passwd file accessed (HTTP_Unix_Passwords)

About this signature or vulnerability

RealSecure Server Sensor, IBM Security Host Protection for Servers (Windows), Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IPS, Proventia Network IDS, IBM Security Host Protection for Servers (Unix), IBM Security Host Protection for Desktops, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware:

This signature detects attempts to access the /etc/passwd file on UNIX systems via a Web (HTTP) server.

This event triggers when an HTTP GET request contains '*/etc/passwd', '*/etc/shadow', '*/etc/master.passwd', '*/etc/security/passwd' or '*/etc/security/shadow'.

This signature detects an HTTP GET request for a 'passwd' or 'shadow' password file.


False positives

RealSecure Server Sensor, IBM Security Host Protection for Servers (Windows), Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IPS, Proventia Network IDS, IBM Security Host Protection for Servers (Unix), IBM Security Host Protection for Desktops, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware: A Web site with a legitimate URL containing '/etc/passwd' could cause a false positive. Examine the URL reported in the event. This event triggers on what appears to be a request for the password or shadow file; the request itself may or may not have been successful, and an unsuccessful request does not by itself indicate a false positive.
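The trigger condition above, and the false-positive case it warns about, as an added illustration that is not part of the original signature page or IBM's own detection code. It matches an HTTP request line against the five password-file paths the signature names, after percent-decoding the target (the decoding loop is an assumption added here, not a documented property of the sensor), and the sample request lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# The password-file paths named in the signature description.
PASSWORD_FILE_PATHS = (
    "/etc/passwd",
    "/etc/shadow",
    "/etc/master.passwd",
    "/etc/security/passwd",
    "/etc/security/shadow",
)

# HTTP/1.x request line: METHOD SP request-target SP HTTP-version
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/\d\.\d$")


def decode_target(target: str) -> str:
    """Percent-decode until stable (assumption: handles double-encoded targets
    such as %252Fetc%252Fpasswd, which a single unquote() would miss)."""
    previous = None
    while previous != target:
        previous, target = target, unquote(target)
    return target


def match_passwd_request(request_line: str):
    """Return the password-file path referenced by a GET request, or None.

    Only the method and the decoded target are inspected, exactly as the
    signature text describes; whether the server actually served the file
    cannot be known from the request alone."""
    m = REQUEST_LINE.match(request_line.strip())
    if not m or m.group("method") != "GET":
        return None
    target = decode_target(m.group("target"))
    for path in PASSWORD_FILE_PATHS:
        if path in target:
            return path
    return None


# Constructed sample request lines (not from a real capture).
SAMPLE_REQUESTS = [
    "GET /cgi-bin/view.cgi?file=../../../../etc/passwd HTTP/1.0",
    "GET /docs/%2e%2e/%2e%2e/etc%2Fshadow HTTP/1.1",
    "GET /manuals/unix/etc/passwd-format.html HTTP/1.1",  # legitimate URL: false positive
    "GET /index.html HTTP/1.1",
    "POST /cgi-bin/view.cgi HTTP/1.1",  # not a GET: signature does not fire
]


def scan(requests):
    """Return (request_line, matched_path) for every request that triggers."""
    return [(line, p) for line in requests if (p := match_passwd_request(line))]
```

The third sample shows why the page tells the analyst to examine the reported URL: a documentation path containing '/etc/passwd' fires the signature just as a traversal attempt does.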

Default risk level

High

Sensors that have this signature

RealSecure Server Sensor: 5.5, RealSecure Server Sensor: 7.0, IBM Security Host Protection for Servers (Windows): 2.1.14.2400, IBM Security Host Protection for Servers (Windows): 1.0.914.0, Proventia Network MFS: 1.0, Proventia-G 1.1 and earlier: G Series, Proventia Network IPS: 2.0, Proventia Network IDS: A Series, IBM Security Host Protection for Servers (Unix): 2.2.2, IBM Security Host Protection for Desktops: 8.0.614.1, Proventia Server IPS for Linux technology: 1.0, Virtual Server Protection for Vmware: 1.0

Systems affected

IBM AIX, Wind River BSDOS, HP HP-UX, SGI IRIX, Linux Kernel, Sun Solaris, Data General DG/UX, SCO SCO Unix, Compaq Tru64, Digital OSF/1

Type

Unauthorized Access Attempt

Vulnerability description

The /etc/passwd file on Unix systems contains password information. An attacker who has obtained the /etc/passwd file may attempt a brute-force attack against all passwords on the system.

An attacker may attempt to gain access to the /etc/passwd file through HTTP, FTP, or SMB. Typically this is done through one of the CGI scripts installed on the server, so this event may be seen in conjunction with other events of that type.

How to remove this vulnerability

Examine the URL accessed and evaluate if the access attempt could have been successful. If so, consider the system compromised and all passwords exposed. Although this event is not the result of a specific vulnerability, you should take steps to ensure that HTTP, FTP, and SMB file shares do not contain vulnerabilities that could allow remote access to the /etc/passwd file.
