[Snort-sigs] Re: sid 1653
jaffeld at ...2058...
Mon Dec 8 07:58:07 EST 2003
On Monday 08 December 2003 01:57 am, james wrote:
> Note: there is a typo in the rule for 1652 and 1653. Insecure.org
> published this as "campus cgi hole" but the exploit uses "campas.cgi"
> (reference included)
> sid: 1653
> Summary: cgi script found on version 1.2 of NCSA web server allows retrieval
> of files outside the web publishing directory structure.
> Impact: File retrieval leading to compromise of confidential information,
> potential root exploit.
> Detailed Information:
> "Francisco Torres" posted information on this one which is repeated on
> After connecting to the vulnerable web server, the command:
> GET /cgi-bin/campas?%0acat%0a/etc/passwd%0a
> results in retrieving /etc/passwd
> Affected Systems: web servers running very old (1995) version of NCSA web
> may have this cgi script installed.
> Attack Scenarios:
> Attacker connects on tcp port 80 (http default port), issues the command and
> the desired file is retrieved. Attacker must know (or guess) the path to the
> file desired. It is not known whether wild cards will work with this
> exploit. --
> Ease of Attack:
> Trivial for known file paths.
> False Positives:
> If you have a legitimate cgi script named 'campas.cgi', requests for it
> will trigger this alert.
> NOTE: the snort rule replicates a typo at insecure.org. As the script
> is 'campas.cgi', the rule should not trigger on 'campus.cgi'
> False Negatives:
> Obfuscated web requests might cause an IDS to miss the request.
> Corrective Action:
> Delete all unnecessary cgi scripts!
> Run web server in chroot jail so access to files outside web service file
> is difficult.
> For this particular exploit, remove campas.cgi and/or update NCSA web
> Additional References:
I got a lot of bad ideas in my head.
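The thread's two practical points for a detection engineer are the "campus"/"campas" typo in the original rule and the False Negatives note that obfuscated requests can slip past an IDS. The following is an added example, not code from the Snort-sigs thread or from the Snort project: a small request-line inspector that percent-decodes repeatedly (so double-encoding does not hide the script name), case-folds, matches the correctly spelled `campas` script, and raises severity when the query carries the `%0a` newline separator the advisory describes. The sample request lines are constructed for this example, and the function names (`normalize_uri`, `inspect_request`, `scan_requests`) are hypothetical.

```python
from urllib.parse import unquote

# Constructed sample request lines (not captured traffic). The first is the
# request shown in the advisory; the second is the same request with the
# script name upper-cased and the query double-encoded; the third uses the
# mis-spelled name from the original rule; the last is benign.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/campas?%0acat%0a/etc/passwd%0a HTTP/1.0",
    "GET /cgi-bin/CAMPAS?%250acat%250a/etc/passwd HTTP/1.0",
    "GET /cgi-bin/campus.cgi?x=1 HTTP/1.0",
    "GET /index.html HTTP/1.0",
]

# Script names that should trigger: the real name (with and without .cgi).
# The original Snort rule's "campus" spelling is deliberately NOT here.
TARGET_PATHS = ("/cgi-bin/campas", "/cgi-bin/campas.cgi")


def normalize_uri(uri: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), then
    lower-case it. Bounding the loop keeps a pathological input from
    spinning the inspector."""
    rounds = 0
    prev = None
    while prev != uri and rounds < max_rounds:
        prev = uri
        uri = unquote(uri)
        rounds += 1
    return uri.lower()


def inspect_request(line: str):
    """Return an alert dict for a campas request, or None for anything else."""
    parts = line.split()
    if len(parts) < 2:
        return None  # not a well-formed request line
    method, raw_uri = parts[0], parts[1]
    norm = normalize_uri(raw_uri)
    path, _, query = norm.partition("?")
    if not path.endswith(TARGET_PATHS):
        return None
    # The advisory's request injects a command by placing %0a (newline)
    # in the query; a request for the script with no newline is still
    # worth noting (the False Positives section covers legitimate use).
    severity = "high" if "\n" in query else "info"
    return {
        "method": method,
        "uri": raw_uri,
        "normalized": norm,
        "severity": severity,
    }


def scan_requests(lines):
    """Run inspect_request over an iterable of request lines, dropping Nones."""
    return [alert for alert in map(inspect_request, lines) if alert is not None]


if __name__ == "__main__":
    for alert in scan_requests(SAMPLE_REQUESTS):
        print(f"{alert['severity']:4} {alert['method']} {alert['uri']}")
```

Both the plain and the double-encoded request are flagged as high severity after normalization, while the `campus.cgi` request (the typo the thread points out) and the benign request produce nothing. A production rule would also want to decode only as many times as the web server itself does, since over-decoding can create its own false positives.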