Enthusiast

XML-RPC PHP Command Execution

The following captured packet is said to have caused the signature called "XML-RPC PHP Command Execution" (SIGID: 3254 SubSig: 0) to trigger:

..~...........E..$..@.=....C....'O....QxE..+.UP....j....<?xml version="1.0"?>..<methodCall>..<methodName>test.method..</methodName>..<params>..<param>..<value><name>','')); echo ..'______BEGIN______'; ..passthru('id'); ..echo ..'_____FIM_____';..exit;/*</name></value>..</param>..</params>..</methodCall>....{.

The signature looks for 2 criteria before sending the alert to the console.

HeaderRegex:

[Cc][Oo][Nn][Tt][Ee][Nn][Tt][-][Tt][Yy][Pp][Ee][:]\x20?([Aa][Pp][Pp][Ll][Ii][Cc][Aa][Tt][Ii][Oo][Nn]|[Tt][Ee][Xx][Tt])[/\\][Xx][Mm][Ll]

RequestRegex:

[^\x5c]['][);\x0a\x0d\x20]+([Ee][Cc][Hh][Oo]|[Ss][Yy][Ss][Tt][Ee][Mm])

I am looking for the part in the triggered packet that has caused the event to trigger.

Could someone from the list please point out which part in the triggered packet caused the event?

2 Replies
Enthusiast

Re: XML-RPC PHP Command Execution

This signature triggers often when the header contains the following:

"tent-Type: application/xml..Content-Length: 250..Via: 1.1 annaka"

but the regular expression looks for more beyond the word "application". Can you confirm that there are no false positives from this signature?

Thanks in advance.

Cisco Employee

Re: XML-RPC PHP Command Execution

Hi Darin,

This signature is indeed firing because the following part is included in the XML file being posted:

','')); echo ..'______BEGIN______';

I'm not too sure if this is legitimate or not in your case, but that definitely looks like a code injection!

It is indeed pretty similar to the exploits related to this vulnerability:

http://www.securityfocus.com/bid/14088/exploit

JF
