Juniper NETWORK AND SECURITY MANAGER 2010.2 - ADMINISTRATION GUIDE REV1 Administration Manual page 908

Network and Security Manager Administration Guide
Table 122: Deep Inspection Alarm Log Entries (continued)
| Attack Name | Attack Description | Severity | Versions |
|---|---|---|---|
| FTP:WS-FTP:CPWD | This signature detects buffer overflow attempts against WS FTP Server. The code that handles arguments to the SITE CPWD command, which allows users to change their password, contains an unchecked string copy. Attackers may send a maliciously crafted argument in the SITE CPWD command to overflow the buffer and overwrite the return address. | medium | sos5.0.0, sos5.1.0 |
| FTP:WU-FTP:DELE-OF | This signature detects buffer overflow attempts against the DELE command in a WU-ftpd server. Wu-ftpd versions 2.4 and prior (Academ beta12-18 included) are vulnerable. This may be a variation on the ADM exploit; attackers may log in anonymously using a hardcoded e-mail address as the password. | high | sos5.0.0, sos5.1.0 |
| FTP:WU-FTP:FTPD-BSD-X86 | This signature detects attempts to exploit an input validation vulnerability in wuFTPd running on FreeBSD. FreeBSD versions 4.3 and 4.4 are vulnerable. Because user input goes directly into a format string for a *printf function, attackers may overwrite data on a stack (i.e. a return address), access the shellcode pointed to by the overwritten eip, and execute arbitrary commands. | high | sos5.0.0, sos5.1.0 |
| FTP:WU-FTP:GLOBARG | This signature detects attempts to exploit a vulnerability in Wu-ftpd, a software package that provides File Transfer Protocol (FTP) services for UNIX and Linux systems. Wu-ftpd versions 2.6.1 to 2.6.18 are vulnerable. Attackers may send a maliciously crafted pathname in a CWD or LIST command to the FTP server to execute arbitrary commands as root. | high | sos5.0.0, sos5.1.0 |
| FTP:WU-FTP:IREPLY-FS | This signature detects attempts to exploit a format string vulnerability in Wu-ftpd 2.4 running on Solaris 2.8. Attackers may inject malicious code into the Wu-ftp daemon memory space; later in the same session, the attacker may exploit a format string vulnerability in the Ireply() function to access that code and execute arbitrary commands as root. | critical | sos5.0.0, sos5.1.0 |
| FTP:WU-FTP:LINUX-OF | This signature detects attempts to exploit an input validation vulnerability in wuFTPd running on Linux. All versions are susceptible. Because user input goes directly into a format string for a *printf function, attackers may overwrite data on a stack (i.e. a return address), access the shellcode pointed to by the overwritten eip, and execute arbitrary commands. This same attack may be successful against ProFTPD servers. | high | sos5.0.0, sos5.1.0 |
| FTP:WU-FTP:REALPATH-OF | This signature detects buffer overflow attempts against the realpath() function in Wu-ftpd, a software package that provides File Transfer Protocol (FTP) services for UNIX and Linux systems. Wu-ftpd versions 2.5.0 and earlier are vulnerable. Attackers may send a maliciously crafted FTP pathname to overflow a buffer in realpath() and execute arbitrary commands with administrator privileges. | critical | sos5.0.0, sos5.1.0 |
Copyright © 2010, Juniper Networks, Inc.
