| GEN:SID | 1:361 |
| Message | FTP SITE EXEC attempt |
| Summary | This event is generated when a remote user executes the SITE EXEC command in a session with an internal FTP server. This may indicate an attempt to exploit a vulnerability in the SITE EXEC command in wu-ftpd version 2.4.1. |
| Impact | Arbitrary code execution, leading to remote root compromise. The attacker must have a valid, non-anonymous FTP account on the server to attempt this exploit. |
| Detailed Information | A misconfiguration in the pathnames.h configuration file in wu-ftpd 2.4.1 allows users to execute commands from /bin instead of ~username/bin. An attacker with a valid FTP account on the server can exploit this vulnerability to execute arbitrary shell code using the SITE EXEC command. |
| Affected Systems | Servers running Washington University wu-ftpd version 2.4.1 or earlier. |
| Attack Scenarios | An attacker logs into the system using a valid FTP account, and then executes arbitrary shell code to obtain root access to the server. |
| Ease of Attack | Simple. |
| Corrective Action | Upgrade to a later version of the wu-ftp daemon. |
| Additional References | CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0080; CERT: http://www.cert.org/advisories/CA-1995-16.html |
| Rule References | arachnids: 317; bugtraq: 2241; cve: 1999-0080; cve: 1999-0955 |
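
For triage of this event, the following added example (not the rule's own logic and not code from the Snort project) scans client-to-server FTP control-channel lines for SITE EXEC and tags each hit with whether the session logged in with a non-anonymous account, which the Impact row says the exploit requires. The session ids, sample lines, and function name are constructed for illustration.

```python
import re

# Constructed sample: client-to-server lines from FTP control channels,
# as (session id, raw command line). Not captured traffic.
SAMPLE = [
    ("s1", "USER alice\r\n"),
    ("s1", "PASS ********\r\n"),
    ("s1", "SITE CHMOD 644 notes.txt\r\n"),   # other SITE subcommand: ignored
    ("s1", "site  exec ls\r\n"),              # lower case, extra space
    ("s2", "USER anonymous\r\n"),
    ("s2", "PASS guest@example.org\r\n"),
    ("s2", "SITE EXEC ls\r\n"),
    ("s3", "STOR site exec.txt\r\n"),         # file name only: ignored
]

ANON_USERS = {"anonymous", "ftp"}
# FTP verbs are case-insensitive; tolerate extra spaces or tabs between tokens.
SITE_EXEC = re.compile(r"^\s*SITE\s+EXEC(?:\s+(?P<args>.*))?$", re.IGNORECASE)
USER_CMD = re.compile(r"^\s*USER\s+(?P<name>\S+)", re.IGNORECASE)


def find_site_exec(lines):
    """Return one alert dict per SITE EXEC command, tagged with the session login."""
    users = {}   # session id -> most recent USER argument
    alerts = []
    for session, raw in lines:
        line = raw.rstrip("\r\n")
        m = USER_CMD.match(line)
        if m:
            users[session] = m.group("name")
            continue
        m = SITE_EXEC.match(line)
        if m:
            user = users.get(session)
            alerts.append({
                "session": session,
                "user": user,
                # Per the Impact row, the exploit needs a non-anonymous account.
                "non_anonymous": user is not None and user.lower() not in ANON_USERS,
                "args": (m.group("args") or "").strip(),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_site_exec(SAMPLE):
        print(alert)
```

A hit with `non_anonymous` set to true matches the precondition described in the Impact row and deserves review first; the anonymous hit is still a SITE EXEC attempt and would still trigger this event.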