2546.txt

snort入侵检测规则文件2.4 Snort是众所周知的网络入侵检测工具

Rule:

-- 
Sid: 
2546 

-- 
Summary:
This event is generated when an attempt is made to exploit a known 
vulnerability in the Serv-U FTP server, namely the MDTM buffer overflow.

--
Impact:
Serious. Denial of service is possible; when combined with shellcode,
arbitrary code can be remotely executed with SYSTEM privileges.

-- 
Detailed Information:
The vulnerability in question is a buffer overflow present in the handling 
of the MDTM command in the RhinoSoft Serv-U FTP server for Windows. 

The rule searches for an MDTM command which is not terminated within 100 
characters; no valid command would be longer than this.

--
Affected Systems:
All versions of RhinoSoft Serv-U FTP 4.2 and earlier.

--
Attack Scenarios:
Several scripts exist to exploit this flaw, and shellcode is publicly available. 
An attacker could either use one of these scripts, craft their own, or simply 
manually enter an MDTM command which triggers the overflow after having logged 
into a vulnerable server.

--
Ease of Attack:
Simple. Exploit code exists.

--
False Positives:
None Known

-- 
False Negatives:
None Known

--
Corrective Action:
Upgrade to the latest non-affected version of the software.

-- 
Contributors:
Sourcefire Vulnerability Research Team
Alex Kirk <alex.kirk@sourcefire.com> 

-- Additional References:


--