[Snort-sigs] SID 1362

Anton Chuvakin anton at ...1177...
Thu Apr 17 15:20:14 EDT 2003


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id: snort-sid-1334.txt,v 1.1 2003/02/18 22:31:30 anton Exp anton $
#
#

Rule: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-ATTACKS xterm command attempt"; flow:to_server,established;
content:"/usr/X11R6/bin/xterm";nocase; sid:1362;
classtype:web-application-attack; rev:4;)

--
Sid: 1362

-- 
Summary: A web command execution attack involving the use of a
"xterm" command

-- 
Impact: attacker might have gained an ability to execute system commands
remotely on the system

-- 
Detailed Information: This signature triggers when a "xterm"
command is used over a plain-text (unencrypted) connection on one of
the specified web ports to the target web server. The "xterm" command
is used to launch a terminal windows on the system with X Window
system and start an interactive session. The signature looks for the
"xterm" command in the client to web server network traffic and does
not indicate whether the command was actually successful. The presence
of the "xterm" command in the URL indicates that an attacker attempted
to trick the web server into executing system in non-interactive mode
i.e. without a valid shell session. Another case when this signature
might trigger is unencrypted HTTP tunneling connection to the server
or a shell connection through an exploit of the web server.

-- 
Attack Scenarios: An attacker launches an "xterm" as the web server
user and then tries different local exploits to gain root.

--
Ease of Attack: very easy, no exploit software required

-- 
False Positives: none known

--
False Negatives: the signature will miss the xterm launched from a different location or using the local path (./)

-- 
Corrective Action: check the web server software for vulnerabilities
and possible upgrade the system to the latest version, also
investigate the server for signs of compromise

--
Contributors: Anton Chuvakin <http://www.chuvakin.org>

-- 
Additional References:





More information about the Snort-sigs mailing list