[Snort-sigs] SID 520

Warchild warchild at ...288...
Thu Feb 7 18:27:02 EST 2002


Rule:  
alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP root directory"; content:"|0001|/"; reference:arachnids,138; reference:cve,CVE-1999-0183; classtype:bad-unknown; sid:520; rev:2;)


--
Sid:
520

--
Summary:

A remote host attempted to get to the root directory as part of a
tftp session.

--
Impact:
Little or none, so long as your tftp server is properly configured and
does not allow access to the root directory.  If this _is_
allowed, any files accessible to the user the tftpd daemon runs as
(typically "nobody") may be accessed, allowing further information to be
gleaned about your system.

--
Detailed Information:
See impact.

--
Attack Scenarios:

warchild at ...351...
[~/txt]$ tftp localhost
tftp> get /etc/hosts

--
Ease of Attack:
Trivial.  Nearly all Windows and *nix systems provide tftp clients.

--
False Positives:
Legitimate uploading of files may trigger this rule inappropriately.

--
False Negatives:
Unlikely.

--
Corrective Action:
Determine whether the attempted upload or download of the file was
successful, and whether access to the root directory is possible.

--
Contributors:
Jon Hart <jhart at ...289...>
Warchild <warchild at ...288...>

-- 
Additional References:




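Added example, not part of the original post or of Snort itself: a triage helper for the Corrective Action step. It applies the rule's content match to a captured request payload and reads the server's first reply, using the RFC 1350 packet layout. The function names and the sample packets are constructed for illustration.

```python
import struct

# TFTP opcodes from RFC 1350, plus OACK from RFC 2347
RRQ, WRQ, DATA, ACK, ERROR, OACK = 1, 2, 3, 4, 5, 6

def rule_matches(payload: bytes) -> bool:
    """Same test as the rule's content:"|0001|/" (the rule sets no offset or depth)."""
    return b"\x00\x01/" in payload

def parse_request(payload: bytes):
    """Return (opcode, filename, mode) for an RRQ/WRQ, or None if malformed."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    fields = payload[2:].split(b"\x00")  # filename NUL mode NUL [options...]
    if opcode not in (RRQ, WRQ) or len(fields) < 3 or not fields[0]:
        return None
    return (opcode, fields[0].decode("ascii", "replace"),
            fields[1].decode("ascii", "replace").lower())

def triage(request: bytes, reply: bytes) -> str:
    """Classify the server's first reply to the request that raised the alert."""
    req = parse_request(request)
    if req is None or len(reply) < 4:
        return "unparsed"
    opcode, filename, _mode = req
    r_op, r_arg = struct.unpack("!HH", reply[:4])
    if r_op == ERROR:
        return f"refused (error code {r_arg})"
    if r_op == OACK:
        return "options acknowledged, check the next packet"
    if opcode == RRQ and r_op == DATA and r_arg == 1:
        return f"server returned data for {filename}"
    if opcode == WRQ and r_op == ACK and r_arg == 0:
        return f"server accepted write of {filename}"
    return "unexpected reply"

# Constructed sample payloads (UDP data only, no IP/UDP headers)
REQ_ABS = b"\x00\x01/etc/hosts\x00netascii\x00"
REQ_REL = b"\x00\x01boot.cfg\x00octet\x00"
REPLY_DATA = b"\x00\x03\x00\x01127.0.0.1 localhost\n"
REPLY_ERR = b"\x00\x05\x00\x02Access violation\x00"

if __name__ == "__main__":
    for req in (REQ_ABS, REQ_REL):
        print(parse_request(req), "rule fires:", rule_matches(req))
    print(triage(REQ_ABS, REPLY_DATA))
    print(triage(REQ_ABS, REPLY_ERR))
```

The reply comes from an ephemeral server port rather than port 69, so pair it with the request by client address and port when pulling it from a capture.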