1 May 14:27
Re: Breach Security Labs Alert: Nihaorr1 Attack(fwd)
From: Ryan Barnett <Ryan.Barnett <at> Breach.com>
Subject: Re: Breach Security Labs Alert: Nihaorr1 Attack(fwd)
Newsgroups: gmane.comp.apache.mod-security.user
Date: 2008-05-01 12:27:21 GMT
One quick clarification - if you want to use blocking for these rules, use the modsecurity_crs_40_generic_attacks.conf file that is under the "optional_rules" directory as this is the "blocking" version and has the "deny" action applied to them. The name of that directory is a bit misleading as it is really holding 2 different types of rules - some are the blocking versions of rules files and some are truly optional rule sets that may be applicable in some situations (comment spam and directory traversals). Due to the fact that many people call up the Mod rules using Include wild-carding in the httpd.conf file, we thought it best to move the optional rules into a separate directory so that they would need to be explicitly specified.

-Ryan

> -----Original Message-----
> From: Ryan Barnett
> Sent: Thursday, May 01, 2008 8:12 AM
> To: covici <at> ccs.covici.com; mod-security-users <at> lists.sourceforge.net
> Subject: RE: [mod-security-users] Breach Security Labs Alert: Nihaorr1 Attack(fwd)
>
> Hello John,
> I am guessing that you are using ModSecurity 2.1.4? This recent mass-SQL Injection attack is essentially an updated version of the attack I outlined in a past Blog post - http://blog.modsecurity.org/2008/01/sql-injection-a.html. The only real difference is the actual injected JS code.
>
> Fortunately, if you are using the Core Rules, Rule ID 950001 (SQL Injection) in the modsecurity_crs_40_generic_attacks.conf file will identify this attack. When the Breach alert mentions "Customers should verify their security settings to ensure the appropriate prevention mechanisms are active." what we mean is that even if you are using Rule ID 950001, you still need to check your SecRuleEngine setting along with the disruptive action specified on the rule itself. If you have SecRuleEngine set to DetectionOnly, then obviously the attack would be alerted on but not actually blocked.
>
> Hope this info helps!
> -Ryan
>
> > -----Original Message-----
> > From: mod-security-users-bounces <at> lists.sourceforge.net [mailto:mod-security-users-bounces <at> lists.sourceforge.net] On Behalf Of John covici
> > Sent: Wednesday, April 30, 2008 10:52 AM
> > To: mod-security-users <at> lists.sourceforge.net
> > Subject: [mod-security-users] Breach Security Labs Alert: Nihaorr1 Attack(fwd)
> >
> > Hi. How do I make sure that a site using mod-security 2.4 is not vulnerable to the attack mentioned below?
> >
> > Thanks.
> >
> > ------- start of forwarded message -------
> > From: "Breach.com" <emarketing <at> breach.com>
> > To: "John" <covici <at> ccs.covici.com>
> > Subject: Breach Security Labs Alert: Nihaorr1 Attack
> > Date: Thu, 01 May 2008 00:43:45 +1000
> >
> > Breach Security Labs™ Alert
> >
> > Tuesday, April 29, 2008
> >
> > Priority: HIGH
> >
> > Impact: Potential for malware to be downloaded to website visitors. PCI DSS non-compliance.
> >
> > Resolution: Verify blocking policy in web application firewall and remediate code flaws.
> >
> > Who: As many as 500,000 vulnerable Microsoft® IIS web servers around the world have been attacked with a generic SQL injection, known as "nihaorr1". Some of the affected organizations include:
> >
> > * The United Nations
> > * The U.S. Department of Homeland Security
> > * The U.K. Government
> > * Aeroflot Russian Airlines
> >
> > What: A SQL injection is a common attack that targets web applications through user-supplied input fields, such as web forms. The goal of this attack technique is to control the SQL database behind the application for the purposes of downloading its contents, erasing it or undertaking another malicious activity.
> >
> > How: This recent attack has found a common way to exploit various SQL injection vulnerabilities in websites and inject malicious JavaScript™ into different pages on each site. When a potential victim visits one of the infected sites, malware is downloaded to the visitor's computer.
> >
> > Impact: The nihaorr1 assault on web applications is the most widely propagating application-layer attack to date. Not only has it hit hundreds of thousands of web applications around the world, but also it has done so using a single, generic attack on these custom applications.
> >
> > Additionally, organizations impacted by nihaorr1 may be classified as out of compliance with the Payment Card Industry (PCI) Data Security Standard (DSS). Requirement 6.5.6 of the PCI DSS states that organizations should:
> >
> > "...Cover prevention of common coding vulnerabilities in software development processes, to include the following…injection flaws (for example, structured query language (SQL) injection)."
> >
> > Prevention: Perhaps the most surprising discovery associated with this attack is that it was entirely preventable. Had the developers of these web applications created them based on secure coding guidelines such as those from the Open Web Application Security Project (OWASP), their sites would have been protected. In addition, deployment of a Breach Security web application firewall prevents the attack.
> >
> > Resolution: Breach Security's web application firewalls enable security organizations to pinpoint security vulnerabilities in code for quick remediation and offer continuous protection by detecting and blocking hacks before they can reach the web application. Breach Security recommends remediation of the vulnerable code as a best practice as part of the normal development life cycle.
> >
> > Breach Security WebDefend™ and ModSecurity Pro™ M1100 customers are already protected against nihaorr1. Customers should verify their security settings to ensure the appropriate prevention mechanisms are active.
> >
> > For more information on this alert and other web application security news, please visit Breach Security Labs at support <at> breach.com [mailto:support <at> breach.com].
> >
> > Breach Security, Inc.
> > 2075 Las Palmas Drive, Carlsbad, CA 92011
> > +1 866 205 7032 | +1 760 268 1924 | www.breach.com [http://www.breach.com/]
> > © 2008 Breach Security, Inc. All rights reserved.
> > ------- end of forwarded message -------
> >
> > --
> > Your life is like a penny. You're going to lose it. The question is:
> > How do you spend it?
> >
> > John Covici
> > covici <at> ccs.covici.com
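The two settings Ryan tells John to verify, the effective SecRuleEngine value and whether the blocking copy of modsecurity_crs_40_generic_attacks.conf under optional_rules is actually reached by the Include lines in httpd.conf, can be checked mechanically. The script below is an added example, not code from this thread or from the ModSecurity project; the conf/modsecurity_crs root and both sample configurations are constructed, and the Include glob model assumes a wildcard matches within one directory level only. It does not open the rule file itself, so the deny action on the rule is not verified here.

```python
import re
from fnmatch import fnmatchcase

# Relative path (under the CRS root) of the blocking version of the
# generic-attacks rules described in the thread: the copy in optional_rules
# carries the "deny" action, the copy at the top level does not.
BLOCKING_CRS40 = "optional_rules/modsecurity_crs_40_generic_attacks.conf"


def include_matches(pattern: str, target: str) -> bool:
    """Model Apache Include globbing: a wildcard matches within one path
    segment, so 'crs/*.conf' does not descend into 'crs/optional_rules/'."""
    pat, tgt = pattern.strip("/").split("/"), target.strip("/").split("/")
    return len(pat) == len(tgt) and all(
        fnmatchcase(t, p) for p, t in zip(pat, tgt))


def audit_modsec_config(conf_text: str, crs_root: str) -> dict:
    """Report the effective SecRuleEngine value and whether the blocking
    modsecurity_crs_40_generic_attacks.conf is reached by any Include.
    Assumption: the last SecRuleEngine directive wins; <VirtualHost> and
    <Location> scoping is deliberately ignored in this example."""
    engine = None
    blocking_included = False
    target = f"{crs_root.rstrip('/')}/{BLOCKING_CRS40}"
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        m = re.match(r"(?i)^SecRuleEngine\s+(\S+)", line)
        if m:
            engine = m.group(1)
            continue
        m = re.match(r'(?i)^Include\s+"?([^"\s]+)"?', line)
        if m and include_matches(m.group(1), target):
            blocking_included = True
    findings = []
    if engine is None or engine.lower() != "on":
        findings.append(f"SecRuleEngine is {engine or 'unset'}, not On: "
                        "matches are alerted on but not blocked")
    if not blocking_included:
        findings.append("blocking " + BLOCKING_CRS40 + " is not included; "
                        "a top-level wildcard Include does not reach it")
    return {"engine": engine, "blocking_included": blocking_included,
            "findings": findings}


# Constructed sample: the common pattern Ryan describes, a wildcard Include
# at the CRS root, combined with detection-only mode. Nothing is blocked.
DETECT_ONLY_CONF = """
SecRuleEngine DetectionOnly
Include conf/modsecurity_crs/*.conf
"""

# Constructed sample: engine enabled and the blocking file named explicitly.
BLOCKING_CONF = """
SecRuleEngine On
Include conf/modsecurity_crs/optional_rules/modsecurity_crs_40_generic_attacks.conf
"""

if __name__ == "__main__":
    for name, conf in (("detect-only", DETECT_ONLY_CONF), ("blocking", BLOCKING_CONF)):
        print(name, audit_modsec_config(conf, "conf/modsecurity_crs"))
```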