04-29-2013 04:29 AM
Hi,
I would like to know how easy or hard it might be to link a vulnerability to an actual successful exploit.
The threat details are provided below and a screenshot of the actual threat incident seen in attached. I am assuming this is just a random attempt at the recent timthumb attack. As I do not see the next stage which would have been , as I understand it , the download of the last.php. This I am guessing is a good example of a threat that was actively attempted but has not succeeded. Could someone give me examples where I can say a certainly exploit was certainly successful ?
Attack Name | TimThumb Attack |
| Description | TimThumb.php is prone to a remote command execution vulnerability while loading and storing remote files. The vulnerability is due to the fact that TimThumb.php allows files to be included from an array of allowed sites and keep copies of such files in the cache directory, located in the same folder as timthumb.php. An attacker could exploit the vulnerability by sending a crafted HTTP request. A successful attack could lead to remote code execution with the privileges of the web server. |
| Threat ID | 35466 |
| References | http://markmaunder.com/2011/08/02/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/ http://code.google.com/p/timthumb/issues/detail?id=212 http://www.malwaredomainlist.com/forums/index.php?topic=4790.0 |
| Severity | high |
| Category | code-execution |
Kind Regards,
Sunil
04-29-2013 06:12 AM
This is one of the things that truly irks me about Palo Alto's IPS/IDS implementation... I have had a lot of experience with Snort/Sourcefire IDS products, and one huge leg up over other implementations I've seen in Sourcefire's Snort is the fact that the rules are easily browsable (except for very specific situations, where "shared object" rules were written to obfuscate the rule so that the rule can't be analyzed and have an exploit written for it - that's a corner case though).
It's very easy to determine if a given rule that fired off is a legitimate event or a false positive, because I can look at the rule that generated the event with a PCAP open along side the rule, and determine if this traffic match was a false positive or not.
Both Check Point and PA should really "get the memo" on this... we as network security folks need to be able to see not just that some proprietary thing determined that there was "bad network traffic," but to see how the rule/signature was actually written.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
