List: snort-users
Subject: [Snort-users] Re: Cisco HTTP Admin IOS attack signature
From: Dragos Ruiu <dr () dursec ! com>
Date: 2001-06-30 3:20:02
Just had another thought... these two rules instead of the below
will run slower but false less and bypass another obfuscation....
alert tcp any any -> $CISCOS 80 (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
content:"GET"; regex:"level/*1[6-9]"; content:"/exec"; nocase; \
reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;)
alert tcp any any -> $CISCOS 80 (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
content:"GET"; regex:"level/*[2-9][0-9]"; content:"/exec"; nocase; \
reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;)
cheers,
--dr
On Fri, 29 Jun 2001, Dragos Ruiu wrote:
> If you do have any Cisco's and are running snort you ought to
> add some signatures like this to avoid any grief... (and change
> the sid when Brian assigns it a new one... ) Also this is done
> from theory as I don't have a vulnerable box to poke at right now...
> so if someone could test these for me....
>
> (vulnerability info below)
> rule file additions:
>
> var CISCOS [IPs of your ciscos with commas and no spaces]
>
> alert tcp any any -> $CISCOS 80 (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
> content:"GET"; content:"level/16/exec"; nocase; \
> reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;)
>
> alert tcp any any -> $CISCOS 80 (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
> content:"GET"; content:"level/17/exec"; nocase; \
> reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;)
>
> alert tcp any any -> $CISCOS 80 (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
> content:"GET"; content:"level/18/exec"; nocase; \
> reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;)
>
> alert tcp any any -> $CISCOS 80 (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
> content:"GET"; content:"level/19/exec"; nocase; \
> reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;)
>
> alert tcp any any -> $CISCOS 80 (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
> content:"GET"; content:"level/2"; content:"/exec"; nocase; \
> reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;)
>
> alert tcp any any -> $CISCOS 80 (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
> content:"GET"; content:"level/3"; content:"/exec"; nocase; \
> reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;)
>
> alert tcp any any -> $CISCOS 80 (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
> content:"GET"; content:"level/4"; content:"/exec"; nocase; \
> reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;)
>
> alert tcp any any -> $CISCOS 80 (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
> content:"GET"; content:"level/5"; content:"/exec"; nocase; \
> reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;)
>
> alert tcp any any -> $CISCOS 80 (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
> content:"GET"; content:"level/6"; content:"/exec"; nocase; \
> reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;)
>
> alert tcp any any -> $CISCOS 80 (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
> content:"GET"; content:"level/7"; content:"/exec"; nocase; \
> reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;)
>
> alert tcp any any -> $CISCOS 80 (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
> content:"GET"; content:"level/8"; content:"/exec"; nocase; \
> reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;)
>
> alert tcp any any -> $CISCOS 80 (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
> content:"GET"; content:"level/9"; content:"/exec"; nocase; \
> reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;)
>
> Some alerts on any ssl access to your Cisco's might also be warranted
> if that is also an access method...
>
> (if there is some nonstandard port mapping you may have to change
> the above ports. And turning on the unicode preprocessor might be a
> good idea as I don't know if anyone's analyzed unicode obfuscation
> on these.)
>
> The vulnerability... Oh boy, this sounds like a fun one....
> In the words of: http://www.securityfocus.com/bid/2936
>
> IOS is router firmware developed and distributed by Cisco Systems. IOS
> functions on numerous Cisco devices, including routers and switches.
>
> It is possible to gain full remote administrative access on devices using
> affected releases of IOS. By using a URL of
> http://router.address/level/$NUMBER/exec/.... where $NUMBER is an integer
> between 16 and 99, it is possible for a remote user to gain full administrative
> access.
>
> This problem makes it possible for a remote user to gain full administrative
> privileges, which may lead to further compromise of the network or result in a
> denial of service.
>
> --kyx--
>
> cheers,
> --dr
--
Dragos Ruiu <dr@dursec.com> dursec.com ltd. / kyx.net - we're from the future
gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc
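The rules in this thread encode the advisory's level/$NUMBER/exec URL pattern as Snort content and regex matches. As an added illustration that is not part of the original post or of Snort itself, the Python below applies the same check to constructed HTTP request lines the way a detection engineer would validate a signature offline: it percent-decodes the path and collapses repeated slashes (the kind of normalization the unicode preprocessor mentioned above provides), then extracts the number and tests the advisory's 16 to 99 range, so it stays quiet on level/15 and on level/160, which a bare level/1[6-9] prefix match would flag. The function names, the normalization step and the sample request lines are assumptions of this example, not anything from the post.

```python
import re
from urllib.parse import unquote

# Pattern taken from the advisory text quoted in the thread:
# /level/$NUMBER/exec/... where $NUMBER is an integer from 16 to 99.
# The path is normalized first, so a single slash is enough here even
# for the "level//16/exec" style obfuscation the regex rules aim at.
LEVEL_EXEC_RE = re.compile(r"/level/(\d+)/exec(?:/|\?|$)", re.IGNORECASE)


def normalize_path(path: str) -> str:
    """Percent-decode and collapse runs of slashes (assumed normalization,
    comparable to what an HTTP/unicode preprocessor does before matching)."""
    decoded = unquote(path)
    return re.sub(r"/+", "/", decoded)


def is_ios_level_exec(request_line: str):
    """Classify one HTTP request line.

    Returns (matched, level): matched is True only for GET requests whose
    normalized path carries /level/N/exec with 16 <= N <= 99; level is the
    integer seen (or None when the path does not carry the pattern at all).
    """
    parts = request_line.split()
    # The Snort rules anchor on content:"GET", so other methods are ignored.
    if len(parts) < 2 or parts[0].upper() != "GET":
        return (False, None)
    path = normalize_path(parts[1])
    m = LEVEL_EXEC_RE.search(path)
    if not m:
        return (False, None)
    level = int(m.group(1))
    return (16 <= level <= 99, level)


# Constructed sample request lines: two plain hits, one with doubled slashes
# and mixed case, one percent-encoded, then benign and out-of-range lookalikes.
SAMPLE_REQUESTS = [
    "GET /level/16/exec/show/config HTTP/1.0",
    "GET /LEVEL//99/EXEC/ HTTP/1.0",
    "GET /level/%31%36/exec/show/version HTTP/1.0",
    "GET /level/15/exec/show/version HTTP/1.0",
    "GET /level/160/exec/ HTTP/1.0",
    "GET /index.html HTTP/1.0",
]


def scan(lines):
    """Run the classifier over a batch of request lines.

    Returns a list of (line, matched, level) tuples in input order.
    """
    return [(line,) + is_ios_level_exec(line) for line in lines]


if __name__ == "__main__":
    for line, matched, level in scan(SAMPLE_REQUESTS):
        flag = "ALERT " if matched else "      "
        print(f"{flag} level={level!s:>5}  {line}")
```

Running the script prints three alerts (the two plain hits plus the percent-encoded one) and leaves the level/15, level/160 and index.html lines unflagged; the same sample set is a reasonable smoke test to replay against the Snort rules themselves before deploying them.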