[Emerging-Sigs] StillSecure: 10 New Signatures - Jan-19-2009

Matt Jonkman jonkman at jonkmans.com
Sat Jan 24 16:20:55 EST 2009


Committed all but 2, 3, and 5. The pcre I think we should reconsider.
Don't think we need to pcre for just .., and if we do it out of the http
buffer it may be normalized out. Can we make a straight content match
for those?

Thanks!!

Matt

signatures wrote:
> Hi Matt,
> 
> Please find 10 New Signatures below:
> 
> 1. *WEB-PHP cfagcms right.php title Parameter SQL Injection*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
> cfagcms right.php title Parameter SQL Injection";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/right.php"; nocase; uricontent:"title="; nocase;
> uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase;
> pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack;
> reference:bugtraq,32851; reference:url,milw0rm.com/exploits/7483;
> sid:2008222; rev:1;)
> 
> 2. *WEB-PHP BloofoxCMS dialog.php lang parameter Local File Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
> BloofoxCMS dialog.php lang parameter Local File Inclusion";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/dialogs/dialog.php?"; nocase; uricontent:"lang="; nocase;
> pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack;
> reference:url,milw0rm.com/exploits/7580; reference:bugtraq,33013;
> sid:2008020; rev:1;)
> 
> 3. *WEB-PHP BloofoxCMS dialog.php theme parameter Local File Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
> BloofoxCMS dialog.php theme parameter Local File Inclusion";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/dialogs/dialog.php?"; nocase; uricontent:"theme="; nocase;
> pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack;
> reference:url,milw0rm.com/exploits/7580; reference:bugtraq,33013;
> sid:2008021; rev:1;)
> 
> 4. *WEB-ATTACKS Chilkat Socket Activex Remote Arbitrary File Overwrite 1*
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS
> Chilkat Socket Activex Remote Arbitrary File Overwrite 1";
> content:"CLSID"; nocase; content:"3B598BD0-AF50-48C6-B6A5-63261A48B054";
> nocase; distance:0; content:"SaveLastError"; nocase;
> classtype:web-application-attack; reference:bugtraq,32333;
> reference:url,milw0rm.com/exploits/7594; sid:2008025; rev:1;)
> 
> 5. *WEB-PHP eDreamers eDNews lg Parameter Local File Include*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
> eDreamers eDNews lg Parameter Local File Include";
> flow:established,to_server; content:"GET "; depth:4;
> uricontent:"/eDNews_archive.php?"; nocase; uricontent:"lg="; nocase;
> pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack;
> reference:url,milw0rm.com/exploits/7603; reference:bugtraq,33027;
> sid:2008026; rev:1;)
> 
> 6. *WEB-ATTACKS SaschArt SasCam Webcam Server ActiveX Control Get Method Buffer Overflow*
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS
> SaschArt SasCam Webcam Server ActiveX Control Get Method Buffer
> Overflow"; flow:to_client,established; content:"CLSID"; nocase;
> content:"0297D24A-F425-47EE-9F3B-A459BCE593E3"; nocase; distance:0;
> content:"Get"; nocase; classtype:web-application-attack;
> reference:bugtraq,33053; reference:url,milw0rm.com/exploits/7617;
> sid:2008031; rev:1;)
> 
> 7. *WEB-PHP Sepcity Lawyer Portal deptdisplay.asp ID parameter SQL Injection*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
> Sepcity Lawyer Portal deptdisplay.asp ID parameter SQL Injection";
> flow:established,to_server; content:"GET "; depth:4;
> uricontent:"/deptdisplay.asp?"; nocase; uricontent:"ID="; nocase;
> uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase;
> pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack;
> reference:url,milw0rm.com/exploits/7610; reference:bugtraq,33040;
> sid:2008027; rev:1;)
> 
> 8. *WEB-PHP RealtyListings type.asp iType Parameter SQL Injection*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
> RealtyListings type.asp iType Parameter SQL Injection";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/type.asp?"; nocase; uricontent:"iType="; nocase;
> uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase;
> pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack;
> reference:url,secunia.com/advisories/33167/;
> reference:url,milw0rm.com/exploits/7464; sid:2008559; rev:1;)
> 
> 9. *WEB-PHP RealtyListings detail.asp iPro Parameter SQL Injection*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
> RealtyListings detail.asp iPro Parameter SQL Injection";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/detail.asp?"; nocase; uricontent:"iPro="; nocase;
> uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase;
> pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack;
> reference:url,secunia.com/advisories/33167/;
> reference:url,milw0rm.com/exploits/7464; sid:2008560; rev:1;)
> 
> 10. *WEB-PHP PHPOF DB_AdoDB.Class.PHP PHPOF_INCLUDE_PATH parameter Remote File Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
> PHPOF DB_AdoDB.Class.PHP PHPOF_INCLUDE_PATH parameter Remote File
> Inclusion"; flow:established,to_server; content:"GET "; depth:4;
> uricontent:"/DB_adodb.class.php?"; nocase;
> uricontent:"PHPOF_INCLUDE_PATH="; nocase;
> pcre:"/PHPOF_INCLUDE_PATH=\s*(ftps?|https?|php)\:\//Ui";
> classtype:web-application-attack; reference:bugtraq,25541; sid:2008029;
> rev:1;)
> 
> Looking forward to your comments, if any.
> 
> Thanks & Regards,
> 
> StillSecure

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
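The point Matt raises about signatures 2, 3 and 5 is that a `pcre` with the `U` modifier runs against Snort's normalized URI buffer, where a dot-dot traversal sequence may already have been resolved away before the pattern ever sees it. The script below is an added example, not part of the thread or of the Emerging Threats rule set: it parses two of the posted rules (copied inline as sample input), flags the ones whose `U`-modified `pcre` looks for `\.\.`, and runs such a `pcre` against both the raw and a modelled normalized URI so a reviewer can see where the match disappears. The `normalize_uri` function is a simplified assumption about http_inspect behaviour (percent-decode everywhere, resolve `./`, `//` and `../` in the path only); the real preprocessor's behaviour depends on its configuration, so the function is a stand-in for testing against the engine itself.

```python
import re
from urllib.parse import unquote

# Two signatures from the posted batch, embedded here as sample input:
# sid 2008020 relies on a U-modified pcre for "../", sid 2008222 does not.
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP '
    'BloofoxCMS dialog.php lang parameter Local File Inclusion"; '
    'flow:to_server,established; content:"GET "; depth:4; '
    'uricontent:"/dialogs/dialog.php?"; nocase; uricontent:"lang="; nocase; '
    r'pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack; '
    'reference:url,milw0rm.com/exploits/7580; reference:bugtraq,33013; '
    'sid:2008020; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP '
    'cfagcms right.php title Parameter SQL Injection"; '
    'flow:to_server,established; content:"GET "; depth:4; '
    'uricontent:"/right.php"; nocase; uricontent:"title="; nocase; '
    'uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; '
    'pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; '
    'reference:bugtraq,32851; reference:url,milw0rm.com/exploits/7483; '
    'sid:2008222; rev:1;)',
]

# One rule option: keyword, optional quoted or bare value, terminating ';'.
OPTION_RE = re.compile(r'(\w+)(?::("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_rule(rule):
    """Split a one-line Snort rule into its header and an ordered option list."""
    header, _, body = rule.partition("(")
    body = body.rstrip()
    if body.endswith(")"):
        body = body[:-1]
    options = []
    for m in OPTION_RE.finditer(body):
        value = m.group(2)
        if value is not None and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        options.append((m.group(1), value))
    return header.strip(), options


def split_pcre(value):
    """Return (pattern, modifiers) from a Snort pcre value like /UNION.+SELECT/Ui."""
    m = re.fullmatch(r"/(.*)/([A-Za-z]*)", value, re.DOTALL)
    return (m.group(1), m.group(2)) if m else (None, "")


def normalized_uri_traversal_rules(rules):
    """Sids of rules whose pcre searches the normalized URI buffer (U modifier)
    for a dot-dot sequence: the case Matt asks the submitter to reconsider."""
    flagged = []
    for rule in rules:
        _, options = parse_rule(rule)
        sid = dict(options).get("sid")
        for key, value in options:
            if key != "pcre":
                continue
            pattern, mods = split_pcre(value)
            if pattern and "U" in mods and r"\.\." in pattern:
                flagged.append(sid)
                break
    return flagged


def normalize_uri(raw_uri):
    """Simplified model (assumption, not http_inspect's code) of the normalized
    URI buffer: percent-decode, then resolve '', '.' and '..' path segments.
    The query string is decoded but its segments are left alone."""
    path, sep, query = unquote(raw_uri).partition("?")
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments) + sep + query


def check_buffers(rule, raw_uri):
    """Run the rule's pcre against the raw URI and the modelled normalized URI,
    returning which buffer still carries the match."""
    _, options = parse_rule(rule)
    pattern, mods = split_pcre(dict(options)["pcre"])
    regex = re.compile(pattern, re.IGNORECASE if "i" in mods else 0)
    return {
        "raw": regex.search(raw_uri) is not None,
        "normalized": regex.search(normalize_uri(raw_uri)) is not None,
    }


if __name__ == "__main__":
    print("rules to reconsider:", normalized_uri_traversal_rules(RULES))
    # Constructed request URIs: traversal in the path, then in the query string.
    for uri in ("/x/../dialogs/dialog.php?lang=a",
                "/dialogs/dialog.php?lang=%2e%2e/%2e%2e/example.txt"):
        print(uri, "->", normalize_uri(uri), check_buffers(RULES[0], uri))
```

For the first constructed URI the `pcre` matches the raw request but not the normalized buffer, which is exactly the gap a plain `content:"../"` match on the raw payload would close; for the second, decoding actually helps the `U` pattern, so the two buffers are not simply better or worse than each other, and the rule author needs to test which one the deployed http_inspect configuration produces.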