Snort mailing list archives

Re: Cisco HTTP Admin IOS attack signature


From: Dragos Ruiu <dr () kyx net>
Date: Fri, 29 Jun 2001 20:11:16 -0700


Just had another thought... these two rules instead of the ones below
will run slower but false less and bypass another obfuscation....

alert tcp any any ->  $CISCOS 80  (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
  content:"GET"; regex:"level/*1[6-9]"; content:"/exec";  nocase; \
  reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;)

alert tcp any any ->  $CISCOS 80  (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
  content:"GET"; regex:"level/*[2-9][0-9]"; content:"/exec";  nocase; \
  reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;)

cheers,
--dr

On Fri, 29 Jun 2001, Dragos Ruiu wrote:
If you do have any Ciscos and are running snort you ought to
add some signatures like this to avoid any grief...  (and change
the sid when Brian assigns it a new one... ) Also this is done
from theory as I don't have a vulnerable box to poke at right now...
so if someone could test these for me....

(vulnerability info below)
rule file additions:

var CISCOS [IPs of your ciscos with commas and no spaces]

alert tcp any any ->  $CISCOS 80  (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
content:"GET"; content:"level/16/exec";  nocase; \
reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;)

alert tcp any any ->  $CISCOS 80  (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
content:"GET"; content:"level/17/exec"; nocase; \
reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;)

alert tcp any any ->  $CISCOS 80  (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
content:"GET";  content:"level/18/exec"; nocase; \
reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;)

alert tcp any any ->  $CISCOS 80  (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
content:"GET"; content:"level/19/exec"; nocase; \
reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;)

alert tcp any any ->  $CISCOS 80  (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
content:"GET"; content:"level/2"; content:"/exec"; nocase; \
reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;)

alert tcp any any ->  $CISCOS 80  (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
content:"GET"; content:"level/3"; content:"/exec"; nocase; \
reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;)

alert tcp any any ->  $CISCOS 80  (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
content:"GET"; content:"level/4"; content:"/exec"; nocase; \
reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;)

alert tcp any any ->  $CISCOS 80  (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
content:"GET"; content:"level/5"; content:"/exec"; nocase; \
reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;)

alert tcp any any ->  $CISCOS 80  (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
content:"GET"; content:"level/6"; content:"/exec"; nocase; \
reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;)

alert tcp any any ->  $CISCOS 80  (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
content:"GET"; content:"level/7"; content:"/exec"; nocase; \
reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;)

alert tcp any any ->  $CISCOS 80  (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
content:"GET"; content:"level/8"; content:"/exec"; nocase; \
reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;)

alert tcp any any ->  $CISCOS 80  (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
content:"GET"; content:"level/9"; content:"/exec"; nocase; \
reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;)

Some alerts on any ssl access to your Ciscos might also be warranted
if that is also an access method...

(if there is some nonstandard port mapping you may have to change 
the above ports. And turning on the unicode preprocessor might be a 
good idea as I don't know if anyone's analyzed unicode obfuscation
on these.)

The vulnerability... Oh boy, this sounds like a fun one....
In the words of http://www.securityfocus.com/bid/2936

 IOS is router firmware developed and distributed by Cisco Systems. IOS
functions on numerous Cisco devices, including routers and switches.

 It is possible to gain full remote administrative access on devices using
affected releases of IOS. By using a URL of
http://router.address/level/$NUMBER/exec/.... where $NUMBER is an integer
between 16 and 99, it is possible for a remote user to gain full administrative
access.

 This problem makes it possible for a remote user to gain full administrative
privileges, which may lead to further compromise of the network or result in a
denial of service.

--kyx--

cheers,
--dr
-- 
Dragos Ruiu <dr () dursec com>   dursec.com ltd. / kyx.net - we're from the future 
gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc
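The detection idea in the rules above (a GET whose path contains level/NN/exec with NN in the 16..99 window from the BID, matched case-insensitively and tolerant of the extra-slash and encoding obfuscations the post worries about) can be checked on its own against plaintext request lines. The following is an added example written for this archive page, not code from the post or from the Snort project; it assumes the request lines are already reassembled plaintext HTTP (what a Snort rule sees after the stream and URI preprocessing the author recommends), and the sample request lines are constructed for the test, not captured traffic. It also treats the 16..99 window as the only alerting condition, so the normal IOS privilege levels 0..15 do not fire.

```python
import re
from urllib.parse import unquote

# Path pattern after normalisation: "level/<digits>/exec". The digits are
# captured so the 16..99 window named in BID 2936 can be range-checked
# instead of enumerated one rule per level.
LEVEL_EXEC_RE = re.compile(r"level/(\d+)/exec", re.IGNORECASE)

# Constructed sample request lines for the demonstration (not real traffic).
SAMPLE_REQUESTS = [
    "GET /level/16/exec/show/version HTTP/1.0",   # plain form from the advisory
    "GET /level//17/exec/ HTTP/1.0",              # doubled slash, what the regex rules' "/*" tolerates
    "GET /level/%31%36/exec/ HTTP/1.0",           # percent-encoded digits "16"
    "GET /LEVEL/99/EXEC/ HTTP/1.0",               # case variation, covered by nocase
    "GET /level/15/exec/ HTTP/1.0",               # level 15 is a normal IOS level, outside 16..99
    "GET /level/1/exec/ HTTP/1.0",
    "GET /index.html HTTP/1.0",
]


def normalize_path(path):
    """Decode percent-escapes and collapse runs of '/' so that
    'level//17/exec' and 'level/%31%36/exec' compare like the plain form."""
    decoded = unquote(path)
    return re.sub(r"/+", "/", decoded)


def check_request(line):
    """Return the requested privilege level if the request line is a GET for
    level/<16..99>/exec, otherwise None."""
    parts = line.split()
    if len(parts) < 2 or parts[0].upper() != "GET":
        return None
    match = LEVEL_EXEC_RE.search(normalize_path(parts[1]))
    if not match:
        return None
    level = int(match.group(1))
    return level if 16 <= level <= 99 else None


def scan(lines):
    """Run check_request over a list of request lines; return (line, level)
    pairs for every line that would raise the alert."""
    hits = []
    for line in lines:
        level = check_request(line)
        if level is not None:
            hits.append((line, level))
    return hits


if __name__ == "__main__":
    for line, level in scan(SAMPLE_REQUESTS):
        print(f"ALERT EXPLOIT Cisco HTTP admin level={level}: {line}")
```

The normalisation step is the point of the example: the per-level content rules in the post only see the literal bytes, which is why the author suggests the unicode preprocessor and the "/*" regex variants. Collapsing slashes and decoding escapes before the single range check gives the same coverage as both rule sets without a separate rule per level.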

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

