[Snort-sigs] Sid 2343

Steven Alexander alexander.s at ...1565...
Fri Mar 12 14:59:09 EST 2004

FTP STOR overflow attempt 
This attack is for a buffer overflow in the STOR command in wu-ftpd.


Administrative privilege can be gained remotely or a denial of service
can occur.

Detailed Information:

A remote stack based buffer overflow vulnerability exists in the
SockPrintf() function.  This vulnerability only exists if  the server
had been configured using the "MAIL_ADMIN" option; this is not the
default behavior.  This signature only checks  to see if the argument to
the STOR command is over 100 characters.

Affected Systems:
Washington University wu-ftpd 2.6.2 and earlier.

Attack Scenarios:
A remote or local attacker can use this attack against a vulnerable FTP
daemon to gain root privileges.
Ease of Attack:
Moderate, The details of the vulnerability are known but an exploit is
not publicly available.

False Positives:

Possible, it is well within the ability of non-vulnerable FTP servers to
handle filenames in excess of 100 characters.

False Negatives:

None known.
Corrective Action:
Upgrade to a newer version of wu-ftpd.

Documentation - Steven Alexander<alexander.s at ...1565...>
Additional References:

More information about the Snort-sigs mailing list