[Snort-users] Cisco HTTP Admin IOS attack signature

Dragos Ruiu dr at ...381...
Fri Jun 29 22:24:58 EDT 2001


If you have any Ciscos and are running Snort, you ought to
add some signatures like this to avoid any grief...  (and change
the sid when Brian assigns it a new one...). Also, this is done
from theory as I don't have a vulnerable box to poke at right now...
so if someone could test these for me....

(vulnerability info below)
rule file additions:

# IPs of your Ciscos, comma-separated, no spaces, e.g. [192.168.1.1,192.168.1.2]
var CISCOS [IPs of your ciscos with commas and no spaces]

# One sid per rule (Snort refuses duplicate sids); these are local-range
# placeholders until official ones are assigned.
alert tcp any any -> $CISCOS 80 (msg:"EXPLOIT Cisco HTTP admin"; flags:A+; \
content:"GET"; content:"level/16/exec"; nocase; \
reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;)

alert tcp any any -> $CISCOS 80 (msg:"EXPLOIT Cisco HTTP admin"; flags:A+; \
content:"GET"; content:"level/17/exec"; nocase; \
reference:bugtraq,2936; classtype:attempted-admin; sid:1100001; rev:1;)

alert tcp any any -> $CISCOS 80 (msg:"EXPLOIT Cisco HTTP admin"; flags:A+; \
content:"GET"; content:"level/18/exec"; nocase; \
reference:bugtraq,2936; classtype:attempted-admin; sid:1100002; rev:1;)

alert tcp any any -> $CISCOS 80 (msg:"EXPLOIT Cisco HTTP admin"; flags:A+; \
content:"GET"; content:"level/19/exec"; nocase; \
reference:bugtraq,2936; classtype:attempted-admin; sid:1100003; rev:1;)

# Levels 20-99: match "level/<first digit>" plus "/exec" anywhere in the payload
alert tcp any any -> $CISCOS 80 (msg:"EXPLOIT Cisco HTTP admin"; flags:A+; \
content:"GET"; content:"level/2"; content:"/exec"; nocase; \
reference:bugtraq,2936; classtype:attempted-admin; sid:1100004; rev:1;)

alert tcp any any -> $CISCOS 80 (msg:"EXPLOIT Cisco HTTP admin"; flags:A+; \
content:"GET"; content:"level/3"; content:"/exec"; nocase; \
reference:bugtraq,2936; classtype:attempted-admin; sid:1100005; rev:1;)

alert tcp any any -> $CISCOS 80 (msg:"EXPLOIT Cisco HTTP admin"; flags:A+; \
content:"GET"; content:"level/4"; content:"/exec"; nocase; \
reference:bugtraq,2936; classtype:attempted-admin; sid:1100006; rev:1;)

alert tcp any any -> $CISCOS 80 (msg:"EXPLOIT Cisco HTTP admin"; flags:A+; \
content:"GET"; content:"level/5"; content:"/exec"; nocase; \
reference:bugtraq,2936; classtype:attempted-admin; sid:1100007; rev:1;)

alert tcp any any -> $CISCOS 80 (msg:"EXPLOIT Cisco HTTP admin"; flags:A+; \
content:"GET"; content:"level/6"; content:"/exec"; nocase; \
reference:bugtraq,2936; classtype:attempted-admin; sid:1100008; rev:1;)

alert tcp any any -> $CISCOS 80 (msg:"EXPLOIT Cisco HTTP admin"; flags:A+; \
content:"GET"; content:"level/7"; content:"/exec"; nocase; \
reference:bugtraq,2936; classtype:attempted-admin; sid:1100009; rev:1;)

alert tcp any any -> $CISCOS 80 (msg:"EXPLOIT Cisco HTTP admin"; flags:A+; \
content:"GET"; content:"level/8"; content:"/exec"; nocase; \
reference:bugtraq,2936; classtype:attempted-admin; sid:1100010; rev:1;)

alert tcp any any -> $CISCOS 80 (msg:"EXPLOIT Cisco HTTP admin"; flags:A+; \
content:"GET"; content:"level/9"; content:"/exec"; nocase; \
reference:bugtraq,2936; classtype:attempted-admin; sid:1100011; rev:1;)

Some alerts on any SSL access to your Ciscos might also be warranted
if that is also an access method...

(If there is some nonstandard port mapping you may have to change
the above ports. Turning on the unicode preprocessor might also be a
good idea, as I don't know if anyone's analyzed unicode obfuscation
on these.)

The vulnerability... Oh boy, this sounds like a fun one....
In the words of http://www.securityfocus.com/bid/2936:

 IOS is router firmware developed and distributed by Cisco Systems. IOS
functions on numerous Cisco devices, including routers and switches.

 It is possible to gain full remote administrative access on devices using
affected releases of IOS. By using a URL of
http://router.address/level/$NUMBER/exec/.... where $NUMBER is an integer
between 16 and 99, it is possible for a remote user to gain full administrative
access.

 This problem makes it possible for a remote user to gain full administrative
privileges, which may lead to further compromise of the network or result in a
denial of service.

--kyx--

cheers,
--dr
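As an added example (not part of Dragos's post), the following Python models the detection logic of the rule set above so it can be checked offline against request lines before it is deployed: `decoded_match` is a single-check equivalent of the twelve rules (GET plus level/N/exec with N in the 16..99 range quoted from BID 2936) applied after percent-decoding, and `literal_match` reproduces what the posted content strings see with no decoding at all. The sample request lines are constructed for the example, not captured traffic, and the decoding step is only an approximation of what Snort's HTTP decode preprocessor does for the rule engine.

```python
import re
from urllib.parse import unquote

# Vulnerable privilege-level range as quoted from BID 2936 in the post.
LOW, HIGH = 16, 99
LEVEL_EXEC = re.compile(r"level/(\d{1,3})/exec", re.IGNORECASE)


def normalize(request_line: str) -> str:
    """Percent-decode the request line, twice to undo double encoding.
    Stands in for Snort's HTTP decode preprocessor; without such decoding
    the literal content matches in the rules can be evaded."""
    decoded = request_line
    for _ in range(2):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    return decoded


def decoded_match(request_line: str) -> bool:
    """Single-check equivalent of the twelve rules: a GET whose decoded
    path contains level/<N>/exec with LOW <= N <= HIGH."""
    if not request_line.upper().startswith("GET "):
        return False
    m = LEVEL_EXEC.search(normalize(request_line))
    return bool(m) and LOW <= int(m.group(1)) <= HIGH


def literal_match(request_line: str) -> bool:
    """What the posted content rules match with no decoding: exact strings
    for levels 16..19, then 'level/2'..'level/9' anywhere in the payload
    together with '/exec' (so that form also fires on levels 2..9)."""
    s = request_line.lower()
    if "get" not in s:
        return False
    if any(f"level/{n}/exec" in s for n in range(16, 20)):
        return True
    return "/exec" in s and any(f"level/{d}" in s for d in "23456789")


def scan(lines):
    """Return (line, decoded_match, literal_match) for each request line."""
    return [(line, decoded_match(line), literal_match(line)) for line in lines]


# Constructed sample request lines for the example (not captured traffic).
SAMPLES = [
    "GET /level/16/exec/show/config HTTP/1.0",     # textbook attempt
    "GET /level/42/exec/-/show/running HTTP/1.0",  # two-digit level
    "GET /LEVEL/99/EXEC/ HTTP/1.0",                # case variation
    "GET /level/%31%36/exec/show HTTP/1.0",        # percent-encoded "16"
    "GET /level/%2531%36/exec/show HTTP/1.0",      # double-encoded "16"
    "GET /level/15/exec/show HTTP/1.0",            # level 15: outside 16..99
    "GET /level/2/exec/ HTTP/1.0",                 # level 2: outside 16..99
    "POST /level/16/exec HTTP/1.0",                # not a GET
]

if __name__ == "__main__":
    for line, dec, lit in scan(SAMPLES):
        state = "ALERT" if dec else "  ok "
        rules = "hit " if lit else "miss"
        print(f"{state}  posted rules: {rules}  {line}")
```

Running it shows the two caveats a practitioner should know about this rule set: the percent-encoded requests are caught only after decoding (so the preprocessor the post mentions is not optional), and the "level/2".."level/9" plus "/exec" pairs fire on single-digit levels 2..9 and on any payload containing both strings, which is acceptable for an attempted-admin alert but will produce some noise on legitimate requests.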