[Snort-sigs] SID 519

Warchild warchild at ...288...
Thu Feb 7 18:26:02 EST 2002


Rule:  
alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP parent directory"; content:".."; reference:arachnids,137; reference:cve,CVE-1999-0183; classtype:bad-unknown; sid:519; rev:1;)

--
Sid:
519

--
Summary:

A remote host attempted to get to the parent directory as part of a
tftp session.

--
Impact:
Little or none, so long as your tftp server is properly configured and
does not allow traversal out of the tftp directory.  If this _is_
allowed, any files accessible to the user the tftpd daemon runs as
(typically "nobody") may be accessed, allowing further information to
be gleaned about your system.

--
Detailed Information:
See impact.

--
Attack Scenarios:

warchild at ...351...
[~/txt]$ tftp localhost
tftp> get ../etc/hosts

warchild at ...351...
[~/txt]$ tftp localhost
tftp> put ../etc/hosts

warchild at ...351...
[~/txt]$ tftp localhost
tftp> put foobar ../tmp


--
Ease of Attack:
Trivial.  Nearly all Windows and *nix systems provide tftp clients.

--
False Positives:
Legitimate uploading of files may trigger this rule inappropriately.
If the file being uploaded is outside the parent directory, this rule
will fire.  For example:

warchild at ...351...
[~/txt]$ tftp localhost
tftp> put ../bar.txt .

warchild at ...351...
[~/txt]$ tftp localhost
tftp> get hosts ../hosts
Received 720 bytes in 0.0 seconds


Whereas this rule is meant to alert on the situation listed in the
Attack Scenarios. 


--
False Negatives:
Unlikely.

--
Corrective Action:
Determine whether or not the attempted upload/download was successful,
and what directory the file came from/went to.

--
Contributors:
Jon Hart <jhart at ...289...>
Warchild <warchild at ...288...>

-- 
Additional References:



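The rule's content:".." matches those two bytes anywhere in a UDP payload sent to port 69. The following is an added example, not part of the original post or of Snort: a Python triage helper that parses a captured TFTP read/write request (RFC 1350 layout: 2-byte opcode, NUL-terminated filename, NUL-terminated mode) and reports whether the requested filename really contains a ".." path component. The function names and sample payloads are constructed for illustration.

```python
import struct

# TFTP opcodes from RFC 1350: read request and write request.
RRQ, WRQ = 1, 2

def parse_request(payload: bytes):
    """Return (opcode, filename, mode) for an RRQ/WRQ, or None otherwise."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (RRQ, WRQ):
        return None
    fields = payload[2:].split(b"\x00")
    # A well-formed request is filename NUL mode NUL, so at least 3 parts.
    if len(fields) < 3 or not fields[0]:
        return None
    return opcode, fields[0].decode("latin-1"), fields[1].decode("latin-1").lower()

def rule_matches(payload: bytes) -> bool:
    """Mirror of the rule's content match: raw bytes anywhere in the payload."""
    return b".." in payload

def has_parent_component(filename: str) -> bool:
    """True only when '..' is a whole path component (either separator)."""
    return ".." in filename.replace("\\", "/").split("/")

def triage(payload: bytes) -> str:
    """Classify a payload that was sent to UDP port 69."""
    if not rule_matches(payload):
        return "no-alert"
    req = parse_request(payload)
    if req is None:
        return "alert-not-a-request"
    return "alert-traversal" if has_parent_component(req[1]) else "alert-no-traversal"

# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "get ../etc/hosts": b"\x00\x01../etc/hosts\x00netascii\x00",
    "put foobar ../tmp": b"\x00\x02../tmp\x00octet\x00",
    "get notes..txt": b"\x00\x01notes..txt\x00octet\x00",
    "get hosts": b"\x00\x01hosts\x00netascii\x00",
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:20} {triage(pkt)}")
```
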


