[Snort-sigs] SID 327

Anton Chuvakin anton at ...1177...
Thu Jan 30 20:37:05 EST 2003


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id: snort-sid-template.txt,v 1.1 2002/10/09 13:06:31 cazz Exp $
#
#

Rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER remote command pipe execution attempt"; flow:to_server,established; content:"|7c|"; reference:cve,CVE-1999-0152; reference:bugtraq,2220; reference:arachnids,380; classtype:attempted-user; sid:327; rev:5;)

--
Sid: 327

-- 

Summary: A remote command execution attempt against a finger daemon, detected by the pipe character ("|") in the finger query

-- 

Impact: the attacker runs a command of their choice on the target UNIX
system, with the privileges of the user the finger daemon runs as

--
Detailed Information:

The signature triggers on a pipe character (byte 0x7c, written "|7c|" in
the rule) in an established client-to-server connection to TCP port 79,
from $EXTERNAL_NET to $HOME_NET. The finger daemon is used to provide
information about the UNIX system's users. It used to be installed and
enabled by default on most UNIX/Linux systems, but is more often disabled
nowadays. A vulnerable daemon hands the query string to a shell, so a pipe
in the query lets the attacker append a command of their choice, which then
runs on the target system with the privileges of the user fingerd runs as.
That user is usually set in the /etc/inetd.conf file; the user "nobody" is
commonly used for this purpose on UNIX systems.
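
The matching logic described above, as an added example that is not part of the original submission or of Snort's own code: a small Python emulation of SID 327 that parses the rule's content string (including Snort's |hex| byte notation) and applies the rule's address, port and flow constraints to a few constructed finger requests. The 10.0.0.0/24 $HOME_NET, the sample addresses and the sample queries are assumptions made up for the illustration.

```python
from dataclasses import dataclass

# Assumed for this illustration: $HOME_NET is the 10.0.0.0/24 prefix and
# $EXTERNAL_NET is everything that is not in $HOME_NET.
HOME_PREFIX = "10.0.0."


def parse_content(spec: str) -> bytes:
    """Parse a Snort content string into the bytes it matches.

    Text outside pipe characters is literal; text between pipes is a list of
    space-separated hex bytes, so "|7c|" is the single byte 0x7c ("|") and
    "abc|0d 0a|" is b"abc\\r\\n".
    """
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        if i % 2 == 0:
            out += chunk.encode("latin-1")      # literal text
        elif chunk.strip():
            out += bytes(int(h, 16) for h in chunk.split())  # hex bytes
    return bytes(out)


@dataclass
class Segment:
    """A TCP segment with the state Snort's flow keyword would consult."""
    src: str
    dst: str
    dport: int
    established: bool   # three-way handshake seen (flow:established)
    to_server: bool     # sent by the connection's client (flow:to_server)
    payload: bytes


SID327_CONTENT = parse_content("|7c|")


def sid327_matches(seg: Segment) -> bool:
    """Apply SID 327's header and options to one segment."""
    # alert tcp $EXTERNAL_NET any -> $HOME_NET 79
    if seg.src.startswith(HOME_PREFIX) or not seg.dst.startswith(HOME_PREFIX):
        return False
    if seg.dport != 79:
        return False
    # flow:to_server,established
    if not (seg.established and seg.to_server):
        return False
    # content:"|7c|"
    return SID327_CONTENT in seg.payload


# Constructed sample traffic for the illustration, not captured data.
SAMPLES = {
    "plain_query": Segment("192.0.2.10", "10.0.0.5", 79, True, True, b"root\r\n"),
    "attack_from_outside": Segment("192.0.2.10", "10.0.0.5", 79, True, True, b"|id\r\n"),
    "attack_from_inside": Segment("10.0.0.7", "10.0.0.5", 79, True, True, b"|id\r\n"),
    "pipe_on_other_port": Segment("192.0.2.10", "10.0.0.5", 80, True, True, b"GET /a|b\r\n"),
    "no_handshake": Segment("192.0.2.10", "10.0.0.5", 79, False, True, b"|id\r\n"),
    "benign_query_with_pipe": Segment("192.0.2.10", "10.0.0.5", 79, True, True, b"a|b\r\n"),
}


def evaluate() -> dict:
    """Run every sample through the rule; True means SID 327 would alert."""
    return {name: sid327_matches(seg) for name, seg in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{'ALERT' if hit else '  -  '} {name}")
```

The "attack_from_inside" and "benign_query_with_pipe" samples show the two edges of a single-byte content match: the same query from a $HOME_NET host is not reported, while any legitimate query that happens to contain a "|" is.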

--

Attack Scenarios: an attacker sends the crafted finger query and uses the
resulting command execution to download a backdoor to the target system. He
then connects to the system and exploits a local SUID application to gain
"root" privileges.

-- 

Ease of Attack: very simple; no exploit software is required, just a
specially formatted finger query containing a pipe character

-- 

False Positives: none known. The rule matches any 0x7c byte in a finger
request, so a legitimate query that happens to contain a "|" would also
trigger it; such queries are rare.

--
False Negatives: none known. The rule only inspects connections from
$EXTERNAL_NET, so the same attack launched from a host inside $HOME_NET is
not reported.

-- 

Corrective Action: disable the fingerd daemon, patch to a non-vulnerable
version, or limit the addresses that can access the service via a firewall
or TCP wrappers.

--
Contributors: Anton Chuvakin <http://www.chuvakin.org>

-- 
Additional References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0152
http://www.whitehats.com/info/IDS380
http://online.securityfocus.com/bid/2220




