[Snort-sigs] Sid 2343

Steven Alexander alexander.s at ...1565...
Fri Mar 12 14:59:09 EST 2004


Rule:  
FTP STOR overflow attempt 
--
Sid:
2343
--
Summary:
This attack is for a buffer overflow in the STOR command in wu-ftpd.

--
Impact:

Administrative privilege can be gained remotely or a denial of service
can occur.

--
Detailed Information:

A remote stack based buffer overflow vulnerability exists in the
SockPrintf() function.  This vulnerability only exists if  the server
had been configured using the "MAIL_ADMIN" option; this is not the
default behavior.  This signature only checks  to see if the argument to
the STOR command is over 100 characters.

--
Affected Systems:
Washington University wu-ftpd 2.6.2 and earlier.

--
Attack Scenarios:
 
A remote or local attacker can use this attack against a vulnerable FTP
daemon to gain root privileges.
--
Ease of Attack:
Moderate, The details of the vulnerability are known but an exploit is
not publicly available.

--
False Positives:

Possible, it is well within the ability of non-vulnerable FTP servers to
handle filenames in excess of 100 characters.

--
False Negatives:

None known.
--
Corrective Action:
Upgrade to a newer version of wu-ftpd.

--
Contributors:
Documentation - Steven Alexander<alexander.s at ...1565...>
-- 
Additional References:
http://www.securityfocus.com/bid/8668
http://www.slackware.org/security/viewer.php?l=slackware-security&y=2003
&m=slackware-security.365971








More information about the Snort-sigs mailing list