[Snort-sigs] sid 1652

james jaffeld at ...2058...
Mon Dec 8 07:58:05 EST 2003


Note: there is a typo in the rule for 1652 and 1653.  Insecure.org published this as "campus cgi hole" but the exploit uses "campas.cgi" (reference included).


sid: 1652
--
Summary: cgi script found on version 1.2 of NCSA web server allows retrieval of files outside the web publishing directory structure.
--
Impact: File retrieval leading to compromise of confidential information, potential root exploit.
--
Detailed Information:
"Francisco Torres" posted information on this one which is repeated on 
insecure.org.  
After connecting to the vulnerable web server, the command: 
GET /cgi-bin/campas?%0acat%0a/etc/passwd%0a 
results in retrieving /etc/passwd
--
Affected Systems: web servers running a very old (1995) version of NCSA web server may have this cgi script installed.
--
Attack Scenarios:
Attacker connects on tcp port 80 (http default port), issues the command and the desired file is retrieved.  Attacker must know (or guess) the path to the file desired.  It is not known whether wildcards will work with this exploit.
--
Ease of Attack:
Trivial for known file paths. 
--
False Positives:
If you have a legitimate cgi script named 'campas.cgi', requests for it will 
trigger this alert.

NOTE: the snort rule replicates a typo at insecure.org.  As the script retrieved is 'campas.cgi', the rule should not trigger on 'campus.cgi'.

--
False Negatives:
Obfuscated web requests might cause an IDS to miss the request.  
--
Corrective Action:
Delete all unnecessary cgi scripts! 
Run web server in a chroot jail so access to files outside the web service file system is difficult.
For this particular exploit, remove campas.cgi and/or update NCSA web server.

--
Contributors:

-- 
Additional References:
http://www.insecure.org/sploits/campus.cgi.hole.html
-- 


I got a lot of bad ideas in my head.  
	-Travis Bickle
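The points raised in the post (the campas/campus name, the %0a newline injection in the query string, and obfuscated requests slipping past a naive signature) can be checked against sample request lines. The following is an added example written for this archive page; it is not the Snort rule for sid 1652 (whose text is not reproduced here) and not code from the list author. It assumes the script is requested as /cgi-bin/campas or /cgi-bin/campas.cgi, and the request lines it scans are constructed for illustration, not captured traffic.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines (illustrative, not real traffic).
SAMPLE_REQUESTS = [
    # The exploit exactly as described in the post: %0a newline injection.
    "GET /cgi-bin/campas?%0acat%0a/etc/passwd%0a HTTP/1.0",
    # The typo'd name from the insecure.org page: should NOT match.
    "GET /cgi-bin/campus?%0acat%0a/etc/passwd%0a HTTP/1.0",
    # Obfuscated: %63 for 'c' in the script name, and double-encoded %0a.
    "GET /cgi-bin/%63ampas?%250acat%250a/etc/passwd%250a HTTP/1.0",
    # Plain access to the script without an injected command.
    "GET /cgi-bin/campas HTTP/1.0",
    # Unrelated request.
    "GET /index.html HTTP/1.0",
]

# Match the script name at the end of the path, with or without ".cgi"
# (assumption: both spellings are treated as the same script here).
CAMPAS_PATH = re.compile(r"/campas(?:\.cgi)?$", re.IGNORECASE)


def normalize_uri(uri: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded requests normalise.

    A single decode turns %250a into %0a, not into a newline; a second pass
    exposes the newline. The bound prevents pathological inputs from looping.
    """
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def inspect_request(request_line: str) -> dict:
    """Classify one HTTP request line.

    Returns whether the campas script is being accessed at all (the post's
    rule is an 'access' signature, so plain requests to it still alert) and
    whether the query string carries an injected newline, which is the
    actual exploit condition described in the post.
    """
    parts = request_line.split()
    if len(parts) < 2:
        return {"campas_access": False, "newline_injection": False}
    uri = normalize_uri(parts[1])
    path, _, query = uri.partition("?")
    campas = bool(CAMPAS_PATH.search(path))
    injection = campas and ("\n" in query or "\r" in query)
    return {"campas_access": campas, "newline_injection": injection}


def scan(request_lines) -> list:
    """Return (request_line, verdict) for every line that touches the script."""
    hits = []
    for line in request_lines:
        verdict = inspect_request(line)
        if verdict["campas_access"]:
            hits.append((line, verdict))
    return hits


if __name__ == "__main__":
    for line, verdict in scan(SAMPLE_REQUESTS):
        print(verdict, line)
```

Decoding before matching is what closes the false-negative gap the post mentions: a content match on the raw request string would see `%63ampas` and `%250a` and miss them, while the normalised path and query expose both the script name and the injected newline. Matching the path rather than the whole URI is also what keeps the `campus` spelling from firing, in line with the post's note that the rule should trigger on `campas` only.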
