File: 342.txt

package info (click to toggle)
snort 2.9.7.0-5
  • links: PTS, VCS
  • area: main
  • in suites: bullseye, buster, sid, stretch
  • size: 55,000 kB
  • ctags: 38,464
  • sloc: ansic: 266,667; sh: 12,508; makefile: 2,908; yacc: 497; perl: 496; lex: 261; sed: 14
file content (62 lines) | stat: -rw-r--r-- 1,330 bytes parent folder | download | duplicates (6)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
SID:
342
--

Rule:
--

Summary:
This event is generated when an attack attempt is made against an ftp 
server possibly running a vulnerable ftpd on Solaris 8

--

Impact:
Possible remote execution of commands on the affected server as the root user
--

Detailed Information:
The Washington University ftp daemon (wu-ftpd) does not perform proper 
checking in its SITE EXEC implementation, and allows user input to be 
sent directly to printf. This allows an attacker to overwrite data and 
eventually execute code on the server.

--

Affected Systems:
Any system running wu-ftpd 2.6 .0 or below
--

Attack Scenarios:
A remote attacker will attempt to execute commands on the ftp server 
with root user privileges, over writing or modifying system files. This 
can be done with anonymous and real user logins.
--

Ease of Attack:
Simple, Exploit code exists
--

False Positives:
None known
--

False Negatives:
None known
--

Corrective Action:
Upgrade to latest version which has fixes for this problem. Maybe even get rid of wu-ftp with something more secure.
Restrict access to ftp at the firewall to known hosts only
--

Contributors:
Snort documentation contributed by matthew harvey <indexone@yahoo.com>
Original Rule Writer Unknown
Sourcefire Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>

--
References:

--