""ET WEB_SPECIFIC_APPS Openmediavault Crontab Manipulation Remote Code Execution/Privilege Escalation (CVE-2013-3652)""

SID: 2054658

Revision: 1

Class Type: trojan-activity

Metadata: affected_product Web_Server_Applications, attack_target Server, tls_state TLSDecrypt, created_at 2024_07_24, cve CVE_2013_3652, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_07_24

Reference:

Protocol: tcp

Source Network: any

Source Port: any

Destination Network: $HOME_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

  • Value: "POST"

  • Value: "/rpc.php"

  • Value: "|7b 22|service|22 3a 20 22|Cron|22 2c 20 22|method|22 3a 20 22|set|22 2c 20 22|params|22 3a 20 7b 22|" Depth: 49

  • Value: "|22|username|22 3a 20 22|root|22|"

  • Value: "|22|command|22 3a 20 22|"

Within:

PCRE:

Special Options:

  • http_method

  • http_uri

  • http_client_body

  • fast_pattern

  • http_client_body

  • http_client_body

source