1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60
|
SID:
345
--
Rule:
--
Summary:
This event is generated when an attack attempt is made against an ftp
server possibly running a vulnerable ftpd
--
Impact:
Possible remote execution of commands on the affected server as the root user
--
Detailed Information:
The Washington University ftp daemon (wu-ftpd) does not perform proper
checking in its SITE EXEC implementation, and allows user input to be
sent directly to printf. This allows an attacker to overwrite data and
eventually execute code on the server.
--
Affected Systems:
Any system running wu-ftpd 2.6 .0 or below
--
Attack Scenarios:
A remote attacker will attempt to execute commands on the ftp server
with root user privileges, over writing or modifying system files. This
can be done with anonymous and real user logins.
--
Ease of Attack:
Simple, Exploits exist
--
False Positives:
None known
--
False Negatives:
None known
--
Corrective Action:
Upgrade to latest version which has fixes for this problem. Maybe even get rid of wu-ftp with something more secure
--
Contributors:
Snort documentation contributed by matthew harvey <indexone@yahoo.com>
Original Rule Writer Unknown
Sourcefire Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>
--
References:
--
|