[Snort-sigs] SID 362

Anton Chuvakin anton at ...1177...
Thu Jan 9 12:20:36 EST 2003


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id: snort-sid-362.txt,v 1.1 2003/01/09 19:00:12 anton Exp anton $
#
#

Rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP tar parameters";
flow:to_server,established; content:" --use-compress-program";
nocase; reference:bugtraq,2240; reference:arachnids,134;
reference:cve,CVE-1999-0202; classtype:bad-unknown; sid:362; rev:7;)

--
Sid: 362

-- 

Summary: An attempt to abuse an FTP server functionality and
configuration weaknesses.

-- 

Impact: attacker might gain an ability to execute commands remotely
from within the FTP session.

-- 

Detailed Information: The attack is an attempt to abuse the built-in
archive decompression functionality of the FTP server in order to
execute arbitrary commands on the system. Some FTP servers allow one
to compress/archive files on the fly while they are being uploaded or
downloaded. For example, one might be able to "tar" and download a
whole directory in one command simply by requesting
"directory_name.tar". Additionally, one might be able to specify the
command that the "tar" archiver will use for compression (normally
"gzip", "bzip2", etc.) and have the FTP server erroneously accept it. If
this command is a shell, an interactive session will be started. The
string " --use-compress-program" is an indicator that such a parameter
is being given to the "tar" utility. The attack requires an established
FTP session.
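To make the detection logic above concrete, here is a small added example (not part of the original post or of the Snort distribution) that models what SID 362 checks: client-to-server traffic on TCP/21 whose payload contains " --use-compress-program", matched case-insensitively because of "nocase". The sample FTP command lines and addresses are constructed for illustration; the flow:to_server,established condition is assumed to have been satisfied already, since that needs stream tracking the script does not do. A second helper pulls out the value handed to tar so an analyst can tell a legitimate compressor from a shell at triage time.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

SID = 362
MSG = "FTP tar parameters"
# Content string from the rule, including the leading space that anchors it to
# an argument boundary rather than to an arbitrary substring of a filename.
TOKEN = " --use-compress-program"

# Constructed sample records (not real captures): (src, dst, dst_port, payload).
# Every record is assumed to be one client->server line of an established session.
SAMPLE_COMMANDS: List[Tuple[str, str, int, str]] = [
    ("10.0.0.5", "192.0.2.10", 21, "RETR pub/docs.tar"),               # benign on-the-fly tar
    ("10.0.0.5", "192.0.2.10", 21, "RETR pub/docs.tar.gz"),            # benign on-the-fly tar+gzip
    ("10.0.0.7", "192.0.2.10", 21, "RETR pub/docs.tar --use-compress-program=/bin/sh"),
    ("10.0.0.8", "192.0.2.10", 21, "RETR pub/x.tar --USE-COMPRESS-PROGRAM=/bin/bash"),  # nocase
    ("10.0.0.9", "192.0.2.10", 22, "RETR pub/x.tar --use-compress-program=bzip2"),      # not port 21
]


@dataclass(frozen=True)
class Alert:
    sid: int
    msg: str
    src: str
    dst: str
    payload: str


def matches_sid_362(dst_port: int, payload: str) -> bool:
    """Model of the rule body: destination port 21 plus a case-insensitive
    content match. Direction and session state are assumed to be pre-filtered."""
    return dst_port == 21 and TOKEN.lower() in payload.lower()


def extract_compress_program(payload: str) -> Optional[str]:
    """Return the program name passed to tar via --use-compress-program, if any.
    Accepts both '=value' and ' value' forms; quotes around the value are ignored."""
    m = re.search(r"--use-compress-program[=\s]+([^\s\"']+)", payload, re.IGNORECASE)
    return m.group(1) if m else None


def scan(records: Sequence[Tuple[str, str, int, str]]) -> List[Alert]:
    """Run the rule model over a batch of records and collect alerts."""
    return [
        Alert(SID, MSG, src, dst, payload)
        for src, dst, port, payload in records
        if matches_sid_362(port, payload)
    ]


if __name__ == "__main__":
    for a in scan(SAMPLE_COMMANDS):
        prog = extract_compress_program(a.payload)
        print(f"[sid:{a.sid}] {a.msg} {a.src} -> {a.dst} compress-program={prog!r}")
```

Running the script on the constructed records flags only the two lines carrying the parameter on port 21; the plain ".tar" download, which is the legitimate use the False Positives section refers to, does not match, and the bzip2 line on port 22 is outside the rule's port scope.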

--

Attack Scenarios: an FTP-only user with no shell access can connect to
a server and execute a "/bin/bash" shell via this exploit. That will
give him interactive access to the system with his account
privileges.

-- 

Ease of Attack: The attack requires FTP access to the target
server. In the case of an anonymous FTP connection, the attack can only cause
the execution of software from within the chrooted anonymous FTP
home. In the case of a regular FTP user, any software on the
machine can be executed. No special exploit software is required.

-- 

False Positives: highly unlikely, but legitimate use of this
functionality might trigger a false alarm.

-- 

False Negatives:  not known

-- 

Corrective Action: upgrade the FTP server to a non-vulnerable version,
change to a different FTP server software, restrict the access to an
FTP server to only trusted users/IP addresses, disallow automatic file
archival, disable FTP server.

--
Contributors: Anton Chuvakin <http://www.chuvakin.org>

-- 
Additional References:

http://www.whitehats.com/info/IDS134
http://www.eurecom.fr/~dacier/semester_proj_2002/IDS_snort/UCL2001/erreur_de_config/regle.html
http://online.securityfocus.com/bid/2240
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0202
http://www.iss.net/security_center/static/619.php