File: 1372.txt

package info (click to toggle)
snort 2.7.0-20.4
  • links: PTS
  • area: main
  • in suites: lenny
  • size: 34,512 kB
  • ctags: 18,772
  • sloc: ansic: 115,404; sh: 10,893; makefile: 1,372; perl: 487; sql: 213
file content (69 lines) | stat: -rw-r--r-- 1,672 bytes parent folder | download | duplicates (6)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
Rule:  

Sid:
1372

--
Summary:
This event is generated when an attempt is made to retrieve a protected
system file on a host via a web request.

--
Impact:
Information Gathering.

--
Detailed Information:
The shadow file usually found in the /etc/ directory on UNIX based
systems, contains login information for users of a host.

In this case, the rule will generate an event due to the attempted
transfer of a shadow file. This file is generally used on muli-user
systems to provide greater security for user passwords. This file should
only be readable by the super user. If an attacker was successful in
retrieving this file, they could then obtain valid login information for 
the system by using widely available password cracking tools on the file.

The file may also be used to garner information that may be used in
brute force password guessing attacks against the host.

--
Affected Systems:
	All UNIX based systems running a Web Server.
 
--
Attack Scenarios:
The attacker can make a standard HTTP request that contains 
'/etc/shadow'in the URI.

--
Ease of Attack:
Simple HTTP request.

--
False Positives:
None Known

--
False Negatives:
None Known

--
Corrective Action:

Webservers should not be allowed to view or execute files and binaries 
outside of it's designated web root or cgi-bin. This file may also be 
requested on a command line should the attacker gain access to the 
machine. Making the file read only by the superuser on the system will 
disallow viewing of the file by other users.

--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

-- 
Additional References:

--