[Snort-sigs] CVE-2018-8733, CVE-2018-8734, CVE-2018-8735

Phillip Lee phillile at sourcefire.com
Tue May 1 10:51:40 EDT 2018


Yaser,

Thanks for your submission. We will review the rules and get back to you when they're finished. 

Can you send along the pcaps that you have? 

Regards,
Phil Lee
Cisco Talos

> On May 1, 2018, at 9:24 AM, Y M via Snort-sigs <snort-sigs at lists.snort.org> wrote:
> 
> Hi,
> 
> The below rules are for detecting exploit attempts against the listed CVEs. Pcap is available for this one.
> 
> # Date: 2018-05-01
> # Title: CVE-2018-873X - NagiosXI Vulnerability Chaining; Death By a Thousand Cuts
> # Reference: http://blog.redactedsec.net/exploits/2018/04/26/nagios.html <http://blog.redactedsec.net/exploits/2018/04/26/nagios.html>, https://www.exploit-db.com/exploits/44560/ <https://www.exploit-db.com/exploits/44560/>
> # CVEs: CVE-2018-8733, CVE-2018-8734, CVE-2018-8735
> # Tests: pcap
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NagiosXI unauthenticated SQL injection attempt"; flow:to_server,established; content:"POST"; http_method; content:"/nagiosql/admin/helpedit.php"; fast_pattern:only; http_uri; content:"selInfoKey1="; http_client_body; content:"union"; nocase; http_client_body; content:"select"; nocase; http_client_body; metadata:ruleset community, service http; reference:cve,2018-8734; reference:url,blog.redactedsec.net/exploits/2018/04/26/nagios.html <http://blog.redactedsec.net/exploits/2018/04/26/nagios.html>; reference:url,www.exploit-db.com/exploits/44560/ <http://www.exploit-db.com/exploits/44560/>; classtype:attempted-admin; sid:8000033; rev:1;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NagiosXI unauthenticated authentication bypass attempt"; flow:to_server,established; content:"POST"; http_method; content:"/nagiosql/admin/settings.php"; fast_pattern:only; http_uri; content:"txtRootPath="; http_client_body; content:"&txtDBserver="; http_client_body; content:"&txtDBname="; http_client_body; content:"&txtDBuser="; http_client_body; reference:cve,2018-8733; reference:url,blog.redactedsec.net/exploits/2018/04/26/nagios.html <http://blog.redactedsec.net/exploits/2018/04/26/nagios.html>; reference:url,www.exploit-db.com/exploits/44560/ <http://www.exploit-db.com/exploits/44560/>; classtype:attempted-admin; sid:8000034; rev:1;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NagiosXI authenticated command injection attempt"; flow:to_server,established; content:"POST"; http_method; content:"/nagiosxi/backend/index.php?"; fast_pattern:only; http_uri; content:"command_data="; http_uri; content:"&cmd=submitcommand"; http_uri; content:"&command="; http_uri; content:"nagiosxi="; http_cookie; reference:cve,2018-8735; reference:url,blog.redactedsec.net/exploits/2018/04/26/nagios.html <http://blog.redactedsec.net/exploits/2018/04/26/nagios.html>; reference:url,www.exploit-db.com/exploits/44560/ <http://www.exploit-db.com/exploits/44560/>; classtype:attempted-admin; sid:8000035; rev:1;)
> 
> Thanks.
> YM
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.snort.org <mailto:Snort-sigs at lists.snort.org>
> https://lists.snort.org/mailman/listinfo/snort-sigs <https://lists.snort.org/mailman/listinfo/snort-sigs>
> 
> Please visit http://blog.snort.org <http://blog.snort.org/> for the latest news about Snort!
> 
> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette <https://snort.org/faq/what-is-the-mailing-list-etiquette>
> 
> Visit the Snort.org <http://snort.org/> to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads <https://snort.org/downloads/#rule-downloads>">emerging threats</a>!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20180501/596385ee/attachment-0001.html>


More information about the Snort-sigs mailing list