File: 1122.txt

snort 2.9.15.1-5
Rule:

Sid:
--
1122

Summary:
--
This event is generated when an attempt is made to retrieve a protected
system file on a host via a web request.

--
Impact:
Information Gathering.

--
Detailed Information:
The passwd file, usually found in the /etc/ directory on UNIX-based
systems, contains login information for users of a host. If shadow
password files are not being used, an attacker could obtain valid login
information for the system by using widely available password cracking
tools on the file.

The file may also be used to garner information that may be used in
brute force password guessing attacks against the host.

--
Affected Systems:
	All UNIX based systems running a Web Server.
 
--
Attack Scenarios:
The attacker can make a standard HTTP request that contains
'/etc/passwd' in the URI.
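
For triage of this event from web server logs, the following added example
(not part of the Snort documentation) flags requests whose URI contains
'/etc/passwd' and uses the response status to separate attempts from
possible disclosures. It assumes Combined Log Format; the function names
are hypothetical, and it goes beyond a literal match by percent-decoding
the URI first, because access logs record it raw.

```python
import re
from urllib.parse import unquote

# Combined Log Format: host ident user [time] "METHOD URI PROTO" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
TARGET = "/etc/passwd"


def normalize_uri(uri, max_rounds=3):
    """Percent-decode repeatedly (covers double encoding), then fold case and slashes."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    uri = uri.replace("\\", "/").lower()
    uri = re.sub(r"/(\./)+", "/", uri)   # drop "./" segments
    return re.sub(r"/{2,}", "/", uri)    # collapse repeated slashes


def scan(lines):
    """Return (client, raw_uri, status, verdict) for each request naming /etc/passwd."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Combined Log Format request line
        client, _method, raw_uri, status = m.groups()
        if TARGET in normalize_uri(raw_uri):
            # A 2xx answer means the server returned something: inspect the response.
            verdict = "check response body" if status.startswith("2") else "attempt only"
            hits.append((client, raw_uri, int(status), verdict))
    return hits


# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl"',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /etc/passwd HTTP/1.1" 404 210 "-" "-"',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /etc%2Fpasswd HTTP/1.1" 200 1843 "-" "-"',
    '203.0.113.5 - - [01/Jan/2024:10:01:00 +0000] "GET /docs/etc/password-policy.html HTTP/1.1" 200 900 "-" "-"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```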

--
Ease of Attack:
Simple HTTP request.

--
False Positives:
None Known

--
False Negatives:
None Known

--
Corrective Action:

Web servers should not be allowed to view or execute files and binaries
outside of their designated web root or cgi-bin. This file may also be
requested on a command line should the attacker gain access to the
machine. Making the file readable only by the superuser on the system
will disallow viewing of the file by other users.

--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

-- 
Additional References:

--