Spectacularly Bad

Another round of notable WordPress plugin vulnerabilities made the rounds today: nothing particularly noteworthy, just a smattering of XSS, SQLi, and form upload flaws. The Rich Counter upload vulnerability caught my eye because the PoC notes that the exploit vector is the User-Agent header. Since unsanitized user input is more often exploited via query-string and POST parameters, I thought this was worth a quick once-over.

Continue reading

Logging Mod_Security in JSON

mod_sec audit logs are atrocious. There have been a few attempts to make parsing audit data more palatable: BitsOfInfo recently wrote up a proof of concept for working through audit logs with logstash, and the AuditConsole project from JWall provides a more comprehensive approach to collecting log data, but neither solution addresses the inherent problem of how messy the native audit log format is.

As part of my Master’s thesis I need a way to efficiently audit, sort and store audit logs; building my own parser, while doable, would be a waste of time, so I’ve forked the ModSecurity project on GitHub and built a patch that implements JSON logging directly in the application, replacing the old audit log structures entirely. There’s still a long way to go, but the initial patch seems stable and produces valid JSON.

Continue reading

ZOMG REMOTE SHELL EXPLOIT!!!! … Or, Not

A new post to the Full Disclosure mailing list today detailed a remote code execution vulnerability in all available versions of the Nagios Remote Plugin Executor (NRPE), and provided a PoC that included gaining a reverse shell on the target server. Note that this reported exploit relies on a separate (but similar) vulnerability report, CVE-2013-1362. In today’s post, Dawid Golunski properly identifies a weakness in NRPE’s argument sanitization that could allow a client to execute arbitrary commands on the remote host in the context of the NRPE user. At first this seems like a pretty serious vulnerability, but further analysis shows that successful exploitation hinges on a series of bad practices unrelated to the NRPE code itself.

Continue reading

Brute Force Uptick

Okay, so just to clarify: am I actually breaking this news? No. Definitely not. But my automated log scanner picked up a jump in malicious activity on my network yesterday, so it’s worth a closer look. First, we see the jump in numbers:

Note that the addresses have been lazily obfuscated and do not all actually belong to the same class C, though some share common ASNs (and some do indeed share a common class C). Wonderful, so let’s take a look at the log itself (a small sample is presented below for brevity):

Continue reading

Coordinated Spam Effort

Yesterday we saw a large number of infected domains sending a massive spam run in what appeared to be a coordinated effort. Signs of a large-scale, coordinated effort included:

  • Sharp upticks of outbound spam requests occurring at once across multiple domains
  • The same script being used across disparate victims
  • A large sampling of IPs submitting malicious requests (a sample has been submitted to the ISC)

Continue reading