Bugtraq mailing list archives

Re: Sanity Worm Concepts


From: Paul Laudanski <zx () castlecops com>
Date: Wed, 29 Dec 2004 20:03:42 -0500 (EST)

On 29 Dec 2004, Andy Fewtrell wrote:

> I have not tested these methods but after discussing them with eth00, we
> both think it was better to post this to bugtraq in the hopes it may
> help other people prevent future attacks from new variations of this
> worm and help development of fixes to prevent future problems. While
> this worm currently uses perl it can be obviously re-written to avoid
> obvious mod_security (and other) rules. I could write proof of concept
> versions of the sanity worm but I feel it would be better to leave this
> out of the post.
>
> For those more interested in the mod_security rules:
>
> SecFilterSelective THE_REQUEST "wget "
> SecFilterSelective THE_REQUEST "perl "
> SecFilterSelective THE_REQUEST "lynx "
> SecFilterSelective THE_REQUEST "ftp "
> SecFilterSelective THE_REQUEST "scp "
> SecFilterSelective THE_REQUEST "rcp "
> SecFilterSelective THE_REQUEST "cvs "
> SecFilterSelective THE_REQUEST "telnet "
> SecFilterSelective THE_REQUEST "ssh "
> SecFilterSelective THE_REQUEST "echo "
> SecFilterSelective THE_REQUEST "nc "
> SecFilterSelective THE_REQUEST "mkdir "
> SecFilterSelective THE_REQUEST "cd /tmp"
> SecFilterSelective THE_REQUEST "cd /var/tmp"

Hi Andy, I have a concern with these filters in that they may
potentially catch quite a few false positives.

In addition to the first one coming from modsecurity.org, I've added a 
couple more:

    SecFilterSelective ARG_highlight %27
    SecFilterSelective ARG_highlight %2527
    SecFilter "visualcoders\.net/spy\.gif\?\&cmd"
    SecFilter ":/"
    SecFilter "'"

Source: http://castlecops.com/article-5642-nested-0-0.html

Your filters I see as good for those who are ultra paranoid.  Because they 
are looking at THE_REQUEST, and if say "wget " is found in it, it'll be 
406'd.

THE_REQUEST: http://modules.apache.org/doc/Intro_API_Prog.html

"the_request - string which just contains the first line of the request. 
(e.g. "GET /index.html HTTP/1.0")"

If that is correct, then filtering on those custom keywords can indeed 
spawn some false positives.  The biggest issues as I see it are the use of 
' and/or :/ in the_request.  Unless a website is doing redirects, aka:

http://example.com/redirect.jsp?http://example.net/index.html

Then I don't see a real need to include the ":/" (or "://").  The other 
aspect to it is the tick mark "'", such an integral component to SQL 
injections, or even escaping shell commands.

Using the mod_security filter I provided above, it has stopped over 
300,000 attacks in a 55 hour period.  I've provided some examples, with 
some analysis of what other alternatives can be used.  But the big one I 
think is the mod_security filters.

-- 
Regards,

Paul Laudanski - Computer Cops, LLC. CEO & Founder
CastleCops(SM) - http://castlecops.com
Promoting education and health in online security and privacy.
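
Added example (not part of the original message, and not mod_security code): a Python sketch of the false-positive concern raised in this message, replaying the quoted patterns against constructed benign request lines. It assumes each pattern is a regular expression searched anywhere in the first line of the request with no URL decoding; the function names and sample requests are hypothetical.

```python
import re

# Patterns copied from the rules quoted in this thread. Assumption: each one
# is a regex searched anywhere in the request line; no URL decoding is modelled.
KEYWORD_RULES = ["wget ", "perl ", "lynx ", "ftp ", "scp ", "rcp ", "cvs ",
                 "telnet ", "ssh ", "echo ", "nc ", "mkdir ", "cd /tmp",
                 "cd /var/tmp"]
GENERIC_RULES = [":/", "'"]

# Constructed, benign request lines (not taken from any real log).
BENIGN_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "GET /docs/wget HTTP/1.1",        # path ends in a keyword, then the space
    "GET /downloads/rsync HTTP/1.1",  # "rsync " contains "nc "
    "GET /modules/perl HTTP/1.0",
    "GET /redirect.jsp?http://example.net/index.html HTTP/1.1",
    "GET /search?q=O'Reilly HTTP/1.1",
    "GET /viewtopic.php?t=42&highlight=worm HTTP/1.1",
]

def matching_rules(request_line, rules):
    """Return the rules whose pattern occurs in the request line."""
    return [r for r in rules if re.search(r, request_line)]

def false_positive_report(requests, rules):
    """Map each benign request that would be blocked to the rules it trips."""
    report = {}
    for line in requests:
        hits = matching_rules(line, rules)
        if hits:
            report[line] = hits
    return report

if __name__ == "__main__":
    for name, rules in (("keyword", KEYWORD_RULES), ("generic", GENERIC_RULES)):
        report = false_positive_report(BENIGN_REQUESTS, rules)
        print(f"{name} rules block {len(report)} of "
              f"{len(BENIGN_REQUESTS)} benign requests")
        for line, hits in report.items():
            print(f"  {line!r} <- {hits}")
```

Replaying a day of a site's own access log through the same functions before enabling a rule gives a concrete count of legitimate requests that would be rejected.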


