Rule Document 1:56778

Report a false positive

Rule Category

SERVER-WEBAPP -- Snort has detected traffic exploiting vulnerabilities in web based applications on servers.

Alert Message

SERVER-WEBAPP ARRIS VAP2500 list_mac_address cmb_macaddrfilter command injection attempt

Rule Explanation

This rule will trigger if - POST request is destined to vulnerable URI `/list_mac_address.php"` - POST body contains vulnerable parameter `cmb_macaddrfilter` and shell meta-characters are present in its value.

What To Look For

These rules detects an exploit for Command Injection Remote Code Execution vulnerability present in ARRIS VAP2500 default public facing web server. This vulnerability can allow an un-authenticated user to execute code with root privileges.

Known Usage

No public information

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group

Rule Groups

No rule groups

CVE

None

Additional Links

www.zerodayinitiative.com/advisories/ZDI-16-694/

Rule Vulnerability

No information provided

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.

None

MITRE ATT&CK Framework

Tactic: Initial Access

Technique: Exploit Public-Facing Application

For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org