Support User Manuals

Fortinet 5.0 Patch 6 Microscope & Magnifier User Manual

Open as PDF

of 705

Fortinet 410 FortiWeb 5.0 Patch 6 Administration Guide

platform as your production web servers, but contain no valuable data, normally receive no

legitimate traffic, an be open to attacks in order to gather data on automated attacks for your

forensic analysis.

Let’s say your honeypot, like your production web serve

rs, runs Joomla. In either your web

server’s logs, you see requests for URLs such as:

10.0.0.10 

- 

- 

[16/Dec

/2011:09:30:49 +0500] 

"GET

/index.

php?option=com_ckforms&controller=../../../../../../../../win

nt/system32/cmd.exe?/c+ver HTTP/1.1" 

200 

"-" 

"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0a2)

Gecko/20111101 Firefox/9.0a2)"

where the long string of repeated ../ ch

arac

ters indicates an attempt at directory traversal: to

go above the web server’s usual content directories.

If Joomla does not properly sanitize the input for the controller parame

ter (highlighted in

bold above), it would be able to use LFI. The attacker’s goal is to reach the cmd.exe file, the

Microsoft Windows command line, and enter the command ver, which displays the web

server’s specific OS version, such as:

Microsoft Windows [Version 6.1.7601]

Since the attacker successfully fingerprinted the specific version of Windows and Joomla, all

virtu

al hosts on that computer would be vulnerable also to any other attacks known to be

successful on that platform.

Luckily, this is happening on yo

ur honeypot, and not your company’s web servers.

To detect similar attacks, you could write your own attack signature to match and block that

and si

milar directory-traversing requests via controller, as well as to notify you when your

production web servers are being targeted by this type of attack:

If packet payload retention and logging were enabled, once this custom signature was applied,

you co

uld analyze requests to locate targeted files. Armed with this knowledge, you could then

apply defenses such as tripwires, strict file permissions, uninstalling unnecessary programs,

and sandboxing in order to minimize the likelihood that this attacker would be able to succeed

and achieve her objectives.

Setting name Value

Direction Signature creation

Expression ^/index\.php\?option=com_ckforms\&controller=(\.\.\/)+?

Action Alert & Deny

Severity High

Trigger Action notification-servers1

previous next