[stalk:00423] Re: IIS CGI Filename Decode Error Vulnerability
- To: <security-talk@xxxxxxxxxxxxxxxxxxxx>
- Subject: [stalk:00423] Re: IIS CGI Filename Decode Error Vulnerability
- From: Shikap <shikap@xxxxxxxxxxxx>
- Date: Fri, 18 May 2001 16:37:09 +0900
This is Shikap.
on 01.5.15 8:42 PM, MICKY at micky@xxxxxxxxx wrote:
> I wrote a lazy snort rule, as best a dog can.
>
> alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS UNICODE ATTACK
> DETECTED"; content:"/scripts/..%255c..%255cwinnt/system32/cmd.exe"; nocase ;)
Following Micky-san's lead, here goes: Operation Lazy Snort Rules (^^;
It turned into a huge number of rules, but since I don't want false positives,
I wrote each one out properly instead of lumping similar patterns together.
First, the ones for "\".
alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS UNICODE ATTACK DETECTED"; content:"%255c"; content:"winnt/system32/cmd.exe"; nocase;)
alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS UNICODE ATTACK DETECTED"; content:"%255C"; content:"winnt/system32/cmd.exe"; nocase;)
alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS UNICODE ATTACK DETECTED"; content:"%25%35c"; content:"winnt/system32/cmd.exe"; nocase;)
alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS UNICODE ATTACK DETECTED"; content:"%25%35C"; content:"winnt/system32/cmd.exe"; nocase;)
alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS UNICODE ATTACK DETECTED"; content:"%25%35%43"; content:"winnt/system32/cmd.exe"; nocase;)
alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS UNICODE ATTACK DETECTED"; content:"%25%35%63"; content:"winnt/system32/cmd.exe"; nocase;)
alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS UNICODE ATTACK DETECTED"; content:"%%35c"; content:"winnt/system32/cmd.exe"; nocase;)
alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS UNICODE ATTACK DETECTED"; content:"%%35C"; content:"winnt/system32/cmd.exe"; nocase;)
alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS UNICODE ATTACK DETECTED"; content:"%%35%43"; content:"winnt/system32/cmd.exe"; nocase;)
alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS UNICODE ATTACK DETECTED"; content:"%%35%63"; content:"winnt/system32/cmd.exe"; nocase;)
alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS UNICODE ATTACK DETECTED"; content:"%255%43"; content:"winnt/system32/cmd.exe"; nocase;)
alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS UNICODE ATTACK DETECTED"; content:"%255%63"; content:"winnt/system32/cmd.exe"; nocase;)
alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS UNICODE ATTACK DETECTED"; content:"%5%43"; content:"winnt/system32/cmd.exe"; nocase;)
alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS UNICODE ATTACK DETECTED"; content:"%5%63"; content:"winnt/system32/cmd.exe"; nocase;)
That covers the patterns using "\". That should be all of them:
2×2×4−2 = 14 patterns.
Next, the "/" and "." patterns.
alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS UNICODE ATTACK DETECTED"; content:"%252f"; content:"winnt/system32/cmd.exe"; nocase;)
alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS UNICODE ATTACK DETECTED"; content:"%252F"; content:"winnt/system32/cmd.exe"; nocase;)
alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS UNICODE ATTACK DETECTED"; content:"%25%32f"; content:"winnt/system32/cmd.exe"; nocase;)
alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS UNICODE ATTACK DETECTED"; content:"%25%32F"; content:"winnt/system32/cmd.exe"; nocase;)
alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS UNICODE ATTACK DETECTED"; content:"%25%32%46"; content:"winnt/system32/cmd.exe"; nocase;)
alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS UNICODE ATTACK DETECTED"; content:"%25%32%66"; content:"winnt/system32/cmd.exe"; nocase;)
alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS UNICODE ATTACK DETECTED"; content:"%%32f"; content:"winnt/system32/cmd.exe"; nocase;)
alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS UNICODE ATTACK DETECTED"; content:"%%32F"; content:"winnt/system32/cmd.exe"; nocase;)
alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS UNICODE ATTACK DETECTED"; content:"%%32%46"; content:"winnt/system32/cmd.exe"; nocase;)
alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS UNICODE ATTACK DETECTED"; content:"%%32%66"; content:"winnt/system32/cmd.exe"; nocase;)
alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS UNICODE ATTACK DETECTED"; content:"%252%46"; content:"winnt/system32/cmd.exe"; nocase;)
alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS UNICODE ATTACK DETECTED"; content:"%252%66"; content:"winnt/system32/cmd.exe"; nocase;)
alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS UNICODE ATTACK DETECTED"; content:"%2%46"; content:"winnt/system32/cmd.exe"; nocase;)
alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS UNICODE ATTACK DETECTED"; content:"%2%66"; content:"winnt/system32/cmd.exe"; nocase;)
alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS UNICODE ATTACK DETECTED"; content:"%252e"; content:"winnt/system32/cmd.exe"; nocase;)
alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS UNICODE ATTACK DETECTED"; content:"%252E"; content:"winnt/system32/cmd.exe"; nocase;)
alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS UNICODE ATTACK DETECTED"; content:"%25%32e"; content:"winnt/system32/cmd.exe"; nocase;)
alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS UNICODE ATTACK DETECTED"; content:"%25%32E"; content:"winnt/system32/cmd.exe"; nocase;)
alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS UNICODE ATTACK DETECTED"; content:"%25%32%45"; content:"winnt/system32/cmd.exe"; nocase;)
alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS UNICODE ATTACK DETECTED"; content:"%25%32%65"; content:"winnt/system32/cmd.exe"; nocase;)
alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS UNICODE ATTACK DETECTED"; content:"%%32e"; content:"winnt/system32/cmd.exe"; nocase;)
alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS UNICODE ATTACK DETECTED"; content:"%%32E"; content:"winnt/system32/cmd.exe"; nocase;)
alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS UNICODE ATTACK DETECTED"; content:"%%32%45"; content:"winnt/system32/cmd.exe"; nocase;)
alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS UNICODE ATTACK DETECTED"; content:"%%32%65"; content:"winnt/system32/cmd.exe"; nocase;)
alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS UNICODE ATTACK DETECTED"; content:"%252%45"; content:"winnt/system32/cmd.exe"; nocase;)
alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS UNICODE ATTACK DETECTED"; content:"%252%65"; content:"winnt/system32/cmd.exe"; nocase;)
alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS UNICODE ATTACK DETECTED"; content:"%2%45"; content:"winnt/system32/cmd.exe"; nocase;)
alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS UNICODE ATTACK DETECTED"; content:"%2%65"; content:"winnt/system32/cmd.exe"; nocase;)
..... I'm worn out. (wry smile)
# If you find any mistakes, please let me know > All
Also, there are patterns that come in via https, via a proxy, or via mail,
so if you also use copies of the above rules with the "80" changed to 443,
8080 and 110, everything should be catchable.
So, snort users, please give them a try.
Note that there will probably be attacks that don't use cmd.exe, but please
spare me that one; I don't even want to think about it. (^^;;;
Still, I get the feeling that trying to detect this with rules alone is a
stretch. It looks like the load would get very high.
Regards.
--
============================
Koji Shikata (鹿田 幸治)
E-Mail:koji.shikata@xxxxxxxxxxxx
:shikap@xxxxxxxxxxxx
snort patches available at: http://www.yk.rim.or.jp/~shikap/patch/
============================
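The following Python example is added here and is not code from the original mail. It decodes a request path twice, the way the vulnerable server does, confirms that each content string in the rules above only becomes its character on the second decode, and shows the normalise-then-match check that replaces rule enumeration. It assumes IIS-style lenient decoding (a "%" not followed by two hex digits is left as-is) and, for the "/" and "." groups, takes %32 (the digit 2) as the encoded middle byte, since 0x2F and 0x2E begin with 2.

```python
import re

# One percent-escape: '%' followed by exactly two hex digits.
_ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")

def lenient_decode(s: str) -> str:
    """One pass; a '%' without two hex digits stays literal (assumed IIS-like)."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)

def double_decode(s: str) -> str:
    return lenient_decode(lenient_decode(s))

# Content strings from the rules, keyed by the character each yields after
# the second decode ('/' and '.' take %32, the digit 2, as their middle byte).
PATTERNS = {
    "\\": ["%255c", "%255C", "%25%35c", "%25%35C", "%25%35%43", "%25%35%63",
           "%%35c", "%%35C", "%%35%43", "%%35%63", "%255%43", "%255%63",
           "%5%43", "%5%63"],
    "/": ["%252f", "%252F", "%25%32f", "%25%32F", "%25%32%46", "%25%32%66",
          "%%32f", "%%32F", "%%32%46", "%%32%66", "%252%46", "%252%66",
          "%2%46", "%2%66"],
    ".": ["%252e", "%252E", "%25%32e", "%25%32E", "%25%32%45", "%25%32%65",
          "%%32e", "%%32E", "%%32%45", "%%32%65", "%252%45", "%252%65",
          "%2%45", "%2%65"],
}

def check_patterns() -> bool:
    """True when every pattern needs the second decode (plain "%5c" would not)."""
    return all(double_decode(p) == ch and lenient_decode(p) != ch
               for ch, pats in PATTERNS.items() for p in pats)

def _traversal_to_cmd(path: str) -> bool:
    p = path.replace("\\", "/").lower()
    return "../" in p and "winnt/system32/cmd.exe" in p

def classify(path: str) -> str:
    """'double' if '..' traversal to cmd.exe shows only after the second decode
    (what the rules target), 'single' if already after the first, else 'none'."""
    once = lenient_decode(path)
    if _traversal_to_cmd(once):
        return "single"
    return "double" if _traversal_to_cmd(lenient_decode(once)) else "none"

# Constructed sample paths: MICKY's pattern, a single-encoded variant, a benign one.
SAMPLES = {
    "/scripts/..%255c..%255cwinnt/system32/cmd.exe": "double",
    "/scripts/..%5c..%5cwinnt/system32/cmd.exe": "single",
    "/scripts/search.asp?q=%2520rate": "none",
}
```

Because the check runs on the decoded path, one comparison covers all 42 content strings above, and a "5" typed where a "2" belongs (which double-decodes to "_" rather than "/") is caught by `check_patterns()` rather than silently missing traffic.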