[Snort-sigs] SID 321

Anton Chuvakin anton at ...1177...
Thu Jan 16 07:59:38 EST 2003


Jim and all,

>I was messing around with this signature a little... I had access to an
>unpatched Solaris 2.6 box.  It would appear that any string with a space
Hmm, looks like all the boxes round here are patched... I vaguely remember
trying this thing long time ago with different strings with similar
results.

>in the finger request would enumerate a partial list of users, not just
>"a b c d e f"@somehost.  I also found that a string like "234567" would
>enumerate a partial list of users as well.
Ooh! That works even on boxes where the 'a b c ' fails. He-he, a better
sig is definitely needed:

$ finger 234567 at ...1187...

Login       Name               TTY         Idle    When    Where
daemon          ???                         < .  .  .  . >
bin             ???                         < .  .  .  . >
sys             ???                         < .  .  .  . >
test            ???            pts/3        <Dec 20 11:14> 10.10.10.11

Best,
-- 
  Anton A. Chuvakin, Ph.D., GCIA
     http://www.chuvakin.org
   http://www.info-secure.org







More information about the Snort-sigs mailing list