[Snort-sigs] SID 332

Anton Chuvakin anton at ...1177...
Wed Feb 12 20:26:10 EST 2003


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id: snort-sid-template.txt,v 1.1 2002/10/09 13:06:31 cazz Exp $
#
#

Rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER 0 query";
flow:to_server,established; content:"0"; reference:nessus,10069;
reference:arachnids,378; reference:arachnids,131;
reference:cve,CAN-1999-0197; classtype:attempted-recon; sid:332;
rev:5;)

--
Sid: 332

-- 

Summary: An intelligence gathering attack against the finger daemon

-- 

Impact: attacker will obtain the list of some accounts existing on the
victim system

--
Detailed Information:

The signature is triggered when an attempt is made to use a finger
command against a host with a username of "0".  Such a finger query
against the vulnerable finger daemon allows the attacker to obtain a
list of some accounts existing on the target system with some details
on each account (such as time and source of the last login). Knowing
the list of accounts might facilitate password guessing attacks, email
attacks and other abuse.

--

Attack Scenarios: an attacker learns that the "sys" account exists on
the system. He then proceeds to guess the password remotely and connect
to the system.

-- 

Ease of Attack: very easy, no exploit software required

-- 

False Positives: not known

--
False Negatives: not known

-- 

Corrective Action: disable fingerd daemon or limit the addresses that
can access the service via firewall or TCP wrappers.

--
Contributors: Anton Chuvakin <http://www.chuvakin.org>

-- 
Additional References:

http://www.whitehats.com/info/IDS378
http://www.whitehats.com/info/IDS131
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0197
http://cgi.nessus.org/plugins/dump.php3?id=10069%20(Finger%20zero%20at%20host
http://www.iss.net/security_center/advice/Intrusions/2001105/default.htm
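
An added example, not part of the original post and not Snort project code: a Python emulation of the rule's payload test (content:"0" with no position modifiers), run over constructed finger requests and compared with a hypothetical stricter check that the queried username is exactly "0". The request parsing (optional /W switch, username, optional @host) is an assumption about the one-line finger request format; the rule's port and flow conditions are not modelled.

```python
# Added example: emulates only the payload test of SID 332, not Snort itself.
RULE_CONTENT = b"0"  # content:"0" from the rule; no offset/depth modifiers


def sid332_payload_match(payload: bytes) -> bool:
    # A content option without position modifiers matches anywhere in the payload.
    return RULE_CONTENT in payload


def finger_username(payload: bytes) -> str:
    # Assumed parsing of a one-line finger request: optional "/W" verbose
    # switch, then the username, optionally followed by "@host" (forwarding).
    line = payload.split(b"\n", 1)[0].strip().decode("ascii", "replace")
    tokens = line.split()
    if tokens and tokens[0].upper() == "/W":
        tokens = tokens[1:]
    if not tokens:
        return ""
    return tokens[0].split("@", 1)[0]


def strict_zero_query(payload: bytes) -> bool:
    # Hypothetical tighter test (not in the rule): username is exactly "0".
    return finger_username(payload) == "0"


# Constructed sample requests, as a client would send them to TCP port 79.
SAMPLES = [
    b"0\r\n",               # the query the signature describes
    b"/W 0\r\n",            # same query with the verbose switch
    b"root\r\n",            # ordinary lookup, no "0" byte
    b"\r\n",                # empty query (list users)
    b"user2003\r\n",        # username that merely contains "0"
    b"bob@10.0.0.5\r\n",    # forwarded query, "0" only in the host part
]


def compare(samples=SAMPLES):
    return [(p, sid332_payload_match(p), strict_zero_query(p)) for p in samples]


def rule_only_hits(samples=SAMPLES):
    # Requests the bare content match alerts on although the username is not "0".
    return [p for p, rule, strict in compare(samples) if rule and not strict]


if __name__ == "__main__":
    for p, rule, strict in compare():
        print(f"{p!r:28} rule={rule!s:5} exact-0={strict}")
```
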





