GEN:SID | 1:336 |
Message | FTP CWD ~root attempt |
Summary | This event is generated when an attempt is made to access root's home directory in an ftp session.
|
Impact | Serious. Information disclosure.
|
Detailed Information | An ftp command to change directories to root's home directory has been made. If root's home directory is world readable and is within the ftp root, the contents may be viewed or downloaded in an ftp session.
Under normal ftp usage (by non-root users), this should never occur.
|
Affected Systems | |
Attack Scenarios | Scenario A: 1. Remote attacker has gained root password/access, or is able to access root's home directory. 2. Attacker will be able to replace important system files at will, possibly gaining shell access as root.
Scenario B: 1. System administrator (root) connects to the system via unencrypted ftp. 2. An attacker, listening in on the TCP/IP traffic, gains root's password since it was transmitted in clear text. 3. The attacker can now log in as root.
Scenario C: 1. The ~root directory is world readable. 2. Sensitive files that may exist in this directory can now be accessed by anyone. |
Ease of Attack | Scenario A: depends on how the attacker gained root's password.
Scenario B: trivial for someone on the same network or on the route to the compromisable system.
Scenario C: easy. |
Corrective Action | - Disallow ftp login for root; consider using something more secure than ftp for root file transfers.
- Make sure root's home directory is NOT world readable.
- Root's password may have been discovered; take appropriate action. |
Additional References | CVE: CVE-1999-0082
RFC 959: File Transfer Protocol, http://www.ietf.org/rfc/rfc959.txt
|
Rule References | arachnids: 318
cve: 1999-0082
|
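
The first two items under Corrective Action can be checked on the host with a short script. This is an added example, not part of the original rule documentation: the function names are hypothetical, and it assumes the FTP daemon honours a deny list with one user name per line (commonly /etc/ftpusers) and that root's home directory is /root.

```shell
#!/bin/sh
# Added example. Assumptions: deny list at /etc/ftpusers (one user per line,
# '#' comments allowed) and root's home at /root. Both paths are parameters.

# others_can_read DIR: succeeds if the "other" read bit is set on DIR.
others_can_read() {
    # -L follows a symlinked home so the target's mode is inspected.
    perms=$(ls -ldL "$1" 2>/dev/null | cut -c1-10)
    [ -n "$perms" ] || return 2
    [ "$(printf '%s' "$perms" | cut -c8)" = "r" ]
}

# root_denied_ftp FILE: succeeds if FILE has an uncommented line that is exactly "root".
root_denied_ftp() {
    [ -r "$1" ] || return 1
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
        grep -qx 'root'
}

# audit_root_ftp HOME_DIR DENY_FILE: prints findings, returns the number of FAILs.
audit_root_ftp() {
    home=${1:-/root}; deny=${2:-/etc/ftpusers}; findings=0
    if [ ! -d "$home" ]; then
        echo "SKIP: $home does not exist"
    elif others_can_read "$home"; then
        echo "FAIL: $home is world readable (fix: chmod o-rwx $home)"
        findings=$((findings + 1))
    else
        echo "OK:   $home is not world readable"
    fi
    if root_denied_ftp "$deny"; then
        echo "OK:   root is listed in $deny"
    else
        echo "FAIL: root is not listed in $deny, ftp login as root may be allowed"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Run against the real system only when asked: sh audit.sh --run [HOME] [DENY_FILE]
if [ "${1:-}" = "--run" ]; then
    audit_root_ftp "${2:-/root}" "${3:-/etc/ftpusers}"
fi
```

Daemons that configure root login elsewhere (for example in their own configuration file) need that setting checked instead of the deny list.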