[Snort-sigs] SID 336
jstash at ...277...
Tue Jan 22 02:15:02 EST 2002
This was an easy one =)
I've attached the information for SID 336, feel free to make changes.
Note that I am not on the snort-sigs list, so please e-mail any replies
directly to me. Thanks.
-------------- next part --------------
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to others' work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
Rule: FTP CWD ~root
Summary: Possible Exploit or Security Breach: Root's home directory has been accessed during an ftp session.
Impact: A remote attacker may have gained root ftp access, or will be able to gain root access.
The ~root directory may be world readable.
Detailed Information: An ftp command to change directories to root's home directory has succeeded.
Under normal ftp usage (by non-root users), this should never occur.
However, an administrator (root) could be using ftp remotely (which, in general, is a Bad Idea).
Attack Scenarios:
Scenario A:
1. Remote attacker has gained root password/access, or is able to access root's home directory.
2. Attacker will be able to replace important system files at their will, possibly gaining shell access as root.
Scenario B:
1. System administrator (root) connects to the system via un-encrypted ftp.
2. An attacker, listening in on the tcp/ip traffic, gains root's password since it was transmitted in 'clear-text'.
3. The attacker can now log in as root.
Scenario C:
1. The ~root directory is world readable.
2. Sensitive files that may exist in this directory can now be accessed by anyone.
Ease of Attack:
Scenario A: depends on how the attacker gained root's password
Scenario B: trivial for someone on the same network or on the route to the compromisable system.
Scenario C: easy.
False Positives: The administrator has legitimately logged into this machine from a remote location.
Note: this still has the potential for a security breach (see Scenario B).
False Negatives: Accessing other system critical directories other than ~root (for example, /etc, where the passwd/shadow files are kept) could indicate the same compromise.
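As an added illustration of the Detailed Information and False Negatives notes above (example code written for this page, not part of the submission or of Snort), the scanner below walks a constructed FTP control-channel transcript, flags CWD commands aimed at ~root and at the other sensitive directories the False Negatives note mentions, and pairs each flagged command with the next server reply so that a successful change (2xx) can be told apart from a refused attempt (550). The transcript, the "C:"/"S:" line prefixes, and the SENSITIVE_TARGETS list are assumptions made for the example; a Snort content match sees only the client command and cannot by itself know whether the CWD succeeded.

```python
import re
from dataclasses import dataclass

# Constructed FTP control-channel transcript for the example; "C:" marks
# client commands and "S:" marks server replies. This is not real traffic.
SAMPLE_SESSION = """\
S: 220 ftp.example.test FTP server ready.
C: USER alice
S: 331 Password required for alice.
C: PASS ********
S: 230 User alice logged in.
C: CWD ~root
S: 550 ~root: Permission denied.
C: cwd ~ROOT/.ssh
S: 250 CWD command successful.
C: CWD /etc
S: 250 CWD command successful.
C: QUIT
S: 221 Goodbye.
"""

# Directories worth flagging. "~root" is the SID 336 case; the others are
# an assumed extension following the False Negatives note on the page.
SENSITIVE_TARGETS = ("~root", "/root", "/etc")

# FTP verbs are case-insensitive (RFC 959); XCWD is the older alias for CWD.
CWD_RE = re.compile(r"^(?:CWD|XCWD)\s+(\S+)", re.IGNORECASE)


@dataclass
class Alert:
    line_no: int      # 1-based line in the transcript holding the CWD
    target: str       # the argument exactly as the client sent it
    succeeded: bool   # True when the next server reply carried a 2xx code


def normalise_target(arg):
    """Lower-case and strip a trailing slash so 'CWD ~ROOT/' still matches."""
    return arg.lower().rstrip("/")


def is_sensitive(arg):
    """True for the sensitive directory itself or any path beneath it."""
    t = normalise_target(arg)
    return any(t == s or t.startswith(s + "/") for s in SENSITIVE_TARGETS)


def scan_session(text):
    """Return one Alert per sensitive CWD, noting whether the server accepted it."""
    lines = text.splitlines()
    alerts = []
    for i, line in enumerate(lines, 1):
        if not line.startswith("C: "):
            continue
        m = CWD_RE.match(line[3:])
        if not m or not is_sensitive(m.group(1)):
            continue
        # Pair the command with the first server reply that follows it; the
        # three-digit reply code is the first token of the reply line.
        succeeded = False
        for nxt in lines[i:]:
            if nxt.startswith("S: "):
                succeeded = nxt[3:6].startswith("2")
                break
        alerts.append(Alert(i, m.group(1), succeeded))
    return alerts


if __name__ == "__main__":
    for a in scan_session(SAMPLE_SESSION):
        state = "SUCCEEDED" if a.succeeded else "refused"
        print(f"line {a.line_no}: CWD {a.target} {state}")
```

Running the block reports three alerts: the refused "CWD ~root", the accepted "cwd ~ROOT/.ssh" (the case-insensitive and sub-path handling matter here), and the accepted "CWD /etc". Only the accepted ones correspond to the "has succeeded" condition in the description; the refused one is still an attempt worth logging.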
Corrective Action:
- Disallow ftp login for root; consider using something more secure than ftp for root file transfers.
- Make sure root's home directory is NOT world readable.
- Root's password may have been discovered; take appropriate action.
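The first two corrective actions can be checked mechanically. The audit below is an added example (not part of this submission or of any ftp daemon's tooling): it tests whether a home directory grants read or traverse permission to "other", and whether a given user is listed in an ftpusers-style deny file (one username per line, "#" comments), and it builds its own temporary fixture so it runs without touching the real /root or /etc/ftpusers. The fixture layout and the deny-file format are assumptions made for the example.

```python
import os
import stat
import tempfile


def home_world_accessible(path):
    """True if 'other' can read or traverse the directory (the Scenario C condition).

    Execute on a directory allows traversal into it, so it is checked alongside read.
    """
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IROTH | stat.S_IXOTH))


def ftp_login_denied(ftpusers_path, user="root"):
    """True if `user` appears in an ftpusers-style deny list.

    Assumed format: one username per line; blank lines and '#' comments ignored.
    A missing file denies nobody.
    """
    try:
        with open(ftpusers_path) as fh:
            for line in fh:
                entry = line.split("#", 1)[0].strip()
                if entry == user:
                    return True
    except FileNotFoundError:
        return False
    return False


def audit(home, ftpusers, user="root"):
    """Return the list of findings for the two checks; an empty list means both pass."""
    findings = []
    if home_world_accessible(home):
        findings.append(f"{user} home is readable or traversable by others")
    if not ftp_login_denied(ftpusers, user):
        findings.append(f"{user} is not denied FTP login")
    return findings


def demo():
    """Constructed fixture: a 0755 home directory and a deny list without root.

    Returns the findings before and after applying the two corrective actions.
    """
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "root")
        os.mkdir(home)
        os.chmod(home, 0o755)                       # world readable, as in Scenario C
        ftpusers = os.path.join(tmp, "ftpusers")
        with open(ftpusers, "w") as fh:
            fh.write("# deny list\nftp\nbin   # system account\n")

        before = audit(home, ftpusers)

        os.chmod(home, 0o700)                       # corrective action 2
        with open(ftpusers, "a") as fh:
            fh.write("root\n")                      # corrective action 1
        after = audit(home, ftpusers)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before or "no findings")
    print("after: ", after or "no findings")
```

Point `audit()` at the real paths on a host to use it as a check; `demo()` exists only so the block exercises both the failing and the passing state offline.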
Contributors: Jeremy Stashewsky -- jstash at omitthis uvic dot ca
Additional References: RFC 959: File Transfer Protocol (http://www.ietf.org/rfc/rfc959.txt)