[Snort-sigs] phpBB remote code execution detection rule (final)

Alex Kirk alex.kirk at ...435...
Wed Dec 1 06:56:01 EST 2004


Federico,

You might want to have an additional rule that uses uricontent instead 
of content, to deal with obfuscated GET requests such as:

http://<victim>/%76%69%65%77%74%6F%70%69%63.php?%74=2&%68%69%67%68%6C%69%67%68%74=...

Also, consider using distance:0 as a modifier to your content:"system" 
match if, as seems to be implied here, system will always be part of the 
value of the highlight parameter. This will force Snort to find "system" 
after "highlight=", adding a nice validity check to your detection.

Alex Kirk
Research Analyst
Sourcefire, Inc.

> Hello, this rule is intended to detect the recently discovered remote
> code execution bug. It is similar to rule 2001457, but there are some 
> attacks I tested that that rule does not detect and this one does 
> (e.g. 
> viewtopic.php?t=2&highlight=%2527%252esystem(chr(99)%252echr(97)%252echr(116)%252echr(32)%252echr(47)%252echr(101)%252echr(116)%252echr(99)%252echr(47)%252echr(104)%252echr(111)%252echr(115)%252echr(116)%252echr(115))%252e%2527)) 
>
>
> Rule:
>
> drop tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"phpBB <=
> 2.0.10 Remote code execution"; content:"/viewtopic.php?"; content:"t=";
> content:"highlight="; content:"system";
> reference:url,secunia.com/advisories/13239;
> classtype:web-application-attack; sid:100100; rev:1;)
>
> Reference:
>     http://secunia.com/advisories/13239
>
> Thanks...
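The following Python model is an added example, not code from Alex Kirk, Federico or the Snort project. It approximates the two points raised in the reply: plain `content:` options are searched independently against the raw request, so the hex-encoded path and parameter names in the obfuscated GET slip past them, while a `uricontent:` match runs against the normalized (percent-decoded) URI; and `distance:0` makes the `"system"` match relative to the end of the preceding `"highlight="` match, so the order of the two is enforced. The three request URIs are constructed and shortened, not captured traffic, and the decoding is a single pass, which is an assumption about how the HTTP preprocessor normalizes the URI before `uricontent` is evaluated.

```python
"""Toy model of the phpBB rule's content checks, showing the effect of
uricontent (matching the normalized URI) and distance:0 (ordering).

A rule incorporating both suggestions from the reply would look roughly
like the following; this is an illustration of the advice, not a rule
that appears on the page:

  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"phpBB <=
  2.0.10 Remote code execution (normalized URI)";
  uricontent:"/viewtopic.php?"; uricontent:"t="; uricontent:"highlight=";
  uricontent:"system"; distance:0;
  reference:url,secunia.com/advisories/13239;
  classtype:web-application-attack; sid:100101; rev:1;)
"""
from urllib.parse import unquote

PATH = "/viewtopic.php?"
PARAM_T = "t="
PARAM_HL = "highlight="
PAYLOAD = "system"


def normalize_uri(raw_uri):
    """One round of percent-decoding (assumption: this approximates what
    Snort's HTTP preprocessor does before uricontent matches run)."""
    return unquote(raw_uri)


def raw_unordered_match(raw_uri):
    """The posted rule as written: four content matches on the raw
    request, each searched independently from the start of the buffer."""
    return all(s in raw_uri for s in (PATH, PARAM_T, PARAM_HL, PAYLOAD))


def normalized_ordered_match(raw_uri):
    """Both suggestions applied: match the decoded URI, and require
    "system" to follow "highlight=" (distance:0 semantics)."""
    uri = normalize_uri(raw_uri)
    if PATH not in uri or PARAM_T not in uri:
        return False
    hl = uri.find(PARAM_HL)
    if hl < 0:
        return False
    # distance:0 is measured from the end of the previous content match,
    # so "system" only counts if it appears after "highlight=".
    return uri.find(PAYLOAD, hl + len(PARAM_HL)) >= 0


# Constructed request URIs (shortened; not captured traffic).
PLAIN_EXPLOIT = (
    "/viewtopic.php?t=2&highlight=%2527%252esystem(chr(99)%252echr(97))%252e%2527"
)
# Path and parameter names hex-encoded, as in the obfuscated GET above.
OBFUSCATED_EXPLOIT = (
    "/%76%69%65%77%74%6F%70%69%63.php?%74=2&"
    "%68%69%67%68%6C%69%67%68%74=%2527%252esystem(chr(99))%252e%2527"
)
# All four strings occur, but "system" precedes the highlight parameter,
# so this is not the pattern the rule is meant to describe.
OUT_OF_ORDER = "/viewtopic.php?t=5&system=1&highlight=snort"


def evaluate(uris=(PLAIN_EXPLOIT, OBFUSCATED_EXPLOIT, OUT_OF_ORDER)):
    """Return {uri: (raw_unordered, normalized_ordered)} for each request."""
    return {u: (raw_unordered_match(u), normalized_ordered_match(u))
            for u in uris}


if __name__ == "__main__":
    for uri, (raw, norm) in evaluate().items():
        print(f"raw/unordered={raw!s:5} normalized/ordered={norm!s:5} {uri}")
```

Running it shows the raw, unordered checks firing on the plain exploit and on the out-of-order request but missing the hex-encoded one, while the normalized, ordered checks fire on both exploit forms and stay quiet on the out-of-order request. One caveat the model makes visible: a single decoding pass leaves `%2527` as `%27`, so an attacker who double-encodes the word `system` itself would also evade the normalized match unless the preprocessor is configured to decode twice.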