Snort mailing list archives
Re: Cisco HTTP Admin IOS attack signature
From: Dragos Ruiu <dr () kyx net>
Date: Fri, 29 Jun 2001 20:11:16 -0700
Just had another thought... these two rules instead of the below will run slower but false less and bypass another obfuscation....

alert tcp any any -> $CISCOS 80 (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
   content:"GET"; regex:"level/*1[6-9]"; content:"/exec"; nocase; \
   reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;)

alert tcp any any -> $CISCOS 80 (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
   content:"GET"; regex:"level/*[2-9][0-9]"; content:"/exec"; nocase; \
   reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;)

cheers,
--dr

On Fri, 29 Jun 2001, Dragos Ruiu wrote:
If you do have any Ciscos and are running snort you ought to add some signatures like this to avoid any grief... (and change the sid when Brian assigns it a new one... ) Also this is done from theory as I don't have a vulnerable box to poke at right now... so if someone could test these for me.... (vulnerability info below)

rule file additions:

var CISCOS [IPs of your ciscos with commas and no spaces]

alert tcp any any -> $CISCOS 80 (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
   content:"GET"; content:"level/16/exec"; nocase; \
   reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;)

alert tcp any any -> $CISCOS 80 (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
   content:"GET"; content:"level/17/exec"; nocase; \
   reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;)

alert tcp any any -> $CISCOS 80 (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
   content:"GET"; content:"level/18/exec"; nocase; \
   reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;)

alert tcp any any -> $CISCOS 80 (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
   content:"GET"; content:"level/19/exec"; nocase; \
   reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;)

alert tcp any any -> $CISCOS 80 (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
   content:"GET"; content:"level/2"; content:"/exec"; nocase; \
   reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;)

alert tcp any any -> $CISCOS 80 (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
   content:"GET"; content:"level/3"; content:"/exec"; nocase; \
   reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;)

alert tcp any any -> $CISCOS 80 (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
   content:"GET"; content:"level/4"; content:"/exec"; nocase; \
   reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;)

alert tcp any any -> $CISCOS 80 (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
   content:"GET"; content:"level/5"; content:"/exec"; nocase; \
   reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;)

alert tcp any any -> $CISCOS 80 (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
   content:"GET"; content:"level/6"; content:"/exec"; nocase; \
   reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;)

alert tcp any any -> $CISCOS 80 (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
   content:"GET"; content:"level/7"; content:"/exec"; nocase; \
   reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;)

alert tcp any any -> $CISCOS 80 (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
   content:"GET"; content:"level/8"; content:"/exec"; nocase; \
   reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;)

alert tcp any any -> $CISCOS 80 (msg:"EXPLOIT Cisco HTTP admin"; flags: A+; \
   content:"GET"; content:"level/9"; content:"/exec"; nocase; \
   reference:bugtraq,2936; classtype:attempted-admin; sid:1100000; rev:1;)

Some alerts on any ssl access to your Ciscos might also be warranted if that is also an access method... (if there is some nonstandard port mapping you may have to change the above ports. And turning on the unicode preprocessor might be a good idea as I don't know if anyone's analyzed unicode obfuscation on these.)

The vulnerability... Oh boy, this sounds like a fun one.... In the words of http://www.securityfocus.com/bid/2936:

IOS is router firmware developed and distributed by Cisco Systems. IOS functions on numerous Cisco devices, including routers and switches. It is possible to gain full remote administrative access on devices using affected releases of IOS. By using a URL of http://router.address/level/$NUMBER/exec/.... where $NUMBER is an integer between 16 and 99, it is possible for a remote user to gain full administrative access. This problem makes it possible for a remote user to gain full administrative privileges, which may lead to further compromise of the network or result in a denial of service.

--kyx--

cheers,
--dr
--
Dragos Ruiu <dr () dursec com>   dursec.com ltd. / kyx.net - we're from the future
gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
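The post above approximates one check with a dozen content rules: is the request path of the form /level/N/exec with N in the 16-99 range that the Bugtraq entry names? As an added example that is not part of the original post or of any Snort distribution, here is that check written out directly in Python, run over a few constructed request lines. It URL-decodes and lower-cases the path before matching, which is the same concern behind the post's "nocase" and its suggestion to turn on the unicode preprocessor, and it alerts only on levels 16-99, so an ordinary level/15 (enable) request does not fire. The request lines, the function names and the alert format are all assumptions of this example.

```python
"""Added example (not from the original post): normalise an HTTP request line
and flag the out-of-range privilege level pattern from Bugtraq 2936."""
import re
from urllib.parse import unquote

# The IOS HTTP server's valid privilege levels are 0-15; the advisory quoted
# above says levels 16-99 in /level/N/exec bypass authentication.
BYPASS_MIN, BYPASS_MAX = 16, 99
LEVEL_PATTERN = re.compile(r"/level/(\d+)/exec(?:/|$|\?)")


def normalize_path(raw_path: str) -> str:
    """Percent-decode twice (catches double encoding) and lower-case the path,
    so case changes and %xx encoding of the digits do not hide the pattern."""
    path = raw_path
    for _ in range(2):
        path = unquote(path)
    return path.lower()


def classify_request(request_line: str) -> dict:
    """Parse 'METHOD PATH HTTP/x.y' and say whether it matches the bypass pattern."""
    parts = request_line.strip().split()
    if len(parts) < 2:
        return {"match": False, "reason": "not an HTTP request line"}
    method, path = parts[0].upper(), normalize_path(parts[1])
    m = LEVEL_PATTERN.search(path)
    if not m:
        return {"match": False, "reason": "no /level/N/exec in path"}
    level = int(m.group(1))
    if BYPASS_MIN <= level <= BYPASS_MAX:
        return {"match": True, "level": level, "method": method,
                "reason": "privilege level outside 0-15 (bugtraq 2936)"}
    return {"match": False, "level": level,
            "reason": "level not in the 16-99 range named by the advisory"}


# Constructed sample request lines for the demo (not captured traffic).
SAMPLE_REQUESTS = [
    "GET /level/15/exec/show/version HTTP/1.0",   # normal enable-level request
    "GET /level/16/exec/show/version HTTP/1.0",   # lowest bypass level
    "GET /LEVEL/42/EXEC/ HTTP/1.0",               # case variation
    "GET /level/%36%39/exec/ HTTP/1.1",           # digits percent-encoded (69)
    "GET /index.html HTTP/1.0",                   # unrelated request
    "POST /level/99/exec HTTP/1.1",               # highest bypass level, no trailing slash
]


def scan(requests=SAMPLE_REQUESTS) -> list:
    """Return (request_line, level) for every request that matches."""
    hits = []
    for line in requests:
        result = classify_request(line)
        if result["match"]:
            hits.append((line, result["level"]))
    return hits


if __name__ == "__main__":
    for line, level in scan():
        print(f"ALERT level={level:2d}  {line}")
```

Running the block prints one alert each for the 16, 42, 69 and 99 requests and nothing for the level/15 or index.html lines. Decoding before matching is what a content-only rule cannot do on its own, which is why the post points at the unicode preprocessor; whatever normalisation the sensor applies, the range check itself is the part worth keeping tight so that legitimate level/0 to level/15 administration does not raise alerts.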