From: Ivan Ristic <ivan.ristic@gm...> - 2008-10-17 14:02:55
That's great work! I will give your code a look.
As I am sure you know, the topic of shell-attack evasion is not
covered well. Have you considered writing a paper to document your
On Thu, Oct 2, 2008 at 11:26 AM, Marc Stern <marc.stern@...> wrote:
> When trying to block some shell commands ("command/c", "rm -rf", etc.),
> there are very easy ways to totally evade any rule you wrote, by escaping
> some characters, or by using other separators than traditional spaces.
> Some examples are
> c^ommand /c ...
> "command" /c ...
> command,/c ...
> rm \-rf
> I wrote a ModSecurity filter (I guess this is the first published one :-0) that
> normalises a string for checking against a command-line pattern.
> It supports all evasion techniques I (and Brian from Breach, thanks) found
> for Windows and Unix shell scripts.
> This filter has been used in production for several months, but I had to wait
> until all my customers implemented it before releasing the vulnerability.
> This filter avoids this problem by
> * deleting all backslashes [\]
> * deleting all double quotes ["]
> * deleting all single quotes [']
> * deleting all carets [^]
> * deleting spaces before a slash [/]
> * deleting spaces before an open parenthesis [(]
> * replacing all commas [,] and semicolons [;] with a space
> * replacing all runs of multiple spaces (including tab, newline, etc.) with one
> * transforming all characters to lowercase
> Usage: t:cmdLine
> Ex: SecRule ARGS "(?:command(?:\.com)?|cmd(?:\.exe)?)(?:/.*)?/[ck]"
> It is available for download on
> The package contains source code, binaries for Win32 (compiled with Visual
> C++ 6.0), and documentation.
> Do not hesitate to give any feedback, or send additional escape sequences
> you would find.
> mod-security-users mailing list
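The normalisation steps Marc lists, written out as an added Python re-implementation for illustration; this is not Marc's C module, and the step order (separators replaced and whitespace collapsed before the space-before-slash deletion, so that "command,/c" ends up as "command/c") is my assumption. The `cmd_line`, `matches` and `RM_PATTERN` names are mine; `CMD_PATTERN` is the regex from the example SecRule above.

```python
import re

# Hypothetical re-implementation of the nine cmdLine normalisation steps from the post.
# Order assumption: replace separators and collapse whitespace first, then drop the
# space before '/' or '(', so "command,/c" normalises to "command/c".
def cmd_line(value: str) -> str:
    for ch in '\\"\'^':                        # delete backslashes, quotes, carets
        value = value.replace(ch, '')
    value = re.sub(r'[,;]', ' ', value)        # commas and semicolons become spaces
    value = re.sub(r'\s+', ' ', value)         # any whitespace run becomes one space
    value = re.sub(r' (?=[/(])', '', value)    # drop the space before '/' and '('
    return value.lower()                       # case-fold last

# Pattern copied from the post's example SecRule; it expects normalised input.
CMD_PATTERN = re.compile(r'(?:command(?:\.com)?|cmd(?:\.exe)?)(?:/.*)?/[ck]')
# Constructed pattern for the Unix example in the post; not from the post itself.
RM_PATTERN = re.compile(r'\brm -rf\b')

def matches(value: str, pattern: re.Pattern = CMD_PATTERN) -> bool:
    """Return True when the pattern hits the *normalised* form of value."""
    return pattern.search(cmd_line(value)) is not None

# Constructed evasion samples, based on the forms shown in the post.
EVASIONS = ['c^ommand /c dir', '"command" /c dir', 'command,/c dir', 'CMD.EXE\t/K dir']

if __name__ == '__main__':
    for sample in EVASIONS + [r'rm \-rf /tmp', 'command line tool']:
        print(f'{sample!r:24} -> {cmd_line(sample)!r:22} cmd={matches(sample)}')
```

Without the normalisation, none of the four `EVASIONS` strings hit `CMD_PATTERN`, which is exactly the gap the filter closes.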