[Snort-sigs] CVE-2018-8733, CVE-2018-8734, CVE-2018-8735

Y M snort at outlook.com
Tue May 1 09:24:16 EDT 2018


Hi,

The below rules are for detecting exploit attempts against the listed CVEs. Pcap is available for this one.

# Date: 2018-05-01
# Title: CVE-2018-873X - NagiosXI Vulnerability Chaining; Death By a Thousand Cuts
# Reference: http://blog.redactedsec.net/exploits/2018/04/26/nagios.html, https://www.exploit-db.com/exploits/44560/
# CVEs: CVE-2018-8733, CVE-2018-8734, CVE-2018-8735
# Tests: pcap

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NagiosXI unauthenticated SQL injection attempt"; flow:to_server,established; content:"POST"; http_method; content:"/nagiosql/admin/helpedit.php"; fast_pattern:only; http_uri; content:"selInfoKey1="; http_client_body; content:"union"; nocase; http_client_body; content:"select"; nocase; http_client_body; metadata:ruleset community, service http; reference:cve,2018-8734; reference:url,blog.redactedsec.net/exploits/2018/04/26/nagios.html; reference:url,www.exploit-db.com/exploits/44560/; classtype:attempted-admin; sid:8000033; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NagiosXI authentication bypass attempt"; flow:to_server,established; content:"POST"; http_method; content:"/nagiosql/admin/settings.php"; fast_pattern:only; http_uri; content:"txtRootPath="; http_client_body; content:"&txtDBserver="; http_client_body; content:"&txtDBname="; http_client_body; content:"&txtDBuser="; http_client_body; metadata:ruleset community, service http; reference:cve,2018-8733; reference:url,blog.redactedsec.net/exploits/2018/04/26/nagios.html; reference:url,www.exploit-db.com/exploits/44560/; classtype:attempted-admin; sid:8000034; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NagiosXI authenticated command injection attempt"; flow:to_server,established; content:"POST"; http_method; content:"/nagiosxi/backend/index.php?"; fast_pattern:only; http_uri; content:"command_data="; http_uri; content:"&cmd=submitcommand"; http_uri; content:"&command="; http_uri; content:"nagiosxi="; http_cookie; metadata:ruleset community, service http; reference:cve,2018-8735; reference:url,blog.redactedsec.net/exploits/2018/04/26/nagios.html; reference:url,www.exploit-db.com/exploits/44560/; classtype:attempted-admin; sid:8000035; rev:1;)

Thanks.
YM
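As an added check (not part of the original post, and not taken from the pcap it mentions), the snippet below re-implements the content checks of sids 8000033-8000035 in Python over constructed HTTP requests. It shows which request fragments each buffer modifier (http_method, http_uri, http_client_body, http_cookie) actually inspects, and it makes the ordering assumption in sid 8000035 visible: the literal "&cmd=submitcommand" only matches when some other parameter precedes cmd in the query string. Hostnames, the cookie value and all parameter values are placeholders.

```python
"""Added example, not part of the original post: a minimal re-implementation
of the content checks in sids 8000033-8000035 over raw HTTP requests, so the
buffer modifiers (http_method, http_uri, http_client_body, http_cookie) can be
exercised against constructed traffic without running Snort.  It does no URI
normalisation and no percent-decoding; Snort's http_uri buffer is normalised,
so this is a logic check, not a substitute for replaying the pcap."""

# Rule conditions transcribed from the posted rules: (buffer, pattern, nocase).
# A plain `content` without distance/within/offset/depth is an independent
# "substring anywhere in this buffer" check, which is what is modelled here.
RULES = {
    8000033: [  # NagiosXI unauthenticated SQL injection attempt
        ("method", b"POST", False),
        ("uri", b"/nagiosql/admin/helpedit.php", False),
        ("body", b"selInfoKey1=", False),
        ("body", b"union", True),
        ("body", b"select", True),
    ],
    8000034: [  # NagiosXI authentication bypass attempt
        ("method", b"POST", False),
        ("uri", b"/nagiosql/admin/settings.php", False),
        ("body", b"txtRootPath=", False),
        ("body", b"&txtDBserver=", False),
        ("body", b"&txtDBname=", False),
        ("body", b"&txtDBuser=", False),
    ],
    8000035: [  # NagiosXI authenticated command injection attempt
        ("method", b"POST", False),
        ("uri", b"/nagiosxi/backend/index.php?", False),
        ("uri", b"command_data=", False),
        ("uri", b"&cmd=submitcommand", False),
        ("uri", b"&command=", False),
        ("cookie", b"nagiosxi=", False),
    ],
}


def parse_request(raw):
    """Split a raw HTTP/1.x request into the four buffers the rules inspect."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, uri, _version = request_line.split(b" ", 2)
    cookie = b""
    for line in header_lines:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"cookie":
            cookie = value.strip()
    return {"method": method, "uri": uri, "body": body, "cookie": cookie}


def content_match(buf, pattern, nocase):
    """Unanchored Snort `content` semantics: pattern anywhere in the buffer."""
    if nocase:
        return pattern.lower() in buf.lower()
    return pattern in buf


def evaluate(raw):
    """Return the sids whose every content check matches, in ascending order."""
    req = parse_request(raw)
    return sorted(sid for sid, conds in RULES.items()
                  if all(content_match(req[buf], pat, nc) for buf, pat, nc in conds))


# Constructed sample requests (hostname, cookie value and parameter values are
# placeholders, not taken from the pcap or the referenced exploit).
SQLI = (b"POST /nagiosql/admin/helpedit.php HTTP/1.1\r\n"
        b"Host: nagios.example.test\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
        b"selInfoKey1=1%27+UNION+SELECT+1,2,3--+-")
AUTH_BYPASS = (b"POST /nagiosql/admin/settings.php HTTP/1.1\r\n"
               b"Host: nagios.example.test\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
               b"txtRootPath=%2Fx%2F&txtDBserver=203.0.113.10&txtDBname=x&txtDBuser=x&txtDBpass=x")
CMD_INJ = (b"POST /nagiosxi/backend/index.php?command_data=x&cmd=submitcommand&command=x HTTP/1.1\r\n"
           b"Host: nagios.example.test\r\n"
           b"Cookie: nagiosxi=0123456789abcdef\r\n"
           b"Content-Length: 0\r\n\r\n")
# Same parameters as CMD_INJ with cmd= first: "&cmd=submitcommand" no longer
# appears in the URI, so sid 8000035 does not fire on this ordering.
CMD_INJ_REORDERED = CMD_INJ.replace(
    b"?command_data=x&cmd=submitcommand&command=x",
    b"?cmd=submitcommand&command=x&command_data=x")
# GET with the injection in the query string: no client body for the rule.
SQLI_GET = (b"GET /nagiosql/admin/helpedit.php?selInfoKey1=1%27+UNION+SELECT+1 HTTP/1.1\r\n"
            b"Host: nagios.example.test\r\n\r\n")
BENIGN = (b"POST /nagiosxi/login.php HTTP/1.1\r\n"
          b"Host: nagios.example.test\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
          b"username=x&password=x")

if __name__ == "__main__":
    for name, raw in [("SQLI", SQLI), ("AUTH_BYPASS", AUTH_BYPASS),
                      ("CMD_INJ", CMD_INJ), ("CMD_INJ_REORDERED", CMD_INJ_REORDERED),
                      ("SQLI_GET", SQLI_GET), ("BENIGN", BENIGN)]:
        print(name, evaluate(raw))
```

The reordered request is the one worth replaying against the real pcap before the rules go in: if the exploit (or a trivially modified copy) puts cmd first, `content:"cmd=submitcommand"` without the leading "&" covers both orders at the cost of one byte of specificity. The helper does no URI normalisation, so a path such as /nagiosql/admin/./helpedit.php that Snort's http_uri buffer would fold is missed here but caught by the rule; conversely, a NagiosXI instance served on a port outside $HTTP_PORTS is missed by both.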