[Snort-sigs] SID 1250

James Affeld jamesaffeld at ...144...
Tue Aug 19 05:13:10 EDT 2003


Rule: web-misc: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco IOS HTTP configuration attempt"; uricontent:"/level/*/exec/"; regex; flags:A+; classtype:web-application-attack; reference:bugtraq,2936; sid:1250; rev:6;)
  

--
Sid:1250

--
Summary:
Attack on Cisco router/switch web interface
--
Impact:
Attacker gains administrative access to Cisco devices
running vulnerable versions of IOS (router/switch
operating system)
--
Detailed Information:
Cisco routers and switches running vulnerable IOS
versions can be attacked simply by typing in a URL,
giving the attacker administrative access to the
device.  The device must be running the web
configuration interface, a web server that enables a
user to configure the device via a web browser.

--
Affected Systems:
Cisco routers and switches running affected versions
of IOS and whose web management interface is enabled. 
See
http://www.securityfocus.com/bid/2936 
--
Attack Scenarios:
Attacker identifies http server running on Cisco
switch or router.  Attacker then makes an http
connection with the particular URL required to gain
administrative control.
--
Ease of Attack:
Attacker need only type in URL of vulnerable system.
--
False Positives:
Someone could be legitimately accessing the device
configuration URL.  
--
False Negatives:

--
Corrective Action:
Upgrade IOS; disable web interface.  (You should
disable the web interface in any event.  You can
always enable as needed and disable again when you are
done.)
--
Contributors:

-- 
Additional References:
http://www.securityfocus.com/bid/2936
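
Added example, not part of the original post or of Snort: a log triage script that applies the rule's uricontent pattern to web proxy logs and separates the legitimate-access case named under False Positives from requests that need review. Assumptions: the logs are in Common Log Format, the `regex` keyword treats `*` and `?` as wildcards, and the allowlist and sample lines are constructed.

```python
import re
from urllib.parse import unquote

RULE_URI = "/level/*/exec/"      # uricontent of SID 1250, as posted
ADMIN_HOSTS = {"192.0.2.10"}     # constructed allowlist of management stations

def wildcard_to_regex(pattern):
    """Assumed `regex` semantics: '*' = any run of characters, '?' = one."""
    table = {"*": ".*", "?": "."}
    return re.compile("".join(table.get(c, re.escape(c)) for c in pattern))

URI_RE = wildcard_to_regex(RULE_URI)
# Common Log Format: src ident user [time] "METHOD uri proto" status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)

def triage(lines, admin_hosts=ADMIN_HOSTS):
    """Return (src, uri, status, verdict) for each request the rule would flag."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a parsable request line
        uri = unquote(m["uri"])           # decode %xx before matching
        if not URI_RE.search(uri):
            continue
        verdict = "expected-admin" if m["src"] in admin_hosts else "investigate"
        findings.append((m["src"], uri, int(m["status"]), verdict))
    return findings

# Constructed sample input (documentation address ranges)
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Aug/2003:05:00:01 -0400] "GET /level/15/exec/show HTTP/1.0" 200 512',
    '198.51.100.7 - - [19/Aug/2003:05:01:12 -0400] "GET /level/15/exec/show HTTP/1.0" 401 0',
    '198.51.100.7 - - [19/Aug/2003:05:01:15 -0400] "GET /%6cevel/15/exec/show HTTP/1.0" 401 0',
    '203.0.113.5 - - [19/Aug/2003:05:02:40 -0400] "GET /index.html HTTP/1.0" 200 1024',
    '203.0.113.5 - - [19/Aug/2003:05:02:44 -0400] "GET /level/exec HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    for src, uri, status, verdict in triage(SAMPLE_LOG):
        print(f"{verdict:15} {src:15} {status} {uri}")
```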
