[Snort-sigs] SID 1808 documentation

Kevin Peuhkurinen kevin.peuhkurinen at ...1555...
Mon Jun 9 08:04:08 EDT 2003

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$

apache chunked encoding memory corruption exploit attempt"; 
flow:established,to_server; content:"|C0 50 52 89 E1 50 51 52 50 B8 3B 
00 00 00 CD 80|"; reference:bugtraq,5033; reference:cve,CAN-2002-0392; 
classtype:web-application-activity; sid:1808; rev:3;)
An attacker is using exploit code for the Apache chunked encoding 
vulnerability against your web server.
If successful, this exploit can allow attackers to cause code of their 
choice to run on your server or cause a denial of service.
Detailed Information:
Older versions of the Apache HTTP server suffered from a bug in the 
routines that handled chunked encoding.  This exploit takes advantage of 
this vulnerability.
Affected Systems:
Version of Apache 1.3 up to and including 1.3.24 and versions of Apache 
2.0 up to 2.0.36.   All versions of Apache 1.2 are vulnerable.   
Although this vulnerability is present in all ports of Apache, the 
exploit code detected by this signature appears to only work against 
systems running BSD.
Attack Scenarios:
Most likely scenario is a script kiddie running the exploit code against 
your web server.
Ease of Attack:
False Positives:
Highly unlikely.
False Negatives:
None known.
Corrective Action:
Ensure that you are running a version of Apache newer than those listed 
in the "affected systems" section.
Kevin Peuhkurinen
Additional References:

More information about the Snort-sigs mailing list