[Snort-sigs] SID 1808 documentation
kevin.peuhkurinen at ...1555...
Mon Jun 9 08:04:08 EDT 2003
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
apache chunked encoding memory corruption exploit attempt";
flow:established,to_server; content:"|C0 50 52 89 E1 50 51 52 50 B8 3B
00 00 00 CD 80|"; reference:bugtraq,5033; reference:cve,CAN-2002-0392;
classtype:web-application-activity; sid:1808; rev:3;)
An attacker is using exploit code for the Apache chunked encoding
vulnerability against your web server.
If successful, this exploit can allow attackers to cause code of their
choice to run on your server or cause a denial of service.
Older versions of the Apache HTTP server suffered from a bug in the
routines that handled chunked encoding. This exploit takes advantage of
Version of Apache 1.3 up to and including 1.3.24 and versions of Apache
2.0 up to 2.0.36. All versions of Apache 1.2 are vulnerable.
Although this vulnerability is present in all ports of Apache, the
exploit code detected by this signature appears to only work against
systems running BSD.
Most likely scenario is a script kiddie running the exploit code against
your web server.
Ease of Attack:
Ensure that you are running a version of Apache newer than those listed
in the "affected systems" section.
More information about the Snort-sigs