[Snort-sigs] Sid 2340

Steven Alexander alexander.s at ...1565...
Fri Mar 12 14:50:09 EST 2004

FTP SITE CHMOD overflow attempt 
This attack is for a buffer overflow in the SITE CHMOD command in the
Serv-U FTP server.


Administrative privilege can be gained remotely or a denial of service
can occur.

Detailed Information:

The SITE CHMOD command is vulnerable to a buffer overflow when a
non-existent filename is specified.  This signature detects  to see if
the argument to the command exceeds 100 characters without a newline.

Affected Systems:
RhinoSoft Serv-U versions prior to version

Attack Scenarios:
A remote or local attacker can use this attack against a vulnerable FTP
daemon to gain root privileges or cause a denial of  service.
Ease of Attack:

Easy; multiple exploits are available to take advantage of this

False Positives:

Possible, it is well within the ability of non-vulnerable FTP servers to
handle filenames in excess of 100 characters.

False Negatives:

None known.
Corrective Action:

Upgrade Serv-U FTP to version 5.0 or greater.

Documentation - Steven Alexander<alexander.s at ...1565...>
Additional References:


More information about the Snort-sigs mailing list