Home page logo
/

snort logo Snort mailing list archives

Re: Metasploit - CVE-2012-1823 - Snort Sleeping
From: Alex McDonnell <amcdonnell () sourcefire com>
Date: Fri, 26 Apr 2013 17:03:05 -0400

Alerts for me, please attach your configuration as Nathan asked.

Alex McDonnell
VRT


On Fri, Apr 26, 2013 at 4:56 PM, MA Bel <mab_generic () outlook com> wrote:



To: snort-sigs () lists sourceforge net
Date: Fri, 26 Apr 2013 14:49:45 -0600
From: jlay () slave-tothe-box net
Subject: Re: [Snort-sigs] Metasploit - CVE-2012-1823 - Snort Sleeping


On 2013-04-26 14:43, MA Bel wrote:
Hi,

I found a working exploit (reverse shell) where Snort’s signature
fail to trigger an alert.

In a lab I have 3 physical hosts: one Snort, one with BackTrack, and
one Ubuntu running Metasploitable in VirtualBox. I use Metasploit to
attack the Metasploitable VM, Snort is in passive (non-inline) mode.

I came across CVE-2012-1823 (PHP CGI Argument Injection) which
corresponds to three potential snort signatures: 22097, 22063, 22064.
Metasploit has a nice exploit that will give you a reverse shell. It
works.



http://www.metasploit.com/modules/exploit/multi/http/php_cgi_arg_injection
[1]

SID 22063’s rule attempts to catch the string
“auto_prepend_file” When the Metasploint exploit is launched,
WireShark confirms that the string is indeed sent. I get a reverse
shell. I can list directories, move into them, delete stuff, etc, yet
Snort does not generate an alert. Yes, rules are up to date,
activated, etc. The basics are covered.

I decided to strip off all extra parameters and create a very basic
rule: “content: auto_prepend_file”. No luck catching the exploit.
I used Scapy to send the “auto_prepend_file” string. Snort woke
up. I used Scapy to send the whole string sent by Metasploit (I did a
copy & paste of what I found in Wireshark). That works, Snort wakes
up.

I don’t understand why an http string sent by Scapy generates an
alert whereas the same string sent by Metasploit keeps Snort silent.
I
am not event using evasion techniques.

How do I get Snort to catch the exploit? I am worried other rules
won't fire when they should.

Thanks in advance.

Links:
------
[1]


http://www.metasploit.com/modules/exploit/multi/http/php_cgi_arg_injection

Got a pcap?

James


------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring
service
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt!
http://p.sf.net/sfu/newrelic_d2d_apr
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!


------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_apr
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service 
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_apr
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]