[Snort-sigs] Rules DB info for SID 885
Andrew J Boncek
andy at ...443...
Sun Mar 17 07:40:04 EST 2002
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
NOTE: Please consider changing the Classification to "Attempted Shell
Access" or something similar.
Rule: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI bash access"; flags: A+; uricontent:"/bash"; nocase; reference:cve,CAN-1999-0509; classtype:attempted-recon; sid:885; rev:1;)
Summary: An attempt to start a "bash" shell from a cgi-bin directory has
been detected. This could be through an insecure Perl, cgi, etc. script or
directly through an attempt at "/bash" itself.
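The following is an added example, not part of the original submission or of Snort itself: it re-implements the one test the rule above performs (a case-insensitive "/bash" substring match on the request URI, as uricontent with nocase does) over a few constructed Apache-style access-log lines. The log lines, client addresses and paths are made up for illustration; the point is to show which requests the signature fires on, including the non-cgi-bin documentation URL that also contains "/bash".

```python
import re
from typing import Dict, List

# Constructed sample access-log lines (Apache common format); not real traffic.
# Line 4 is a legitimate documentation URL whose path happens to contain "/bash".
SAMPLE_LOG = """\
203.0.113.5 - - [17/Mar/2002:07:40:04 -0500] "GET /cgi-bin/bash HTTP/1.0" 404 210
203.0.113.5 - - [17/Mar/2002:07:40:05 -0500] "GET /cgi-bin/BASH HTTP/1.0" 403 180
198.51.100.7 - - [17/Mar/2002:07:41:10 -0500] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [17/Mar/2002:07:41:12 -0500] "GET /docs/bash-manual.html HTTP/1.0" 200 5120
192.0.2.9 - - [17/Mar/2002:07:42:00 -0500] "POST /cgi-bin/mindterm/bash HTTP/1.0" 200 300
"""

# Minimal common-log-format parser: source, identd, user, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)$'
)


def uri_matches_sid885(uri: str) -> bool:
    """Equivalent of  uricontent:"/bash"; nocase;  -- a case-insensitive substring test."""
    return "/bash" in uri.lower()


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return the parsed records whose URI would trigger SID 885.

    Each hit is annotated with 'cgi_bin' so an analyst can triage requests that
    actually target the cgi-bin directory ahead of other paths containing '/bash'.
    """
    hits: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed common-log line; skip rather than guess
        rec = m.groupdict()
        if uri_matches_sid885(rec["uri"]):
            rec["cgi_bin"] = "yes" if rec["uri"].lower().startswith("/cgi-bin/") else "no"
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f'{h["src"]:<14} {h["method"]:<5} {h["uri"]:<28} cgi-bin={h["cgi_bin"]}')
```

Four of the five constructed requests match; the documentation URL is the kind of benign hit the "False Positives" section alludes to, and the cgi_bin flag is what separates it from the three requests that actually aim at the cgi-bin directory.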
Impact: This is an attempt to initiate a terminal session via the
webserver's cgi-bin directory. It is most likely an attack directly at the
webserver. The existence of a shell interpreter in the cgi-bin directory is
a severe threat.
Detailed Information: A "bash" shell interpreter could be installed in the
cgi-bin directory on a WWW site. This could allow a remote attacker to
execute arbitrary commands on the system. Programmers unfortunately put
such commands as "bash" directly in the cgi-bin for "convenience" reasons.
The programmers must reference the interpreter outside of the cgi-bin
directory in their scripts.
Attack Scenarios: An intruder will attempt to access the cgi-bin directory
and attempt to run "bash".
Ease of Attack:
False Positives: It is possible that a legitimate "telnet" (such as
Mindterm, etc.) cgi-bin program is on a webserver and being run that could
trigger it. However, this is obviously an insecure implementation and should
be removed regardless.
Corrective Action: Verify that the webserver does not contain any shell
interpreters such as "bash" in the cgi-bin directory and verify that
scripts do not contain references to the program. Delete any shell
interpreters in the directory and delete any references to the program from
cgi-bin scripts. Change scripts to reference the correct path to the interpreter.
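As an added example (not from the original post and not a Snort or snort.org tool), the audit below does the two checks the Corrective Action section asks for: it lists files in a cgi-bin directory whose name is that of a shell interpreter, and it lists scripts whose shebang line or contents reference a shell by a path that resolves inside cgi-bin rather than to a system location such as /bin/sh. The sample directory it builds under a temporary path, the file names and the script contents are all constructed for the demonstration; the set of shell names is an assumption and should be extended to whatever a site actually considers an interpreter.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Assumed list of shell interpreter names to flag; extend as appropriate for the site.
SHELL_NAMES = {"bash", "sh", "ksh", "csh", "tcsh", "zsh"}

# Tokens are split on whitespace, quotes and common punctuation so paths inside
# shell, Perl or C-style source lines can be inspected individually.
_TOKEN_SPLIT = re.compile(r'[\s"\'(),;]+')


def build_sample_cgi_bin() -> Path:
    """Construct a throwaway cgi-bin with one bad interpreter copy and three scripts."""
    root = Path(tempfile.mkdtemp(prefix="cgi-bin-audit-"))
    # Stand-in for a shell binary dropped into cgi-bin (contents are a placeholder).
    (root / "bash").write_bytes(b"\x7fELF placeholder for a copied shell binary")
    (root / "bash").chmod(0o755)
    # Script that runs via the local copy: its shebang is relative to cgi-bin.
    (root / "run.cgi").write_text("#!./bash\necho Content-type: text/plain\necho\ndate\n")
    # Script that correctly references the system interpreter.
    (root / "ok.cgi").write_text("#!/bin/sh\necho Content-type: text/plain\necho\ndate\n")
    # Perl script that refers to the local shell copy by absolute path.
    (root / "search.pl").write_text(
        "#!/usr/bin/perl\n"
        'print "Content-type: text/plain\\n\\n";\n'
        f'my $shell = "{root}/bash";\n'
    )
    return root


def _references_local_shell(line: str, cgi_dir: Path) -> bool:
    """True if any path-like token on the line names a shell living inside cgi_dir."""
    cgi_root = cgi_dir.resolve()
    for tok in _TOKEN_SPLIT.split(line):
        tok = tok.lstrip("#!")  # strip shebang prefix so "#!./bash" becomes "./bash"
        if "/" not in tok or os.path.basename(tok) not in SHELL_NAMES:
            continue  # bare words and non-shell paths are not of interest
        target = Path(tok) if os.path.isabs(tok) else cgi_dir / tok
        try:
            target.resolve().relative_to(cgi_root)
            return True  # the referenced shell resolves inside cgi-bin
        except ValueError:
            continue  # resolves elsewhere (e.g. /bin/sh): acceptable
    return False


def audit_cgi_bin(cgi_dir: Path) -> Dict[str, List[str]]:
    """Report interpreter binaries in cgi_dir and scripts that reference one there."""
    findings: Dict[str, List[str]] = {"interpreters": [], "scripts_referencing_local_shell": []}
    for p in sorted(cgi_dir.iterdir()):
        if not p.is_file():
            continue
        if p.name in SHELL_NAMES:
            findings["interpreters"].append(p.name)
            continue
        try:
            text = p.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: leave for manual inspection
        if any(_references_local_shell(line, cgi_dir) for line in text.splitlines()):
            findings["scripts_referencing_local_shell"].append(p.name)
    return findings


if __name__ == "__main__":
    sample = build_sample_cgi_bin()
    for kind, names in audit_cgi_bin(sample).items():
        print(f"{kind}: {names}")
```

Running it against the constructed directory reports "bash" as an interpreter present in cgi-bin and flags run.cgi and search.pl, while ok.cgi, which points at /bin/sh, passes. Against a real cgi-bin the expected fix is the one the section describes: remove the interpreter copy and repoint the flagged scripts at the system interpreter.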
Contributors: Andy Boncek <andy at ...443...>
Additional References: CERT: CA-96.11 http://www.cert.org/advisories/CA-