Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Cisco Employee

Acitve Update Notification: BSD Telnet Daemon Buffer Overflow

The following instructions provide a guide for adding a custom signature to your Cisco IDS 3.0 sensor using the Signature Wizard tool. This signature will be included in an upcoming signature update.

Cisco IDS 3.0 is currently available at Software Center on CCO (http://www.cisco.com/kobayashi/sw-center/ciscosecure/ids.shtml

). The upgrade paths are as follows:

2.2.1 sensor --> 3.0 sensor:

CD upgrade to 2.5, CCO download of service pack 2.5(0)S1, CCO download of 3.0. (The upgrade CD that will enable a direct upgrade from 2.2.1 to 3.0 will be available shortly)

2.5 sensor --> 3.0 sensor:

CCO download.

PLEASE NOTE THAT THE LATEST VERSION OF THE MANAGEMENT CONSOLE WILL BE REQUIRED TO SUPPORT THE 3.0 SENSOR.

The latest versions of CSPM & the Unix Director are 2.3.1i & 2.2.2a, respectively.

########## Critical Signature Update ###############

The Cisco security research team has released the following custom

signature to provide immediate coverage to customers of the Cisco Secure

Intrusion Detection System.

Vulnerability: BSD Telnet Daemon Buffer Overflow

Date: July 27, 2001

A buffer overflow condition was recently discovered in telnet daemons derived

from the BSD (Berkeley) telnet source. By exploiting this vulnerability, remote

attackers can completely compromise the security of a system. This vulnerability

has been widely publicized and exploit tools are available on the Internet.

For more information about this vulnerability, please consult the Cisco Secure

Encyclopedia entry listed below:

http://www.cisco.com/cgi-bin/front.x/csec/view.pl?VID=3346&VVID=1

######### Adding the Custom Signature ###############

Note: The following instructions provide a guide for adding a custom signature

to your CSIDS 3.0 sensor using the Signature Wizard tool. It is recommended

that you read the Signature Wizard documentation before adding any custom

signatures to your sensor. Online documentation can be found at:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids6/12216_01.htm

Log into your sensor as the user 'netrangr'. From the command prompt, type

'SigWizMenu' and follow the guide below.

Main Menu:

a) Select option 2 to create new custom signature.

Add NEW Custom Signature:

a) Select option 1, and set the Engine Name to STRING.TCP (choice 16).

b) Select option 2 to generate a SIGID.

c) Select option 4, and set the Signature Name to

'BSD Telnet Daemon Buffer Overflow'.

d) Select option 5 to continue.

Adjust Alarm Severity and Action:

a) Select option 5 to set the Alarm Severity to 5.

1) Select an option to choose the desired action.

2) Select option x to continue.

b) Select option x to continue.

Customization:

a) Select option 1, and set the AlarmThrottle to 'FireOnce'.

b) Select option 3, and set the Direction to 'ToService'.

c) Select option 7, and set the MinMatchLength to '500'.

d) Select option 9, and set the RegexString to:

\xFF\xFA\x27\x00\x03(\x30){5,}[\x01-\xFF\x00]+\xFF\xF0

e) Select option 11, and set the ServicePorts to '23'.

f) Select option 14, and set the SigStringInfo to 'telnetd buffer overflow'.

g) Select option x to continue.

After completing the steps above, your screen to should look like this.

1 - AlarmThrottle = FireOnce

2 - ChokeThreshold =

3 - Direction = ToService

4 - FlipAddr =

5 - MaxInspectLength =

6 - MinHits = 1

7 - MinMatchLength = 500

8 - MultipleHits =

9 * RegexString = \xFF\xFA\x27\x00\x03(\x30){5,}[\x01-\xFF\x00]+\xFF\xF0

10 - ResetAfterIdle = 15

11 - ServicePorts = 23

12 - SigComment =

13 - SigName = BSD Telnet Daemon BufferOverflow

14 - SigStringInfo = telnetd buffer overflow

15 - StripTelnetOptions =

16 - ThrottleInterval = 15

17 - WantFrag =

d - Delete a value

u - UNDO and continue

x - SAVE and continue

Exit and Save:

a) Press enter to return to the main menu.

b) Select x to exit.

c) Select y to save the signature and exit.

After exiting SigWizMenu, you should have something like the following.

In /usr/nr/etc/SigUser.conf:

Engine STRING.TCP SIGID 20000 AlarmThrottle FireOnce Direction ToService MinHits

1 MinMatchLength 500 RegexString \xFF\xFA\x27\x00\x03(\x30){5,}[\x01-\xFF\x00]+

\xFF\xF0 ResetAfterIdle 15 ServicePorts 23 SigName BSD Telnet Daemon BufferOverf

low SigStringInfo telnetd buffer overflow ThrottleInterval 15

In /usr/nr/etc/SigSettings.conf:

SigOfGeneral 20000 6 5 5 5 5 5 5 5

1 REPLY
Cisco Employee

Re: Acitve Update Notification: BSD Telnet Daemon Buffer Overflo

Small Correction:

The following statement:

2.2.1 sensor --> 3.0 sensor:

CD upgrade to 2.5, CCO download of service pack 2.5(0)S1, CCO download of 3.0. (The upgrade CD that will enable a direct upgrade from 2.2.1 to 3.0 will be available shortly)

Should have read:

2.2.1 sensor --> 3.0 sensor:

CD upgrade to 2.5, CCO download of 3.0. (The upgrade CD that will enable a direct upgrade from 2.2.1 to 3.0 will be available shortly)

The user does not have to install the 2.5(0)S1 package prior to installing the 3.0 update on the 2.5 sensor.

257
Views
0
Helpful
1
Replies
CreatePlease to create content