[Snort-sigs] SID 520

Warchild warchild at ...288...
Thu Feb 7 18:27:02 EST 2002

alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP root directory"; content:"|0001|/"; reference:arachnids,138; reference:cve,CVE-1999-0183; classtype:bad-unknown; sid:520; rev:2;)



A remote host attempted to get to the root directory as part of a
tftp session.

Little or none, so long as your tftp server is properly configured and
does not allow access to the root directory.  If this _is_
allowed, any files readable by the user the tftpd daemon runs as
(typically "nobody") may be accessed, allowing further information to
be gleaned about your system.

Detailed Information:
See impact.

Attack Scenarios:

warchild at ...351...
[~/txt]$ tftp localhost
tftp> get /etc/hosts

Ease of Attack:
Trivial.  Nearly all Windows and *nix clients provide tftp clients.

False Positives:
Legitimate uploading of files may trigger this rule inappropriately.

False Negatives:

Corrective Action:
Determine whether or not the attempted upload or download of the file
was successful, and whether access to the root directory is possible.

Jon Hart <jhart at ...289...>
Warchild <warchild at ...288...>

Additional References:
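
Added example, not part of the original post or of Snort: a Python triage helper that decodes UDP payloads per RFC 1350 and compares the rule's unanchored content:"|0001|/" match with an actual read request for an absolute path. The function names, verdict strings and sample payloads are constructed for illustration.

```python
import struct

RRQ, WRQ = 1, 2
RULE_CONTENT = b"\x00\x01/"  # content:"|0001|/" from the rule; no offset/depth

def rule_matches(payload: bytes) -> bool:
    """Emulate the rule's content match: the bytes may sit anywhere."""
    return RULE_CONTENT in payload

def parse_request(payload: bytes):
    """Return (opcode, filename, mode) for a well-formed RRQ/WRQ, else None."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (RRQ, WRQ):
        return None
    # Layout after the opcode: filename NUL mode NUL
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3 or not fields[0] or not fields[1]:
        return None
    name = fields[0].decode("ascii", "replace")
    mode = fields[1].decode("ascii", "replace").lower()
    return opcode, name, mode

def triage(payload: bytes) -> str:
    """Classify an alert payload for the analyst."""
    req = parse_request(payload)
    if req and req[0] == RRQ and req[1].startswith("/"):
        return "read-absolute-path"   # what the rule is meant to catch
    if rule_matches(payload):
        return "rule-hit-other"       # bytes matched, but not such a request
    return "no-hit"

# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "rrq_abs": b"\x00\x01/etc/hosts\x00octet\x00",
    "rrq_rel": b"\x00\x01boot.cfg\x00octet\x00",
    # DATA (opcode 3), block 1, file content starting with "/":
    # bytes 2..4 are 00 01 2f, the same three bytes the rule looks for.
    "data_blk1": b"\x00\x03\x00\x01/* constructed file content */\n",
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(label, rule_matches(pkt), parse_request(pkt), triage(pkt))
```

The filename returned by parse_request is the value to check against the server's files when following the corrective action above.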
