Here is an interesting one.

Basically, the ASPROX SQL Injection attack appears to be quite commonplace at the moment, but also quite serious.
To cut it short, there is a 20,000 strong botnet out there trying these attacks against websites which use .asp.
The tool actually uses google to search for these sites and then attempts to exploit them by inserting an HTML iFrame which downloads a malicious Java Script which then installs a Trojan.

Carry on reading to find out how to block this on a Cisco router!

The config is as follows, please bare in mind that you will probably need a reasonably specced router and IOS for this. IP CEF is a pre-requisite. I have tested this on 7200 series, 1700 series and 2600 series so far, leave a comment if you have sucessfully tried this on another router!

Config:

The below access list and route-map is used to take any packets that have been tagged with a DSCP value of 1 and route them to a non-existant interface. You will learn how to tag them below!

access-list 130 permit ip any any dscp 1

route-map ASPROX_POLICY_ROUTE_BITBUCKET permit 10
match ip address 130
set interface Null0

The below class-map basically tells the router that we want to match when a specific string is seen in a URL. In this case, the string is part of the get request that the attack uses. Note the “\” which are needed before any bracket as a delimiter!

class-map match-any ASPROX_CLASS
match protocol http url “*DECLARE%20@S%20VARCHAR\(4000\);SET*”

The Policy-map below basically tags any packet matching the above class-map with a DSCP value of 1.

policy-map ASPROX_POL
class ASPROX_CLASS
set ip dscp 1

The rest of the config attaches both the route map and the Service policy to the interface.

Interface FastEthernet0/0
ip policy route-map ASPROX_POLICY_ROUTE_BITBUCKET
service-policy input ASPROX_POL

To confirm that this is being hit you can do a “show policy-map interface” on the router. You should see the packets incrementing. This of course assumes that you are actually seeing the traffic
If not, you could craft the URL yourself to confirm. So, taking this site as an example it would be:

www.cisconews.co.uk//?DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST

You should then see the packets increment.

Bare in mind that Microsoft released a tool to audit your source code for these vulnerabilities:

http://support.microsoft.com/kb/954476

Let us know if this was of any use to you in the comments!

This entry was posted on Wednesday, July 9th, 2008 at 9:40 am and is filed under Config. Guides, Security Bulletin. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.