[Snort-sigs] SID 1328

Anton Chuvakin anton at ...1177...
Tue Feb 18 19:59:02 EST 2003

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id: snort-sid-1328.txt,v 1.1 2003/02/18 20:39:03 anton Exp anton $

(msg:"WEB-ATTACKS ps command attempt"; flow:to_server,established;
uricontent:"/bin/ps"; nocase; sid:1328;
classtype:web-application-attack; rev:4;)

Sid: 1328

Summary: A web command execution attack involving the use of a UNIX
"ps" command

Impact: attacker might have gained an ability to execute commands
remotely on the system

Detailed Information: This signature triggers when a UNIX "ps"
command is used over a plain-text (unencrypted) connection on one of
the specified web ports to the target web server. The "ps" command is
used to display the list of processes running on a UNIX machine. Using
"ps", the attackers would check for various running system services to
exploit or for the presence of security software, such as host IDS or
monitoring scripts. The signature looks for the "ps" command in the
URL part of the client to web server connection and does not indicate
whether the command was actually successful in displaying the list of
processes. The presence of the "ps" command in the URL indicates that
an attacker attempted to trick the web server into executing system in
non-interactive mode i.e. without a valid shell session. Another case
when this signature might trigger is unencrypted HTTP tunneling
connection to the server.

Attack Scenarios: An attacker uses a "ps" command via a web server
connection to make sure that the SSH daemon is running. He then
proceeds to exploit the SSH daemon locally in order to gain "root"
privileges via the same web-based mechanism.

Ease of Attack: very easy, no exploit software required

False Positives: the signature will trigger if the string "/bin/ps" is
present in the URL requested from the web server, such as a part of a long
URL string.

False Negatives: none known

Corrective Action: check the web server software for
vulnerabilities and possible upgrade the system to the latest version,
also investigate the server for signs of compromise

Contributors: Anton Chuvakin <http://www.chuvakin.org>

Additional References:

More information about the Snort-sigs mailing list