GEN:SID | 1:361 |
Message | FTP SITE EXEC attempt |
Summary | This event is generated when a remote user executes the SITE EXEC command in a session with an internal FTP server. This may indicate an attempt to exploit a vulnerability in the SITE EXEC command in wu-ftpd version 2.4.1.
|
Impact | Arbitrary code execution, leading to remote root compromise. The attacker must have a valid, non-anonymous FTP account on the server to attempt this exploit.
|
Detailed Information | A misconfiguration in the pathnames.h configuration file in wu-ftpd 2.4.1 allows users to execute commands from /bin instead of ~username/bin. An attacker with a valid FTP account on the server can exploit this vulnerability to execute arbitrary shell code using the SITE EXEC command.
|
Affected Systems | Servers running Washington University wu-ftpd version 2.4.1 or earlier.
|
Attack Scenarios | An attacker logs into the system using a valid FTP account, and then executes arbitrary shell code to obtain root access to the server.
|
Ease of Attack | Simple.
|
Corrective Action | Upgrade to a later version of the wu-ftp daemon.
|
Additional References | CVE http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0080
CERT http://www.cert.org/advisories/CA-1995-16.html
|
Rule References | arachnids: 317
bugtraq: 2241
cve: 1999-0080
cve: 1999-0955
|
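The following triage helper is an added example, not the Snort rule itself and not part of the original rule documentation. It scans FTP control-channel lines for SITE EXEC and records whether the session had logged in with a non-anonymous account, the precondition stated under Impact. The record layout, the function name and the sample sessions are assumptions constructed for illustration.

```python
import re

# SITE EXEC in any case with any spacing; \b keeps "SITE EXECUTE" from matching.
SITE_EXEC = re.compile(r"^\s*SITE\s+EXEC\b(.*)$", re.IGNORECASE)
USER_CMD = re.compile(r"^\s*USER\s+(\S+)", re.IGNORECASE)
ANONYMOUS = {"anonymous", "ftp"}

def find_site_exec(records):
    """records: (session_id, direction, line) tuples, direction 'C' or 'S' (assumed layout)."""
    pending, logged_in, findings = {}, {}, []
    for sid, direction, line in records:
        line = line.rstrip("\r\n")
        if direction == "S":
            if line.startswith("230") and sid in pending:
                logged_in[sid] = pending.pop(sid)   # login confirmed by server
            elif line.startswith("530"):
                pending.pop(sid, None)              # login refused
            continue
        m = USER_CMD.match(line)
        if m:
            pending[sid] = m.group(1)
            logged_in.pop(sid, None)                # a new USER resets login state
            continue
        m = SITE_EXEC.match(line)
        if m:
            user = logged_in.get(sid)
            findings.append({
                "session": sid,
                "user": user,
                "non_anonymous": user is not None and user.lower() not in ANONYMOUS,
                "argument": m.group(1).strip(),
            })
    return findings

# Constructed sample sessions; "<argument>" is a placeholder, not a real command.
SAMPLE = [
    ("s1", "C", "USER alice\r\n"),
    ("s1", "C", "PASS ********\r\n"),
    ("s1", "S", "230 User alice logged in.\r\n"),
    ("s1", "C", "site   exec <argument>\r\n"),
    ("s2", "C", "USER anonymous\r\n"),
    ("s2", "C", "PASS guest@example.invalid\r\n"),
    ("s2", "S", "230 Guest login ok.\r\n"),
    ("s2", "C", "SITE EXEC <argument>\r\n"),
    ("s3", "C", "SITE EXECUTE\r\n"),
]
if __name__ == "__main__":
    print(*find_site_exec(SAMPLE), sep="\n")
```

Findings with `non_anonymous` set to true match the precondition in the Impact field and warrant review first; the server's wu-ftpd version decides whether the host is affected.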