[Snort-sigs] sid 1117

Christopher_Lubrecht at ...381... Christopher_Lubrecht at ...381...
Thu Feb 28 05:51:03 EST 2002


Ack..I goofed :) Got my sigs confused. Please remove the following line...

(For Attack Scenarios:)

"Often, this attack is used with the Lotus Domino directory traversal attack(SID
1072)"

and replace with:

"Often, this attack is used with the .nsf access attacks. (Sids 1150-1154)"

Sorry :)



----- Forwarded by Christopher Lubrecht/PR Newswire on 02/28/2002 08:45 AM -----
From: Christopher_Lubrecht at ...384...wswire.com
Date: 02/28/2002 08:16 AM
To: snort-sigs at lists.sourceforge.net
cc: (bcc: Christopher Lubrecht/PR Newswire)
Subject: sid 1117







# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#

Rule:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC Lotus EditDoc attempt"; flags: A+; content:"?EditDocument"; nocase; classtype:attempted-recon; sid:1117; rev:1;)

--
Sid:
1117
--
Summary:
Lotus Domino documents may be edited via a web browser if the server is
misconfigured and access rights are not set properly.
--
Impact:
A malicious user can add and edit information to any document in any database
he/she has access to.
--
Detailed Information:
This exploit is achieved by sending a modified version of the original URL. The
usual URL to open a document appears as:

http://server.somecompany.com/database.nsf/directory/file?OpenDocument

Simply changing the ?OpenDocument to ?EditDocument will allow the attacker to
write to the file.

If the server and file permissions are set correctly, the attacker would receive
an authentication window when trying to access ?EditDocument.

--
Attack Scenarios:

Data mining, footprinting, and social engineering are more easily achieved.

Ultimately, the attacker could make additions to created databases, inserting
information to aid in further attacks. While the attacker could not create
accounts or enter mail information, he/she might be able to insert false email, or
documents.

Often, this attack is used with the Lotus Domino directory traversal attack(SID
1072)

--
Ease of Attack:

Easy.

--
False Positives:
The signature simply looks for "?EditDocument" in the packet contents. Lotus
Webmail uses  "?EditDocument" to compose and reply to ordinary email. If your
company uses webmail, your users will constantly trip this signature.

--
False Negatives:
To date, I have not encountered any.
--
Corrective Action:

Ensure that your databases are configured correctly so that outside users cannot
edit databases.

Response from Domino (as per http://www.securiteam.com/exploits/5NP080A1RE.html)

"This is not a Defect. The arguments passed in the URL are not a security feature.
In this instance the ACL of the database must be configured properly to determine
if a document can be edited or not. Failure to do this is considered poor design
technique. Commands to edit a document are passed via URL whether through a button
or manually typed in. It is up to the designer to properly configure a security
scheme to determine how the command will be acted on."

--
Contributors:
Christopher Lubrecht - chris_lubrecht at ...382...
--
Additional References:
http://www.securiteam.com/exploits/5NP080A1RE.html














_______________________________________________________________________________________________



Disclaimer:

Any views or opinions are solely those of the
author and do not necessarily represent those
of PR Newswire. The contents are intended
only for the addressee and may contain confidential
and/or privileged material. If you are not the
intended recipient, please do not read, copy,
use or disclose this communication and notify
the sender.
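
An added example (not part of the original post and not Snort code): a log triage pass that applies the same case-insensitive "?EditDocument" test as sid 1117, then uses the HTTP status and the authenticated-user field to separate the webmail false positives described above from requests worth reviewing. The Common Log Format input, the /mail/ path prefix and the verdict names are assumptions made for illustration.

```python
import re

# Constructed sample lines in Common Log Format; hosts, users and paths are made up.
SAMPLE_LOG = """\
192.0.2.10 - jdoe [28/Feb/2002:08:01:12 -0500] "GET /mail/jdoe.nsf/0/8F3A?EditDocument HTTP/1.0" 200 5120
198.51.100.7 - - [28/Feb/2002:08:03:40 -0500] "GET /database.nsf/directory/file?OpenDocument HTTP/1.0" 200 2048
198.51.100.7 - - [28/Feb/2002:08:03:55 -0500] "GET /database.nsf/directory/file?editdocument HTTP/1.0" 200 2301
198.51.100.7 - - [28/Feb/2002:08:04:10 -0500] "GET /names.nsf/people/file?EditDocument HTTP/1.0" 401 310
"""

LINE_RE = re.compile(
    r'(?P<src>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"\S+ (?P<url>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def triage(log_text, webmail_prefixes=("/mail/",)):
    """Return (src, url, verdict) for every request sid 1117 would match."""
    prefixes = tuple(p.lower() for p in webmail_prefixes)  # assumed mail paths
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        url, status, user = m["url"], int(m["status"]), m["user"]
        # Same test as the rule: content:"?EditDocument"; nocase;
        if "?editdocument" not in url.lower():
            continue
        if status in (401, 403):
            verdict = "denied"         # server demanded authentication or refused
        elif user == "-":
            verdict = "review"         # edit request answered for an anonymous client
        elif url.lower().startswith(prefixes):
            verdict = "webmail"        # the expected false positive
        else:
            verdict = "authenticated"  # logged-in user editing a non-mail database
        hits.append((m["src"], url, verdict))
    return hits


if __name__ == "__main__":
    for src, url, verdict in triage(SAMPLE_LOG):
        print(f"{verdict:13} {src:14} {url}")
```

Only the "review" rows need an ACL check on the named database; "denied" rows show the server behaving as the description says a correctly configured one should.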
















