<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
<title>topic Re: Vulnerability Vs Successful Exploit in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/vulnerability-vs-successful-expolit/m-p/46977#M34528</link>
<description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;This is one of the things that truly irks me about Palo Alto's IPS/IDS implementation... I have had a lot of experience with Snort/Sourcefire IDS products, and one huge leg up over other implementations I've seen in Sourcefire's Snort is the fact that the rules are easily browsable (except for very specific situations, where "shared object" rules were written to obfuscate the rule so that the rule can't be analyzed and have an exploit written for it - that's a corner case though).&lt;/P&gt;&lt;P&gt;It's very easy to determine if a given rule that fired off is a legitimate event or a false positive, because I can &lt;EM&gt;look at the rule that generated the event&lt;/EM&gt; with a PCAP open alongside the rule, and determine if this traffic match was a false positive or not.&lt;/P&gt;&lt;P&gt;Both Check Point and PA should really "get the memo" on this... we as network security folks need to be able to see not just that some proprietary thing determined that there was "bad network traffic," but to see how the rule/signature was actually written.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Mon, 29 Apr 2013 13:12:04 GMT</pubDate>
    <dc:creator>ericgearhart</dc:creator>
    <dc:date>2013-04-29T13:12:04Z</dc:date>
    <item>
<title>Vulnerability Vs Successful Exploit</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/vulnerability-vs-successful-expolit/m-p/46976#M34527</link>
<description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;I would like to know how easy or hard it might be to link a vulnerability to an actual successful exploit.&lt;/P&gt;&lt;P&gt;The threat details are provided below and a screenshot of the actual threat incident seen is attached. I am assuming this is just a random attempt at the recent timthumb attack, as I do not see the next stage, which would have been, as I understand it, the download of the last.php. This, I am guessing, is a good example of a threat that was actively attempted but has not succeeded. Could someone give me examples where I can say an exploit was certainly successful?&lt;/P&gt;&lt;TABLE&gt;&lt;TBODY&gt;&lt;TR&gt;&lt;TD&gt;Attack Name&lt;/TD&gt;&lt;TD&gt;TimThumb Attack&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;Description&lt;/TD&gt;&lt;TD&gt;TimThumb.php is prone to a remote command execution vulnerability while loading and storing remote files. The vulnerability is due to the fact that TimThumb.php allows files to be included from an array of allowed sites and keeps copies of such files in the cache directory, located in the same folder as timthumb.php. An attacker could exploit the vulnerability by sending a crafted HTTP request. A successful attack could lead to remote code execution with the privileges of the web server.&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;Threat ID&lt;/TD&gt;&lt;TD&gt;35466&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;References&lt;/TD&gt;&lt;TD&gt;&lt;A href="http://markmaunder.com/2011/08/02/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/" target="_blank"&gt;http://markmaunder.com/2011/08/02/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/&lt;/A&gt;&lt;BR /&gt;&lt;A href="http://code.google.com/p/timthumb/issues/detail?id=212" target="_blank"&gt;http://code.google.com/p/timthumb/issues/detail?id=212&lt;/A&gt;&lt;BR /&gt;&lt;A href="http://www.malwaredomainlist.com/forums/index.php?topic=4790.0" target="_blank"&gt;http://www.malwaredomainlist.com/forums/index.php?topic=4790.0&lt;/A&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;Severity&lt;/TD&gt;&lt;TD&gt;high&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;Category&lt;/TD&gt;&lt;TD&gt;code-execution&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;P&gt;Kind Regards,&lt;/P&gt;&lt;P&gt;Sunil&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 29 Apr 2013 11:29:39 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/vulnerability-vs-successful-expolit/m-p/46976#M34527</guid>
      <dc:creator>sunilsadanandan</dc:creator>
      <dc:date>2013-04-29T11:29:39Z</dc:date>
    </item>
    <item>
<title>Re: Vulnerability Vs Successful Exploit</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/vulnerability-vs-successful-expolit/m-p/46977#M34528</link>
<description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;This is one of the things that truly irks me about Palo Alto's IPS/IDS implementation... I have had a lot of experience with Snort/Sourcefire IDS products, and one huge leg up over other implementations I've seen in Sourcefire's Snort is the fact that the rules are easily browsable (except for very specific situations, where "shared object" rules were written to obfuscate the rule so that the rule can't be analyzed and have an exploit written for it - that's a corner case though).&lt;/P&gt;&lt;P&gt;It's very easy to determine if a given rule that fired off is a legitimate event or a false positive, because I can &lt;EM&gt;look at the rule that generated the event&lt;/EM&gt; with a PCAP open alongside the rule, and determine if this traffic match was a false positive or not.&lt;/P&gt;&lt;P&gt;Both Check Point and PA should really "get the memo" on this... we as network security folks need to be able to see not just that some proprietary thing determined that there was "bad network traffic," but to see how the rule/signature was actually written.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 29 Apr 2013 13:12:04 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/vulnerability-vs-successful-expolit/m-p/46977#M34528</guid>
      <dc:creator>ericgearhart</dc:creator>
      <dc:date>2013-04-29T13:12:04Z</dc:date>
    </item>
  </channel>
</rss>