[Snort-sigs] Documentation sid 2337

Nigel Houghton nigel at ...435...
Fri Mar 12 14:53:07 EST 2004


This is our fault, but all the new rules that appeared on snort.org as being without
documentation actually do have documentation. We just neglected to put it there, sorry. Bit of
a mix-up in CVS.

On Fri, Mar 12, 2004 at 11:03:43AM -0800 or thereabouts, Steven Alexander wrote:
: From: "Steven Alexander" <alexander.s at ...1565...>
: To: snort-sigs at lists.sourceforge.net
: Subject: [Snort-sigs] Documentation sid 2337
: Date: Fri, 12 Mar 2004 11:03:43 -0800
: 
: Rule:  
: TFTP PUT filename overflow attempt 
: --
: Sid:
: 2337
: --
: Summary:
: This attack is a buffer overflow using the PUT command in the atftpd and
: TftpdNT daemons.
: 
: --
: Impact:
: 
: root privilege can be gained remotely.
: 
: --
: Detailed Information:
: 
: The PUT commands in these TFTP daemons are not able to correctly handle
: long filenames.  This rule checks to see that the filename is 100
: characters or less (including the terminating NULL).
: 
: --
: Affected Systems:
: 
: atftpd 0.6.0 and 06.1.1 running on Debian Linux 3.0.
: Tellurian TftpdNT 2.0 and earlier.
: 
: --
: Attack Scenarios:
:  
: A remote or local attacker can use this attack against a vulnerable TFTP
: daemon to gain root privileges.
: --
: Ease of Attack:
: 
: Easy; an exploit is publicly available for both ftp daemons.
: 
: --
: False Positives:
: 
: Possible, it is well within the ability of non-vulnerable TFTP servers
: to handle filenames in excess of 100 characters.
: 
: --
: False Negatives:
: 
: None known.
: --
: Corrective Action:
: 
: Upgrade atftpd or TftpdNT.  Block access to TFTP from outside your local
: network and/or trusted workstations.
: 
: --
: Contributors:
: Documentation - Steven Alexander <alexander.s at ...1565...>
: -- 
: Additional References:
: http://www.securityfocus.com/bid/7819
: http://www.securityfocus.com/bid/8505
: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0380
: 
-------------------------------------------------------------
Nigel Houghton       Security Engineer        Sourcefire Inc.

"I have read of a place where humans do battle in a ring of Jell-O."
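
The length check described under "Detailed Information" in the quoted documentation, written out as a small Python function. This is an added example, not part of the original messages and not the Snort rule itself; the function names and sample packets are constructed, and the request layout assumed is the RFC 1350 one (2-byte opcode, NUL-terminated filename, NUL-terminated mode).

```python
import struct

OP_RRQ, OP_WRQ = 1, 2      # RFC 1350 opcodes: read request, write request (PUT)
MAX_FILENAME = 100         # bytes incl. terminating NUL, per the documentation above


def build_request(opcode, filename, mode=b"octet"):
    """Constructed test input: opcode | filename | NUL | mode | NUL."""
    return struct.pack("!H", opcode) + filename + b"\x00" + mode + b"\x00"


def check_put(payload):
    """Classify one UDP payload addressed to a TFTP server (port 69)."""
    if len(payload) < 2:
        return "ignore", 0
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode != OP_WRQ:
        return "ignore", 0
    body = payload[2:]
    nul = body.find(b"\x00")
    if nul == -1:
        # No terminator at all: the field runs to the end of the datagram.
        verdict = "alert" if len(body) >= MAX_FILENAME else "malformed"
        return verdict, len(body)
    field_len = nul + 1  # filename plus its NUL
    return ("alert" if field_len > MAX_FILENAME else "ok"), field_len


if __name__ == "__main__":
    # All sample packets below are constructed for this example.
    samples = {
        "normal PUT": build_request(OP_WRQ, b"config.bin"),
        "99-char name (100 with NUL)": build_request(OP_WRQ, b"A" * 99),
        "100-char name (101 with NUL)": build_request(OP_WRQ, b"A" * 100),
        "long but legitimate name": build_request(OP_WRQ, b"backups/" + b"r" * 120 + b".tar"),
        "long name in a GET": build_request(OP_RRQ, b"A" * 300),
        "unterminated 300 bytes": struct.pack("!H", OP_WRQ) + b"A" * 300,
    }
    for label, pkt in samples.items():
        print(f"{label:32} -> {check_put(pkt)}")
```

The "long but legitimate name" sample alerts as well, which is the false-positive case the documentation describes: a length threshold cannot tell a long filename sent to a non-vulnerable server from an overflow attempt.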