[Snort-sigs] SID 321

Anton Chuvakin anton at ...1177...
Wed Jan 15 22:36:02 EST 2003

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id: snort-sid-template.txt,v 1.1 2002/10/09 13:06:31 cazz Exp $


alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER account enumeration attempt"; flow:to_server,established; content:"a b c d e f"; nocase; reference:nessus,10788; classtype:attempted-recon; sid:321; rev:5;)

Sid: 321

Summary: An information leak exploit against the old Solaris finger daemon


Impact: attacker will obtain the list of some accounts existing on the victim system

Detailed Information:

The signature is triggered when an attempt is made to exploit a bug in
the old Solaris "fingerd" daemon. The bug allows the attacker to
obtain the list of accounts existing on the Sun system by issuing a
specially crafted finger request. Knowing the list of accounts might
facilitate password-guessing attacks, email attacks or other abuse.


Attack Scenarios: an attacker learns that the "guest" account has never
been used. He then guesses the password for this account and logs
in to the system remotely over telnet.


Ease of Attack: very easy, no exploit software required


False Positives: not known

False Negatives: not known


Corrective Action: look for other IDS alerts involving the same IP
addresses, look for suspicious logins to the affected system, disable
the fingerd daemon or apply a vendor patch that removes the vulnerability

Contributors: Anton Chuvakin <http://www.chuvakin.org>

Additional References:

nessus,10788  http://cgi.nessus.org/plugins/dump.php3?id=10788
securiteam http://www.securiteam.com/unixfocus/6B00M0U2UW.html
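
The first corrective action above (finding other IDS alerts that involve the same IP addresses) can be scripted against Snort's "fast" alert output. This is an added example, not part of the original post or of the Snort project; the alert lines are constructed, the addresses come from documentation ranges, and SIDs 1000001 and 1000002 are placeholder local rules.

```python
import re

# Snort "fast" alert line: timestamp, [gid:sid:rev], message, {proto}, src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts (not real traffic; local SIDs are placeholders).
SAMPLE = """\
01/15-22:30:11.104233  [**] [1:321:5] FINGER account enumeration attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.44:40112 -> 198.51.100.7:79
01/15-22:31:02.550871  [**] [1:1000001:1] LOCAL telnet login failure [**] [Priority: 2] {TCP} 198.51.100.7:23 -> 192.0.2.44:40150
01/15-22:31:40.009114  [**] [1:1000002:1] LOCAL ping sweep [**] [Priority: 3] {ICMP} 203.0.113.9 -> 198.51.100.7
01/15-22:33:19.771002  [**] [1:1000001:1] LOCAL telnet login failure [**] [Priority: 2] {TCP} 198.51.100.8:23 -> 192.0.2.44:40188
"""

def parse_alerts(text):
    """Parse fast-format alert lines into dicts, skipping lines that do not match."""
    return [m.groupdict() for m in map(ALERT_RE.match, text.splitlines()) if m]

def is_sid(alert, sid):
    """True for alerts raised by the given rule (generator 1 = text rules)."""
    return alert["gid"] == "1" and alert["sid"] == sid

def correlate(alerts, sid="321"):
    """Map each source of a `sid` alert to every other alert involving that IP.

    Server responses (such as a failed login banner) flow back toward the
    client, so the IP is matched as either source or destination.
    """
    sources = {a["src"] for a in alerts if is_sid(a, sid)}
    related = {ip: [] for ip in sources}
    for a in alerts:
        if is_sid(a, sid):
            continue
        for ip in sources & {a["src"], a["dst"]}:
            related[ip].append(a)
    return related

def affected_hosts(alerts, sid="321"):
    """Hosts that received the finger request; check their login records next."""
    return sorted({a["dst"] for a in alerts if is_sid(a, sid)})

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE)
    print("review logins on:", affected_hosts(alerts))
    for ip, hits in correlate(alerts).items():
        for a in hits:
            print(ip, a["ts"], a["sid"], a["msg"], a["src"], "->", a["dst"])
```

In the sample, the two telnet login failures are tied to the finger source even though it appears only as their destination, and one of them involves a second host that never received the finger request.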
