[Snort-sigs] Rules DB info for SID 885

Andrew J Boncek andy at ...443...
Sun Mar 17 07:40:04 EST 2002

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$
NOTE: Please consider changing the Classification to "Attempted Shell
Access" or something similar.

Rule: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI bash
access";flags: A+; uricontent:"/bash"; nocase; reference:cve,CAN-1999-0509;
classtype:attempted-recon; sid:885; rev:1;)

Sid: 885

Summary: An attempt to start a "bash" shell from a cgi-bin directory has
been detected.  This could be through an insecure Perl, cgi, etc. script or
directly through an attempt at "/bash" itself.

Impact: This is an attempt to initiate a terminal session via the
webserver's cgi-bin directory. It is most likely an attack directly at the
webserver. The existance of a shell interpreter in the cgi-bin directory is
a severe threat.

Detailed Information: A "bash" shell interpreter could be installed in the
cgi-bin directory on a WWW site.  This could allow a remote attacker to
execute arbitrary commands on the system.  Programmers unfortunately put
such commands as "bash" directly in the cgi-bin for "convienience" reasons.
The programmers must reference the intepretor outside of the cgi-bin
directory in their scripts.

Attack Scenarios: An intruder will attempt to access the cgi-bin directory
and attempt to run "bash".

Ease of Attack:

False Positives: It is possible that a legitimate "telnet" (such as
Mindterm, etc.) cgi-bin program is on a webserver and being run that could
trigger.  However, this is obviously an insecure implementation and should
be removed regardless.

False Negatives:

Corrective Action: Verify and that the webserver does not contain any shell
interpretors such as "bash" in the cgi-bin directory and verify that
scripts do not contain references to the program. Delete any shell
interpretors in the directory and delete any references to the program from
cgi-bin scripts.  Change scripts to reference correct path to interpretor.

Contributors: Andy Boncek <andy at ...443...>

Additional References: CERT: CA-96.11 http://www.cert.org/advisories/CA-

More information about the Snort-sigs mailing list