[Snort-users] Re: Cisco HTTP Admin IOS attack signature

Dragos Ruiu dr at ...381...
Fri Jun 29 23:11:16 EDT 2001


Just had another thought... these two rules instead of the below
will run slower but false less and bypass another obfuscation....

alert tcp any any ->  $CISCOS 80  (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
  content:"GET"; regex:"level/*1[6-9]"; content:"/exec";  nocase; \
  reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;) 

alert tcp any any ->  $CISCOS 80  (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
  content:"GET"; regex:"level/*[2-9][0-9]"; content:"/exec";  nocase; \
  reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;) 

cheers,
--dr

On Fri, 29 Jun 2001, Dragos Ruiu wrote:
> If you do have any Ciscos and are running snort you ought to
> add some signatures like this to avoid any grief...  (and change 
> the sid when  Brian assigns it a new one... ) Also this is done 
> from theory as I don't have a vulnerable box to poke at right now... 
> so if someone could test these for me....
> 
> (vulnerability info below)
> rule file additions:
> 
> variable $CISCOS  [IPs of your ciscos with commas and no spaces]
> 
> alert tcp any any ->  $CISCOS 80  (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
> content:"GET"; content:"level/16/exec";  nocase; \
> reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;) 
> 
> alert tcp any any ->  $CISCOS 80  (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
> content:"GET"; content:"level/17/exec"; nocase; \
> reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;) 
> 
> alert tcp any any ->  $CISCOS 80  (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
> content:"GET";  content:"level/18/exec"; nocase; \
> reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;) 
> 
> alert tcp any any ->  $CISCOS 80  (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
> content:"GET"; content:"level/19/exec"; nocase; \
> reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;) 
> 
> alert tcp any any ->  $CISCOS 80  (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
> content:"GET"; content:"level/2"; content:"/exec"; nocase; \
> reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;) 
> 
> alert tcp any any ->  $CISCOS 80  (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
> content:"GET"; content:"level/3"; content:"/exec"; nocase; \
> reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;) 
> 
> alert tcp any any ->  $CISCOS 80  (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
> content:"GET"; content:"level/4"; content:"/exec"; nocase; \
> reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;) 
> 
> alert tcp any any ->  $CISCOS 80  (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
> content:"GET"; content:"level/5"; content:"/exec"; nocase; \
> reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;) 
> 
> alert tcp any any ->  $CISCOS 80  (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
> content:"GET"; content:"level/6"; content:"/exec"; nocase; \
> reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;) 
> 
> alert tcp any any ->  $CISCOS 80  (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
> content:"GET"; content:"level/7"; content:"/exec"; nocase; \
> reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;) 
> 
> alert tcp any any ->  $CISCOS 80  (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
> content:"GET"; content:"level/8"; content:"/exec"; nocase; \
> reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;) 
> 
> alert tcp any any ->  $CISCOS 80  (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
> content:"GET"; content:"level/9"; content:"/exec"; nocase; \
> reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;) 
> 
> Some alerts on any ssl access to your Ciscos might also be warranted
> if that is also an access method...
> 
> (if there is some nonstandard port mapping you may have to change 
> the above ports. And turning on the unicode preprocessor might be a 
> good idea as I don't know if anyone's analyzed unicode obfuscation
> on these.)
> 
> The vulnerability... Oh boy, this sounds like a fun one....
> In the words of: http://www.securityfocus.com/bid/2936
> 
>  IOS is router firmware developed and distributed by Cisco Systems. IOS
> functions on numerous Cisco devices, including routers and switches.
> 
>  It is possible to gain full remote administrative access on devices using
> affected releases of IOS. By using a URL of
> http://router.address/level/$NUMBER/exec/.... where $NUMBER is an integer
> between 16 and 99, it is possible for a remote user to gain full administrative
> access.
> 
>  This problem makes it possible for a remote user to gain full administrative
> privileges, which may lead to further compromise of the network or result in a
> denial of service.
> 
> --kyx--
> 
> cheers,
> --dr
-- 
Dragos Ruiu <dr at ...50...>   dursec.com ltd. / kyx.net - we're from the future 
gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc
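Added example, not part of Dragos's post or of any Snort rule set: a small Python check that implements what the two regex rules in the reply are approximating, namely "GET for /level/<n>/exec where n is an integer from 16 to 99", with the case and repeated-slash tolerance the rules aim for and a percent-decoding step for the URL-encoding obfuscation the thread raises. The bounded integer comparison is what removes the false positives of the quoted single-digit rules (a `content:"level/2"` plus `content:"/exec"` pair also fires on a legitimate `/level/2/exec/` request). The request lines are constructed for this example; only the `/level/<n>/exec/` path shape from the BID 2936 text is used.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines (not from the original post). Only the
# /level/<n>/exec/ path shape from the BID 2936 description is used.
SAMPLE_REQUESTS = [
    "GET /level/16/exec/ HTTP/1.0",        # level 16: inside 16..99, alert
    "GET /LEVEL/99/EXEC/ HTTP/1.0",        # upper case: the rules use nocase
    "GET /level//17/exec/ HTTP/1.0",       # doubled slash: what the reply's "/*" tolerates
    "GET /level/%31%38/exec/ HTTP/1.0",    # percent-encoded "18"
    "GET /level/15/exec/ HTTP/1.0",        # level 15 is an ordinary IOS privilege level
    "GET /level/2/exec/ HTTP/1.0",         # the quoted 'level/2' + '/exec' rule fires here
    "GET /level/200/exec/ HTTP/1.0",       # three digits: outside 16..99
    "GET /index.html HTTP/1.0",            # unrelated request
]

# Case-insensitive; '/+' tolerates repeated slashes between the path elements,
# and the trailing group requires a full "exec" element rather than a prefix.
LEVEL_EXEC_RE = re.compile(r"/level/+(\d+)/+exec(?:/|$)", re.IGNORECASE)


def normalize_uri(uri: str) -> str:
    """Undo the simple obfuscations the thread worries about: percent-encoding
    (decoded twice so a double-encoded digit is also caught); the query string
    is dropped because it cannot change the path."""
    decoded = unquote(unquote(uri))
    return decoded.split("?", 1)[0]


def requested_level(request_line: str):
    """Return the integer privilege level from a 'GET /level/<n>/exec' request
    line, or None if the line is not such a request."""
    parts = request_line.split()
    if len(parts) < 2 or parts[0].upper() != "GET":
        return None
    m = LEVEL_EXEC_RE.search(normalize_uri(parts[1]))
    return int(m.group(1)) if m else None


def is_exploit_attempt(request_line: str) -> bool:
    """Alert only for levels 16..99, the range BID 2936 describes. IOS privilege
    levels 0..15 are legitimate and must not match (the single-digit substring
    rules quoted in the thread would match them)."""
    level = requested_level(request_line)
    return level is not None and 16 <= level <= 99


def scan(lines):
    """Return (request line, level) pairs for every request that should alert."""
    return [(line, requested_level(line)) for line in lines if is_exploit_attempt(line)]


if __name__ == "__main__":
    for line, level in scan(SAMPLE_REQUESTS):
        print(f"ALERT level={level}: {line}")
```

Run against the sample list, the first four lines alert and the remaining four do not; the level 15 and level 2 lines are the cases where a plain substring match would have fired on legitimate traffic.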



