[Snort-sigs] sid 1652

james jaffeld at ...2058...
Mon Dec 8 07:58:05 EST 2003

Note: there is a typo in the rule for 1652 and 1653.  Insecure.org published 
this as "campus cgi hole" but the exploit uses "campas.cgi" (reference 

sid: 1652
Summary: cgi script found on version 1.2 of the NCSA web server allows retrieval 
of files outside the web publishing directory structure.
Impact: File retrieval leading to compromise of confidential information, 
potential root exploit.
Detailed Information:
"Francisco Torres" posted information on this one which is repeated on 
After connecting to the vulnerable web server, the command: 
GET /cgi-bin/campas?%0acat%0a/etc/passwd%0a 
results in retrieving /etc/passwd
Affected Systems: web servers running a very old (1995) version of the NCSA web 
server may have this cgi script installed.  
Attack Scenarios:
Attacker connects on tcp port 80 (http default port), issues the command and the 
desired file is retrieved.  Attacker must know (or guess) the path to the file 
desired.  It is not known whether wild cards will work with this exploit.
Ease of Attack:
Trivial for known file paths. 
False Positives:
If you have a legitimate cgi script named 'campas.cgi', requests for it will 
trigger this alert.

NOTE: the snort rule replicates a typo at insecure.org.  As the script 
is 'campas.cgi', the rule should not trigger on 'campus.cgi'

False Negatives:
Obfuscated web requests might cause an IDS to miss the request.  
Corrective Action:
Delete all unnecessary cgi scripts! 
Run the web server in a chroot jail so that access to files outside the web 
service file tree is difficult.
For this particular exploit, remove campas.cgi and/or update NCSA web server.


Additional References:

I got a lot of bad ideas in my head.  
	-Travis Bickle

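The detection points raised in the post (the %0a newline injection in the query, the false positive on a legitimately installed campas script, the campus/campas name mix-up, and obfuscated requests slipping past a literal match) are illustrated below in a small Python detector. This is an added example, not the Snort rule text for sid 1652 and not code from the post or from Snort; the request lines are constructed for the example (only the first is the request quoted above), and the script-name list and the three-round percent-decoding limit are assumptions of this example.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines (not captured traffic). The first is the
# request quoted in the post; the others are variations an IDS has to cope with.
SAMPLES = {
    "exploit":        "GET /cgi-bin/campas?%0acat%0a/etc/passwd%0a HTTP/1.0",
    "double_encoded": "GET /cgi-bin/campas?%250acat%250a/etc/passwd HTTP/1.0",
    "mixed_case":     "GET /CGI-BIN/CaMpAs?%0Acat%0A/etc/shadow HTTP/1.0",
    "legit_campas":   "GET /cgi-bin/campas?page=index HTTP/1.0",
    "typo_campus":    "GET /cgi-bin/campus?%0acat%0a/etc/passwd HTTP/1.0",
}

# Script names the rule should match (assumed for this example): 'campas.cgi'
# is the name given in the post, bare 'campas' is the form in the quoted request.
SCRIPT_NAMES = ("campas", "campas.cgi")


def normalize_uri(raw_uri, max_rounds=3):
    """Percent-decode until the string stops changing (the round cap keeps a
    hostile request from making us loop), then lowercase, so that %0A, %0a
    and double-encoded %250a all become a literal newline and /CGI-BIN/ matches."""
    uri = raw_uri
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri.lower()


def injected_command(query):
    """Reassemble the shell command hidden in a newline-separated query,
    e.g. '\\ncat\\n/etc/passwd\\n' becomes 'cat /etc/passwd'."""
    tokens = [t for t in re.split(r"[\r\n]+", query) if t]
    return " ".join(tokens) if tokens else None


def detect(request_line):
    """Classify one HTTP request line.

    Returns a dict with:
      script    - True if the request targets /cgi-bin/campas(.cgi); a rule
                  that matches only on the script name fires here, which is
                  why a legitimately installed campas script causes false
                  positives.
      injection - True if, in addition, the query carries a raw newline,
                  i.e. the %0a command-injection pattern from the post.
      command   - the reassembled injected command, or None.
    """
    parts = request_line.split()
    if len(parts) < 2:  # not a request line we can parse
        return {"script": False, "injection": False, "command": None}
    uri = normalize_uri(parts[1])
    path, _, query = uri.partition("?")
    script_hit = any(path.endswith("/cgi-bin/" + name) for name in SCRIPT_NAMES)
    injection = script_hit and ("\n" in query or "\r" in query)
    return {
        "script": script_hit,
        "injection": injection,
        "command": injected_command(query) if injection else None,
    }


def scan(samples=SAMPLES):
    """Run detect() over every sample and return {name: verdict}."""
    return {name: detect(line) for name, line in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan().items():
        print(f"{name:15s} script={verdict['script']!s:5s} "
              f"injection={verdict['injection']!s:5s} command={verdict['command']}")
```

Run as a script it prints one verdict per sample: the exploit, its double-encoded form and the mixed-case form all decode to the same "cat /etc/passwd" (or "cat /etc/shadow") injection, the plain campas request is flagged by the script-name match alone but not as an injection, and the misspelt campus request matches nothing, which is the behaviour the post argues the corrected rule should have. Decoding before matching is what closes the obfuscation gap noted under False Negatives; Snort's own HTTP normalisation serves the same purpose and is not reproduced here.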