[Snort-sigs] WEB-MISC xp_cmdshell attempt documentation.

daniel uriah clemens daniel_clemens at ...842...
Wed Jul 9 08:38:01 EDT 2003

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$


# Rule header as shipped in the stock Snort web-misc rule set for sid 1061
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
    (msg:"WEB-MISC xp_cmdshell attempt"; flow:to_server,established; \
    content:"xp_cmdshell"; nocase; classtype:web-application-attack; \
    sid:1061; rev:6;)


When an ASP form has not performed proper input sanitization, an attacker
can perform SQL injection type attacks.
One of the common methods an attacker will utilize is the MS SQL
function xp_cmdshell, which will act as an agent in executing system
based commands on the remote SQL server.


The impact of this attack can lead to a deep foothold on your network and
usually leads to root or administrator access to your server.

Detailed Information:

A simplistic attack might look like so:
While the attacker looks for traffic looking for an A record for the
listed above which would indicate the command had been successfully
on the remote system and the remote network segment did not perform
traffic filtering.

Affected Systems:

Microsoft based ASP forms which do not perform input sanitation and MS SQL
servers which allow the execution of the xp_cmdshell function.

Attack Scenarios:


Usually the returning code from this type of command on the server will be
error '800a0cc1' to the client connection.

Ease of Attack:
This is not entirely 'script kiddie friendly', but can be performed fairly
easily by a savvy cyber sleuth.

False Positives:

False Negatives:

Corrective Action:

1. Perform input sanitation on your ASP forms.
2. Limit the use of the xp_cmdshell functionality.
3. If you have a firewall that supports certain content filters in the
http uri you could restrict xp_cmdshell
(checkpoint and Microsoft ISA amongst many others have this
4. Enable egress filtering on the network segment that your sql servers

Daniel Uriah Clemens dan.clemens at ...1661...

Additional References:

-Daniel Uriah Clemens

Esse quam videri
    (to be, rather than to appear)
http://www.birmingham-infragard.org   | 2053284200
fingerprint: EDF0 6566 2A4A 220E 5760  EA1F 0424 6DF6 F662 F5BD
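The following is an added example, not part of the post above: a toy matcher that mimics the single payload test the sid 1061 rule performs (a case-insensitive "xp_cmdshell" content match on client-to-server data) and runs it over constructed request lines, which also shows the false negative a practitioner should expect when the keyword arrives percent-encoded and no HTTP normalization is applied. The sample request lines and the function names are constructed for this example.

```python
"""Toy matcher for the WEB-MISC xp_cmdshell rule (sid 1061).

Added example, not code from the original post. It mimics the rule's only
payload test: content:"xp_cmdshell"; nocase; on client-to-server data, and
contrasts it with the same test after URI normalisation.
"""
from urllib.parse import unquote

# The rule's content: option, matched case-insensitively on raw bytes.
PATTERN = b"xp_cmdshell"


def rule_1061_matches(payload: bytes) -> bool:
    """Raw byte match, equivalent to content:"xp_cmdshell"; nocase;"""
    return PATTERN in payload.lower()


def normalised_matches(payload: bytes) -> bool:
    """Same test after percent-decoding, i.e. what a match against the
    normalised URI (an HTTP preprocessor's view) would see. This is NOT
    what the original rule does; it is here to show the gap."""
    decoded = unquote(payload.decode("latin-1")).encode("latin-1")
    return PATTERN in decoded.lower()


# Constructed sample request lines; the to_server direction is assumed.
SAMPLES = {
    "plain": b"GET /search.asp?q=xp_cmdshell HTTP/1.0\r\n",
    "mixed_case": b"POST /login.asp HTTP/1.0\r\n\r\nuser=XP_CmdShell",
    "encoded": b"GET /search.asp?q=xp%5Fcmdshell HTTP/1.0\r\n",
    "benign": b"GET /products.asp?id=42 HTTP/1.0\r\n",
}


def evaluate(samples=SAMPLES):
    """Return {name: (raw rule fires, normalised test fires)} per sample."""
    return {name: (rule_1061_matches(p), normalised_matches(p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (raw, norm) in evaluate().items():
        print(f"{name:11s} raw={raw!s:5s} normalised={norm}")
```

The "encoded" sample fires only after normalisation, which is the false negative to keep in mind for this rule as written.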
