Rule: -- Sid: 1748 -- Summary: This event is generated when an attempt is made to send an overly long FTP command, possibly with the intent to cause of denial of service or buffer overflow in the 3CDaemon FTP server. -- Impact: Attempted remote access or denial of service. Successful execution of this attack can cause a denial of service or buffer overflow, allowing the execution of arbitrary commands on the vulnerable FTP server. -- Detailed Information: 3CDaemon is an FTP server for Windows hosts. A buffer overflow vulnerability exists in 3CDaemon revision 10. The exploit is caused by sending an FTP command that is 400 bytes or longer, causing the server to crash or permitting a buffer overflow that may allow the execution of arbitrary commands with the privileges of the process running the FTP server. This attack does not require login access to the FTP server. -- Affected Systems: 3Com 3CDaemon 2.0 revision 10 -- Attack Scenarios: An attacker may attempt to exploit this vulnerability by sending and overly long FTP command, permitting the execution of arbitrary commands or causing a denial of service against the vulnerable server. -- Ease of Attack: Simple. Exploit code is freely available. -- False Positives: This rule may generate an event if an FTP client provides a legitimate request which is over 100 characters long. For example, when FTP clients store or request files with full path located in deep directory hierarchies the full request might result in a filename that exceedes 95 characters. This rule may also generate an event if Kerberos authentication is used for the FTP server. -- False Negatives: None Known. -- Corrective Action: Upgrade to the latest non-affected version of the software or apply the appropriate patch. -- Contributors: Sourcefire Research Team Brian Caswell Nigel Houghton Judy Novak -- Additional References: Bugtraq: http://www.securityfocus.com/bid/4638 --