File: 1529.txt

snort 2.9.7.0-5
Rule:

--
Sid:
1529

--
Summary:
This event is generated when an attempt is made to exploit a buffer
overflow or denial of service vulnerability associated with the FTP SITE
command.

--
Impact:
Remote access or denial of service.  A successful attack can cause a
denial of service or allow remote execution of arbitrary commands with
privileges of the process running the FTP server. 

--
Detailed Information:
This event is generated when an attempt is made to exploit various
vulnerabilities associated with the FTP SITE command of different FTP
servers. The Windows Serv-U FTP server 2.5a can be made to crash when an
overly long argument is supplied to the SITE PASS command. The GuildFTPd
free Windows FTP server 0.97 is vulnerable to a buffer overflow caused
by issuing a SITE command that is 261 bytes or longer. A buffer overflow
exists in the Debian Linux 2.2 FTP daemon that is caused by issuing a SITE
command that is 400 bytes or longer. The buffer overflow attacks may
permit the execution of arbitrary commands with the privileges of the
process running the FTP server. All of these attacks require login
access to the vulnerable server via an authenticated or anonymous user.
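
The length thresholds above can be checked against recorded FTP control-channel traffic. The following is an added example, not the Snort rule for this Sid and not Sourcefire code: the names `scan_control_channel`, `THRESHOLDS` and `SAMPLE` are hypothetical, the sample traffic is constructed, and it assumes the stated byte counts apply to the whole command line without its CR/LF terminator.

```python
import re

# Length thresholds stated in the rule documentation (bytes, whole command).
THRESHOLDS = {
    "GuildFTPd 0.97": 261,
    "Debian 2.2 FTP daemon": 400,
}

# SITE verb, case-insensitive, followed by whitespace or end of line.
SITE_RE = re.compile(rb"^\s*SITE(?:\s|$)", re.IGNORECASE)


def scan_control_channel(data: bytes):
    """Return (line_no, length, [affected systems]) for each long SITE command.

    Assumption: length is measured over the command line without its CR/LF
    terminator. A trailing unterminated line is still inspected, because an
    oversized command may be seen before its newline arrives.
    """
    findings = []
    for line_no, raw in enumerate(data.split(b"\n"), start=1):
        line = raw.rstrip(b"\r")
        if not SITE_RE.match(line):
            continue  # other FTP verbs are out of scope for this check
        hits = [name for name, limit in THRESHOLDS.items() if len(line) >= limit]
        if hits:
            findings.append((line_no, len(line), hits))
    return findings


# Constructed client-to-server traffic (not captured from a real session).
SAMPLE = b"\r\n".join([
    b"USER anonymous",
    b"PASS guest@example.invalid",
    b"SITE CHMOD 644 index.html",   # ordinary, short SITE command
    b"site " + b"A" * 256,          # 261 bytes in total
    b"SITE HELP " + b"B" * 390,     # 400 bytes in total
    b"STOR " + b"C" * 500,          # long, but not a SITE command
]) + b"\r\n"

if __name__ == "__main__":
    for line_no, length, systems in scan_control_channel(SAMPLE):
        print(f"line {line_no}: SITE command of {length} bytes "
              f"meets the threshold for {', '.join(systems)}")
```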

--
Affected Systems:
	Serv-U FTP server 2.5a.
	GuildFTPd Server 0.97.
	Debian 2.2 FTP server.

--
Attack Scenarios:
An attacker may log in to a vulnerable FTP server and enter an overly
long file argument with the SITE command, causing a denial of service or
buffer overflow.

--
Ease of Attack:
Simple.  

--
False Positives:
None Known.

--
False Negatives:
None Known.

--
Corrective Action:
Upgrade to the latest non-affected version of the software.

--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com> 
Nigel Houghton <nigel.houghton@sourcefire.com>
Judy Novak <judy.novak@sourcefire.com>

--
Additional References:

--