[Snort-sigs] Sig 348

Pedro Rosa Pedro.Rosa at ...402...
Sat Mar 2 06:32:03 EST 2002


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule:FTP EXPLOIT wu-ftpd 2.6.0

--
Sid:348

--
Summary:Attempt to execute arbitrary code on server for further malicious action.

--
Impact:Serious

--
Detailed Information:This exploit works on several old versions of wu-ftpd, mostly those <=2.6.0. It uses a flaw in the SITE EXEC implementation, allowing the execution of arbitrary code on the host machine. The exploit overflows the stack through a printf call, which allows eip to point to arbitrary code. It works even under anonymous login.

--
Attack Scenarios:Data collection (e.g. passwords), data removal, arbitrary program execution.

--
Ease of Attack:Average

--
False Positives:Attempts on servers with fixed versions of wu-ftpd

--
False Negatives:

--
Corrective Action:If you have installed an old, unfixed version of wu-ftpd (<=2.6.0), upgrade immediately.

--
Contributors:

-- 
Additional References:


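An added example, not part of the original post and not the content of Sid 348: a log-side check that flags SITE EXEC commands whose arguments contain printf conversion specifiers, the input class the description above ties to the printf call. Like the rule, it reports attempts whether or not the server is patched. The function names and the sample lines are assumptions made for illustration.

```python
import re

# SITE EXEC command on the FTP control channel (case-insensitive, any spacing).
SITE_EXEC = re.compile(rb"^\s*SITE\s+EXEC\b(.*)$", re.IGNORECASE)

# A printf conversion specifier: %, optional position, flags, width, precision,
# length modifier, conversion character.
FORMAT_SPEC = re.compile(
    r"%(?:\d+\$)?[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|L|q|j|z|t)?[diouxXeEfgGcspn]"
)


def inspect(line: bytes):
    """Return None for non-SITE-EXEC lines, else a dict describing the arguments."""
    m = SITE_EXEC.match(line.rstrip(b"\r\n"))
    if m is None:
        return None
    # latin-1 maps every byte to one character, so binary arguments never raise.
    args = m.group(1).decode("latin-1").strip()
    # "%%" is a literal percent sign to printf, so drop it before matching.
    specs = FORMAT_SPEC.findall(args.replace("%%", ""))
    return {"args": args, "specifiers": specs, "suspicious": bool(specs)}


def flagged(lines):
    """Indexes of the lines whose SITE EXEC arguments carry conversion specifiers."""
    hits = []
    for i, line in enumerate(lines):
        result = inspect(line)
        if result and result["suspicious"]:
            hits.append(i)
    return hits


# Constructed sample of client-to-server control-channel lines (not real traffic).
SAMPLE = [
    b"USER anonymous\r\n",
    b"SITE EXEC ls -l\r\n",
    b"site exec %x %x %x\r\n",
    b"SITE  EXEC echo 100%% done\r\n",
    b"SITE EXEC aaaa%.8x%.8x\r\n",
]

if __name__ == "__main__":
    for i in flagged(SAMPLE):
        print(i, inspect(SAMPLE[i]))
```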