12.07.2015 Views

Symantec™ Security Gateways Reference Guide - Sawmill


IDS events: Intrusion attempts

FTP Site Newer DOS

Base Event: FTPCLI_SITE_NEWER

Details: A denial-of-service in WU-FTPD via the SITE NEWER command, which does not free memory properly. It may be possible for remote users to cause wu-ftpd to consume large amounts of memory, creating a denial-of-service. If users can upload files, they can execute arbitrary code with the ftpd UID (usually root).

Response: You can upgrade to the newest version of Wu-ftpd (2.6) for any vulnerable platform.

Affected: Washington University wu-ftpd 2.5.0

False Positives: In environments where the SITE NEWER command is used frequently, this signature could produce false positives.

References:
CVE-1999-0880
CERT: CA-1999-13
Security Focus BID: 737

FTP WARFtpd Literal Exploit

Base Event: FTPCLI_LITERAL_FILE_ACCESS

Details: WarFTPd ships with various macros to assist in setting up complex FTP sites. It is possible to remotely call these macros, some of which are used to compromise the server. Some of these macros will provide server and operating system information. They can also be used to reveal the file contents in error messages, including the configuration files for WarFTP, which can also include plaintext administrator passwords.

The extent of the vulnerability differs between versions of WarFTPd:

Version 1.67b2, and prior: Authenticated users can gain access to the restricted files.

Version 1.70: Remote attackers can gain access to any file on the system, as well as run any system command with administrative privileges, if an ODBC driver is installed. This is done without being logged on to the FTP server.

Response: Patches have been provided for both v1.70 and v1.67b2 or older, available at:
http://war.jgaa.com/alert/
and:
ftp://ftp.no.jgaa.com/

Affected:
Jgaa WarFTPd 1.67b2 and prior
Jgaa WarFTPd 1.70b

False Positives: None known.

References:
Security Focus BID: 919
CVE-2000-0044
Jgaa Support Site
SECURITY ALERT - WARFTP DAEMON ALL VERSIONS
WarFTP Homepage
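An added example (not from the Symantec guide, and not the gateway's own signature logic) for the FTP Site Newer DOS entry above: it counts SITE NEWER commands per client in FTP control-channel lines, so that occasional legitimate use, the false-positive case that entry notes, can be told apart from repeated bursts. The log line layout, the sample addresses and arguments, and the burst_threshold value are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample input. Assumed layout: "<client-ip> <raw FTP control line>".
SAMPLE_LOG = [
    "192.0.2.10 USER anonymous\r\n",
    "192.0.2.10 SITE NEWER 19990101000000 /pub\r\n",
    "198.51.100.7 site   newer 19990101000000 /incoming\r\n",
    "198.51.100.7 SITE NEWER 19990101000000 /incoming\r\n",
    "198.51.100.7 Site Newer 19990101000000 /incoming\r\n",
    "192.0.2.10 SITE CHMOD 644 readme.txt\r\n",
    "203.0.113.5 RETR site-newer.txt\r\n",
]

# FTP command verbs are case-insensitive; tolerate any run of spaces or tabs
# between SITE and NEWER, and require a word boundary after NEWER.
SITE_NEWER = re.compile(r"^SITE[ \t]+NEWER(?:[ \t]|$)", re.IGNORECASE)


def count_site_newer(log_lines):
    """Return a Counter of SITE NEWER commands seen per client address."""
    counts = Counter()
    for line in log_lines:
        client, _, command = line.rstrip("\r\n").partition(" ")
        if SITE_NEWER.match(command.lstrip()):
            counts[client] += 1
    return counts


def triage(counts, burst_threshold=3):
    """Split clients by volume: 'review' at or above the threshold, else 'low'.

    burst_threshold is an assumed tuning value, to be set from the site's
    normal SITE NEWER usage.
    """
    review = sorted(c for c, n in counts.items() if n >= burst_threshold)
    low = sorted(c for c, n in counts.items() if 0 < n < burst_threshold)
    return {"review": review, "low": low}


if __name__ == "__main__":
    per_client = count_site_newer(SAMPLE_LOG)
    print(dict(per_client))
    print(triage(per_client))
```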
