[Snort-sigs] SID 1050 documentation

Kevin Peuhkurinen kevin.peuhkurinen at ...1555...
Thu Jun 12 07:00:14 EDT 2003


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#

Rule:  
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC 
iPlanet GETPROPERTIES attempt"; flow:to_server,established; 
content:"GETPROPERTIES"; offset:0; depth:13; 
classtype:web-application-attack; sid:1050; rev:6;)
--
Sid:
1050
--
Summary:
A buffer overflow attack may be in process.
--
Impact:
If successful, this attack will allow attackers to run code of their 
choosing on your server.
--
Detailed Information:
The web publishing feature in iPlanet Web Server 4.1 is vulnerable to a 
buffer overflow.
--
Affected Systems:
iPlanet Web Server 4.1 up to Service Pack 8
--
Attack Scenarios:
An attacker can spawn a remote shell on the server and execute any 
command they desire.
--
Ease of Attack:
Difficult.  Exploit code does not appear to exist as of June 2003, so an 
attacker would need to write the code themselves.
--
False Positives:
Legimate uses of web publishing.
--
False Negatives:
This vulnerability can be exploited using any number of web publishing 
commands, however this signature only triggers on one specific command 
(GETPROPERTIES).
--
Corrective Action:
Disable web publishing or upgrade your web server software.
--
Contributors:
Kevin Peuhkurinen
-- 
Additional References:
http://archives.neohapsis.com/archives/ntbugtraq/2001-q2/0035.html






More information about the Snort-sigs mailing list