File: 1661.txt

package info (click to toggle)
snort 2.7.0-20.4
  • links: PTS
  • area: main
  • in suites: lenny
  • size: 34,512 kB
  • ctags: 18,772
  • sloc: ansic: 115,404; sh: 10,893; makefile: 1,372; perl: 487; sql: 213
file content (55 lines) | stat: -rw-r--r-- 1,132 bytes parent folder | download | duplicates (6)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
Rule:

--
Sid:
1661

--
Summary:
This event is generated when an attempt is made to access the cmd32.exe file.

--
Impact:
Remote access. This attack may permit the execution of arbitrary commands on the vulnerable server. 

--
Detailed Information:
The cmd32.exe file allows execution of commands on Windows hosts.  This file is only accessible if maliciously placed in the web server's root directory or an attacker performs unauthorized directory traversal.  This may permit the attacker to execute arbitrary commands on the vulnerable server.

--
Affected Systems:
???

--
Attack Scenarios:
An attacker can attempt to access the cmd32.exe file to execute arbitrary commands on the vulernable server. 

--
Ease of Attack:
Simple.

--
False Positives:
None Known.

--
False Negatives:
None Known.

--
Corrective Action:
Make sure that the cmd32.exe is not in the webroot directory.

Make sure that all appropriate patches have been applied.

--
Contributors:
Original rule writer unknown
Modified by Brian Caswell <bmc@sourcefire.com>
Sourcefire Research Team
Judy Novak <judy.novak@sourcefire.com>

--
Additional References:

--