[Snort-sigs] SID 336

Jeremy Stashewsky jstash at ...277...
Tue Jan 22 02:15:02 EST 2002

This was an easy one =)

I've attached the information for SID 336, feel free to make changes.

Note that i am not on the snort-sigs list, so please e-mail any replys
directly to me.  thanks.

-------------- next part --------------
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$

Rule: FTP CWD ~root
Sid: 336
Summary: Possible Exploit or Security Breach: Root's home directory has been accessed durring an ftp session. 
A remote attacker may have have gained root ftp access, or will be able to gain root access.
The ~root directory may be world readable.
Detailed Information:
An ftp command to change directories to root's home directory has succeeded.  
Under normal ftp usage (by non-root users), this should never occur.  
However, an administrator (root) could be using ftp remotely (which, in general, is a Bad Idea).
Attack Scenarios:
Scenario A:
1. Remote attacker has gained root password/access, or is able to access root's home directory.
2. Attacker will be able to replace important system files at their will, possibly gaining shell access as root.

Scenario B:
1. System administrator (root) connects to the system via un-encrypted ftp.
2. An attacker, listening in on the tcp/ip traffic, gains root's password since it was transmitted in 'clear-text'.
3. The attacker can now log in as root.

Scenario C:
1. The ~root directory is world readable.
2. Sensitive files that may exist in this directory can now be accessed by anyone.
Ease of Attack:
Scenario A: depends on how the attacker gained root's password
Scenario B: trivial for someone on the same network or on the route to the comprimiseable system.
Scenario C: easy.
False Positives:
The administrator has legitimately logged into this machine from a remote location. 
Note: this still has the potential for a security breach (see Scenario B).
False Negatives:
Accessing other system critical directories other than ~root (for example, /etc, where passwd/shadow files are kept) could indicate the same comprimise.
Corrective Action:
 - Dissallow ftp login for root, consider using something more secure than ftp for root file transfers.
 - Make sure root's home directory is NOT world readable.
 - Root's password may have been discovered, take apropriate action.
Jeremy Stashewsky -- jstash at omitthis uvic dot ca
Additional References:
Arachnids 318
CVE CVE-1999-0082
RFC 959: File Transfer Protocol (http://www.ietf.org/rfc/rfc959.txt)

More information about the Snort-sigs mailing list