[Snort-sigs] SID 1050 documentation

Kevin Peuhkurinen kevin.peuhkurinen at ...1555...
Thu Jun 12 07:00:14 EDT 2003

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to others' work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$

iPlanet GETPROPERTIES attempt"; flow:to_server,established; 
content:"GETPROPERTIES"; offset:0; depth:13; 
classtype:web-application-attack; sid:1050; rev:6;)
A buffer overflow attack may be in process.
If successful, this attack will allow attackers to run code of their 
choosing on your server.
Detailed Information:
The web publishing feature in iPlanet Web Server 4.1 is vulnerable to a 
buffer overflow.
Affected Systems:
iPlanet Web Server 4.1 up to Service Pack 8
Attack Scenarios:
An attacker can spawn a remote shell on the server and execute any 
command they desire.
Ease of Attack:
Difficult.  Exploit code does not appear to exist as of June 2003, so an 
attacker would need to write the code themselves.
False Positives:
Legitimate uses of web publishing.
False Negatives:
This vulnerability can be exploited using any number of web publishing 
commands; however, this signature only triggers on one specific command.
Corrective Action:
Disable web publishing or upgrade your web server software.
Kevin Peuhkurinen
Additional References:
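
Added example, not part of the original post and not Snort code: a minimal Python emulation of the content/offset/depth test visible in the rule above, run over constructed payloads to show what the False Positives and False Negatives notes mean in practice. The request lines are constructed samples and `OTHERCMD` is a placeholder, not a real web publishing command.

```python
# Emulates only the options visible in the rule text:
#   content:"GETPROPERTIES"; offset:0; depth:13;
# The rule header, ports and flow state are not modelled (assumption: the
# payload passed in is the client-to-server data of an established session).

def content_match(payload: bytes, content: bytes, offset: int = 0, depth=None) -> bool:
    """Snort-style content test: look for `content` only inside the window
    that starts `offset` bytes into the payload and spans `depth` bytes."""
    end = len(payload) if depth is None else offset + depth
    return content in payload[offset:end]


def sid_1050_fires(payload: bytes) -> bool:
    # depth:13 equals len("GETPROPERTIES"), so with offset:0 the rule only
    # matches when the payload begins with that exact, case-sensitive string.
    return content_match(payload, b"GETPROPERTIES", offset=0, depth=13)


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    # Ordinary publishing request: fires, which is the False Positives case.
    "legitimate publishing request": b"GETPROPERTIES /docs/index.html HTTP/1.0\r\n\r\n",
    # Keyword appears outside the 13-byte window: no alert.
    "keyword later in request": b"GET /help/GETPROPERTIES.html HTTP/1.0\r\n\r\n",
    # Any other publishing command: no alert, the False Negatives case.
    "other command (placeholder)": b"OTHERCMD /docs/index.html HTTP/1.0\r\n\r\n",
}


def classify(samples: dict) -> dict:
    """Return {sample name: True if the emulated rule would alert}."""
    return {name: sid_1050_fires(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, fired in classify(SAMPLES).items():
        print(f"{'ALERT   ' if fired else 'no alert'}  {name}")
```

The match says nothing about request length or content after the command, so the alert marks use of the command rather than an overflow attempt.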
