[Snort-sigs] SID 1544 documentation
kevin.peuhkurinen at ...1555...
Wed Jun 11 12:31:14 EDT 2003
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to others' work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
Rule:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco Catalyst command execution attempt"; flow:to_server,established; uricontent:"/exec/show/config/cr"; nocase; reference:cve,CAN-2000-0945; classtype:web-application-activity; sid:1544; rev:3;)
Summary:
This is an attempt to list the configuration file of a Cisco IOS device through its HTTP server.
If successful, the device will reveal its configuration file, including the local authentication
user configuration, to an attacker without requiring prior authentication.
Detailed Information:
The HTTP server that is part of some versions of the Cisco IOS software
allows remote command execution when the access control method is set to
local authentication.
Affected Systems:
The following Cisco products can be affected. Whether they actually
are vulnerable or not depends on the version of IOS that they are
running. To properly determine if your product is vulnerable, see the
Cisco website referenced in the rule. This is not exploitable if the device
is using an access control method other than local authentication.
Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 800, ubr900, 1000,
1400, 1500, 1600, 1700, 2500, 2600, 3000, 3600, 3800, 4000, 4500, 4700,
AS5200, AS5300, AS5800, 6400, 7000, 7100, 7200, ubr7200, 7500, and 12000 series.
Most recent versions of the LS1010 ATM switch.
The Catalyst 6000 and 5000 if they are running Cisco IOS software.
The Catalyst 2900XL and 3500XL LAN switches only if they are running Cisco IOS software.
The Catalyst 2900 and 3000 series LAN switches are affected.
The Cisco Distributed Director.
Impact:
An attacker can take complete control of an affected Cisco device.
Ease of Attack:
Very easy. Exploitable via the address line in a browser.
False Negatives:
This signature only looks for one particular command (show config cr,
that is, "show config" followed by a carriage return). However, the
vulnerability allows any other command to be executed on the device at
the highest privilege level, and this signature will not detect those
requests.
This signature only looks for attacks against systems that are included
in the $HTTP_SERVERS group. Many administrators do not consider
routers or switches to be web servers, and therefore may not include
vulnerable devices in this group, causing an attack to proceed
unnoticed. If you think one of your routers or switches is vulnerable,
add its address to the $HTTP_SERVERS group.
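The following is an added example, not part of the original snort-sigs post: a minimal re-implementation of the matching logic of SID 1544, run over constructed HTTP requests, to show where the rule fires and where the two false negatives described above come from. The addresses, URIs and the HOME_NET / HTTP_SERVERS settings are constructed for this example; the broader "/exec/" prefix check is an assumption of the example and not a snort.org rule.

```python
"""
Added example, not from the original snort-sigs post: a minimal
re-implementation of the matching logic of SID 1544, run over constructed
HTTP requests, to show where the rule fires and where the two false
negatives described in the text come from.  Addresses, URIs and the
HOME_NET / HTTP_SERVERS settings below are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from urllib.parse import unquote

# Snort variables as a site might set them.  The router 10.0.0.1 is part of
# HOME_NET but deliberately NOT listed in HTTP_SERVERS, which is the
# configuration gap the text warns about.
HOME_NET = [ipaddress.ip_network("192.0.2.0/24"),
            ipaddress.ip_network("10.0.0.0/8")]
HTTP_SERVERS = [ipaddress.ip_network("192.0.2.0/24")]
HTTP_PORTS = {80, 8080}

SID1544_URI = "/exec/show/config/cr"   # uricontent from the rule


@dataclass
class Request:
    """One client request as the detector sees it after stream reassembly.
    Only client->server requests are modelled, so flow:to_server holds."""
    src: str
    dst: str
    dport: int
    established: bool
    uri: str


def in_nets(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def header_matches(req: Request) -> bool:
    """Rule header: tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS,
    plus flow:to_server,established.  $EXTERNAL_NET is taken as !$HOME_NET
    (the usual snort.conf setting; an assumption of this example)."""
    return (not in_nets(req.src, HOME_NET)
            and in_nets(req.dst, HTTP_SERVERS)
            and req.dport in HTTP_PORTS
            and req.established)


def sid1544_matches(req: Request) -> bool:
    """uricontent:"/exec/show/config/cr"; nocase;  Snort's HTTP preprocessor
    hands the rule a normalized (percent-decoded) URI, approximated here
    with unquote()."""
    return header_matches(req) and SID1544_URI in unquote(req.uri).lower()


def exec_path_matches(req: Request) -> bool:
    """Broader check that is an assumption of this example, not a snort.org
    rule: since the text says the same hole runs any command, flag every
    request whose URI contains the /exec/ path prefix."""
    return header_matches(req) and "/exec/" in unquote(req.uri).lower()


# Constructed traffic.  The "other command" URI only illustrates the
# substring logic; it is not a verified attack string.
SAMPLES = {
    "documented uri to listed web server":
        Request("198.51.100.7", "192.0.2.10", 80, True, "/exec/show/config/cr"),
    "same uri, mixed case":
        Request("198.51.100.7", "192.0.2.10", 80, True, "/EXEC/Show/Config/CR"),
    "other command, same hole":
        Request("198.51.100.7", "192.0.2.10", 80, True, "/exec/show/version/cr"),
    "documented uri to router not in HTTP_SERVERS":
        Request("198.51.100.7", "10.0.0.1", 80, True, "/exec/show/config/cr"),
}


def evaluate(samples=SAMPLES) -> dict:
    """Map each sample label to (SID 1544 fires, broad /exec/ check fires)."""
    return {label: (sid1544_matches(r), exec_path_matches(r))
            for label, r in samples.items()}


if __name__ == "__main__":
    for label, (sid, broad) in evaluate().items():
        print(f"{label:45s} sid1544={sid!s:5s} exec_prefix={broad}")
```

Running the block prints one row per sample: the documented URI fires in both its original and mixed-case forms, a request for a different command under the same /exec/ path is missed by SID 1544 but caught by the broader prefix check, and the documented URI sent to the router that was left out of $HTTP_SERVERS is missed by both, because the rule header never lets it reach the content match.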
Corrective Action:
Turn off the HTTP server on the device, use access lists to ensure that only
trusted hosts can reach it, use TACACS+ or RADIUS rather than local
authentication for access control, or upgrade to a fixed version of IOS.
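As an added example, not from the original post, the following audits an IOS-style running configuration for the conditions the corrective action above addresses. The configuration texts are constructed for this example, and two conventions it relies on are assumptions of the example rather than statements from the post: the HTTP server state is read from an "ip http server" / "no ip http server" line, and a missing "ip http authentication" line is treated as the IOS default of "enable" (that is, not local).

```python
"""
Added example, not from the original post: audit an IOS-style running
configuration for the exposure the corrective action in the text is about.
Assumptions of this example (not statements from the post): the HTTP server
state is read from an 'ip http server' / 'no ip http server' line, and a
missing 'ip http authentication' line is treated as the IOS default of
'enable', which is not the 'local' method the text says is exploitable.
"""
import re

# Constructed configs.  WEAK has the HTTP server on with local
# authentication and no access-class; the two fixed variants follow the
# advice in the text (turn the server off, or restrict and re-authenticate).
WEAK_CONFIG = """\
hostname edge-rtr
ip http server
ip http authentication local
"""

DISABLED_CONFIG = """\
hostname edge-rtr
no ip http server
ip http authentication local
"""

HARDENED_CONFIG = """\
hostname edge-rtr
aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 192.0.2.20
access-list 10 permit host 192.0.2.50
access-list 10 deny any log
ip http server
ip http access-class 10
ip http authentication aaa
"""

AUTH_RE = re.compile(r"^ip http authentication (\S+)")
ACL_RE = re.compile(r"^ip http access-class (\S+)")


def audit_http(config: str) -> list:
    """Return findings for the HTTP server configuration; an empty list
    means the device is either not serving HTTP or does so with a non-local
    authentication method and a source access-class."""
    lines = [line.strip() for line in config.splitlines() if line.strip()]
    # HTTP server off is the first remedy in the text: nothing further to check.
    if "no ip http server" in lines or "ip http server" not in lines:
        return []
    auth = "enable"   # assumed IOS default when no authentication line exists
    acl = None
    for line in lines:
        if m := AUTH_RE.match(line):
            auth = m.group(1)
        if m := ACL_RE.match(line):
            acl = m.group(1)
    findings = []
    if auth == "local":
        findings.append("ip http authentication local: the exposure condition "
                        "for CAN-2000-0945; use aaa (TACACS+/RADIUS) instead")
    if acl is None:
        findings.append("no ip http access-class: the HTTP server answers "
                        "requests from any source host")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("disabled", DISABLED_CONFIG),
                      ("hardened", HARDENED_CONFIG)):
        print(name, audit_http(cfg) or "ok")
```

The check is deliberately narrow: it flags the one combination the text describes as exploitable (HTTP server on, local authentication) and the missing access-class that lets any host reach it, so the weak config yields two findings and both fixed variants yield none.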