Rule History

SID: 2054658 • Source: et/open

Versions (2)

Version DetailsCurrent

Rev: 1 • Jul 24, 2024, 12:00 PM

Message:

ET WEB_SPECIFIC_APPS Openmediavault Crontab Manipulation Remote Code Execution/Privilege Escalation (CVE-2013-3652)

Rule:

alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Openmediavault Crontab Manipulation Remote Code Execution/Privilege Escalation (CVE-2013-3652)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/rpc.php"; http.request_body; content:"|7b 22|service|22 3a 20 22|Cron|22 2c 20 22|method|22 3a 20 22|set|22 2c 20 22|params|22 3a 20 7b 22|"; startswith; fast_pattern; content:"|22|username|22 3a 20 22|root|22|"; content:"|22|command|22 3a 20 22|"; reference:cve,2013-3652; reference:url,attackerkb.com/topics/zl1kmXbAce/cve-2013-3632; classtype:trojan-activity; sid:2054658; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, tls_state TLSDecrypt, created_at 2024_07_24, cve CVE_2013_3652, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_07_24;)

Created:

Jul 24, 2024, 12:00 PM

Updated:

Jul 24, 2024, 12:00 PM

DB Created:

Jul 24, 2024, 9:02 PM

DB Updated:

Aug 11, 2025, 10:35 PM

Filename:

rules/emerging-web_specific_apps.rules