# This is a template for submitting snort signature descriptions to
Rule: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-ATTACKS id command attempt"; flow:to_server,established;
content:"\;id";nocase; sid:1333; classtype:web-application-attack;
rev:4;)
--
Sid: 1333
--
Summary: A web command execution attack involving the use of a UNIX
"id" command
--
Impact: An attacker might have gained the ability to execute system
commands remotely on the system.
--
Detailed Information: This signature triggers when a UNIX "id" command
is used over a plain-text (unencrypted) connection on one of the
specified web ports to the target web server. The "id" command is used
to confirm the user name of the currently logged in user. The
signature looks for the "id" command in the client to web server
network traffic only and does not indicate whether the command was
actually successful in showing the user information. The presence of
the "id" command in web traffic indicates that an attacker attempted
to trick the web server into executing system commands in
non-interactive mode, i.e. without a valid shell session. Another case
in which this signature might trigger is an unencrypted HTTP tunneling
connection to the server.
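The following is an added example, not part of the original Snort-sigs post: a small Python re-implementation of what SID 1333 actually checks (the flow:to_server direction test plus a case-insensitive search for the literal bytes ";id" in the raw payload), run over constructed HTTP packets. It shows that the rule fires on the request alone, regardless of what the server answers, and that any client payload carrying the ";id" byte sequence, such as a benign "item;id=42" matrix parameter, fires it too.

```python
# Added example (not the original post's code): a simplified model of
# Snort SID 1333, "WEB-ATTACKS id command attempt".
#   flow:to_server,established  -> only client->server traffic is inspected
#   content:"\;id"; nocase;     -> literal bytes ";id", case-insensitive,
#                                  anywhere in the raw TCP payload

NEEDLE = b";id"


def rule_1333_matches(direction: str, payload: bytes) -> bool:
    """Return True when the simplified rule would raise an alert.

    direction: "to_server" for client->server, "to_client" for the reverse
               (the 'established' part of the flow option is assumed).
    payload:   raw TCP payload bytes of one packet.
    """
    if direction != "to_server":        # flow:to_server
        return False
    return NEEDLE in payload.lower()    # content:"\;id"; nocase;


# Constructed sample packets (assumed traffic, not captured data).
SAMPLES = [
    # 0: classic command-injection probe in a CGI query string -> alert
    ("to_server",
     b"GET /cgi-bin/test.cgi?cmd=ls;id HTTP/1.0\r\n"
     b"Host: www.example.com\r\n\r\n"),
    # 1: same needle in upper case inside a POST body -> alert (nocase)
    ("to_server",
     b"POST /form.cgi HTTP/1.1\r\nHost: www.example.com\r\n"
     b"Content-Length: 11\r\n\r\nq=foo%20;ID"),
    # 2: benign matrix parameter that happens to contain ";id" -> alert
    #    (a false-positive candidate the signature cannot distinguish)
    ("to_server",
     b"GET /catalog/item;id=42 HTTP/1.1\r\n"
     b"Host: www.example.com\r\n\r\n"),
    # 3: server response carrying id output -> no alert, wrong direction;
    #    the rule never learns whether the command actually succeeded
    ("to_client",
     b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
     b"uid=33(www-data) gid=33(www-data)\r\n"),
    # 4: ordinary request -> no alert
    ("to_server",
     b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
]


def alerts(samples=SAMPLES):
    """Indexes of the sample packets on which the simplified rule fires."""
    return [i for i, (direction, payload) in enumerate(samples)
            if rule_1333_matches(direction, payload)]


if __name__ == "__main__":
    for i in alerts():
        print(f"sample {i}: WEB-ATTACKS id command attempt (sid:1333)")
```

Sample 3 illustrates the "does not indicate whether the command was actually successful" point: the only evidence of success would be in the server-to-client response, which this rule does not inspect, so an analyst has to correlate the alert with the response or with host-side evidence.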
--
Attack Scenarios: An attacker uses an "id" command via a web server
connection to test what username the web server runs under. He then
looks for all the files writable by this user and finds a web server
configuration file with wrong permissions.
--
Ease of Attack: very easy, no exploit software required
--
False Positives: none known
--
False Negatives: none known
--
Corrective Action: check the web server software for vulnerabilities
and possibly upgrade the system to the latest version; also
investigate the server for signs of compromise.
--
Contributors: Anton Chuvakin <http://www.chuvakin.org>
--
Additional References:
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
Received on Tue Feb 18 23:34:50 2003