[Snort-sigs] SID 325

Anton Chuvakin anton at ...1177...
Thu Jan 30 20:33:03 EST 2003


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id: snort-sid-template.txt,v 1.1 2002/10/09 13:06:31 cazz Exp $
#
#

Rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER probe 0 attempt"; \
    flow:to_server,established; content:"0"; reference:arachnids,378; \
    classtype:attempted-recon; sid:325; rev:3;)

--
Sid: 325

-- 

Summary: An intelligence gathering attack against the finger daemon

-- 

Impact: the attacker will obtain a list of some of the accounts existing on the
victim system

--
Detailed Information:

The signature is triggered when an attempt to use a finger command
against a UNIX host with a username of "0" is launched.  Such a finger query
against the vulnerable finger daemon allows the attacker to obtain a list
of some accounts existing on the target system with some details on each
account (such as the time and source of the last login). Knowing the list of
accounts might facilitate password guessing attacks, email attacks and
other abuse.
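The following is an added example, not part of the original post and not Snort's code: a small Python re-implementation of the conditions SID 325 checks, run against constructed finger queries. The $HOME_NET prefix 192.0.2. and the addresses are assumed test values. Because content:"0" is a plain substring match, the example also shows that any finger query whose username merely contains a "0" satisfies the rule, not only the bare "0" probe.

```python
# Added example (not from the original post): mirrors the matching logic of
# SID 325 on constructed finger requests. Snort's real engine is not involved.
from dataclasses import dataclass

FINGER_PORT = 79
HOME_NET_PREFIX = "192.0.2."  # assumed $HOME_NET (TEST-NET-1), constructed


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    to_server: bool      # flow:to_server   (client -> server direction)
    established: bool    # flow:established (TCP handshake completed)
    payload: bytes


def sid_325_matches(pkt: Packet) -> bool:
    """True when every condition of SID 325 holds for the packet.

    Header:  tcp $EXTERNAL_NET any -> $HOME_NET 79
    Options: flow:to_server,established; content:"0"
    $EXTERNAL_NET is taken as the complement of $HOME_NET.
    """
    if not pkt.dst_ip.startswith(HOME_NET_PREFIX):
        return False
    if pkt.src_ip.startswith(HOME_NET_PREFIX):   # internal source: not external
        return False
    if pkt.dst_port != FINGER_PORT:
        return False
    if not (pkt.to_server and pkt.established):
        return False
    return b"0" in pkt.payload                   # substring match, like content:


def finger_request(username: str, external: bool = True) -> Packet:
    """Constructed finger query line (RFC 1288 form '<user>\\r\\n')."""
    src = "198.51.100.7" if external else "192.0.2.9"   # constructed addresses
    return Packet(src, "192.0.2.10", FINGER_PORT, True, True,
                  username.encode() + b"\r\n")


def classify(usernames):
    """Map each constructed query username to whether SID 325 would fire."""
    return {u: sid_325_matches(finger_request(u)) for u in usernames}


if __name__ == "__main__":
    for user, hit in classify(["0", "", "root", "user0"]).items():
        print(f"{user!r:8} -> {'ALERT' if hit else 'no alert'}")
```

Running it shows "0" and "user0" both alert while "" and "root" do not, which is worth keeping in mind when judging false positives for this rule on a network with legitimate finger traffic.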

--

Attack Scenarios: an attacker learns that the "sys" account exists on the
system. He then proceeds to guess the password remotely and connects to
the system.

-- 

Ease of Attack: very easy, no exploit software required

-- 

False Positives: not known

--
False Negatives: not known

-- 

Corrective Action: disable the fingerd daemon or limit the addresses that
can access the service via a firewall or TCP wrappers.

--
Contributors: Anton Chuvakin <http://www.chuvakin.org>

-- 
Additional References:

http://www.whitehats.com/info/IDS378
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0197
http://cgi.nessus.org/plugins/dump.php3?id=10069%20(Finger%20zero%20at%20host
http://www.iss.net/security_center/advice/Intrusions/2001105/default.htm
