[Snort-sigs] Update to SGI Telnetd Format Bug Sig

Bamm (Robert) Visscher rvisscher at ...408...
Mon Mar 4 08:35:10 EST 2002


I recommend removing the leading slash (/) in the SGI telnetd format bug 
signature (sid:711). I saw multiple exploit attempts this weekend where 
the exploit code did not use it. Example output below.

03/03-14:00:28.621856 a.b.c.d:41953 -> e.f.g.h:23
TCP TTL:42 TOS:0x0 ID:21654 IpLen:20 DgmLen:148 DF
***AP*** Seq: 0x84E41F1B Ack: 0x5CB26E3E Win: 0x16D0 TcpLen: 20
0x0000: 00 50 54 FF 7F 2C 00 03 31 DF 80 1C 08 00 45 00 .PT..,..1.....E.
0x0010: 00 94 54 96 40 00 2A 06 DA CB XX XX XX XX XX XX ..T.@.*...
0x0020: XX XX A3 E1 00 17 84 E4 1F 1B 5C B2 6E 3E 50 18 \]........\.n>P.
0x0030: 16 D0 19 5D 00 00 FF FA 24 00 01 5F 52 4C 44 00 ...]....$.._RLD.
0x0040: 20 20 20 20 20 7F C4 98 1C 20 20 20 20 7F C4 98      ....    ...
0x0050: 1E 20 20 20 04 10 02 03 F3 23 02 14 23 E4 FE 08 .   .....#..#...
0x0060: 23 E5 FE 10 AF E4 FE 10 AF E0 FE 14 A3 E0 FE 0F #...............
0x0070: 03 62 69 6E 2F 73 68 25 33 32 36 31 34 63 25 31 .bin/sh%32614c%1
0x0080: 31 24 68 6E 25 38 36 30 30 30 63 25 31 32 24 68 1$hn%86000c%12$h
0x0090: 6E 68 6E 25 38 36 30 30 30 63 25 31 32 24 68 6E nhn%86000c%12$hn
0x00A0: FF F0 ..


Current Rule:
telnet.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"TELNET SGI telnetd format bug"; flags: A+; content: "_RLD"; content: "/bin/sh"; reference:arachnids,304; classtype:attempted-admin; sid:711; rev:1;)

Change:
content:"/bin/sh" -> content:"bin/sh"

Bammkkkk
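As an added illustration, not part of the original post or of the Snort rule set, the Python script below rebuilds the TCP payload from the dump quoted above and runs both the current sid:711 and the proposed variant over it, using a minimal stand-in for Snort's content matching (unordered substring search with |hex| escapes and no modifiers). It assumes the dump is an Ethernet frame (14 link-layer bytes before the IP header, consistent with the 0x0800 EtherType at offset 12), treats the poster's masked XX address bytes as zero, and additionally checks that "_RLD" arrives inside a telnet ENVIRON (option 36) suboption; the telnet constants come from the RFCs, not from the post. The SNORT_DUMP string is a copy of the post's hex, constructed here as sample input; the NEW_RULE string is my rendering of the proposed change.

```python
import re

IAC, SB, SE = 0xFF, 0xFA, 0xF0   # telnet "interpret as command", suboption begin/end
TELOPT_ENVIRON = 0x24            # telnet ENVIRON option (36, RFC 1408)
ETH_HDR_LEN = 14                 # assumption: the dump starts at the Ethernet header

# Constructed sample: the hex columns of the packet dump from the post, copied as
# printed. Address bytes the poster masked as "XX" decode to 0x00 placeholders;
# they sit in the IP header, not in the TCP payload examined below.
SNORT_DUMP = """\
03/03-14:00:28.621856 a.b.c.d:41953 -> e.f.g.h:23
TCP TTL:42 TOS:0x0 ID:21654 IpLen:20 DgmLen:148 DF
***AP*** Seq: 0x84E41F1B Ack: 0x5CB26E3E Win: 0x16D0 TcpLen: 20
0x0000: 00 50 54 FF 7F 2C 00 03 31 DF 80 1C 08 00 45 00
0x0010: 00 94 54 96 40 00 2A 06 DA CB XX XX XX XX XX XX
0x0020: XX XX A3 E1 00 17 84 E4 1F 1B 5C B2 6E 3E 50 18
0x0030: 16 D0 19 5D 00 00 FF FA 24 00 01 5F 52 4C 44 00
0x0040: 20 20 20 20 20 7F C4 98 1C 20 20 20 20 7F C4 98
0x0050: 1E 20 20 20 04 10 02 03 F3 23 02 14 23 E4 FE 08
0x0060: 23 E5 FE 10 AF E4 FE 10 AF E0 FE 14 A3 E0 FE 0F
0x0070: 03 62 69 6E 2F 73 68 25 33 32 36 31 34 63 25 31
0x0080: 31 24 68 6E 25 38 36 30 30 30 63 25 31 32 24 68
0x0090: 6E 68 6E 25 38 36 30 30 30 63 25 31 32 24 68 6E
0x00A0: FF F0
"""

# sid:711 as quoted in the post, and the poster's proposed change (rev not bumped here).
OLD_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"TELNET SGI telnetd '
            'format bug"; flags: A+; content: "_RLD"; content: "/bin/sh"; '
            'reference:arachnids,304; classtype:attempted-admin; sid:711; rev:1;)')
NEW_RULE = OLD_RULE.replace('content: "/bin/sh"', 'content: "bin/sh"')

DUMP_LINE = re.compile(r"^0x([0-9A-Fa-f]{4}):\s+(.*)$")
HEX_TOKEN = re.compile(r"^(?:[0-9A-Fa-f]{2}|XX)$")


def parse_dump(text):
    """Rebuild the raw frame and the header lengths from a Snort packet dump."""
    hdr, frame = {}, bytearray()
    for line in text.splitlines():
        m = re.search(r"IpLen:(\d+)\s+DgmLen:(\d+)", line)
        if m:
            hdr["iplen"], hdr["dgmlen"] = int(m.group(1)), int(m.group(2))
        m = re.search(r"TcpLen:\s*(\d+)", line)
        if m:
            hdr["tcplen"] = int(m.group(1))
        m = DUMP_LINE.match(line)
        if not m:
            continue
        if int(m.group(1), 16) != len(frame):
            raise ValueError("dump offsets are not contiguous")
        for tok in m.group(2).split()[:16]:   # 16 bytes per line; an ASCII column may follow
            if not HEX_TOKEN.match(tok):
                break
            frame.append(0 if tok == "XX" else int(tok, 16))
    if frame[12:14] != b"\x08\x00":            # EtherType IPv4, otherwise the offsets are wrong
        raise ValueError("not an Ethernet/IPv4 frame")
    return bytes(frame), hdr


def tcp_payload(frame, hdr):
    """TCP data: after Ethernet + IP + TCP headers, up to the IP datagram length."""
    start = ETH_HDR_LEN + hdr["iplen"] + hdr["tcplen"]
    return frame[start:ETH_HDR_LEN + hdr["dgmlen"]]


def parse_rule(rule):
    """Byte strings of every content: option in a rule, expanding |HH HH| hex escapes."""
    contents = []
    for raw in re.findall(r'content:\s*"([^"]*)"', rule):
        out = bytearray()
        for i, seg in enumerate(raw.split("|")):
            out += bytes.fromhex(seg) if i % 2 else seg.encode("latin-1")
        contents.append(bytes(out))
    return contents


def rule_matches(contents, payload):
    """Unmodified content semantics: every pattern must occur somewhere, in any order."""
    return all(c in payload for c in contents)


def telnet_suboptions(payload):
    """List (option, data) for each IAC SB <opt> ... IAC SE block; a doubled IAC is data."""
    subs, i, n = [], 0, len(payload)
    while i + 2 < n:
        if payload[i] != IAC or payload[i + 1] != SB:
            i += 1
            continue
        opt, body, j = payload[i + 2], bytearray(), i + 3
        while j < n:
            if payload[j] == IAC and j + 1 < n and payload[j + 1] == SE:
                break
            if payload[j] == IAC and j + 1 < n and payload[j + 1] == IAC:
                j += 1                          # escaped 0xFF data byte
            body.append(payload[j])
            j += 1
        subs.append((opt, bytes(body)))
        i = j + 2
    return subs


def evaluate(dump=SNORT_DUMP):
    """Run the current and proposed sid:711 over the captured payload."""
    frame, hdr = parse_dump(dump)
    payload = tcp_payload(frame, hdr)
    return {
        "payload_len": len(payload),
        "slash_present": b"/bin/sh" in payload,
        "old_rule_fires": rule_matches(parse_rule(OLD_RULE), payload),
        "new_rule_fires": rule_matches(parse_rule(NEW_RULE), payload),
        "rld_in_environ": any(opt == TELOPT_ENVIRON and b"_RLD" in data
                              for opt, data in telnet_suboptions(payload)),
    }


if __name__ == "__main__":
    for key, value in evaluate().items():
        print(f"{key}: {value}")
```

For this capture the old pattern misses because the byte before "bin/sh" is 0x03, not "/", while "bin/sh" is a substring of "/bin/sh", so the proposed rule still fires on exploit code that keeps the slash. The "_RLD" content is what keeps the widened rule narrow; "bin/sh" on its own appears in plenty of legitimate telnet sessions.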
