Snort mailing list archives

Metasploit - CVE-2012-1823 - Snort Sleeping

From: MA Bel <mab_generic () outlook com>
Date: Fri, 26 Apr 2013 20:43:28 +0000

Hi,

I found a working exploit (reverse shell) where Snort’s
signature fail to trigger an alert.

In a lab I have 3 physical hosts: one Snort, one with BackTrack, and one Ubuntu running
Metasploitable in VirtualBox. I use Metasploit to attack the Metasploitable VM,
Snort is in passive (non-inline) mode.

I came across CVE-2012-1823 (PHP CGI Argument Injection)
which corresponds to three potential snort signatures: 22097, 22063, 22064.
Metasploit has a nice exploit that will give you a reverse shell. It works.

http://www.metasploit.com/modules/exploit/multi/http/php_cgi_arg_injection

SID 22063’s rule attempts to catch the string “auto_prepend_file”
When the Metasploint exploit is launched, WireShark confirms that the string is
indeed sent. I get a reverse shell. I can list directories, move into them,
delete stuff, etc, yet Snort does not generate an alert. Yes, rules are up to
date, activated, etc. The basics are covered.

I decided to strip off all extra parameters and create a
very basic rule: “content: auto_prepend_file”.
No luck catching the exploit. I used Scapy to send the “auto_prepend_file” string. Snort
woke up. I used Scapy to send the whole string sent by Metasploit (I did a copy
& paste of what I found in Wireshark). That works, Snort wakes up.

I don’t understand why an http string sent by Scapy
generates an alert whereas the same string sent by Metasploit keeps Snort silent.
I am not event using evasion techniques.

How do I get Snort to catch the exploit? I am worried other rules won't fire when they should.

Thanks in advance.

------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service 
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_apr

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

Current thread:

Metasploit - CVE-2012-1823 - Snort Sleeping MA Bel (Apr 26)
- Re: Metasploit - CVE-2012-1823 - Snort Sleeping lists () packetmail net (Apr 26)
- Re: Metasploit - CVE-2012-1823 - Snort Sleeping James Lay (Apr 26)
  - Re: Metasploit - CVE-2012-1823 - Snort Sleeping MA Bel (Apr 26)
    - Re: Metasploit - CVE-2012-1823 - Snort Sleeping lists () packetmail net (Apr 26)
    - Re: Metasploit - CVE-2012-1823 - Snort Sleeping Alex McDonnell (Apr 26)
    - Re: Metasploit - CVE-2012-1823 - Snort Sleeping James Lay (Apr 26)
    - [SPAM] Re: Metasploit - CVE-2012-1823 - Snort Sleeping rmkml (Apr 26)
- <Possible follow-ups>
- Re: Metasploit - CVE-2012-1823 - Snort Sleeping James Lay (Apr 26)
  - Message not available
    - FW: Metasploit - CVE-2012-1823 - Snort Sleeping MA Bel (Apr 29)