Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
GEN:SID | 1:361 |
Message | FTP SITE EXEC attempt |
Summary | This event is generated when a remote user executes the SITE EXEC command in a session with an internal FTP server. This may indicate an attempt to exploit a vulnerability in the SITE EXEC command in wu-ftpd version 2.4.1. |
Impact | Arbitrary code execution, leading to remote root compromise. The attacker must have a valid, non-anonymous FTP account on the server to attempt this exploit. |
Detailed Information | A misconfiguration in the pathnames.h configuration file in wu-ftpd 2.4.1 allows users to execute commands from /bin instead of ~username/bin. An attacker with a valid FTP account on the server can exploit this vulnerability to execute arbitrary shell code using the SITE EXEC command. |
Affected Systems | Servers running Washington University wu-ftpd version 2.4.1 or earlier. |
Attack Scenarios | An attacker logs into the system using a valid FTP account, and then executes arbitrary shell code to obtain root access to the server. |
Ease of Attack | Simple. |
Corrective Action | Upgrade to a later version of the wu-ftp daemon. |
Additional References | CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0080; CERT: http://www.cert.org/advisories/CA-1995-16.html |
Rule References | arachnids: 317, bugtraq: 2241, cve: 1999-0080, cve: 1999-0955 |
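
Added example (not the Snort rule for 1:361 and not Aanval code): a triage pass over an FTP control-channel session that finds SITE EXEC commands and raises their priority when the session is logged in with a non-anonymous account, the precondition given in the Impact field. The session data, account names, and the high/low priority labels are constructed assumptions.

```python
import re

# FTP verbs are case-insensitive; allow any run of whitespace between tokens.
SITE_EXEC = re.compile(rb"^\s*SITE\s+EXEC\b[ \t]*(.*)$", re.IGNORECASE)
USER_CMD = re.compile(rb"^\s*USER\s+(\S+)", re.IGNORECASE)
ANON_NAMES = {b"anonymous", b"ftp"}


def find_site_exec(session):
    """session: iterable of (direction, raw_line); 'C' = client, 'S' = server."""
    pending_user = None  # name from the most recent USER command
    logged_in = None     # set once the server answers 230 for that name
    alerts = []
    for lineno, (direction, raw) in enumerate(session, start=1):
        line = raw.rstrip(b"\r\n")
        if direction == "S":
            if line.startswith(b"230") and pending_user is not None:
                logged_in = pending_user
            continue
        m = USER_CMD.match(line)
        if m:
            pending_user, logged_in = m.group(1), None
            continue
        m = SITE_EXEC.match(line)
        if m:
            real = logged_in is not None and logged_in.lower() not in ANON_NAMES
            alerts.append({
                "line": lineno,
                "user": logged_in.decode("latin-1") if logged_in else None,
                "argument": m.group(1).decode("latin-1"),
                # Impact field: the exploit needs a valid non-anonymous account.
                "priority": "high" if real else "low",
            })
    return alerts


# Constructed sample session (not captured traffic).
SAMPLE = [
    ("C", b"USER anonymous\r\n"),
    ("C", b"PASS guest@example.test\r\n"),
    ("S", b"230 Guest login ok.\r\n"),
    ("C", b"site  exec ls\r\n"),
    ("C", b"USER alice\r\n"),
    ("C", b"PASS placeholder\r\n"),
    ("S", b"230 User alice logged in.\r\n"),
    ("C", b"SITE EXEC ls\r\n"),
    ("C", b"SITE CHMOD 644 notes.txt\r\n"),
]
```

Running `find_site_exec(SAMPLE)` returns two alerts; only the one from the authenticated non-anonymous session is marked high, and the unrelated SITE CHMOD command is ignored.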
--
DID:250131