[Bro] working with MS15-034

Josh Liburdi liburdi.joshua at gmail.com
Thu Apr 16 10:20:51 PDT 2015


Seems like it would be fine in production. There are multiple ways to
detect this vulnerability (including one not yet mentioned here that
was posted in the Bro IRC channel the other day). Personally I use a
script that looks for inbound connections that have a RANGE header,
save the RANGE value, then checks to see if the internal server
responded with the status code 416 (at which point the notice is fired
with the RANGE value included in it) ... this vulnerability does a
good job of showing how flexible Bro can be with detection.

On Thu, Apr 16, 2015 at 10:10 AM, Wier, Timothy A.
<tim.wier at cuchicago.edu> wrote:
> This is what I’ve been playing with: http://try.bro.org/#/trybro/saved/3789.
>
> Not sure how it will run in production.
>
> Tim
>
> From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Vlad
> Grigorescu
> Sent: Thursday, April 16, 2015 11:53 AM
> To: Josh Liburdi
> Cc: bro at bro.org
> Subject: Re: [Bro] working with MS15-034
>
> Well... they're not equal. :-)
>
> magic is 18446744073709551615,
>
> while d is 18446740000000000000
>
> See this:
>
> http://try.bro.org/#/trybro/saved/3786
>
> On Thu, Apr 16, 2015 at 11:47 AM, Josh Liburdi <liburdi.joshua at gmail.com>
> wrote:
>
> Better version here: http://try.bro.org/#/trybro/saved/3782
>
>
> On Thu, Apr 16, 2015 at 9:45 AM, Josh Liburdi <liburdi.joshua at gmail.com>
> wrote:
>> I agree, I think doubles are the way to go ... but the behavior is
>> odd: http://try.bro.org/#/trybro/saved/3780
>>
>> It doesn't recognize the numbers as being equal.
>>
>> Josh
>>
>> On Thu, Apr 16, 2015 at 9:43 AM, Vlad Grigorescu <vlad at grigorescu.org>
>> wrote:
>>> You can use to_double:
>>>
>>>> $ bro -e 'print to_double("987654321123456789");'
>>>> 9.876543e+17
>>>
>>>   --Vlad
>>>
>>> On Thu, Apr 16, 2015 at 11:19 AM, Aaron Gee-Clough <lists at g-clef.net>
>>> wrote:
>>>>
>>>> True, but I was hoping to do more than just detect the magic number. I
>>>> was hoping to be able to say something along the lines of:
>>>>
>>>>         if (name == "RANGE" && value > 2^64 )
>>>>
>>>> My thinking here is that I don't want to play whack-a-mole with magic
>>>> numbers. I would like to flag any request for an offset that big as a
>>>> potential problem.
>>>>
>>>> aaron
>>>>
>>>> On 04/16/2015 12:11 PM, Josh Liburdi wrote:
>>>> >
>>>> > The Range header value in Bro should be a string-- if you're looking
>>>> > to detect a specific magic number in this value, then instead of
>>>> > converting the values to counts, you could match it like this by
>>>> > leaving that magic number as a string:
>>>> >
>>>> > if ( name == "RANGE" && "string" in value )
>>>> >
>>>> > Josh
>>>> >
>>>> > On Thu, Apr 16, 2015 at 4:33 AM, Aaron Gee-Clough <lists at g-clef.net>
>>>> > wrote:
>>>> >>
>>>> >> All,
>>>> >>
>>>> >> I'm working on a bro script to detect attempts for the
>>>> >> recently-announced IIS attack. I've hit an interesting issue: There's a
>>>> >> magic number that gets sent in the HTTP "RANGE" header to trigger the
>>>> >> vulnerability, and that number is 2^64. This is right at the edge of
>>>> >> what a "count" variable can hold, and it wraps around a regular "int"
>>>> >> variable.
>>>> >>
>>>> >> I'd like to be able to detect anyone sending any number >= 2^64 in a
>>>> >> RANGE header, but I don't see how to do that with count variables in
>>>> >> bro. Does anyone have any ideas of how I can do this? Right now I'm
>>>> >> looking at doing something truly nasty, like comparing the length of the
>>>> >> strings holding the Range values. I'm *really* not happy with that,
>>>> >> though...it feels like a really ugly hack.
>>>> >>
>>>> >> aaron
>>>> >> _______________________________________________
>>>> >> Bro mailing list
>>>> >> bro at bro-ids.org
>>>> >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

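An added example, not a Bro script and not code from anyone in the thread, that puts the two ideas above together in Python: parse the Range offsets as exact integers so any offset at the 64-bit `count` boundary is flagged without matching one magic-number string (Aaron's goal), and only raise a notice once the server answers 416 (Josh's approach). The connection ids, header values and status codes are constructed sample input.

```python
import re
from dataclasses import dataclass, field

# Largest value an unsigned 64-bit counter (Bro's `count`) can hold. The
# MS15-034 trigger offset sits at this boundary, so anything reaching it is
# flagged; no per-magic-number string matching required.
MAX_UINT64 = 2**64 - 1

_RANGE_NUM = re.compile(r"\d+")


def suspicious_range(value):
    """Return the first byte offset in a Range header value that is >= MAX_UINT64,
    or None. Python ints are arbitrary precision, so there is no wrap-around as
    with `int`, and no double rounding: float(MAX_UINT64) == 2.0**64, which is
    why a to_double() comparison cannot tell 2^64-1 from 2^64."""
    for tok in _RANGE_NUM.findall(value):
        n = int(tok)
        if n >= MAX_UINT64:
            return n
    return None


@dataclass
class RangeTracker:
    """Per-connection state: save an oversized RANGE value on the request side,
    and emit a notice only if the server then replies 416 (Range Not Satisfiable)."""
    pending: dict = field(default_factory=dict)   # conn id -> saved RANGE value
    notices: list = field(default_factory=list)   # (conn id, RANGE value)

    def http_header(self, conn, is_orig, name, value):
        # Only client (originator) headers named RANGE with an offset at the boundary.
        if is_orig and name.upper() == "RANGE" and suspicious_range(value) is not None:
            self.pending[conn] = value

    def http_reply(self, conn, code):
        value = self.pending.pop(conn, None)
        hit = value is not None and code == 416
        if hit:
            self.notices.append((conn, value))
        return hit


def run_sample():
    """Constructed sample traffic: one oversized request answered 416, one benign."""
    t = RangeTracker()
    t.http_header("c1", True, "Range", "bytes=0-18446744073709551615")
    t.http_reply("c1", 416)
    t.http_header("c2", True, "Range", "bytes=0-1023")
    t.http_reply("c2", 206)
    return t.notices
```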

