Rule: -- Sid: 2125 -- Summary: This event is generated when an attempt is made to escape the root directory of an FTP server. -- Impact: Information gathering possible system file disclosure. -- Detailed Information: This event indicates that an attempt has been made to exploit potential weaknesses in a host running an FTP server vulnerable to an attack that allows the user to escape the FTP root directory. The attacker may be trying to gain information on the FTP implementation on the host, this may be the prelude to an attack against that host using that information. The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information. The ST FTP server from STSoft suffers from a vulnerability that can allow an attacker to access the filesystem on the host running the service. This event will also be generated by someone using Nessus to scan for this vulnerability. -- Affected Systems: STSoft ST FTP Service 3.0 -- Attack Scenarios: The attacker is able to access the filesystem of the server using normal FTP commands. -- Ease of Attack: Simple. No exploit software is required. -- False Positives: None Known. -- False Negatives: None Known. -- Corrective Action: Check the FTP implementation on the host. Ensure all measures have been taken to deny access to sensitive files. Ensure that the underlying operating system is fully patched. Check the host for signs of compromise. Apply the appropriate vendor supplied patches Upgrade to the latest non-affected version of the software -- Contributors: Sourcefire Research Team Brian Caswell <bmc@sourcefire.com> Nigel Houghton <nigel.houghton@sourcefire.com> -- Additional References: --
