
ModSecurity Blog: November 2007

ModSecurity 2.1.4 Now Available

ModSecurity 2.1.4 is the latest stable release of ModSecurity. The 2.1.4 release includes an updated version (1.5) of the Core Rules.  This release also contains some fixes to multi-part form request handling as well as enhancements to allow better integration with other Apache httpd modules that use sub-requests.

Fixes to Multi-part Form Request Handling

The evasion detection built into the multi-part form parser was made more flexible to lessen false positives when used with some browsers to upload files.  Additionally, the parser was enhanced to reduce false positives in detecting evasion attempts within the data portions of the request body.

Enhancements for Integration with Other Modules

ModSecurity no longer inspects sub-requests generated by Apache httpd modules.  Sub-request inspection has proven to introduce some instability when certain combinations of modules and compilers are used and can no longer be supported.

See the CHANGES file within the distribution for a full list of changes.

As always, send questions/comments to the community support mailing list.  You can download the latest releases, view the documentation and subscribe to the mailing list at www.modsecurity.org.

Installing ModSecurity

ModSecurity is a really powerful beast. It can do anything you want, at least when what you want concerns protecting your web applications. But you need to know how to tell it what you want, and this is not trivial at times. This is why I like the Core Rule Set; it is designed to provide as much security as possible without requiring the user to tell ModSecurity exactly what to do.

But many are stuck before they even reach this stage and can't get ModSecurity running. Luckily, since many people run ModSecurity, someone will always know how to make ModSecurity run on your platform, whether it is Solaris on Sparc or a Mac, and you can find most of that on the ModSecurity mailing list. Just recently I found two nice write-ups about installing ModSecurity on different flavors of Linux which I thought you would find useful:

If you want to share your ModSecurity installation tips for a specific platform, just drop me a line and I will add it to this blog entry.

WASC Distributed Open Proxy Honeypot: Blind SQL Injection Attempt (Update)

As some of you may know, I am heading up the WASC Distributed Open Proxy Honeypot Project. The project architecture includes having participants deploy VMware images of a specially configured Apache server (functioning as an open proxy) along with ModSecurity. When the honeypot identifies an attack, it blocks it and then sends the attack data back to a central log server. This gives us a pretty unique view of the types of attacks that are happening out on the web, as most bad guys use these types of open proxies to funnel their attacks through to try and hide their true origins.

We recently (Oct 2007) deployed phase II of the project and now have many more sensors online. As you might expect, we are getting some interesting traffic :) With this in mind, I am going to be periodically posting attack data that we identify with the honeypots and providing a sort of web attack "Chalk Talk" breakdown of what is happening. For those of you who aren't familiar with the "Chalk Talk" term, it is commonly used by sports commentators in the United States when discussing American Football. The sports analysts break down the schemes used by offenses and defenses to show spectators the details of what is happening.

With this in mind, here is the 1st installment - Blind SQL Injection.

A client sent the following request (the portions of interest, bolded in the original post, are the identical textfield3 and textfield32 values):

GET http://www.mehdiplugins.com/misc/phpbbjoomhack.htm?textfield=Your%20site%20was%20so%20interesting
%20and%20informative%20I%20had%20to%20call%20a%20friend%20to%20tell%20her%20about%20it%2E%20Great
%20work%0D%0A%20%3Ca%20href%3Dhttp%3A%2F%2Fnwhjl%2Efree%2Dsite%2Dhost%2Ecom%2Fmap4%2Ehtml%20%3E%20
My%20Best%20Links%20%3C%2Fa%3E%20%20%3Ca%20href%3Dhttp%3A%2F%2Fnwhjl%2Efree%2Dsite%2Dhost%2Ecom%2F
map2%2Ehtml%20%3E%20top%20links%20%3C%2Fa%3E%20%20%3Ca%20href%3Dhttp%3A%2F%2Fahsjh%2Efreephpwebhosting
%2Enet%2Fmap8%2Ehtml%20%3E%20favourite%20links%20%3C%2Fa%3E%20%20%3Ca%20href%3Dhttp%3A%2F%2Fahsjh
%2Efreephpwebhosting%2Enet%2Fmap7%2Ehtml%20%3E%20Links%20%3C%2Fa%3E%20%0D%0A%20%5Burl%3Dhttp%3A%2F
%2Fmembers%2Elycos%2Eco%2Euk%2Fdfska%2Fmap3%2Ehtml%5D%20top%20links%20%5B%2Furl%5D%20%20%5Burl%3D
http%3A%2F%2Fkersnm%2Eawesomewebspace%2Ecom%2Fmap3%2Ehtml%5D%20best%20links%20%5B%2Furl%5D%20%20%5B
url%3Dhttp%3A%2F%2Fnwhjl%2Efree%2Dsite%2Dhost%2Ecom%2Fmap5%2Ehtml%5D%20My%20Links%20%5B%2Furl%5D%20
%20%5Burl%3Dhttp%3A%2F%2Fnwhjl%2Efree%2Dsite%2Dhost%2Ecom%2Fmap1%2Ehtml%5D%20my%20favourite%20links
%20%5B%2Furl%5D%20%20%5Burl%3Dhttp%3A%2F%2Fkersnm%2Eawesomewebspace%2Ecom%2Fmap6%2Ehtml%5D%20Links
%20%5B%2Furl%5D%20&textfield2=Michalis&textfield3=if%28%20md5%28%24password%29%20%3D%3D%20
%24row%5B%27user%5Fpassword%27%5D%20%26%26%20%24row%5B%27user%5Factive%27%5D%20%29&textfield4
=Your%20site%20was%20so%20interesting%20and%20informative%20I%20had%20to%20call%20a%20friend%20to%20
tell%20her%20about%20it%2E%20Great%20work%0D%0A%20%3Ca%20href%3Dhttp%3A%2F%2Fnwhjl%2Efree%2Dsite%2D
host%2Ecom%2Fmap4%2Ehtml%20%3E%20My%20Best%20Links%20%3C%2Fa%3E%20%20%3Ca%20href%3Dhttp%3A%2F%2Fnwhjl
%2Efree%2Dsite%2Dhost%2Ecom%2Fmap2%2Ehtml%20%3E%20top%20links%20%3C%2Fa%3E%20%20%3Ca%20href%3Dhttp
%3A%2F%2Fahsjh%2Efreephpwebhosting%2Enet%2Fmap8%2Ehtml%20%3E%20favourite%20links%20%3C%2Fa%3E%20%20
%3Ca%20href%3Dhttp%3A%2F%2Fahsjh%2Efreephpwebhosting%2Enet%2Fmap7%2Ehtml%20%3E%20Links%20%3C%2Fa%3E
%20%0D%0A%20%5Burl%3Dhttp%3A%2F%2Fmembers%2Elycos%2Eco%2Euk%2Fdfska%2Fmap3%2Ehtml%5D%20top%20links
%20%5B%2Furl%5D%20%20%5Burl%3Dhttp%3A%2F%2Fkersnm%2Eawesomewebspace%2Ecom%2Fmap3%2Ehtml%5D%20best%20
links%20%5B%2Furl%5D%20%20%5Burl%3Dhttp%3A%2F%2Fnwhjl%2Efree%2Dsite%2Dhost%2Ecom%2Fmap5%2Ehtml%5D%20
My%20Links%20%5B%2Furl%5D%20%20%5Burl%3Dhttp%3A%2F%2Fnwhjl%2Efree%2Dsite%2Dhost%2Ecom%2Fmap1%2Ehtml
%5D%20my%20favourite%20links%20%5B%2Furl%5D%20%20%5Burl%3Dhttp%3A%2F%2Fkersnm%2Eawesomewebspace%2Ecom
%2Fmap6%2Ehtml%5D%20Links%20%5B%2Furl%5D%20&textfield32=if%28%20md5%28%24password%29%20%3D
%3D%20%24row%5B%27user%5Fpassword%27%5D%20%26%26%20%24row%5B%27user%5Factive%27%5D%20%29
&textfield5=Namibia%2C%20Guangzhou&textfield6=http%3A%2F%2Fahsjh%2Efreephpwebhosting%2Enet%2Fmap8%2E
html&textfield22=http%3A%2F%2Fahsjh%2Efreephpwebhosting%2Enet%2Fmap8%2Ehtml HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Referer: http://www.mehdiplugins.com/misc/phpbbjoomhack.htm
Host: www.mehdiplugins.com

If you URL Decode this text, you will get the following:

GET http://www.mehdiplugins.com/misc/phpbbjoomhack.htm?textfield=Your site was so interesting and informative I had to call a friend to tell her about it. Great work
 <a href=http://nwhjl.free-site-host.com/map4.html > My Best Links   <a href=http://nwhjl.free-site-host.com/map2.html > top links   <a href=http://ahsjh.freephpwebhosting.net/map8.html > favourite links   <a href=http://ahsjh.freephpwebhosting.net/map7.html > Links  
 [url=http://members.lycos.co.uk/dfska/map3.html] top links [/url]  [url=http://kersnm.awesomewebspace.com/map3.html] best links [/url]  [url=http://nwhjl.free-site-host.com/map5.html] My Links [/url]  [url=http://nwhjl.free-site-host.com/map1.html] my favourite links [/url]  [url=http://kersnm.awesomewebspace.com/map6.html] Links [/url] &textfield2=Michalis&textfield3=if( md5($password) == $row['user_password'] && $row['user_active'] )&textfield4=Your site was so interesting and informative I had to call a friend to tell her about it. Great work
 <a href=http://nwhjl.free-site-host.com/map4.html > My Best Links   <a href=http://nwhjl.free-site-host.com/map2.html > top links   <a href=http://ahsjh.freephpwebhosting.net/map8.html > favourite links   <a href=http://ahsjh.freephpwebhosting.net/map7.html > Links  
 [url=http://members.lycos.co.uk/dfska/map3.html] top links [/url]  [url=http://kersnm.awesomewebspace.com/map3.html] best links [/url]  [url=http://nwhjl.free-site-host.com/map5.html] My Links [/url]  [url=http://nwhjl.free-site-host.com/map1.html] my favourite links [/url]  [url=http://kersnm.awesomewebspace.com/map6.html] Links [/url] &textfield32=if( md5($password) == $row['user_password'] && $row['user_active'] )&textfield5=Namibia, Guangzhou&textfield6=http://ahsjh.freephpwebhosting.net/map8.html&textfield22=
http://ahsjh.freephpwebhosting.net/map8.html HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Referer: http://www.mehdiplugins.com/misc/phpbbjoomhack.htm
Host: www.mehdiplugins.com

The URL-decoded data makes it much easier to visually identify what the client was trying to do. This appears to be a SPAMMER who is sending their data to this destination in the hope that it will be posted to the comment site where users will see it.

The bolded portion of the data triggered a ModSecurity Core Rule for Blind SQL Injection and generated this alert message:

Message: Access denied with code 200 (phase 2). Pattern match "\\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c
(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr
(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:_column|le)|
ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)
|object_(?:(?:nam|typ)e|id) ..." at ARGS:textfield3. [id "950904"] [msg "Blind SQL Injection Attack. Matched signature <user_password>"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/4.5"] [tag "OWASP/A6"] [tag "PCI/6.5.6"]

So, the matched portion of the text was this:

if( md5($password) == $row['user_password'] && $row['user_active'] )

What is this attempting to do? It appears that the SPAMMER is attempting to bypass authentication for the PHPBB form page. This actually makes sense when you think about it from a spammer's perspective. What is easier and less resource intensive: actually registering for accounts on these sites so that they are allowed to post, or including this Blind SQL Injection authentication bypass string and not having to worry about authenticating at all? The latter, it seems, is the case.

Update

We had more time to review this specific transaction and it appears to be a False Positive. It is not that the rule triggered on something that it shouldn't have, but rather that this was not an actual Blind SQL Injection attack.

The string that was matched is actually a PHP code snippet that was present in the page. It seems that the SPAMMER's script automatically included all of the hidden arguments in its request. I guess that instead of taking the time to code in the proper intelligence as to which fields are required for the request, it is just easier to "throw the kitchen sink" at it and include everything. Most web apps will not error out with extra parameters; however, they will if you are missing required elements.
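As an added example (not code from the honeypot project or from this blog), here is a small Python script that replays the analysis above and the update: it URL-decodes a constructed query string carrying the textfield3 value from the request, runs an approximation of rule 950904's keyword pattern over each argument the way ModSecurity does over ARGS, and then applies the check from the update, whether the flagged value appeared verbatim in the form page. The pattern (rebuilt only from the alternatives visible in the alert), the constructed query string and the stand-in page source are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Constructed query string: textfield3 carries the exact value from the
# honeypot request above; the other fields are shortened stand-ins.
QUERY = (
    "textfield=Your%20site%20was%20so%20interesting&textfield2=Michalis"
    "&textfield3=if%28%20md5%28%24password%29%20%3D%3D%20%24row%5B%27user"
    "%5Fpassword%27%5D%20%26%26%20%24row%5B%27user%5Factive%27%5D%20%29"
    "&textfield5=Namibia%2C%20Guangzhou"
)

# Assumption: an approximation of rule 950904's pattern rebuilt only from the
# alternatives visible in the alert above (the real one is truncated with "...").
BLIND_SQLI = re.compile(
    r"\b(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint"
    r"|lumn)s|at)|dba|ibm)|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t"
    r"|tab(?:_column|le)|ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id"
    r"|ll_objects)|object_(?:(?:nam|typ)e|id))\b",
    re.IGNORECASE,
)

# Constructed stand-in for the form page: the PHP line the update says was
# present in the page, which the spam script's "send everything" approach echoed.
PAGE_SOURCE = """<form>
<input type="hidden" name="textfield3"
 value="if( md5($password) == $row['user_password'] && $row['user_active'] )">
</form>"""


def decode_args(query):
    """URL-decode the query string into the ARGS collection ModSecurity inspects."""
    return dict(parse_qsl(query, keep_blank_values=True))


def inspect_args(args):
    """Return (arg name, matched signature) for every argument the pattern hits."""
    return [(n, m.group(0)) for n, v in args.items() if (m := BLIND_SQLI.search(v))]


def echoed_from_page(value, page_source):
    """Analyst check from the update: did the flagged value appear verbatim in
    the form page? If so, the client likely replayed what the page served."""
    return value in page_source


if __name__ == "__main__":
    args = decode_args(QUERY)
    for name, sig in inspect_args(args):
        echoed = echoed_from_page(args[name], PAGE_SOURCE)
        print(f"ARGS:{name} matched <{sig}>: {'echoed page content' if echoed else 'review'}")
```

Run as-is it reports ARGS:textfield3 matching <user_password>, the same signature the Core Rules alert named, and flags it as content echoed from the page.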

As a side note, at the same time we were conducting this internal analysis, we did receive some feedback from the public re-affirming this theory (thanks kuza55 by way of Jeremiah Grossman's Blog). This does raise an important issue - we need help with data analysis! If you are interested in participating in the WASC honeypot project (even if you don't want to deploy an actual honeypot) then please let me know and we will get you signed up for the project mail-list. This way, we can get more eyes on these alerts for validation.
