Skip to content

False positives with 932125 PL1 Remote Command Execution: Windows Powershell Alias Command Injection #3928

New issue
New issue
Closed
#3971
Closed
False positives with 932125 PL1 Remote Command Execution: Windows Powershell Alias Command Injection#3928
#3971
Assignees
franbuehler
Labels
🇬🇧 DEV RetreatIssues to be worked while at the Woburn Forest Retreat➕ False Positive
@dune73

Description

@dune73
dune73
opened on Nov 5, 2024

The quantitative testing project at the CRS dev retreat in Nov 2024 (https://github.com/coreruleset/coreruleset/wiki/Discussion-Quantitative-Testing) revealed some false positives on 932125.

Here is a custom text corpus with the payloads in question: custom-corpus-932125.txt

Here is how to run the corpus against the sandbox:

$ cat custom-corpus-932125.txt | while read LINE; do PAYLOAD=$(echo $LINE | sed -e "s/^[^\t]*\t//"); echo ; echo $LINE; curl -H "x-format-output: txt-matched-rules" http://sandbox.coreruleset.org/ -d "payload=$PAYLOAD"; done
1 Ihre kleine Schwester ist französisches Esskulturgut; man gönnt sie sich, wenn’s mal kein Croissant sein soll, am liebsten zum Frühstück: mit Butter, Marmelade oder cremegefüllt.
932125 PL1 Remote Command Execution: Windows Powershell Alias Command Injection
949110 PL1 Inbound Anomaly Score Exceeded (Total Score: 5)
980170 PL1 Anomaly Scores: (Inbound Scores: blocking=5, detection=5, per_pl=5-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=0, RFI=0, LFI=0, RCE=5, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=5)

2 Gröning und seine damaligen Geschäftspartner bezichtigten später einander eines ausschweifenden Lebensstils; man habe „richtige Orgien gefeiert“ (Meckelburg).
932125 PL1 Remote Command Execution: Windows Powershell Alias Command Injection
949110 PL1 Inbound Anomaly Score Exceeded (Total Score: 5)
980170 PL1 Anomaly Scores: (Inbound Scores: blocking=5, detection=5, per_pl=5-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=0, RFI=0, LFI=0, RCE=5, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=5)

3 La rente d’invalidité s’élève à 80 % du gain assuré en cas d’invalidité totale ; si l’invalidité n’est que partielle, la rente est diminuée en conséquence.
920220 PL1 URL Encoding Abuse Attack Attempt
920221 PL1 URL Encoding Abuse Attack Attempt
932125 PL1 Remote Command Execution: Windows Powershell Alias Command Injection
949110 PL1 Inbound Anomaly Score Exceeded (Total Score: 15)
980170 PL1 Anomaly Scores: (Inbound Scores: blocking=15, detection=15, per_pl=15-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=0, RFI=0, LFI=0, RCE=5, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=15)

4 C’est simple: si les feux sont au vert sur la carrosserie, l’assistance peut intervenir sur un véhicule accidenté; si cela vire au rouge et qu’une alarme résonne, un danger électrique haute tension subsiste.
932125 PL1 Remote Command Execution: Windows Powershell Alias Command Injection
949110 PL1 Inbound Anomaly Score Exceeded (Total Score: 5)
980170 PL1 Anomaly Scores: (Inbound Scores: blocking=5, detection=5, per_pl=5-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=0, RFI=0, LFI=0, RCE=5, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=5)

...

Metadata

Metadata

Assignees

Labels

🇬🇧 DEV RetreatIssues to be worked while at the Woburn Forest Retreat➕ False Positive

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions