Finger overflow
Summary
An extremely long finger request was seen, indicating either a buffer overflow attempt or a DoS.
Details
Because finger is such an easy protocol to implement, there are numerous independently written versions of it around. Many contain the same programming mistake: making an assumption about the size of the input.
History
The Morris worm of 1988 exploited a hole in a popular finger service of the time. Despite the fact that this bug is over a decade old, it still appears in new finger programs created today.
This is a protocol-validation signature that looks for long content sent to the finger service. This is unlikely to be a false positive, not only because long content is never sent to finger, but also because finger is usually disabled on secure networks.
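A length check of the kind this signature describes, as an added example that is not the product's own signature logic. The 512-byte threshold, the function names and the sample requests are assumptions constructed here, and the printable-character check goes beyond the length test the page describes.

```python
# Added example: protocol validation for finger (TCP/79) client data.
MAX_REQUEST_LEN = 512  # assumed threshold; the page does not state one


def classify_finger_request(payload: bytes, max_len: int = MAX_REQUEST_LEN) -> str:
    """Classify the client-to-server bytes seen so far on one finger connection."""
    # A finger query is a single short line, so any byte count beyond the
    # limit is abnormal whether or not a line terminator has arrived yet.
    if len(payload) > max_len:
        return "overlong"
    line, terminator, _ = payload.partition(b"\n")
    if not terminator:
        return "incomplete"  # keep buffering; re-check when more data arrives
    line = line.rstrip(b"\r")
    # Queries are printable ASCII (user names, host names, the /W switch).
    if any(b < 0x20 or b > 0x7E for b in line):
        return "malformed"
    return "ok"


def alerts(requests):
    """Return (index, verdict) for every request that should raise an alert."""
    flagged = []
    for i, payload in enumerate(requests):
        verdict = classify_finger_request(payload)
        if verdict in ("overlong", "malformed"):
            flagged.append((i, verdict))
    return flagged


# Constructed sample traffic (not captured from a real network).
SAMPLES = [
    b"\r\n",                      # list logged-in users
    b"/W alice\r\n",              # verbose query for one user
    b"alice@host.example\r\n",    # forwarded query
    b"A" * 2000 + b"\r\n",        # far longer than any real query
    b"B" * 600,                   # long and never terminated
    b"al\x01ice\r\n",             # control byte inside the name
    b"bob",                       # short, terminator not yet seen
]

if __name__ == "__main__":
    for index, verdict in alerts(SAMPLES):
        print(f"request {index}: {verdict} ({len(SAMPLES[index])} bytes)")
```

The check runs on the accumulated client bytes rather than on a parsed line, so a sender that never transmits a line terminator is still flagged once the limit is passed.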
Version appeared: 2.5