Rule Submit: Centrality IP Phone (PA-168 Chipset) Session Hijacking
msg#00151 security.ids.snort.bleedingsnort
This rule detects when an attempt is made to hijack a session using specific IP Phones. After initially authenticating with the device, there is no authentication token passed back and forth, therefore any well-formed request will be performed by the server. An example session includes:

    POST /g HTTP/1.1
    Host: 192.168.1.100
    Content-Length: 13

    back=++Back++

    HTTP/1.1 200 OK
    Content-Length: 16727
    Content-Type: text/html
    Connection: close

    <TITLE>IP Phone V1.54</TITLE>
    [output omitted]
    <INPUT name=sipproxy value="sip.test.com">
    <INPUT name=domain value="sip.test.com">
    <INPUT name=account value="myaccount" size=24 maxlength=32>
    <INPUT name=pin type=password value="1234">
    <INPUT name=superpassword type=password value="12345678">
    <INPUT name=password type=password value="1234">
    [output omitted]

The signature requires the URI to be /g followed by # (anchors), ? (GET parameters), or $ (end of URI) so that longer URIs do not create false alerts.

    alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE EXPLOIT Centrality IP Phone (PA-168 Chipset) Session Hijacking"; flow:established,to_server; content:"POST "; nocase; depth:5; uricontent:"/g"; nocase; content:"back=++Back++"; nocase; pcre:"/^\/g($|[?#])/Ui"; reference:url,www.milw0rm.com/exploits/3189; classtype:attempted-user; sid:2003328; rev:1; )

Thanks Shirkdog for pointing out this issue and helping put this signature together.

Committed with sid:2003328

-Blake

--
This email and any files transmitted with it are solely intended for the use of the addressee(s) and may contain information that is confidential and privileged. If you receive this email in error, please advise us by return email immediately. Please also disregard the contents of the email, delete it and destroy any copies immediately. Demarc Security, Inc. does not accept liability for the views expressed in the email or for the consequences of any computer viruses that may be transmitted with this email. This email is also subject to copyright. No part of it should be reproduced, adapted or transmitted without the written consent of the copyright owner.
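The following is an added example, not part of the post above and not code from the Bleeding Edge rule set or from Demarc. It re-implements the payload checks of the submitted rule (the `POST ` depth check, the `uricontent:"/g"` substring, the `back=++Back++` content match and the anchored `^\/g($|[?#])` PCRE) in plain Python and runs them over a handful of constructed HTTP requests, so the false-positive argument in the post can be seen directly: a POST to `/gallery/upload` carrying the same form field passes the substring checks but is rejected by the anchored URI pattern. It is an approximation of how Snort evaluates the rule, not Snort itself (no URI normalization, no stream reassembly), and all sample requests are constructed for the example.

```python
import re

# Constructed sample HTTP requests (not captures from the post), as raw
# payloads the rule would see on the wire.
SAMPLE_REQUESTS = {
    # The exchange shown in the post: POST to /g carrying back=++Back++.
    "hijack_plain": (
        b"POST /g HTTP/1.1\r\n"
        b"Host: 192.168.1.100\r\n"
        b"Content-Length: 13\r\n\r\n"
        b"back=++Back++"
    ),
    # Same request with a query string: the pcre allows /g followed by '?'.
    "hijack_query": (
        b"POST /g?lang=en HTTP/1.1\r\n"
        b"Host: 192.168.1.100\r\n"
        b"Content-Length: 13\r\n\r\n"
        b"back=++Back++"
    ),
    # Longer URI that merely starts with /g: uricontent:"/g" alone would
    # fire; the anchored pcre keeps it quiet.
    "longer_uri": (
        b"POST /gallery/upload HTTP/1.1\r\n"
        b"Host: 192.168.1.100\r\n"
        b"Content-Length: 13\r\n\r\n"
        b"back=++Back++"
    ),
    # Right URI but not a POST: content:"POST " with depth:5 fails.
    "get_request": (
        b"GET /g HTTP/1.1\r\n"
        b"Host: 192.168.1.100\r\n\r\n"
    ),
    # POST to /g without the form field the rule keys on.
    "post_without_back": (
        b"POST /g HTTP/1.1\r\n"
        b"Host: 192.168.1.100\r\n"
        b"Content-Length: 7\r\n\r\n"
        b"foo=bar"
    ),
}

# Python equivalent of pcre:"/^\/g($|[?#])/Ui": anchored at the start of
# the URI, case-insensitive.
URI_PATTERN = re.compile(r"^/g($|[?#])", re.IGNORECASE)


def request_target(payload: bytes) -> str:
    """Return the request-target from the first line of an HTTP request."""
    first_line = payload.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = first_line.split(" ")
    return parts[1] if len(parts) >= 2 else ""


def matches_rule(payload: bytes) -> bool:
    """Apply the rule's payload checks in the order the rule lists them."""
    # content:"POST "; nocase; depth:5 -> only the first five bytes.
    if payload[:5].upper() != b"POST ":
        return False
    target = request_target(payload)
    # uricontent:"/g"; nocase -> cheap substring check on the URI.
    if "/g" not in target.lower():
        return False
    # content:"back=++Back++"; nocase -> anywhere in the payload; Snort
    # content matches are not limited to the body unless a modifier says so.
    if b"back=++back++" not in payload.lower():
        return False
    # pcre with the U modifier -> anchored match against the URI only.
    return URI_PATTERN.match(target) is not None


def evaluate_samples() -> dict:
    """Run every constructed sample through the rule logic."""
    return {name: matches_rule(raw) for name, raw in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:20s} {'ALERT' if hit else 'no alert'}")
```

Only `hijack_plain` and `hijack_query` alert; `longer_uri` is the case the post's `$|[?#]` alternation exists for, and `get_request` and `post_without_back` show the two cheaper content checks doing their job before the PCRE ever runs.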