Juniper NETWORK AND SECURITY MANAGER 2010.3 - ADMINISTRATION GUIDE REV1 Administration Manual page 921

Appendix E: Log Entries

Table 124: Deep Inspection Alarm Log Entries (continued)

| Attack Name | Attack Description | Severity | Versions |
|---|---|---|---|
| FTP:OVERFLOW:FREEBSD-FTPD-GLOB | This signature detects buffer overflow attempts against the FreeBSD FTP daemon. FreeBSD-4.2 is vulnerable. Attackers may submit a malicious STAT request that contains file globbing characters to execute arbitrary code on the target host with administrator privileges. | critical | sos5.0.0, sos5.1.0 |
| FTP:OVERFLOW:LINE_TOO_LONG | This protocol anomaly is an incoming FTP line that is too long. This may indicate an attempt to overflow the server. | high | sos5.0.0, sos5.1.0 |
| FTP:OVERFLOW:OPENBSD-X86 | This signature detects buffer overflow attempts against ftpd in OpenBSD. OpenBSD versions 2.7 and 2.8, FTP code revisions 1.49 to 1.79 are vulnerable. Attackers with write access may exploit the replydirname() function in BSD-based ftpd daemons to gain root access. | critical | sos5.0.0, sos5.1.0 |
| FTP:OVERFLOW:PASS_TOO_LONG | This protocol anomaly is an FTP client password that exceeds the length threshold. This may indicate a malicious FTP client attempting to overflow the server. | high | sos5.0.0, sos5.1.0 |
| FTP:OVERFLOW:PATH-LINUX-X86-1 | This signature detects attempts to exploit a realpath vulnerability in ProFTPD and wuFTPd running on LINUX. Versions ProFTPD 1.2pre1 and earlier and wuFTPd 2.4.2 (beta 18) VR9 and earlier are susceptible. Attackers may gain write access, remotely create long pathnames, and overflow the buffer to gain root access. | critical | sos5.0.0, sos5.1.0 |
| FTP:OVERFLOW:PATH-LINUX-X86-2 | This signature detects attempts to exploit a realpath vulnerability in ProFTPD and wuFTPd running on LINUX. Versions ProFTPD 1.2pre1 and earlier and wuFTPd 2.4.2 (beta 18) VR9 and earlier are susceptible. Attackers may gain write access, remotely create long pathnames, and overflow the buffer to gain root access. | critical | sos5.0.0, sos5.1.0 |
| FTP:OVERFLOW:PATH-LINUX-X86-3 | This signature detects attempts to exploit a realpath vulnerability in ProFTPD and wuFTPd running on LINUX. Versions ProFTPD 1.2pre1 and earlier and wuFTPd 2.4.2 (beta 18) VR9 and earlier are susceptible. Attackers may gain write access, remotely create long pathnames, and overflow the buffer to gain root access. | critical | sos5.0.0, sos5.1.0 |
| FTP:OVERFLOW:PATH-TOO-LONG | This protocol anomaly is a pathname in an FTP command (RETR, STOR, APPE, SMNT, RNFR, RNTO, DELE, RMD, MKD, STAT, CWD, LIST, NLST) that exceeds the length threshold. This may be an attempt to overflow the server. | high | sos5.0.0, sos5.1.0 |
| FTP:OVERFLOW:SITESTRING-2-LONG | This protocol anomaly is an argument in the FTP SITE command that exceeds the length threshold. This may be an attempt to overflow the server. | high | sos5.0.0, sos5.1.0 |
| FTP:OVERFLOW:USERNAME-2-LONG | This protocol anomaly is a username in an FTP connection that exceeds the length threshold. This may be an attempt to overflow the server. | high | sos5.0.0, sos5.1.0 |

Copyright © 2010, Juniper Networks, Inc.