2063.txt

snort入侵检测规则文件2.4 Snort是众所周知的网络入侵检测工具

Rule:

--
Sid:
2063

--
Summary:
This event is generated when an attempt is made to exploit a known 
vulnerability in Demarc PureSecure.

--
Impact:
Administrative control of the Demarc PureSecure IDS, Information 
disclosure

--
Detailed Information:
Demarc PureSecure is a Snort based Intrusion Detection System. A 
vulnerability exists where an attacker can bypass login authorization 
using SQL injection.

Versions of Demarc PureSecure up to 1.6 suffer from poor authentication 
methods, where input in the form of specially constructed SQL queries 
can allow an attacker to gain administrative access to the IDS.

--
Affected Systems:
Demarc PureSecure prior to version 1.6

--
Attack Scenarios:
The attacker needs to send specially constructed SQL queries directly to
the Demarc login page.

For example, the attacker might send his own variables for the session 
id or session key in a query s_key=' OR current_session_id LIKE '%' the 
attacker would of course, need to convert spaces to their encoded 
equivalents and escape special characters.

--
Ease of Attack:
Simple

--
False Positives:
None Known

--
False Negatives:
None Known

--
Corrective Action:
Upgrade to the latest non-affected version of the software.

--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

Bugtraq
http://www.securityfocus.com/bid/4520

CVE
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0539

--