[Snort-sigs] ProFTPD vulnerability signature development

Joe Stewart jstewart at ...5...
Wed Sep 24 12:19:18 EDT 2003

While trying to reproduce the recent ProFTPD vulnerability described by 
ISS ( http://xforce.iss.net/xforce/alerts/id/154 ) I have come to the 
conclusion that there is no way to write a concise Snort rule that 
would detect the condition of the vulnerability. The condition is that 
you have a large number of newlines (around 600 or more) in a single 
1024-byte aligned chunk of the file being downloaded in ASCII. It 
doesn't matter if the newlines are contiguous or if they have other 
content randomly interspersed. A simple way to logically detect this is 
to count the number of occurances of 0x0A in a packet, no matter how 
they are arranged. However, there doesn't seem to be a way to do this 
with Snort.  

It seems when you are dealing with parsers in software, there are often 
conditions you get into where a particular character causes buffer 
sizes to be miscalculated (think sendmail prescan vulns), and that 
these conditions are not easily detected by Snort because of the myriad 
of ways they can be formatted, even though it seems as if it would be 
easy to spot. Is there a solution to this problem utilizing existing 
Snort features?



Joe Stewart, GCIH 
Senior Security Researcher
LURHQ Corporation

More information about the Snort-sigs mailing list