 314 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_1) AppleWebKit/535.1 (KHTML, like Gecko) Safari/535.1"
While the OWASP ModSecurity CRS does pick up the POST payload PHP code, it does not trigger on the various PHP configuration directives -

http://www.modsecurity.org/demo/demo-deny.html?test=-d+allow_url_include%3d1+-d+safe_mode%3d0+-d+suhosin.simulation%3d1+-d+disable_functions%3d%27%27+-d+open_basedir%3dnone+-d+auto_prepend_file%3dphp://input+-n

We should modify the CRS rules to include these PHP config directives in the PHP code injection rules and also to make sure that these are inspecting ARGS_NAMES.

--
Ryan Barnett
Trustwave SpiderLabs
ModSecurity Project Leader
OWASP ModSecurity CRS Project Leader

From: Ryan Barnett <rbarn...@trustwave.com>
Date: Monday, June 10, 2013 6:53 PM
To: mod-security-emerging-atta...@lists.sourceforge.net
Subject: [Mod-security-emerging-attacks] Fwd: IRC BOTNET LEVERAGING UNPATCHED PLESK VULNERABILITY

Begin forwarded message:

From: Ryan Barnett <rbarn...@trustwave.com>
Date: June 10, 2013, 4:59:55 PM EDT
To: mod-security-us...@lists.sourceforge.net, owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: IRC BOTNET LEVERAGING UNPATCHED PLESK VULNERABILITY

I wanted to reach out to the community on this issue and ask for some help. An exploit for Plesk was released last week - http://seclists.org/fulldisclosure/2013/Jun/21 - and now there are reports of mass exploits from IRC botnets.
Reference this link - http://threatpost.com/irc-botnet-leveraging-unpatched-plesk-vulnerability/

Here is an example ModSecurity audit log of running the plesk-simple.pl script against a host -

--c0538227-A--
[10/Jun/2013:16:33:13 --0400] UbY4B8CoAWQAAP3TbGsAAAAC 127.0.0.1 56954 127.0.0.1 80
--c0538227-B--
POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Content-Type: application/x-www-form-urlencoded
Content-Length: 82

--c0538227-C--
<?php echo "Content-Type:text/html\r\n\r\n";echo "OK\n";system("uname -a;id;"); ?>

For those of you running the OWASP ModSecurity CRS, this attack would already be picked up by a number of rules/signatures. For example -

Message: Warning. Pattern match "<\\?(?!xml)" at ARGS_NAMES:<?php echo "Content-Type:text/html\\r\\n\\r\\n";echo "OK\\n";system("uname -a;id;"); ?>. [file "/usr/local/apache/conf/crs/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "230"] [id "959151"] [rev "2"] [msg "PHP Injection Attack"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/WEB_ATTACK/PHP_INJECTION"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.2"] [tag "WASCTC/WASC-25"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE4"] [tag "PCI/6.5.2"]

I am working on a blog post to highlight this vulnerability and the ModSecurity protections.
It would be useful if anyone who has seen these attacks hit their server could send me some example audit log entries, as I want to show real-world instances vs only running the PoC. Thanks.

--
Ryan Barnett
Trustwave SpiderLabs
ModSecurity Project Leader
OWASP ModSecurity CRS Project Leader

________________________________
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
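The detection the thread asks for, as an added example (written for this page; it is not OWASP CRS or ModSecurity code and is not part of the thread). It models the CGI rule that a query string containing no raw "=" is split on "+" into the script's argv (RFC 3875 section 4.4), which is what lets the "-d" directives reach php-cgi, then flags the INI directives the two payloads above set. The first two request lines in SAMPLE_LINES are copied from the thread; the benign third line, all function names, and the simplified model of ModSecurity's query parser are this example's own assumptions.

```python
"""
php-cgi "-d" directive injection detector for web-server request lines.

Added example, not OWASP CRS or ModSecurity code. SAMPLE_LINES[0] and [1]
are the request lines from the thread; the benign line, the helper names
and the ModSecurity parser model are this example's own.
"""
from __future__ import annotations

import re
from urllib.parse import unquote, unquote_plus

# INI directives with no business on an externally supplied php-cgi command
# line: together they switch off sandboxing and make php://input the script.
DANGEROUS_DIRECTIVES = frozenset({
    "allow_url_include", "safe_mode", "suhosin.simulation",
    "disable_functions", "open_basedir", "auto_prepend_file",
})
# Bare flags worth recording; -n tells php-cgi to ignore php.ini entirely.
FLAGS_OF_INTEREST = frozenset({"-n"})

REQUEST_LINE_RE = re.compile(r"\b(?P<method>[A-Z]{3,10})\s+(?P<target>\S+)\s+HTTP/\d\.\d")

SAMPLE_LINES = [
    # honeypot access-log line from the thread
    "5.9.16.104 - - [19/Jun/2013:00:47:05 +0200] \"POST /phppath/php?-d+allow_url_include%3d1+-d+safe_mode%3d0+-d+suhosin.simulation%3d1+-d+disable_functions%3d''+-d+open_basedir%3dnone+-d+auto_prepend_file%3dphp://input+-n HTTP/1.1\" 404 314 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_1) AppleWebKit/535.1 (KHTML, like Gecko) Safari/535.1\"",
    # request line from the plesk-simple.pl audit log in the thread (hex-encoded form)
    "POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1",
    # constructed benign request, for contrast (not from the thread)
    "192.0.2.10 - - [19/Jun/2013:00:50:00 +0200] \"GET /index.php?page=home&id=3 HTTP/1.1\" 200 512 \"-\" \"Mozilla/5.0\"",
]


def percent_decode(s: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so a
    double-encoded path normalizes the same way as a plain one."""
    for _ in range(max_rounds):
        out = unquote(s)
        if out == s:
            break
        s = out
    return s


def php_cgi_argv(raw_query: str) -> list[str]:
    """Model the CGI server: a query string with no raw '=' is split on '+'
    and each word percent-decoded once, giving the script's argv."""
    if "=" in raw_query:
        return []
    return [unquote(w) for w in raw_query.split("+") if w]


def parse_php_cgi_args(argv: list[str]) -> tuple[dict[str, str], set[str]]:
    """Collect '-d name=value' and '-dname=value' directives plus bare flags."""
    directives: dict[str, str] = {}
    flags: set[str] = set()
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok == "-d" and i + 1 < len(argv):
            name, _, value = argv[i + 1].partition("=")
            directives[name] = value
            i += 2
            continue
        if tok.startswith("-d") and len(tok) > 2:
            name, _, value = tok[2:].partition("=")
            directives[name] = value
        elif tok.startswith("-"):
            flags.add(tok)
        i += 1
    return directives, flags


def modsecurity_args_view(raw_query: str) -> dict[str, str]:
    """Simplified model of ModSecurity's query parser: split on '&', then on
    the first raw '=', then decode. With '=' sent as %3d the whole payload
    becomes a parameter NAME with an empty value, so only ARGS_NAMES sees it."""
    args: dict[str, str] = {}
    for pair in raw_query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            args[unquote_plus(name)] = unquote_plus(value)
    return args


def analyze_request_line(line: str) -> dict:
    """Classify one access/audit-log request line."""
    m = REQUEST_LINE_RE.search(line)
    if not m:
        return {"parsed": False, "attack": False}
    path, _, raw_query = m.group("target").partition("?")
    argv = php_cgi_argv(raw_query)
    directives, flags = parse_php_cgi_args(argv)
    hits = sorted(set(directives) & DANGEROUS_DIRECTIVES)
    return {
        "parsed": True,
        "method": m.group("method"),
        "path": percent_decode(path),
        "raw_query": raw_query,
        "argv": argv,
        "directives": directives,
        "dangerous_directives": hits,
        "flags": sorted(flags & FLAGS_OF_INTEREST),
        "attack": bool(hits),
    }


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        r = analyze_request_line(sample)
        verdict = "ATTACK" if r["attack"] else "ok"
        print(f"{verdict:6} {r.get('path')} directives={r.get('dangerous_directives')} flags={r.get('flags')}")
```

The same `%3d` encoding does double duty for the attacker: it keeps a raw "=" out of the query string so the CGI layer passes it to php-cgi as argv, and it keeps ModSecurity's argument parser from ever producing a value, which is why `modsecurity_args_view` returns the entire payload as one parameter name with an empty value and why the thread's existing hit was reported at ARGS_NAMES. A CRS rule for these directives therefore has to run against ARGS_NAMES (or QUERY_STRING / REQUEST_URI) rather than ARGS values alone, and should normalize percent-encoding before matching so the hex-encoded form in the audit log is caught along with the plain one.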
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set