[Snort-sigs] SID 1334

Anton Chuvakin anton at ...1177...
Tue Feb 18 20:00:16 EST 2003


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id: snort-sid-1334.txt,v 1.1 2003/02/18 22:31:30 anton Exp anton $
#
#

Rule: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-ATTACKS echo command attempt"; flow:to_server,established;
content:"/bin/echo";nocase; sid:1334;
classtype:web-application-attack; rev:4;)

--
Sid: 1334

-- 
Summary: A web command execution attack involving the use of a UNIX
"echo" command

-- 
Impact: attacker might have gained an ability to execute system commands
remotely on the system

-- 
Detailed Information: This signature triggers when a UNIX "echo"
command is used over a plain-text (unencrypted) connection on one of
the specified web ports to the target web server. The "echo" command
may be used to modify the content of arbitrary files by means of shell
output redirection. The signature looks for the "echo" command in the
client to web server network traffic and does not indicate whether the
command was actually successful. The presence of the "echo" command
web traffic indicates that an attacker attempted to trick the web
server into executing system in non-interactive mode i.e. without a
valid shell session. Another case when this signature might trigger is
unencrypted HTTP tunneling connection to the server.

-- 
Attack Scenarios: An attacker uses a "echo" command via a web server
connection to add "+ +" to a corresponding ".rhosts" file which opened
the access permissions to the system via the r-commands

--
Ease of Attack: very easy, no exploit software required

-- 
False Positives: the signature will trigger if the string
"/bin/echo" is present in the URL requested from the web server, such
as a part of a long URL string.

--
False Negatives: none known

-- 
Corrective Action: check the web server software for vulnerabilities
and possible upgrade the system to the latest version, also
investigate the server for signs of compromise

--
Contributors: Anton Chuvakin <http://www.chuvakin.org>

-- 
Additional References:





More information about the Snort-sigs mailing list