[Snort-sigs] SID 326

Anton Chuvakin anton at ...1177...
Thu Jan 30 20:35:02 EST 2003


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id: snort-sid-template.txt,v 1.1 2002/10/09 13:06:31 cazz Exp $
#
#

Rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER remote command \; execution attempt"; flow:to_server,established; content:"|3b|"; reference:cve,CVE-1999-0150; reference:bugtraq,974; reference:arachnids,379; classtype:attempted-user; sid:326; rev:5;)

--
Sid: 326

-- 

Summary: A remote command execution exploit against a finger daemon

-- 

Impact: the attacker runs a command of his choice on the target UNIX
system


--
Detailed Information:

The signature is triggered when a specific attack against a vulnerable
version of the finger daemon is detected. The finger daemon is used to provide
information about a UNIX system's users. It used to be installed and enabled
by default on most UNIX/Linux systems, but is more often disabled
nowadays. The attack allows running a command remotely on the target system
with the privileges of the "finger" user, i.e. the account the daemon runs
as. That user is usually defined in the /etc/inetd.conf file; the user
"nobody" is commonly used for this purpose on many UNIX systems.
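As an added illustration (not part of the original submission), the following re-implements the matching conditions of SID 326 in plain Python and runs them over a few constructed finger requests, so the reader can see exactly which conditions of the rule each packet has to satisfy. $HOME_NET is assumed to be 10.0.0.0/8 and $EXTERNAL_NET its complement; the to_server flag stands in for Snort's flow:to_server,established tracking.

```python
from dataclasses import dataclass

FINGER_PORT = 79
SEMICOLON = b"\x3b"   # the rule's content:"|3b|"


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    to_server: bool    # stands in for flow:to_server,established
    payload: bytes


def in_home_net(ip: str) -> bool:
    # Assumption for this example: $HOME_NET is 10.0.0.0/8
    return ip.startswith("10.")


def sid326_matches(pkt: Packet) -> bool:
    """True only when every condition of SID 326 holds for this packet."""
    if pkt.dst_port != FINGER_PORT:                 # -> $HOME_NET 79
        return False
    if in_home_net(pkt.src_ip) or not in_home_net(pkt.dst_ip):
        return False                                # $EXTERNAL_NET -> $HOME_NET
    if not pkt.to_server:                           # flow:to_server,established
        return False
    return SEMICOLON in pkt.payload                 # content:"|3b|"


# Constructed sample traffic (not captured data)
SAMPLES = [
    Packet("203.0.113.5", "10.0.0.7", 79, True,  b"alice\r\n"),          # ordinary query
    Packet("203.0.113.5", "10.0.0.7", 79, True,  b"alice;id\r\n"),       # ';' separator in request
    Packet("10.0.0.9",    "10.0.0.7", 79, True,  b"bob;id\r\n"),         # internal source, not $EXTERNAL_NET
    Packet("203.0.113.5", "10.0.0.7", 79, False, b"Login: alice;\r\n"),  # server reply, not to_server
]


def alerts(packets):
    """Return the payloads of the packets that would raise SID 326."""
    return [p.payload for p in packets if sid326_matches(p)]


if __name__ == "__main__":
    for payload in alerts(SAMPLES):
        print("FINGER remote command ; execution attempt:", payload)
```

Only the second sample alerts; the internal-source and server-reply packets contain a semicolon too, but fail the network and flow conditions, which is what keeps this byte-level rule usable.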

--

Attack Scenarios: an attacker runs the attack and executes a command to
download a backdoor to the target system. He then connects to the
system and exploits a local SUID application to gain "root" privileges.

-- 

Ease of Attack: simple, no exploit software required

-- 

False Positives: not known

--
False Negatives: not known

-- 

Corrective Action: disable the finger daemon, patch it to a non-vulnerable
version, or limit the addresses that can access the service via a firewall or
TCP wrappers.

--
Contributors: Anton Chuvakin <http://www.chuvakin.org>

-- 
Additional References:

http://www.whitehats.com/info/IDS379
http://online.securityfocus.com/bid/974
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0150
http://www.iss.net/security_center/advice/Intrusions/2001104/default.htm
