[Snort-sigs] SID 1808 documentation revised
kevin.peuhkurinen at ...1555...
Tue Jun 10 05:23:02 EDT 2003
This is a revised copy of the 1808 docs that I submitted yesterday.
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
apache chunked encoding memory
corruption exploit attempt"; flow:established,to_server; content:"|C0 50
52 89 E1 50 51 52 50 B8 3B 00 00 00
CD 80|"; reference:bugtraq,5033; reference:cve,CAN-2002-0392;
An attacker is using exploit code for the Apache chunked encoding
vulnerability against your web server.
If successful, this exploit can allow attackers to cause code of their
choice to run on your server or cause
a denial of service.
Older versions of the Apache HTTP server suffered from a bug in the
routines that handled chunked encoding.
This exploit takes advantage of this vulnerability.
Version of Apache 1.3 up to and including 1.3.24 and versions of Apache
2.0 up to 2.0.36. All versions of
Apache 1.2 are vulnerable. Although this vulnerability is present in
all ports of Apache, the exploit code
detected by this signature appears to only work against systems running BSD.
Most likely scenario is a script kiddie running the exploit code against
your web server.
Ease of Attack:
This signature detects specific exploit code that targets systems
running BSD. It is certainly possible for this vulnerability to be
exploited in ways other than those detected by this signature.
Ensure that you are running a version of Apache newer than those listed
in the "affected systems" section.
More information about the Snort-sigs