Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
GEN:SID | 1:1672 |
Message | FTP CWD ~ attempt |
Summary | This event is generated when an attempt is made to exploit a buffer overflow associated with certain versions of the Sun Solaris FTP server. |
Impact | Reconnaissance. An attacker may be able to examine records from the password shadow file. |
Detailed Information | This event is generated when an attempt is made to exploit a buffer overflow vulnerability associated with a globbing function in Sun Solaris FTP servers. An attacker may exploit this vulnerability by logging into the FTP server with a valid username and an invalid password then supplying the command "CWD ~". This may produce a core dump in the root directory with world-readable permissions that could be examined to discover valid FTP users for the server. |
Affected Systems | SPARC * Solaris 2.5 without patch 103577-13 * Solaris 2.5.1 without patch 103603-16 * Solaris 2.6 without patch 106301-03 * Solaris 2.7 without patch 110646-02 * Solaris 2.8 without patch 111606-01 Intel * Solaris 2.5 without patch 103578-13 * Solaris 2.5.1 without patch 103604-16 * Solaris 2.6 without patch 106302-03 * Solaris 2.7 without patch 110647-02 * Solaris 2.8 without patch 111607-01 |
Attack Scenarios | An attacker may attempt to exploit this vulnerability to learn valid FTP usernames to later attempt brute force guessing of passwords. |
Ease of Attack | Simple. |
Corrective Action | Upgrade to the latest non-affected version of the software or apply the appropriate patch. |
Additional References | Bugtraq: http://www.securityfocus.com/bid/2601 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0421 |
Rule References | bugtraq: 2601 bugtraq: 9215 cve: 2001-0421 |
--
DID:116469
--
http://www.aanval.com/