File: 1362.txt

package: snort 2.9.2.2-3
Rule: 

--
Sid: 1362

-- 
Summary:
A web command execution attack involving the use of an "xterm" command

-- 
Impact: 
Possible intelligence gathering activity or an attempt to gain elevated privileges on the server by using xterm to open another connection.

-- 
Detailed Information: 
The attacker may have gained the ability to execute system commands remotely or the web server may be incorrectly configured to allow such access.

This rule generates an event when an "xterm" command is used over a plain-text (unencrypted) connection on one of the specified web ports to the target web server. The "xterm" command may be used to establish an interactive shell session to the machine.

The rule looks for the "xterm" command in client-to-web-server network traffic and does not indicate whether the command was actually successful. The presence of the "xterm" command in the URI indicates that an attacker attempted to trick the web server into executing system commands in non-interactive mode, i.e. without a valid shell session.

Alternatively, this rule may generate an event on an unencrypted HTTP tunneling connection to the server, or on a shell connection obtained via another exploit against the web server.

-- 
Attack Scenarios: 
An attacker uses an "xterm" command to open an interactive session, then uses that session to move a rootkit to the system.

--
Ease of Attack: 
Simple. No exploit software required.

-- 
False Positives: 
Any string containing '/usr/X11R6/bin/xterm' in the URL will trigger the alarm.
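The Detailed Information and False Positives sections together describe what the rule actually checks: plain-text client-to-server traffic on a web port whose URI contains the xterm path, with no knowledge of whether the command ran. The following is an added example, not the rule text or any code from the Snort project, that mirrors those stated conditions over constructed HTTP requests and shows the false-positive case. The web-port set, the percent-decoding of the URI before matching, and all sample requests are assumptions of this example.

```python
"""Added example (not part of the Snort rule documentation): a minimal
stand-in for the conditions SID 1362 is documented to check, run over
constructed HTTP request lines."""
from typing import Optional
from urllib.parse import unquote

# Assumption: a stand-in for Snort's $HTTP_PORTS variable.
WEB_PORTS = {80, 8080}
# The string the False Positives section names as the trigger.
XTERM_PATH = "/usr/X11R6/bin/xterm"


def request_uri(raw_request: bytes) -> Optional[str]:
    """Return the request-target of an HTTP request line, or None when the
    bytes do not look like an HTTP request (method SP target SP version)."""
    first_line = raw_request.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[1].decode("latin-1")


def matches_sid_1362(raw_request: bytes, dst_port: int, encrypted: bool = False) -> bool:
    """Mirror the documented conditions: client-to-server traffic, plain text,
    to a web port, with the xterm path anywhere in the URI.
    Assumption: the URI is percent-decoded before matching, as an HTTP
    preprocessor would normalise it; the rule doc itself does not say so."""
    if encrypted or dst_port not in WEB_PORTS:
        return False
    uri = request_uri(raw_request)
    if uri is None:
        return False
    return XTERM_PATH in unquote(uri)


# Constructed sample traffic (request bytes, destination port, encrypted flag);
# not captured data.
SAMPLES = {
    "cgi_query":   (b"GET /cgi-bin/script.cgi?cmd=/usr/X11R6/bin/xterm HTTP/1.0\r\nHost: www\r\n\r\n", 80, False),
    # The documented false positive: a benign page whose URL merely contains the string.
    "doc_page_fp": (b"GET /docs/unix.html?topic=/usr/X11R6/bin/xterm HTTP/1.1\r\nHost: www\r\n\r\n", 80, False),
    # Percent-encoded form; caught only because the detector decodes first.
    "encoded":     (b"GET /cgi-bin/script.cgi?cmd=%2Fusr%2FX11R6%2Fbin%2Fxterm HTTP/1.1\r\n\r\n", 8080, False),
    # Same request over an encrypted connection: outside the rule's scope.
    "tls_port":    (b"GET /cgi-bin/script.cgi?cmd=/usr/X11R6/bin/xterm HTTP/1.0\r\n\r\n", 443, True),
    "benign":      (b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n", 80, False),
    "not_http":    (b"SSH-2.0-OpenSSH\r\n", 80, False),
}


def scan(samples=SAMPLES) -> dict:
    """Run the check over every sample; True means the rule would alert.
    An alert says nothing about whether the command actually executed."""
    return {name: matches_sid_1362(req, port, enc) for name, (req, port, enc) in samples.items()}


if __name__ == "__main__":
    for name, hit in scan().items():
        print(f"{name:12s} {'ALERT' if hit else '-'}")
```

The "doc_page_fp" sample is the case the False Positives section warns about: the rule is a substring match on the URI, so the alert alone is not evidence of compromise and the server logs need to be checked, as the Corrective Action section advises.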

--
False Negatives: 
none known

-- 
Corrective Action: 
Check the web server software for vulnerabilities and apply available upgrades or patches to bring the system to the latest version of the web software. Also investigate the server logs for signs of compromise.

Web servers should not be allowed to view or execute files and binaries outside of their designated web root or cgi-bin. Disallowing execution of this binary via a URI is suggested.

--
Contributors: 
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>
Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>

-- 
Additional References:

--