[Snort-sigs] SID 322

Anton Chuvakin anton at ...1177...
Fri Jan 24 15:38:02 EST 2003

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id: snort-sid-template.txt,v 1.1 2002/10/09 13:06:31 cazz Exp $


alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER search query"; flow:to_server,established; content:"search"; reference:cve,CVE-1999-0259; reference:arachnids,375; classtype:attempted-recon; sid:322; rev:7;)

Sid: 322

Summary: An information leak exploit against the finger daemon


Impact: the attacker will obtain a list of some accounts existing on the
victim system

Detailed Information:

The signature is triggered when an attempt is made to use the search
feature in the "cfingerd" version of the finger daemon. The search feature
allows the attacker to obtain the list of accounts existing on the
target system by issuing a specially crafted finger request to
"search" for information. Knowing the list of accounts might
facilitate password guessing attacks, email attacks or other abuse.


Attack Scenarios: an attacker learns that a "guest" account exists and
has never been used. He then guesses the password for this
account and logs in to the system remotely using telnet.


Ease of Attack: very easy, no exploit software required


False Positives: not known

False Negatives: not known


Corrective Action: look for other IDS alerts involving the same IP
addresses, look for suspicious logins to the affected system, disable
fingerd daemon or apply a vendor patch that removes the vulnerability

Contributors: Anton Chuvakin <http://www.chuvakin.org>

Additional References:


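Added example (not part of the original post and not Snort's own code): a small Python model of how the destination port, flow and content options of the rule above are evaluated, run over constructed finger payloads. The Segment type, parse_rule, matches and the sample payloads are assumptions made for illustration.

```python
import re
from collections import namedtuple

# Rule text from the post above, joined onto one line.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER search query"; '
        'flow:to_server,established; content:"search"; '
        'reference:cve,CVE-1999-0259; reference:arachnids,375; '
        'classtype:attempted-recon; sid:322; rev:7;)')

# Hypothetical stand-in for one reassembled TCP payload seen by the sensor.
Segment = namedtuple("Segment", "dport to_server established payload")

def parse_rule(rule):
    """Split a rule into its destination port and a dict of option lists."""
    header, body = rule.split("(", 1)
    fields = header.split()  # action proto src sport -> dst dport
    opts = {}
    # Options are 'key:value;' or 'key;'; a value may be double-quoted.
    for key, val in re.findall(r'(\w+)(?::("[^"]*"|[^;]*))?;', body):
        opts.setdefault(key, []).append(val.strip('"'))
    return {"dport": int(fields[6]), "opts": opts}

def matches(rule, seg):
    """Apply the header port, flow and content options to one segment."""
    flow = set(",".join(rule["opts"].get("flow", [])).split(","))
    if seg.dport != rule["dport"]:
        return False
    if ("to_server" in flow and not seg.to_server) or \
       ("established" in flow and not seg.established):
        return False
    # No nocase/offset/depth here: a case-sensitive match anywhere in the payload.
    return all(c.encode() in seg.payload
               for c in rule["opts"].get("content", []))

# Constructed payloads; they are not the cfingerd query syntax.
SAMPLES = {
    "keyword": Segment(79, True, True, b"search alice\r\n"),
    "substring": Segment(79, True, True, b"research\r\n"),
    "plain_user": Segment(79, True, True, b"alice\r\n"),
    "no_handshake": Segment(79, True, False, b"search alice\r\n"),
    "other_port": Segment(80, True, True, b"GET /search HTTP/1.0\r\n"),
}

def evaluate():
    """Return {sample name: True if sid 322 would fire}."""
    rule = parse_rule(RULE)
    return {name: matches(rule, seg) for name, seg in SAMPLES.items()}

if __name__ == "__main__":
    print(evaluate())
```

In this model the "substring" sample fires as well, because the content option matches the bytes "search" wherever they occur in a request to port 79; that is worth keeping in mind when triaging alerts from this sid.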