[Snort-sigs] SID 321

Anton Chuvakin anton at ...1177...
Wed Jan 15 22:36:02 EST 2003


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id: snort-sid-template.txt,v 1.1 2002/10/09 13:06:31 cazz Exp $
#
#

Rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER account
enumeration attempt"; flow:to_server,established; content:"a b c d e
f"; nocase; reference:nessus,10788; classtype:attempted-recon;
sid:321; rev:5;)

--
Sid: 321

-- 
Summary: An information leak exploit against the old Solaris finger daemon

-- 

Impact: attacker will obtain the list of some accounts existing on the victim system

--
Detailed Information:

The signature is triggered when an attempt to exploit a bug in the old
Solaris "fingerd" daemon is made. The bug allows the attacker to
obtain the list of accounts existing on the Sun system by issuing a
specially crafted finger request. Knowing the list of accounts might
facilitate password guessing attacks, email attacks or other abuse.
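As an added illustration (not part of the original post or of Snort itself), the following evaluator parses the SID 321 rule text above and applies its content/nocase and flow checks to a few constructed finger requests. The packet-record layout is an assumption for the example; real Snort matches on reassembled TCP streams.

```python
# Added example: minimal evaluator for the SID 321 rule as posted. Packet
# records are a simplified assumption, not a real capture format.

RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER account '
        'enumeration attempt"; flow:to_server,established; content:"a b c d e f"; '
        'nocase; reference:nessus,10788; classtype:attempted-recon; sid:321; rev:5;)')


def parse_rule(rule):
    """Split a one-line Snort rule into header fields and an option dict."""
    header, _, body = rule.partition("(")
    action, proto, src, sport, _, dst, dport = header.split()
    opts = {}
    for opt in body.rstrip(")").split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, val = opt.partition(":")
        opts[key] = val.strip('"') if val else True   # flag options such as nocase become True
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "opts": opts}


def matches(rule, pkt):
    """True if the constructed packet record satisfies the rule's header, flow and content checks."""
    if pkt["proto"] != rule["proto"] or str(pkt["dport"]) != rule["dport"]:
        return False
    flow = rule["opts"].get("flow", "")
    if "established" in flow and not pkt.get("established"):
        return False
    if "to_server" in flow and pkt.get("direction") != "to_server":
        return False
    needle, hay = rule["opts"]["content"], pkt["payload"]
    if rule["opts"].get("nocase"):          # case-insensitive content match
        needle, hay = needle.lower(), hay.lower()
    return needle in hay


# Constructed finger requests for the demo (not captured traffic).
SAMPLES = [
    {"proto": "tcp", "dport": 79, "direction": "to_server", "established": True, "payload": "a b c d e f\r\n"},
    {"proto": "tcp", "dport": 79, "direction": "to_server", "established": True, "payload": "A B C D E F\r\n"},
    {"proto": "tcp", "dport": 79, "direction": "to_server", "established": True, "payload": "root\r\n"},
    {"proto": "tcp", "dport": 80, "direction": "to_server", "established": True, "payload": "a b c d e f\r\n"},
]


def alerts(rule=RULE, samples=SAMPLES):
    """Return (msg, payload) pairs for the samples that fire the rule."""
    parsed = parse_rule(rule)
    return [(parsed["opts"]["msg"], s["payload"]) for s in samples if matches(parsed, s)]
```

Only the two port-79 requests carrying the enumeration string (in either case) fire; the normal lookup and the same string on another port do not.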

--

Attack Scenarios: an attacker learns that the "guest" account has never
been used. He then guesses the password for this account and logs
in to the system remotely over telnet.

-- 

Ease of Attack: very easy, no exploit software required

-- 

False Positives: not known

--
False Negatives: not known

-- 

Corrective Action: look for other IDS alerts involving the same IP
addresses, look for suspicious logins to the affected system, disable
fingerd daemon or apply a vendor patch that removes the vulnerability

--
Contributors: Anton Chuvakin <http://www.chuvakin.org>

-- 
Additional References:

nessus,10788  http://cgi.nessus.org/plugins/dump.php3?id=10788
securiteam http://www.securiteam.com/unixfocus/6B00M0U2UW.html
