File: 1338.txt

package info (click to toggle)
snort 2.7.0-20.4
  • links: PTS
  • area: main
  • in suites: lenny
  • size: 34,512 kB
  • ctags: 18,772
  • sloc: ansic: 115,404; sh: 10,893; makefile: 1,372; perl: 487; sql: 213
file content (63 lines) | stat: -rw-r--r-- 1,351 bytes parent folder | download | duplicates (6)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
Rule:

--
Sid:
1338

--
Summary:
Attempted chown command access via web

--
Impact:
Attempt to change file ownership permissions on a webserver.

--
Detailed Information:
This is an attempt to change file ownership permissions on a machine.
Using thiscommand an attacker may change the permissions of a file to
suit his ownneeds, make a file owned by another user who would
otherwise not havethese special permissions.

--
Attack Scenarios:
The attacker can make a standard HTTP request that contains '/bin/chown'
in the URI whichcan then change file permissions of files present on
the host.Thiscommand may also be requested on a command line should
the attacker gainaccess to the machine.

--
Ease of Attack:
Simple HTTP request.

--
False Positives:
None Known

--
False Negatives:
None Known

--
Corrective Action:

Webservers should not be allowed to view or execute files and binaries
outside of it'sdesignated web root or cgi-bin.Whenever possible,
sensitive files andcertain areas of the filesystem should have the
system immutable flagset to negate the use of the chown command. On
BSD derived systems,setting the systems runtime securelevel also
prevents the securelevelfrom being changed. (note: the securelevel can
only beincreased)

--
Contributors:
Sourcefire Research Team

-- 
Additional References:
sid: 1336
sid: 1337

man chown

--