989.txt

来自「This is the snapshot of Snot Latest Rule」· 文本 代码 · 共 57 行

Rule:

--
Sid:
989

--
Summary:
This event is generated when an attempt is made to access the sensepost.exe file. 

--
Impact:
Remote access. This attack may permit the execution of arbitrary commands on the vulnerable server. 

--
Detailed Information:
A vulnerability associated Microsoft Internet Information Services (IIS) servers allows an attacker to escape the web root directory (inetpub) permitting navigation to unauthorized directories.  This vulnerability is exploitable by encoding characters in unicode because unauthorized directory traversal is not examined after the unicode decoding.  A widely available script exploits this vulnerability and copies the \winnt\system32\cmd.exe file to \inetpub\scripts\sensepost.exe, essentially allowing an attacker to execute arbitrary commands on the vulnerable host even after the patch has been applied. 

--
Affected Systems:
Microsoft IIS 4.0, 5.0 

--
Attack Scenarios:
An attacker can attempt to access the sensepost.exe file to execute arbitrary commands on the exploited server. 

--
Ease of Attack:
Simple.

--
False Positives:
None Known.

--
False Negatives:
None Known.

--
Corrective Action:
Apply the patch referenced in the Microsoft link.

--
Contributors:
Original rule writer unknown
Modified by Brian Caswell <bmc@sourcefire.com>
Sourcefire Vulnerability Research Team
Judy Novak <judy.novak@sourcefire.com>

--
Additional References:

Microsoft
http://www.microsoft.com/technet/security/bulletin/ms00-078.asp

--