[Snort-sigs] SID 330

Anton Chuvakin anton at ...1177...
Wed Feb 12 20:26:05 EST 2003


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id: snort-sid-template.txt,v 1.1 2002/10/09 13:06:31 cazz Exp $
#
#

Rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER redirection
attempt"; flow:to_server,established; content:"@";
reference:nessus,10073; reference:arachnids,251;
reference:cve,CAN-1999-0105; classtype:attempted-recon; sid:330;
rev:6;)

--
Sid: 330

-- 

Summary: A connection laundering attack against the finger daemon

-- 

Impact: an attacker will obtain information about a third party without a
direct connection to it

--
Detailed Information:

The signature is triggered when an attempt to use a machine to run
finger queries against a third-party UNIX system is made. The
attack utilizes "finger forwarding" functionality, normally used to
forward queries to a third-party machine. The information is obtained
without a direct connection to the said third party, since the target
system performs a connection on behalf of the attacker. The finger daemon
is used to provide information about the UNIX system users. It used to
be installed and enabled by default on most UNIX/Linux systems. The
attack will confirm that the target host will indeed try to forward
queries.

--

Attack Scenarios: an attacker runs a finger query and obtains the
information about the root account. He then proceeds to compromise a
system using the obtained data.

--

Ease of Attack: very simple, no exploit software required

-- 

False Positives: not known

--
False Negatives: not known

-- 

Corrective Action: disable fingerd daemon or upgrade to a daemon with
no finger forwarding functionality


--
Contributors: Anton Chuvakin <http://www.chuvakin.org>

-- 
Additional References:

http://cgi.nessus.org/plugins/dump.php3?id=10073
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0105
http://www.whitehats.com/info/IDS251
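The following is an added example, not part of the original post or of the Snort distribution. It parses finger request lines using the RFC 1288 query grammar, flags the indirect "user@host" form that SID 330 alerts on, and shows the server-side policy the Corrective Action section asks for (refusing to forward). The sample request lines, host names and function names (parse_finger_query, sid330_matches, route_query) are constructed for illustration.

```python
import re

# RFC 1288 query grammar, simplified:
#   {Q1} ::= [{W}|{W}{S}{U}]{C}           direct query (local user or user list)
#   {Q2} ::= [{W}{S}][{U}]{H}{C}          indirect query: one or more "@host"
#   {H}  ::= @{h}|@{h}{H}
# A {Q2} query "user@hop1@hop2" is sent to hop2, which strips its own name
# and relays "user@hop1" to hop1 (RFC 1288 section 2.3).
QUERY_RE = re.compile(
    r"^(?P<verbose>/W)?\s*(?P<user>[^@\s]*)(?P<hops>(?:@[^@\s]+)*)\s*$"
)


def parse_finger_query(raw: bytes) -> dict:
    """Parse one finger request line (CRLF optional).

    Returns verbose flag, user part, list of hop hosts and whether the
    query is indirect ({Q2}). Raises ValueError on lines outside the grammar.
    """
    line = raw.decode("ascii", errors="replace").rstrip("\r\n")
    m = QUERY_RE.match(line)
    if not m:
        raise ValueError(f"malformed finger query: {line!r}")
    hops = [h for h in m.group("hops").split("@") if h]
    return {
        "verbose": m.group("verbose") is not None,
        "user": m.group("user"),
        "hops": hops,
        "indirect": bool(hops),
    }


def sid330_matches(payload: bytes) -> bool:
    """Emulate the rule's content match: SID 330 fires on any '@' in a
    to-server payload on tcp/79, regardless of where it appears."""
    return b"@" in payload


def route_query(raw: bytes, allow_forwarding: bool = False):
    """Server-side decision for a request, as a hardened fingerd would make it.

    Returns ("local", user) for direct queries ("*" means user list),
    ("refuse", host) when forwarding is disabled (the corrective action
    from the post), or ("forward", next_host, relayed_query) when enabled.
    """
    q = parse_finger_query(raw)
    if not q["indirect"]:
        return ("local", q["user"] or "*")
    if not allow_forwarding:
        return ("refuse", q["hops"][-1])
    next_host = q["hops"][-1]
    relayed = ("/W " if q["verbose"] else "") + q["user"] + "".join(
        "@" + h for h in q["hops"][:-1]
    )
    return ("forward", next_host, relayed)


# Constructed sample request lines (not captured traffic).
SAMPLES = [
    b"root\r\n",                              # {Q1}: local lookup, no alert
    b"/W root\r\n",                           # {Q1} verbose, no alert
    b"root@victim.example\r\n",               # {Q2}: forwarding, SID 330 fires
    b"@victim.example\r\n",                   # {Q2}: remote user list, fires
    b"root@hop1.example@hop2.example\r\n",    # {Q2}: two hops, fires
]


def audit(samples, allow_forwarding=False):
    """Return (payload, rule_fires, server_decision) for each sample."""
    return [(s, sid330_matches(s), route_query(s, allow_forwarding)) for s in samples]


if __name__ == "__main__":
    for payload, fires, decision in audit(SAMPLES):
        print(f"{payload!r:45} SID330={fires!s:5} -> {decision}")
```

Running the block shows that only the three indirect queries trigger the rule and that, with forwarding disabled, the daemon refuses them rather than opening a connection on the attacker's behalf.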
