Rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP DELE overflow attempt";flow:to_server,established; content:"DELE "; nocase; content:!"|0a|"; within:100; reference:cve,CAN-2001-0826; classtype:attempted-admin; sid:1975; rev:1;)

--
Sid:
1975

--
Summary:
CaesarFTPD FTP Command Buffer Overflow Vulnerability

By sending a long string of characters as the argument to any of several FTP commands, an attacker can cause a stack overflow.

--
Impact:
Properly exploited, this could grant the attacker 'SYSTEM' privilege (under NT/2000) or the ability to execute arbitrary code.

--
Detailed Information:
This exploit affects the following systems that are using the server.

- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Workstation
- Microsoft Windows 2000 Workstation rev.2031
- Microsoft Windows 2000 Workstation rev.2072
- Microsoft Windows 2000 Workstation rev.2195
- Microsoft Windows 95
- Microsoft Windows 95 Build 490.R6
- Microsoft Windows 95 j
- Microsoft Windows 98
- Microsoft Windows 98 a
- Microsoft Windows 98 b
- Microsoft Windows 98 j
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT 3.5
- Microsoft Windows NT 3.5.1
- Microsoft Windows NT 3.5.1 SP1
- Microsoft Windows NT 3.5.1 SP2
- Microsoft Windows NT 3.5.1 SP3
- Microsoft Windows NT 3.5.1 SP4
- Microsoft Windows NT 3.5.1 SP5
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP6a

--
Attack Scenarios:

--
Ease of Attack:

--
False Positives:
None Known

--
False Negatives:
None Known

--
Corrective Action:

--
Contributors:
Sourcefire Research Team
Brian Caswell
Nigel Houghton

--
Additional References:
Message: cesarFTP v0.98b 'HELP' buffer overflow
Message: CesarFTPd, Cerberus FTPd
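
The two content checks in the rule above, modelled in Python as an added example (not part of the original rule documentation, and not Snort's own code). The function name, the sample payloads and the handling of a window cut short by the end of the payload are assumptions; flow tracking and stream reassembly are not modelled.

```python
# Added example: simplified model of the payload logic in sid 1975.
# Only the content matches are modelled; the header and flow options
# ($EXTERNAL_NET -> $HOME_NET 21, to_server, established) are not.

KEYWORD = b"dele "   # content:"DELE "; nocase;
WINDOW = 100         # within:100;


def dele_overflow_match(payload: bytes, window: int = WINDOW) -> bool:
    """True if some 'DELE ' is followed by `window` bytes containing no 0x0a."""
    lowered = payload.lower()                  # nocase comparison
    start = lowered.find(KEYWORD)
    while start != -1:
        after = start + len(KEYWORD)
        # content:!"|0a|"; within:100; is relative to the end of the
        # previous match. Assumption: a window truncated by the end of
        # the payload is searched as far as it goes.
        if b"\n" not in payload[after:after + window]:
            return True
        # Try the next occurrence of the keyword before giving up.
        start = lowered.find(KEYWORD, start + 1)
    return False


# Constructed client-to-server FTP control payloads (not captured traffic).
SAMPLES = {
    "normal": b"DELE report.txt\r\n",
    "long_arg": b"DELE " + b"A" * 300 + b"\r\n",
    "lowercase_long": b"dele " + b"B" * 150 + b"\r\n",
    "newline_at_100": b"DELE " + b"C" * 99 + b"\n",
    "newline_at_101": b"DELE " + b"C" * 100 + b"\n",
    "split_segment": b"DELE report",   # line terminator arrives later
}


def classify(samples=SAMPLES):
    """Map each sample name to whether the modelled rule would alert."""
    return {name: dele_overflow_match(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, hit in classify().items():
        print(f"{name:16} {'ALERT' if hit else 'pass'}")
```

Under this model the `split_segment` sample alerts even though the argument is short, which is the case to examine first when tuning the rule against benign traffic.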