[Snort-sigs] SID 322

Anton Chuvakin anton at ...1177...
Fri Jan 24 15:38:02 EST 2003


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id: snort-sid-template.txt,v 1.1 2002/10/09 13:06:31 cazz Exp $
#
#

Rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER search query"; flow:to_server,established; content:"search"; reference:cve,CVE-1999-0259; reference:arachnids,375; classtype:attempted-recon; sid:322; rev:7;)

--
Sid: 322

-- 
Summary: An information leak exploit against the finger daemon

-- 

Impact: the attacker will obtain a list of some of the accounts existing
on the victim system

--
Detailed Information:

The signature is triggered when someone attempts to use the search
feature of the "cfingerd" version of the finger daemon. The search
feature allows the attacker to obtain lists of accounts existing on the
target system by issuing a specially crafted finger request to
"search" for information. Knowing the list of accounts might
facilitate password guessing attacks, email attacks or other abuse.

--

Attack Scenarios: an attacker learns that a "guest" account exists and
has never been used. He then guesses the password for this
account and logs in to the system remotely using telnet.

-- 

Ease of Attack: very easy, no exploit software required

-- 

False Positives: not known

--
False Negatives: not known

-- 

Corrective Action: look for other IDS alerts involving the same IP
addresses, look for suspicious logins to the affected system, disable
the fingerd daemon or apply a vendor patch that removes the vulnerability

--
Contributors: Anton Chuvakin <http://www.chuvakin.org>

-- 
Additional References:

http://www.whitehats.com/info/IDS375
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0259
http://www.iss.net/security_center/static/1811.php
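
The Corrective Action above suggests looking for other IDS alerts involving the same IP addresses. The following is an added example, not part of the original post: it parses Snort "fast" alert lines, takes the source address of every SID 322 alert, and lists the other alerts in which that address appears as source or destination. The sample log, the local SIDs 1000001-1000003 and all addresses are constructed for illustration.

```python
import re

# Constructed sample in Snort "fast" alert format (documentation address ranges).
SAMPLE_ALERTS = """\
01/24-15:30:11.120000  [**] [1:1000001:1] LOCAL constructed port sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:3401 -> 10.0.0.5:21
01/24-15:38:02.481000  [**] [1:322:7] FINGER search query [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:3456 -> 10.0.0.5:79
01/24-15:41:47.002000  [**] [1:1000002:1] LOCAL constructed telnet login failed [**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:23 -> 192.0.2.10:3460
01/24-15:50:00.000000  [**] [1:1000003:1] LOCAL constructed unrelated event [**] [Priority: 3] {TCP} 198.51.100.7:4000 -> 10.0.0.9:80
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

def parse_alerts(text):
    """Return one dict per well-formed fast-alert line; other lines are skipped."""
    return [m.groupdict() for line in text.splitlines() if (m := ALERT_RE.match(line))]

def finger_targets(alerts, sid="322"):
    """Hosts that received the finger search query: check these for suspicious logins."""
    return sorted({a["dst"] for a in alerts if a["sid"] == sid})

def correlate(alerts, sid="322"):
    """Map each source IP of a SID 322 alert to its other alerts.

    The IP is matched as source or destination, because server-side alerts
    (e.g. a failed-login response) carry the suspect address as destination.
    """
    suspects = {a["src"] for a in alerts if a["sid"] == sid}
    related = {ip: [] for ip in suspects}
    for a in alerts:
        if a["sid"] == sid:
            continue
        for ip in suspects & {a["src"], a["dst"]}:
            related[ip].append((a["ts"], a["sid"], a["msg"]))
    return related

if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    print("finger search targets:", finger_targets(parsed))
    for ip, hits in correlate(parsed).items():
        print(ip)
        for ts, sid, msg in hits:
            print(f"  {ts} sid={sid} {msg}")
```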




