[Snort-sigs] SID 322
anton at ...1177...
Fri Jan 24 15:38:02 EST 2003
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id: snort-sid-template.txt,v 1.1 2002/10/09 13:06:31 cazz Exp $
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER search query"; flow:to_server,established; content:"search"; classtype:attempted-recon; sid:322; rev:7;)
Summary: An information leak exploit against the finger daemon
Impact: attacker will obtain the list of some accounts existing on the
The signature is triggered when an attempt is made to use the search
feature in the "cfingerd" version of the finger daemon. The search feature
allows the attacker to obtain the lists of accounts existing on the
target system by issuing a specially crafted finger request to
"search" for information. Knowing the list of accounts might
facilitate password guessing attacks, email attacks or other abuse.
Attack Scenarios: an attacker learns that a "guest" account exists and
has never been used. He then guesses the password for this
account and logs in to the system remotely using telnet.
Ease of Attack: very easy, no exploit software required
False Positives: not known
False Negatives: not known
Corrective Action: look for other IDS alerts involving the same IP
addresses, look for suspicious logins to the affected system, disable
fingerd daemon or apply a vendor patch that removes the vulnerability
Contributors: Anton Chuvakin <http://www.chuvakin.org>
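
The sketch below is an added example, not part of the original post and not Snort code. It emulates the three conditions of the rule above (destination port 79, flow:to_server,established, and the case-sensitive substring match of content:"search") over constructed payloads, to show what the rule alerts on. The Segment type, the function names and the sample payloads are assumptions made for illustration.

```python
from dataclasses import dataclass

FINGER_PORT = 79
CONTENT = b"search"  # content:"search"; the rule sets no offset or depth


@dataclass
class Segment:
    """Hypothetical, simplified view of one reassembled TCP segment."""
    dst_port: int
    to_server: bool     # flow:to_server
    established: bool   # flow:established
    payload: bytes


def sid_322_matches(seg: Segment) -> bool:
    """True when the segment meets the header, flow and content tests of SID 322."""
    if seg.dst_port != FINGER_PORT:
        return False
    if not (seg.to_server and seg.established):
        return False
    # A Snort content option is a byte-substring search anywhere in the payload.
    return CONTENT in seg.payload


# Constructed sample traffic (not captured from a real system).
SAMPLES = {
    "search keyword to fingerd": Segment(79, True, True, b"search\r\n"),
    "ordinary user lookup": Segment(79, True, True, b"root\r\n"),
    "user name containing the string": Segment(79, True, True, b"research\r\n"),
    "same bytes, session not established": Segment(79, True, False, b"search\r\n"),
    "same bytes, server-to-client": Segment(51515, False, True, b"search\r\n"),
    "same bytes, other service": Segment(80, True, True, b"search\r\n"),
}


def evaluate(samples: dict) -> dict:
    """Map each sample name to whether the emulated rule would alert."""
    return {name: sid_322_matches(seg) for name, seg in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate(SAMPLES).items():
        print(f"{'ALERT' if hit else '-----'}  {name}")
```

The "research" sample alerts because the content option matches a substring, so a lookup of any user name containing "search" is a candidate false positive to check when triaging this SID.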