Preface: FTP USER name overflow - Internet Security Systems

FTP USER name overflow

advICE : Intrusions : 2001306

Summary

An attempt has been made to break into the FTP server by sending a very long user name.

Details

This is a typical buffer overflow bug, and it is found in many FTP servers. When logging on, rather than sending a normal user name like "alice", the attacker sends a very loooooooonnnnnnnnnggggggg user name. The intruder intends to send more data than the FTP server expects, causing the extra characters to overflow into other memory and thereby compromise the system.

Defense

Make sure that the latest version of the FTP service is installed. The links below list many (but not all) FTP servers and versions that may be vulnerable to this problem.

More information

CERT: CA-99-03-FTP-Buffer-Overflows

advICE: Buffer overflows
More about this general class of attacks, which is the root cause of many attacks on the Internet.

advICE: FTP defense
How to harden an FTP server against Internet attacks.

advICE: FTP exploits
A list of common ways that intruders break into FTP servers.

BugtraqID: 1582 OS/2 4.5 FTP Server Login DoS Vulnerability

BugtraqID: 1352 Shadow Op Dragon Server Multiple DoS Vulnerabilities

BugtraqID: 796 QPC QVT Suite FTP Server DoS Vulnerability
If the combined username and password are greater than 2000 characters, then a buffer overflow occurs.

BugtraqID: 783 TransSoft Broker User Name Buffer Overflow Vulnerability
If a user name of more than 2730 characters is passed to the Broker FTP server software, the program will crash.

BugtraqID: 749 Celtech ExpressFS USER Buffer Overflow Vulnerability

BugtraqID: 442 Solaris libauth Buffer Overflow vulnerabilities
A buffer overflow exists in the authentication code, so that long hostnames or usernames can be used to break into the system.

Parametric information

length: The length of the login name; if it is longer than a few hundred characters, then it may be a buffer overflow attempt.
login name: The initial portion of the login name.

Configuration for this item

login.maxname    100    The maximum length of a login name.
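
The check described by the parameters and the login.maxname setting above, as an added example in Python (not ISS code and not part of the original page): it scans the client side of an FTP control connection and reports the length and initial portion of any USER name longer than login.maxname. The function name, PREFIX_LEN and the sample bytes are assumptions constructed for illustration.

```python
# Added example: flag over-long FTP USER arguments on a control channel.
MAX_NAME = 100    # the page's login.maxname value
PREFIX_LEN = 16   # assumed: how much of the name to report as "login name"


def check_user_commands(stream: bytes, max_name: int = MAX_NAME):
    """Return one alert per USER command whose name is longer than max_name.

    `stream` is the raw client-to-server half of an FTP control connection.
    """
    alerts = []
    # FTP commands end in CRLF. Bare LF is tolerated, and an unterminated
    # tail is still inspected, since an over-long name may arrive before
    # (or without) its line ending.
    for raw in stream.replace(b"\r\n", b"\n").split(b"\n"):
        verb, _, arg = raw.lstrip().partition(b" ")
        if verb.upper() != b"USER":      # FTP verbs are case-insensitive
            continue
        name = arg.rstrip(b"\r")         # keep every other byte: it all counts
        if len(name) > max_name:
            alerts.append({
                "length": len(name),
                # Only the initial portion is kept, as in the parameters
                # above; latin-1 decodes any byte without raising.
                "login name": name[:PREFIX_LEN].decode("latin-1"),
            })
    return alerts


# Constructed sample traffic (not captured from a real session).
SAMPLE = (
    b"USER alice\r\n"
    b"PASS secret\r\n"
    b"user " + b"A" * 500 + b"\r\n"     # lower-case verb, 500-byte name
    b"USER " + b"B" * 100 + b"\r\n"     # exactly at the limit: no alert
    b"USER " + b"C" * 300               # no line ending yet
)

if __name__ == "__main__":
    for alert in check_user_commands(SAMPLE):
        print(alert)
```
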

 
Version appeared:  
