[Snort-sigs] Sid 1072

Christopher_Lubrecht at ...381...
Thu Feb 28 06:43:06 EST 2002


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#

Rule:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC Lotus Domino directory traversal"; uricontent:".nsf/"; uricontent:"../"; nocase; flags:A+; classtype:web-application-attack; sid:1072; rev:2;)
--
Sid:
1072
--
Summary:
A malicious user can gain access, by using a specially crafted URL, to any file
residing on a server running Lotus Domino Server 5.0.6 or earlier.
--
Impact:
An attacker could gain access to important information files, or key password
files, leading to a more serious compromise of the host.
--
Detailed Information:
Versions affected: Lotus Domino Server 5.0.6 and earlier.
Platforms (from BugTraq)
Lotus Domino 5.0.2
   - HP HP-UX 9.9
   - IBM AIX 4.3
   - IBM OS/2 4.5Warp
   - IBM OS/390 V2R9
   - Linux kernel 2.3
   - Microsoft Windows 2000 Workstation
   - Microsoft Windows NT 4.0
   - Sun Solaris 8.0
Lotus Domino 5.0.3
   - HP HP-UX 9.9
   - IBM AIX 4.3
   - IBM OS/2 4.5Warp
   - IBM OS/390 V2R9
   - Linux kernel 2.3
   - Microsoft Windows 2000 Workstation
   - Microsoft Windows NT 4.0
   - Sun Solaris 8.0
Lotus Domino 5.0.5
   - HP HP-UX 9.9
   - IBM AIX 4.3
   - IBM OS/2 4.5Warp
   - IBM OS/390 V2R9
   - Linux kernel 2.3
   - Microsoft Windows 2000 Workstation
   - Microsoft Windows NT 4.0
   - Sun Solaris 8.0
Lotus Domino 5.0.6
   - HP HP-UX 9.9
   - IBM AIX 4.3
   - IBM OS/2 4.5Warp
   - IBM OS/390 V2R9
   - Linux kernel 2.3
   - Microsoft Windows 2000 Workstation
   - Microsoft Windows 2000 Workstation SP1
   - Microsoft Windows 2000 Workstation SP2
   - Microsoft Windows NT 4.0
   - Microsoft Windows NT 4.0SP1
   - Microsoft Windows NT 4.0SP2
   - Microsoft Windows NT 4.0SP3
   - Microsoft Windows NT 4.0SP4
   - Microsoft Windows NT 4.0SP5
   - Microsoft Windows NT 4.0SP6
   - Microsoft Windows NT 4.0SP6a
   - Sun Solaris 8.0

This vulnerability follows a pattern similar to other directory traversal
vulnerabilities. The attacker forms a URL in a standard web browser such as:

http://lotus.target.com/.nsf/../winnt/lotus.ini


This will grant the attacker read access to that particular file.

Note: According to BugTraq, Internet Explorer removes the ".nsf" part of the
exploit, stopping this exploit. The exploit also does not work across drives, and
provides access only to the drive that holds the Domino program files.

--
Attack Scenarios:

The attacker could use this exploit to gain access to a variety of files on the
host machine. These files could point an attacker to more valuable files, and lead
to compromise. Examples of this might be plain text configuration files, server
configuration files and other sensitive data.


--
Ease of Attack:

Easy - Moderate

--
False Positives:
This signature has a low false positive rating. This can be lowered further by
editing the signature to relate to your specific system and directory structure.
Use of "../" and ".nsf/" in any order, in a viable link, will trigger this
signature.

--
False Negatives:


--
Corrective Action:
Leonardo Rodrigues <coelho at ...385...> provided the following fix to BugTraq:

"Adding the following line:

map */../* /something.nsf

at httpd.conf, seems to handle the bug. You should notice that
EVERYTHING using ../ links will stop working too, including the bug !"

Also, since the exploit does not work across drives, placing your information on
different drives will provide a fix.

A fix for this issue has been added to the Domino Server code starting with
release 5.0.6a.



--
Contributors:
Christopher Lubrecht <chris_lubrecht at ...382...>
--
Additional References:
http://online.securityfocus.com/cgi-bin/vulns-item.pl?section=info&id=2173

CVE-2001-0009

http://www.lotus.com/developers/itcentral.nsf/F09A97EFEF47030F8525674B00574590/8AB14B289511F75F852569CF0078A512?OpenDocument
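The False Positives section notes that ".nsf/" and "../" in any order will trigger the signature. The following added example (not part of the original post or of Snort) runs a simplified, case-insensitive version of that check over constructed access-log lines and compares it with a stricter ordered pattern; the log lines, function names and the ordered pattern are assumptions made for illustration.

```python
import re

# Constructed sample access-log lines (not from the original post).
SAMPLE_LOG = """\
10.0.0.5 - - [28/Feb/2002:06:40:01 -0500] "GET /mail/inbox.nsf/OpenView HTTP/1.0" 200 5120
10.0.0.7 - - [28/Feb/2002:06:41:12 -0500] "GET /.nsf/../winnt/lotus.ini HTTP/1.0" 200 734
10.0.0.9 - - [28/Feb/2002:06:42:30 -0500] "GET /help/../docs/guide.nsf/Contents HTTP/1.0" 200 2048
10.0.0.9 - - [28/Feb/2002:06:42:44 -0500] "GET /images/../index.html HTTP/1.0" 200 912
"""

# Pulls the request URI out of a common-log-format request field.
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/\d\.\d"')

# Hypothetical tightened pattern: ".nsf/" directly followed by one or more "../".
ORDERED_RE = re.compile(r"\.nsf/(?:\.\./)+", re.IGNORECASE)


def request_uri(line):
    """Return the request URI from one log line, or None if it does not parse."""
    m = REQUEST_RE.search(line)
    return m.group(1) if m else None


def loose_match(uri):
    """Both strings present anywhere in the URI, in any order (sid 1072 style).

    Simplification: the whole URI is lowercased before matching."""
    u = uri.lower()
    return ".nsf/" in u and "../" in u


def ordered_match(uri):
    """Only flag a traversal sequence that immediately follows '.nsf/'."""
    return ORDERED_RE.search(uri) is not None


def classify(log_text):
    """Return (uri, loose_hit, ordered_hit) for every parseable log line."""
    results = []
    for line in log_text.splitlines():
        uri = request_uri(line)
        if uri is not None:
            results.append((uri, loose_match(uri), ordered_match(uri)))
    return results


if __name__ == "__main__":
    for uri, loose, ordered in classify(SAMPLE_LOG):
        print(f"{uri:40} any-order={loose!s:5} ordered={ordered}")
```

The third sample line is the case the False Positives section describes: a working relative link that contains both strings alerts under the any-order check but not under the ordered one.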













