[Snort-sigs] SID 882

Aaron Navratil ANAVRATIL at ...440...
Tue Mar 12 19:29:15 EST 2002


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule:  

--
Sid: 882

--
Summary: WEB-CGI CALENDAR ACCESS

--
Impact: Potentially harmful execution of binaries through perl open()

--
Detailed Information: An open source calendar Perl script by Matt Kruse
allows commands to be executed without input verification using the Perl
open() function, i.e. in /cgi-bin/calendar_admin.pl, placing the string
"|ping 127.0.0.1|" in the configuration file field executes the command
"ping 127.0.0.1".

--
Attack Scenarios: Someone can execute binaries on your machine without user
validation. At "/cgi-bin/calendar_admin.pl", on the resultant page, there
is a prompt for username, password, and configuration file. Ignore the
username and password fields; a command typed in the configuration file
field, escaped with pipe symbols "||", will execute, i.e.
"|mail  /etc/passwd|". As you can see, A HUGE PROBLEM!

--
Ease of Attack: As easy as typing text in a browser

--
False Positives: If your webserver has pages by the name of calendar*

--
False Negatives: not known

--
Corrective Action: Download a newer version of the cgi 

--
Contributors: Aaron Navratil

-- 
Additional References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0432
http://online.securityfocus.com/bid/1215
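
Added example, not part of the original submission and not code from the calendar script: a sketch of why a two-argument Perl open() treats the configuration file field as a command, next to a hardened three-argument form. The directory, the .cfg naming rule and both function names are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical directory holding calendar configuration files (assumption).
my $CONFIG_DIR = '/var/www/calendar/conf';

# Simplified report of how two-argument open(FH, $name) would interpret
# $name. Nothing is opened or executed here. Perl trims surrounding
# whitespace from the name before looking at its first and last characters.
sub two_arg_open_meaning {
    my ($name) = @_;
    $name =~ s/^\s+|\s+$//g;
    return 'command (pipe to)'   if $name =~ /^\|/;
    return 'command (pipe from)' if $name =~ /\|$/;
    return 'file (write mode)'   if $name =~ /^(?:\+?>|\+<)/;
    return 'file (read mode)';
}

# Hardened form: allowlist the file name first, then use three-argument
# open so the mode is fixed to read-only and the name is never parsed for
# pipe or redirection characters.
sub open_config {
    my ($name) = @_;
    return unless defined $name
        && $name =~ /\A([A-Za-z0-9_-]{1,64}\.cfg)\z/;
    my $path = "$CONFIG_DIR/$1";
    open(my $fh, '<', $path) or return;
    return $fh;
}

# Constructed sample inputs; the second is the string quoted in the
# description above, the third is a path traversal attempt.
for my $input ('calendar.cfg', '|ping 127.0.0.1|', '../../etc/passwd') {
    my $fh = open_config($input);
    printf "%-20s two-arg open: %-20s hardened: %s\n",
        "'$input'", two_arg_open_meaning($input),
        $fh ? 'opened' : 'rejected or missing';
    close $fh if $fh;
}
```

The allowlist and the explicit '<' mode are independent controls: the pattern rejects pipe characters and path separators outright, and the three-argument form keeps the name from being interpreted as a command even if the pattern is later loosened.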



