Ruleset-Update; RosettaFlash + some JAVA-Serialized-Object POST - sigs
mex
Jul 17, 2014, 4:06:24 AM
to naxsi-discuss
Hi guys,
new sigs online; most interesting is probably that
RosettaFlash-Sig; @mikispag helped me getting the regex
right (gracias, senor)
btw, there is also a rails-update available, addressing that
issue (https://github.com/rails/rails/pull/16109) but there is no
official note on the railssec-ml.
new signatures are available and pushed to the repo:
https://bitbucket.org/lazy_dogtown/doxi-rules/src
full blogpost:
http://blog.dorvakt.org/2014/07/ruleset-update-rosettaflash-some-java.html
[+] new sigs:
42000385 :: app_server.rules :: RosettaFlash JSONP-Exploit callback=CWS
42000381 :: web_server.rules :: Meterpreter-UA detected
42000382 :: web_server.rules :: local File access via file://
42000383 :: app_server.rules :: JAVA-Serialized-Object POST
42000384 :: app_server.rules :: JAVA-Serialized-Object POST / Class=*
--------------------------------------------------
#
# sid: 42000385 | date: 2014-07-17 - 09:45
#
# http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
# http://miki.it/RosettaFlash/RosettaFlash.pdf
# http://quaxio.com/jsonp_handcrafted_flash_files/
#
# credits to @mikispag helped me getting the regex right
#
MainRule "rx:^CWS\w{5}hC\w{50,}" "msg:RosettaFlash JSONP-Exploit callback=CWS" "mz:$ARGS_VAR:callback" "s:$ATTACK:8" id:42000385 ;
#
# sid: 42000382 | date: 2014-05-21 - 23:38
#
# http://vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf
#
MainRule "str:file://" "msg:local File access via file://" "mz:BODY|ARGS" "s:$UWA:8" id:42000382 ;
#
# sid: 42000384 | date: 2014-06-22 - 14:57
#
# http://www.exploit-db.com/exploits/28713/
#
MainRule "str:class=" "msg:JAVA-Serialized-Object POST / Class=*" "mz:$HEADERS_VAR:Content-Type " "s:$ATTACK:8" id:42000384 ;
#
# sid: 42000383 | date: 2014-06-22 - 14:57
#
# http://www.exploit-db.com/exploits/28713/
#
MainRule "str:java-serialized-object" "msg:JAVA-Serialized-Object POST" "mz:$HEADERS_VAR:Content-Type " "s:$ATTACK:8" id:42000383 ;
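Added example, not part of the original post and not naxsi's own code: a small Python model that parses three of the MainRule lines above and evaluates them against constructed requests, so the RosettaFlash regex boundary (at least 50 word characters after the CWS prefix, five word characters and hC) and the match zones can be checked offline before deploying the rules. It assumes caseless, multiline regex matching, counts each rule once per request, and ignores the trailing space in the Content-Type match zone; parse_rules, evaluate and SAMPLES are names introduced here.

```python
import re
# Three of the rules from the post above, with the e-mail line wraps rejoined.
RULES = r'''
MainRule "rx:^CWS\w{5}hC\w{50,}" "msg:RosettaFlash JSONP-Exploit callback=CWS" "mz:$ARGS_VAR:callback" "s:$ATTACK:8" id:42000385 ;
MainRule "str:file://" "msg:local File access via file://" "mz:BODY|ARGS" "s:$UWA:8" id:42000382 ;
MainRule "str:java-serialized-object" "msg:JAVA-Serialized-Object POST" "mz:$HEADERS_VAR:Content-Type " "s:$ATTACK:8" id:42000383 ;
'''

def parse_rules(text):
    """Parse MainRule lines into dicts: id, compiled matcher, zones, score tag and value."""
    rules = []
    for line in text.strip().splitlines():
        f = dict(q.split(":", 1) for q in re.findall(r'"([^"]*)"', line))
        # Assumption: caseless, multiline matching; re.A keeps \w ASCII-only.
        pattern = f["rx"] if "rx" in f else re.escape(f["str"])
        rx = re.compile(pattern, re.I | re.M | re.A)
        zones = []
        for z in f["mz"].split("|"):  # e.g. BODY|ARGS or $ARGS_VAR:callback
            zone, _, var = z.strip().lstrip("$").partition(":")
            zones.append((zone.replace("_VAR", ""), var.lower() or None))
        tag, value = f["s"].rsplit(":", 1)
        rules.append({"id": int(re.search(r"id:(\d+)", line).group(1)), "rx": rx,
                      "zones": zones, "tag": tag, "score": int(value)})
    return rules

def evaluate(request, rules):
    """Return (ids of matching rules, score per tag); each rule counts once (simplified)."""
    hits, scores = [], {}
    for r in rules:
        values = []
        for zone, var in r["zones"]:
            fields = {k.lower(): v for k, v in request.get(zone, {}).items()}
            values += fields.values() if var is None else [fields.get(var, "")]
        if any(r["rx"].search(v) for v in values):
            hits.append(r["id"])
            scores[r["tag"]] = scores.get(r["tag"], 0) + r["score"]
    return hits, scores

# Constructed sample requests (not captured traffic); the CWS values are filler, not SWF data.
SAMPLES = {
    "jsonp_benign": {"ARGS": {"callback": "jQuery17205829_1405584384123"}},
    "jsonp_cws": {"ARGS": {"callback": "CWS" + "A" * 5 + "hC" + "a" * 50}},
    "jsonp_cws_short": {"ARGS": {"callback": "CWS" + "A" * 5 + "hC" + "a" * 49}},
    "file_uri": {"ARGS": {"url": "file:///tmp/example.txt"}},
    "java_post": {"HEADERS": {"Content-Type": "application/x-java-serialized-object"}},
}

if __name__ == "__main__":
    print({n: evaluate(r, parse_rules(RULES)) for n, r in SAMPLES.items()})
```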