[Snort-sigs] WEB-MISC xp_cmdshell attempt documentation.
daniel uriah clemens
daniel_clemens at ...842...
Wed Jul 9 08:38:01 EDT 2003
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to others' work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
(msg:"WEB-MISC xp_cmdshell attempt"; flow:to_server,established; \
content:"xp_cmdshell"; nocase; classtype:web-application-attack;)
When an ASP form has not performed proper input sanitization, an attacker
can perform SQL injection attacks.
One of the common methods an attacker will utilize is the MS SQL
function xp_cmdshell, which acts as an agent for executing system
commands on the remote SQL server.
The impact of this attack can be a deep foothold on your network, and it
usually leads to root or administrator access to your server.
A simplistic attack might look like so:
While the attacker looks for traffic looking for an A record for the
listed above which would indicate the command had been successfully
on the remote system and the remote network segment did not perform
Microsoft ASP forms that do not perform input sanitization, and MS SQL
servers that allow execution of the xp_cmdshell function.
Usually the server returns error '800a0cc1' to the client connection for
this type of command.
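To show what the rule's flow and content options actually match, here is an added Python emulation of the signature run over constructed sample HTTP packets (example code, not part of the original post or of Snort). The normalize_uri step stands in for what Snort's HTTP preprocessor does to the request URI, and every packet payload is made up.

```python
from urllib.parse import unquote

# Emulation of the page's signature, applied to constructed sample traffic:
#   alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
#   (msg:"WEB-MISC xp_cmdshell attempt"; flow:to_server,established;
#    content:"xp_cmdshell"; nocase; classtype:web-application-attack;)
RULE = {
    "msg": "WEB-MISC xp_cmdshell attempt",
    "flow": "to_server",
    "content": "xp_cmdshell",
    "nocase": True,
    "classtype": "web-application-attack",
}

# Constructed packets (not real captures): (direction, payload).
# "to_server" is the client's request, "to_client" the server's reply.
SAMPLE_PACKETS = [
    ("to_server", "GET /products.asp?id=42 HTTP/1.0"),
    ("to_server", "GET /products.asp?id=42';exec master..XP_CmdShell 'dir'-- HTTP/1.0"),
    ("to_server", "POST /login.asp HTTP/1.0\r\n\r\nuser=alice&pass=s3cret"),
    ("to_server", "GET /products.asp?id=42%27%3Bexec+master..xp_cmdshell+%27dir%27-- HTTP/1.0"),
    ("to_client", "HTTP/1.0 500 Internal Server Error\r\n\r\nerror '800a0cc1'"),
]

def normalize_uri(payload: str) -> str:
    """Stand-in for Snort's HTTP URI normalization: percent-decode the request
    and treat '+' as a space, so the content match sees the decoded text."""
    return unquote(payload.replace("+", " "))

def rule_matches(direction: str, payload: str) -> bool:
    """Apply the rule's flow and content options to a single packet."""
    if direction != RULE["flow"]:       # flow:to_server -> only client requests
        return False
    haystack, needle = normalize_uri(payload), RULE["content"]
    if RULE["nocase"]:                  # nocase -> case-insensitive comparison
        haystack, needle = haystack.lower(), needle.lower()
    return needle in haystack

def alerts(packets):
    """Return the indexes of the packets that would raise this alert."""
    return [i for i, (d, p) in enumerate(packets) if rule_matches(d, p)]

if __name__ == "__main__":
    for i in alerts(SAMPLE_PACKETS):
        print(f"[**] {RULE['msg']} [**] classtype={RULE['classtype']} packet={i}")
```

Note that the server's '800a0cc1' reply never fires the rule: flow:to_server restricts the match to the client's request, so the error text is only useful when reviewing the web server's own logs.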
Ease of Attack:
This is not entirely 'script kiddie friendly', but it can be performed fairly
easily by a savvy cyber sleuth.
1. Perform input sanitization on your ASP forms.
2. Limit the use of the xp_cmdshell functionality.
3. If you have a firewall that supports content filters on the
HTTP URI, you could restrict xp_cmdshell
(Checkpoint and Microsoft ISA, amongst many others, have this
4. Enable egress filtering on the network segment that your sql servers
Daniel Uriah Clemens dan.clemens at ...1661...
-Daniel Uriah Clemens
Esse quam videra
(to be, rather than to appear)
http://www.birmingham-infragard.org | 2053284200
fingerprint: EDF0 6566 2A4A 220E 5760 EA1F 0424 6DF6 F662 F5BD