[Snort-sigs] SID 1808 documentation revised

Kevin Peuhkurinen kevin.peuhkurinen at ...1555...
Tue Jun 10 05:23:02 EDT 2003

This is a revised copy of the 1808 docs that I submitted yesterday.

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$

apache chunked encoding memory
corruption exploit attempt"; flow:established,to_server; content:"|C0 50 
52 89 E1 50 51 52 50 B8 3B 00 00 00
CD 80|"; reference:bugtraq,5033; reference:cve,CAN-2002-0392; 
classtype:web-application-activity; sid:1808;
An attacker is using exploit code for the Apache chunked encoding 
vulnerability against your web server.
If successful, this exploit can allow attackers to cause code of their 
choice to run on your server or cause
a denial of service.
Detailed Information:
Older versions of the Apache HTTP server suffered from a bug in the 
routines that handled chunked encoding.
This exploit takes advantage of this vulnerability.
Affected Systems:
Version of Apache 1.3 up to and including 1.3.24 and versions of Apache 
2.0 up to 2.0.36.   All versions of
Apache 1.2 are vulnerable.   Although this vulnerability is present in 
all ports of Apache, the exploit code
detected by this signature appears to only work against systems running BSD.
Attack Scenarios:
Most likely scenario is a script kiddie running the exploit code against 
your web server.
Ease of Attack:
False Positives:
Highly unlikely.
False Negatives:
This signature detects specific exploit code that targets systems 
running BSD.  It is certainly possible for this vulnerability to be 
exploited in ways other than those detected by this signature.
Corrective Action:
Ensure that you are running a version of Apache newer than those listed 
in the "affected systems" section.
Kevin Peuhkurinen
Additional References:

More information about the Snort-sigs mailing list