[Snort-sigs] Rules to detect recent Serv-u vulnerabilities

Javier Fernandez-Sanguino jfernandez at ...2106...
Fri May 7 01:16:05 EDT 2004


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to others' work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#

Rule:

# Note: there are several unrelated vulnerabilities in these rules; feel
# free to divide them into different sids.

# This rule covers
# http://securityfocus.com/bid/9675
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP serv-u CHMOD buffer overflow"; \
    flow:to_server,established; content:"SITE CHMOD"; nocase; content:!"|0a|"; within:50; \
    reference:bugtraq,9675; reference:nessus,12037; classtype:bad-unknown;)
# This rule explicitly states 0666 for the CHMOD since that's
# what the Nessus plugin uses; notice there are other exploits
# that use different CHMOD values (777, 666...) which would be covered
# by the previous rule
#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP serv-u CHMOD buffer overflow"; \
#    flow:to_server,established; content:"SITE CHMOD 0666"; nocase; content:!"|0a|"; within:50; \
#    reference:bugtraq,9675; reference:nessus,12037; classtype:bad-unknown;)

# This rule covers
# http://securityfocus.com/bid/10181
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP serv-u LIST buffer overflow"; \
    flow:to_server,established; content:"LIST -l"; nocase; content:!"|0a|"; within:50; \
    reference:bugtraq,10181; classtype:bad-unknown;)

# These are rules for
# http://securityfocus.com/bid/9483
# and
# http://securityfocus.com/bid/9751
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP serv-u MDTM Command Time argument buffer overflow"; \
    flow:to_server,established; content:"MDTM"; nocase; content:!"|0a|"; within:50; \
    reference:bugtraq,9751; reference:bugtraq,9483; classtype:bad-unknown;)
# This one only covers exploits related to
# http://securityfocus.com/bid/9751
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP serv-u MDTM Command Time argument buffer overflow exploit use"; \
    flow:to_server,established; content:"MDTM 20031111111111"; nocase; content:!"|0a|"; within:50; \
    reference:bugtraq,9751; classtype:bad-unknown;)

--
Sid:

--
Summary:

Buffer overflow attempt on the Serv-U server.

--
Impact:

If the system has a Serv-U server installed and it has not been
updated to a non-vulnerable version (at least 5.0.0.6), it might crash
or it might be used to remotely execute code on the server.

--
Detailed Information:

This rule detects an attempt to exploit a buffer overflow vulnerability
in Serv-U FTP servers that can lead to a remote system compromise or an
FTP server crash. Exploits are readily available (and have also been
included as part of mass-rooting software such as the Metasploit
Framework 2.0), providing remote attackers with the means to take full
control of the vulnerable system.

--
Affected Systems:

Serv-U FTP servers running on Microsoft Windows systems.

--
Attack Scenarios:

The remote attacker needs to authenticate with the FTP server in order
to send the attack code.

--
Ease of Attack:

Trivial (exploits are available and included in mass-rooting software).

--
False Positives:

FTP requests with long commands (LIST, MDTM or CHMOD with more than 50
characters in the directory being manipulated) might trigger these
signatures.

--
False Negatives:

If the remote server is not Serv-U (or if it is not vulnerable to these
attacks), the attack will probably not have succeeded.

Also, exploit code might try to send the payload of this attack even
if the user authentication did not work.

This alarm might also be triggered by remote operations on the FTP
server that use files or directories whose name is longer than 50
characters.
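As an added illustration (not part of this submission or of Snort itself), the following Python models the match chain used by the four active rules above (content keyword, nocase, then no LF within the next 50 bytes) and runs it over constructed FTP client commands, including the long-directory-name case described in the False Positives and False Negatives sections:

```python
"""Stand-alone model of the posted Serv-U rules' matching logic.

Each rule is the chain: content:"<KEYWORD>"; nocase; content:!"|0a|"; within:50;
i.e. alert when the keyword occurs and no LF (0x0a) follows it within 50 bytes.
This is a constructed illustration, not Snort's engine or the submitter's code.
"""

# (msg, keyword) pairs taken from the four active rules in the submission
RULES = [
    ("FTP serv-u CHMOD buffer overflow", b"SITE CHMOD"),
    ("FTP serv-u LIST buffer overflow", b"LIST -l"),
    ("FTP serv-u MDTM Command Time argument buffer overflow", b"MDTM"),
    ("FTP serv-u MDTM Command Time argument buffer overflow exploit use",
     b"MDTM 20031111111111"),
]
WITHIN = 50  # bytes, as in the rules' within:50 modifier


def rule_matches(payload: bytes, keyword: bytes, within: int = WITHIN) -> bool:
    """True if keyword occurs (case-insensitive, first occurrence, as Snort's
    content/nocase does) and no 0x0a byte appears in the next `within` bytes."""
    idx = payload.lower().find(keyword.lower())
    if idx < 0:
        return False
    start = idx + len(keyword)
    return b"\n" not in payload[start:start + within]


def scan_commands(commands: list[bytes]) -> list[tuple[str, bytes]]:
    """Run every rule over each client command; return (msg, command) alerts."""
    return [(msg, cmd) for cmd in commands for msg, kw in RULES
            if rule_matches(cmd, kw)]


# Constructed sample client commands, CRLF-terminated as on the wire.
# Over-long arguments are filler bytes, not payloads.
SAMPLE = [
    b"USER anonymous\r\n",
    b"LIST -l /pub\r\n",                            # LF within 50 bytes: no alert
    b"MDTM /pub/file.txt\r\n",                      # benign MDTM: no alert
    b"MDTM 20031111111111 " + b"A" * 60 + b"\r\n",  # fires both MDTM rules
    b"site chmod 0666 " + b"/" * 70 + b"\r\n",      # nocase: fires the CHMOD rule
    b"LIST -l /" + b"y" * 49 + b"\r\n",             # legit 50-char dir: false positive
]

if __name__ == "__main__":
    for msg, cmd in scan_commands(SAMPLE):
        print(f"{msg}: {cmd[:30]!r}...")
```

The last sample shows the documented false positive: a legitimate 50-character directory name pushes the terminating LF past the 50-byte window, so the LIST rule fires on benign traffic.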

--
Corrective Action:

If you are using Serv-U, please update your Serv-U FTP server to a
version that is not vulnerable to these attacks (Serv-U 5.0.0.6). Since
this attack might be triggered by remote mass-rooting robots, make
sure you review the attacked system in order to remove any installed
software; in some instances, the server might need to be reinstalled.

--
Contributors:

Javier Fernandez-Sanguino

--
Additional References:

Bugtraq:
http://securityfocus.com/bid/10181
http://securityfocus.com/bid/9751
http://securityfocus.com/bid/9675
http://securityfocus.com/bid/9483
