[Snort-sigs] SID 321

Jim Becher jim at ...632...
Thu Jan 16 06:40:05 EST 2003


I was messing around with this signature a little... I had access to an unpatched Solaris 2.6 box.  It would appear that any string with a space in the finger request would 
enumerate a partial list of users, not just "a b c d e f"@somehost.  I also found that a string like "234567" would enumerate a partial list of users as well.

Anyone else come up with a better signature than this?



-jim

01/16/2003 12:34:50 AM, Anton Chuvakin <anton at ...1177...> wrote:

># This is a template for submitting snort signature descriptions to
># the snort.org website
>#
># Ensure that your descriptions are your own
># and not the work of others.  References in the rules themselves
># should be used for linking to others' work.
>#
># If you are unsure of some part of a rule, use that as a commentary
># and someone else perhaps will be able to fix it.
>#
># $Id: snort-sid-template.txt,v 1.1 2002/10/09 13:06:31 cazz Exp $
>#
>#
>
>Rule:
>
>alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER account
>enumeration attempt"; flow:to_server,established; content:"a b c d e
>f"; nocase; reference:nessus,10788; classtype:attempted-recon;
>sid:321; rev:5;)
>
>--
>Sid: 321
>
>-- 
>Summary: An information leak exploit against the old Solaris finger daemon
>
>-- 
>
>Impact: attacker will obtain the list of some accounts existing on the victim system
>
>--
>Detailed Information:
>
>The signature is triggered when an attempt is made to exploit a bug in
>the old Solaris "fingerd" daemon. The bug allows the attacker to
>obtain the list of accounts existing on the Sun system by issuing a
>specially crafted finger request. Knowing the list of accounts might
>facilitate password guessing attacks, email attacks or other abuse.
>
>--
>
>Attack Scenarios: an attacker learns that the "guest" account has never
>been used. He then guesses the password for this account and logs
>in to the system remotely over telnet.
>
>-- 
>
>Ease of Attack: very easy, no exploit software required
>
>-- 
>
>False Positives: not known
>
>--
>False Negatives: not known
>
>-- 
>
>Corrective Action: look for other IDS alerts involving the same IP
>addresses, look for suspicious logins to the affected system, disable
>fingerd daemon or apply a vendor patch that removes the vulnerability
>
>--
>Contributors: Anton Chuvakin <http://www.chuvakin.org>
>
>-- 
>Additional References:
>
>nessus,10788  http://cgi.nessus.org/plugins/dump.php3?id=10788
>securiteam http://www.securiteam.com/unixfocus/6B00M0U2UW.html
>
>
>

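The matcher below is an added example, not code from the original post, from Anton's submission or from the Snort project. It models only the `content:"a b c d e f"; nocase;` test of SID 321 (the port, `flow:to_server,established` and the rest of the rule header are ignored) and sets it beside two broader heuristics drawn from Jim's report: a finger query that still contains a space once the optional `/W` switch and the trailing CRLF are removed, and a query that is nothing but a run of digits. The sample requests are constructed, the `/W` handling follows RFC 1288 framing, and the six-digit threshold for the digit heuristic is an assumption of this example, not something the thread establishes. Whether a space-containing query is suspicious on a given network is a local question: some finger clients send several space-separated usernames in one request, so the broader heuristic trades Jim's false negatives for possible false positives that the original rule does not have.

```python
"""Added example: compare the SID 321 content match against broader
heuristics for Solaris fingerd account enumeration.  Not from the
original post or the Snort project; sample requests are constructed."""

# A finger request on TCP/79 is: optional "/W" switch, optional space,
# query, CRLF (RFC 1288).  All samples below are constructed.
SAMPLE_REQUESTS = [
    b"a b c d e f\r\n",   # the probe string the quoted rule looks for
    b"A B C D E F\r\n",   # case variant; nocase must still match
    b"a b c\r\n",         # shorter space-containing query (Jim's observation)
    b"234567\r\n",        # the all-digit string Jim mentions
    b"root\r\n",          # ordinary single-user query
    b"/W root\r\n",       # verbose single-user query; the /W space is legitimate
    b"\r\n",              # empty query ("list logged-in users"), legitimate
]


def sid321_content_match(payload: bytes) -> bool:
    """Mimic content:"a b c d e f"; nocase; as a case-insensitive substring."""
    return b"a b c d e f" in payload.lower()


def strip_finger_framing(payload: bytes) -> bytes:
    """Return just the query: drop the optional /W switch and trailing CRLF."""
    query = payload.rstrip(b"\r\n")
    if query[:2].upper() == b"/W":
        query = query[2:].lstrip(b" ")
    return query


def space_in_query(payload: bytes) -> bool:
    """Jim's first observation generalised: any space left inside the query."""
    return b" " in strip_finger_framing(payload)


def all_digits_query(payload: bytes, min_len: int = 6) -> bool:
    """Jim's second observation: a run of digits standing in for a username.
    min_len is an assumed threshold chosen for this example."""
    query = strip_finger_framing(payload)
    return len(query) >= min_len and query.isdigit()


def classify(payload: bytes) -> dict:
    """Apply all three tests to one request so the gaps are visible side by side."""
    return {
        "sid321": sid321_content_match(payload),
        "space": space_in_query(payload),
        "digits": all_digits_query(payload),
    }


if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(request, classify(request))
```

Run it and the two requests Jim describes (`a b c`, `234567`) show `sid321: False` while the broader tests flag them; the `/W root` and empty-query rows show where a naive "any space in the payload" rule, as opposed to a space inside the parsed query, would start alerting on legitimate traffic.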