GEN:SID | 1:2546 |
Message | FTP MDTM overflow attempt |
Summary | This event is generated when an attempt is made to exploit a known vulnerability in the Serv-U FTP server, namely the MDTM buffer overflow.
|
Impact | Serious. Denial of service is possible; when combined with shellcode, arbitrary code can be remotely executed with SYSTEM privileges.
|
Detailed Information | The vulnerability in question is a buffer overflow present in the handling of the MDTM command in the RhinoSoft Serv-U FTP server for Windows.
The rule searches for an MDTM command which is not terminated within 100 characters; no valid command would be longer than this.
|
Affected Systems | All versions of RhinoSoft Serv-U FTP 4.2 and earlier.
|
Attack Scenarios | Several scripts exist to exploit this flaw, and shellcode is publicly available. An attacker could either use one of these scripts, craft their own, or simply manually enter an MDTM command which triggers the overflow after having logged into a vulnerable server.
|
Ease of Attack | Simple. Exploit code exists.
|
Corrective Action | Upgrade to the latest non-affected version of the software.
|
Additional References | |
Rule References | bugtraq: 9751
cve: 2001-1021
cve: 2004-0330
nessus: 12080
|