[Snort-sigs] Re: sid 1653

james jaffeld at ...2058...
Mon Dec 8 07:58:07 EST 2003


On Monday 08 December 2003 01:57 am, james wrote:
> Note: there is a typo in the rule for 1652 and 1653.  Insecure.org
> published this as "campus cgi hole" but the exploit uses "campas.cgi"
> (reference included)
>
>
> sid: 1653
> --
> Summary: A cgi script found in version 1.2 of the NCSA web server allows
> retrieval of files outside the web publishing directory structure.
> --
> Impact: File retrieval leading to compromise of confidential information,
> potential root exploit.
> --
> Detailed Information:
> "Francisco Torres" posted information on this one which is repeated on
> insecure.org.
> After connecting to the vulnerable web server, the command:
> GET /cgi-bin/campas?%0acat%0a/etc/passwd%0a
> results in retrieving /etc/passwd
> --
> Affected Systems: web servers running a very old (1995) version of the NCSA
> web server may have this cgi script installed.
> --
> Attack Scenarios:
> Attacker connects on tcp port 80 (http default port), issues the command and
> the desired file is retrieved.  Attacker must know (or guess) the path to the
> file desired.  It is not known whether wild cards will work with this
> exploit.
> --
> Ease of Attack:
> Trivial for known file paths.
> --
> False Positives:
> If you have a legitimate cgi script named 'campas.cgi', requests for it
> will trigger this alert.
>
> NOTE: the snort rule replicates a typo at insecure.org.  As the script
> retrieved is 'campas.cgi', the rule should not trigger on 'campus.cgi'
>
> --
> False Negatives:
> Obfuscated web requests might cause an IDS to miss the request.
> --
> Corrective Action:
> Delete all unnecessary cgi scripts!
> Run the web server in a chroot jail so access to files outside the web
> service file system is difficult.
> For this particular exploit, remove campas.cgi and/or update NCSA web
> server.
>
> --
> Contributors:
>
> --
> Additional References:
> http://www.insecure.org/sploits/campus.cgi.hole.html

-- 


I got a lot of bad ideas in my head.  
	-Travis Bickle
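
The request quoted in the write-up above, run through detection logic, as an added example: this is neither the Snort rule for sid 1653 nor code from the post. The sample request lines are constructed for the example (only the first reproduces the exploit string quoted above), and the verdict names and the decode/normalise steps are my own choices, not anything the rule is documented to do. It keys on the script name the exploit actually uses, "campas", separates a bare access to the script (the false positive the write-up notes) from a request carrying an injected line break, and decodes percent-encoding repeatedly and collapses dot segments, two of the obfuscations a request could use to slip past a literal match.

```python
"""Detection logic for the campas.cgi newline-injection request described
in the sid 1653 write-up. Added example, not the Snort rule itself."""
import posixpath
import re
from urllib.parse import unquote

# The script the exploit really targets. The insecure.org page and the
# original rule spell it "campus"; a match on that string never fires on
# the real request.
CAMPAS_PATH = "/cgi-bin/campas"

# Constructed sample request lines (not taken from the original post;
# the first is the exploit string the write-up quotes).
SAMPLE_REQUESTS = [
    "GET /cgi-bin/campas?%0acat%0a/etc/passwd%0a HTTP/1.0",
    "GET /cgi-bin/campas?%0Acat%0A/etc/shadow%0A HTTP/1.0",        # upper-case hex
    "GET /cgi-bin/campas?%250acat%250a/etc/passwd%250a HTTP/1.0",  # double-encoded
    "GET /cgi-bin/./campas?%0acat%0a/etc/passwd%0a HTTP/1.0",      # dot segment in path
    "GET /cgi-bin/campus?%0acat%0a/etc/passwd%0a HTTP/1.0",        # the typo: another script
    "GET /cgi-bin/campas?name=alice HTTP/1.0",                     # legitimate use
    "GET /index.html HTTP/1.0",
]

_REQUEST_LINE = re.compile(r"^[A-Z]+\s+(?P<target>\S+)(?:\s+HTTP/\d\.\d)?$")


def decode_target(target: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so that a
    double-encoded %250a ends up as a real newline just like a plain %0a."""
    current = target
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def analyze(request_line: str) -> dict:
    """Classify one HTTP request line.

    verdict is one of:
      'exploit'       - campas called with a line break in the query string,
                        the injection the write-up describes
      'script-access' - campas called without a line break; a rule keyed on
                        the script name alone fires here too, which is the
                        false positive the write-up notes
      'clean'         - anything else (including the misspelt 'campus')
    command holds the injected command tokens for the analyst.
    """
    m = _REQUEST_LINE.match(request_line.strip())
    if not m:
        return {"verdict": "clean", "command": []}
    decoded = decode_target(m.group("target"))
    path, _, query = decoded.partition("?")
    # Collapse "." and ".." segments. Unix file names are case-sensitive,
    # so the comparison itself stays exact.
    if posixpath.normpath(path) != CAMPAS_PATH:
        return {"verdict": "clean", "command": []}
    if "\n" not in query and "\r" not in query:
        return {"verdict": "script-access", "command": []}
    # The exploit separates shell words with newlines: "\ncat\n/etc/passwd\n".
    tokens = [t for t in re.split(r"[\r\n]+", query) if t]
    return {"verdict": "exploit", "command": tokens}


def scan(request_lines) -> list:
    """Verdict for each request line, in order."""
    return [analyze(line)["verdict"] for line in request_lines]


if __name__ == "__main__":
    for line, result in zip(SAMPLE_REQUESTS, (analyze(l) for l in SAMPLE_REQUESTS)):
        print(f"{result['verdict']:14} {result['command']!r:26} {line}")
```

Usage: run the file to see a verdict per sample line. The point of the two-tier verdict is that a rule matching only on the script name reproduces the false positive from the write-up, while requiring the injected line break does not lose the exploit, and the misspelt "campus" request never matches either tier.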




