[Snort-sigs] SID 321
anton at ...1177...
Wed Jan 15 22:36:02 EST 2003
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id: snort-sid-template.txt,v 1.1 2002/10/09 13:06:31 cazz Exp $
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER account
enumeration attempt"; flow:to_server,established; content:"a b c d e
f"; nocase; reference:nessus,10788; classtype:attempted-recon;
Summary: An information leak exploit against the old Solaris finger daemon
Impact: attacker will obtain the list of some accounts existing on the victim system
The signature is triggerred when an attempt to exploit a bug in old
Solaris "fingerd" daemon is attempted. The bug allows the attacker to
obtain the lists of accounts existing on the Sun system by issuing a
specially crafted finger request. Knowing the list of accounts might
facilitate a pasword guessing attacks, email attacks or other abuse.
Attack Scenarios: an attacker learns that "guest" account has never
been used. He then guesses that the password for this account and logs
in to the system remotely over telnet.
Ease of Attack: very easy, no exploit software required
False Positives: not known
False Negatives: not known
Corrective Action: look for other IDS alerts involving the same IP
addresses, look for suspicious logins to the affected system, disable
fingerd daemon or apply a vendor patch that removes the vulnerability
Contributors: Anton Chuvakin <http://www.chuvakin.org>
More information about the Snort-sigs