SonicALERT
Search

Sonicwall Signatures

 

  All Categories


Category: FTP

FTP Category Description

This SonicWALL IPS signature category consists of a group of signatures that can detect and prevent traffic related to attacks on FTP servers. FTP or File Transfer Protocol is the standard protocol used to transfer files across widely different operating systems. FTP servers usually require a lengthy login process to authenticate users before giving them to download or upload files. Attackers have found a variety of vulnerabilities in FTP server software that they can exploit to cause these servers to malfunction, allowing them to cirvumvent security mechanisms, take control of the server, or make the server crash resulting in a denial of service.

The most common attack on FTP servers is a buffer overflow attack. Attackers who have performed scan of the network's servers can guess whether the software handling FTP requests is patched to known vulnerabilities, and exploit an unchecked buffer by sending a malformed command to the server. For example, several FTP server versions are vulnerable to a specially crafted STAT command which is usually used to report the status of a connection, file, or directory. If the command includes an argument that is larger than 479 bytes, the program will write past the end of the allocated buffer, causing the server to crash or to execute code that the attacker included in the request. Buffer overflow attacks can effecitvely give attackers control of the compromised system.

Attackers also exploit vulnerabilities in FTP servers that involve mishandling of memory. For example, the SITE NEWER command is mishandled by the Washington University FTP Daemon (WU-FTPD), which fails to free memory when the command is executed, causing the server to crash.

Most other FTP attacks attempt to get the server to return information that it should not by using special characters in requests that make the machine behave in strange ways. A common directory traversal attack involves attackers using strings like '..' in requests that they submit to the server, causing certain server versions to return an arbitrary file that the attacker would usually not be able to access. Other attacks return the first line or arbitrary files or a core dump of the server program, which can often supply shadowed passwords. These attacks can allow attackers to corrupt or steal sensitive information, presenting a significant liability for companies that maintain an FTP server.

SonicWALL FTP signatures are classified from low- to high-priority. When enabled for prevention, these signatures can keep malicious commands from reaching FTP servers. It should be noted, however, that vendors have made patches and updates available to close the vulnerabilities in the above mentioned FTP server software. Administrators should use these patches and updates in conjunction with SonicWALL signatures to ensure maximum security for their FTP servers.

  FTP Request with Malformed USER Command
  FTP Request with Malformed PASS Command
  FTP Request with Malformed MKD Command 1
  FTP Request with Malformed LIST Command
  FTP Response with Malformed Return Code (220)
  Malformed TFTP Request 1
  FTP Request with Malformed SIZE Command 1
  FTP Request with Malformed CWD Command
  wu-ftpd SITE EXEC Command Format String Attack
  FTP Request with Malformed REST Command
  Ipswitch WS_FTP Logging Server DoS
  FTP Server Format String Attack 1
  FTP Response with Malformed Return Code (227) 1
  TFTP Server Directory Traversal 1
  TFTP Server Directory Traversal 2
  SolarWinds Serv-U Remote Code Execution
  Malformed FTP Response 1
  Malformed FTP Response 2
  FTP Request with Malformed XMKD Command
  FTP Request with Malformed SITE Command 1
  FTP Request with Malformed NLST Command 1
  FTP Server Remote Code Execution 1
  TFTP Server Directory Traversal 3
  FTP Request with Malformed XCWD Command
  FTP Request with Malformed MDTM Command
  TFTP Read Format String Attatck
  FTP Request with Malformed XMD5 Command
  Malformed TFTP Read Request
  Malformed TFTP Write Request
  FTP Request with Malformed RETR Command 1
  FTP Request with Malformed PASV Command
  FTP Server Suspicious Zip File Upload 1
  FTP Request with Malformed SIZE Command 2
  FTP Server Suspicious Zip File Upload 2
  Microsoft .NET Framework Privilege Escalation (CVE-2023-36049)
  SolarWinds TFTP Read Request DoS
  FTP Request with Malformed NLST Command 2
  FTP Response with Malformed Return Code (257) 1
  FTP Server Remote Code Execution 2
  FTP Response with Malformed Return Code (257) 2
  FTP Request with Malformed STOR Command 1
  FTP Request with Malformed RNFR Command
  FTP Request with Malformed RNTO Command
  FTP Request with Malformed PORT Command 1
  FileWrangler FTP Client Buffer Overflow
  FTP Request with Malformed STOR Command 2
  FTP CWD root Command
  FTP Server Remote Code Execution 3
  FTP Server Remote Code Execution 4
  Malformed TFTP Data
  Malformed TFTP Error
  AmmSoft ScriptFTP Buffer Overflow
  FTP Server Authentication Bypass
  FTP Request with Malformed MKD Command 2
  FTP Request with Malformed RETR Command 2
  Malformed TFTP Request 3
  Malformed TFTP Request 4
  FTP Request with Malformed STOR Command 3
  FTP Request with Malformed PORT Command 2
  TFTP Server Directory Traversal 4
  Sami FTP Server Buffer Overflow
  FileZilla Server PORT Command DoS
  FTP Server Format String Attack 2
  FTP Request with Malformed SITE Command 2
  VicFTPS LIST Command DoS
  WinFTP FTP Server DoS
  PacketTrap TFTP Server DoS
  FTP Server Remote Code Execution 6
  BulletProof FTP Client Buffer Overflow
  FTP Server Remote Code Execution 7
  HPE Intelligent Management Center TFTP Remote Code Execution
  Cisco Prime Infrastructure TFTP Arbitrary File Creation 1
  Cisco Prime Infrastructure TFTP Arbitrary File Creation 2
  Windows Deployment Services TFTP Server Remote Code Execution (NOV 18) 1
  Windows Deployment Services TFTP Server Remote Code Execution (NOV 18) 2
  ProFTPD mod_copy Arbitrary File Read
  FTP Request with Malformed STOR Command 4
  FTP Request with Malformed DELE Command
  FTP Server Remote Code Execution 8
  SolarWinds Serv-U Web UI XSS
  uftpd PORT Command Buffer Overflow 1
  uftpd PORT Command Buffer Overflow 2
  FTPShell Client Buffer Overflow
  VestaCP FTP Command Injection 1
  VestaCP FTP Command Injection 2
  SolarWinds Serv-U Path Traversal


Relevant Information