[Snort-sigs] SID 334

Anton Chuvakin anton at ...1177...
Wed Jan 8 12:15:08 EST 2003

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id: snort-sid-template.txt,v 1.1 2002/10/09 13:06:31 cazz Exp $


alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP .forward";
content: ".forward"; flow:to_server,established;
reference:arachnids,319; classtype:suspicious-filename-detect;
sid:334; rev:4;)

Sid: 334


Summary: An attempt to copy a specific file to an FTP server.


Impact: attacker might gain an ability to execute commands remotely as
the affected user.

Detailed Information:

The attack is an attempt to copy a ".forward" to a server. A
".forward"file is used to configure email forwarding on UNIX
systems. Usually it contains the email addresses where the arriving
email is forwarded. However, ".forward" file can also be used to
forward email to programs (for example, "|IFS=' ' && exec
/usr/bin/procmail -f- || exit 75 anton") and thus cause program
execution triggered by arriving email messages. The functionality can
be used to activate a backdoor such as start a daemon on high port,
launch an xterm on the attacker's machine or initiate a reverse shell
session. Attack requires an established FTP session.


Attack Scenarios: an attacker uploads a ".forward" file with commands
to launch an "xterm" window on his machine into the user's home
directory. Then he sends an email to the user whose ".forward" file
was modified. That triggers the command in ".forward" and causes the
xterm terminal window to be open, providing shell access to a system with
the privileges of the above user.


Ease of Attack: The attack requires an access to any user's home
directory via FTP. That means that anonymous FTP access cannot be used
for such attack and a valid username and password is
required. Additionally, an ability to upload files via FTP is required
for a successful attack.


False Positives: if the string ".forward" is contained within the
filename that is being uploaded to a server or within other FTP client
response, the signature will trigger.


False Negatives: not known


Corrective Action: locate the uploaded ".forward" file and check it
for signs of suspicious commands. Look for other suspicious events
that might have occurred within the same FTP session

Contributors: Anton Chuvakin <http://www.chuvakin.org>

Additional References:


More information about the Snort-sigs mailing list