Ruleset-Update: Drupal SQLI & RCE-Exploit Attempt (CVE-2014-3704)
15 views
Skip to first unread message
mex
Oct 17, 2014, 6:30:21 AM10/17/14
to naxsi-discuss
http://blog.dorvakt.org/2014/10/ruleset-update-drupal-sqli-rce-exploit.html
please note: the sig is against the exploit/POC and wouldnt hold
against fancy urlencoding like "name%5b"
BUT: the attack WILL be blocked by naxsi because of 3 rules from
core-rule-set at least, thus my sig is for the attack, not the vuln.
emerging sigs have all possible encodings,
Emerging Threat Signatures: http://pastebin.com/raw.php?i=NZnfzGCc
POC: http://pastebin.com/F2Dk9LbX
---------------------------------
MainRule "str:name[0%20" "msg:Drupal SQLI & RCE-Exploit Attempt
(CVE-2014-3704)" "mz:BODY" "s:$ATTACK:8" id:42000399 ;
---------------------------------
References:
- https://www.drupal.org/SA-CORE-2014-005
- http://www.reddit.com/r/netsec/comments/2jbu8g/sacore2014005_drupal_core_sql_injection/
- http://pastebin.com/F2Dk9LbX
please note: the sig is against the exploit/POC and wouldnt hold
against fancy urlencoding like "name%5b"
BUT: the attack WILL be blocked by naxsi because of 3 rules from
core-rule-set at least, thus my sig is for the attack, not the vuln.
emerging sigs have all possible encodings,
Emerging Threat Signatures: http://pastebin.com/raw.php?i=NZnfzGCc
POC: http://pastebin.com/F2Dk9LbX
---------------------------------
MainRule "str:name[0%20" "msg:Drupal SQLI & RCE-Exploit Attempt
(CVE-2014-3704)" "mz:BODY" "s:$ATTACK:8" id:42000399 ;
---------------------------------
References:
- https://www.drupal.org/SA-CORE-2014-005
- http://www.reddit.com/r/netsec/comments/2jbu8g/sacore2014005_drupal_core_sql_injection/
- http://pastebin.com/F2Dk9LbX
Reply all
Reply to author
Forward
0 new messages