Rule:

--
Sid:
1975

--
Summary:
This event is generated when an attempt is made to exploit an FTP 
command buffer overflow vulnerability in CesarFTPd.

--
Impact:
When properly exploited, this could grant the attacker 'SYSTEM' 
privileges (under NT/2000) or the ability to execute arbitrary code.

--
Detailed Information:
By sending a long string of characters as the argument to any of 
several FTP commands, an attacker can cause a stack overflow. 

This exploit affects the following systems when they are running the server:
   - Microsoft Windows 2000 Professional 
   - Microsoft Windows 2000 Professional SP1
   - Microsoft Windows 2000 Workstation 
   - Microsoft Windows 2000 Workstation rev.2031
   - Microsoft Windows 2000 Workstation rev.2072
   - Microsoft Windows 2000 Workstation rev.2195
   - Microsoft Windows 95 
   - Microsoft Windows 95 Build 490.R6
   - Microsoft Windows 95 j
   - Microsoft Windows 98 
   - Microsoft Windows 98 a
   - Microsoft Windows 98 b
   - Microsoft Windows 98 j
   - Microsoft Windows 98SE 
   - Microsoft Windows ME 
   - Microsoft Windows NT 3.5
   - Microsoft Windows NT 3.5.1
   - Microsoft Windows NT 3.5.1 SP1
   - Microsoft Windows NT 3.5.1 SP2
   - Microsoft Windows NT 3.5.1 SP3
   - Microsoft Windows NT 3.5.1 SP4
   - Microsoft Windows NT 3.5.1 SP5
   - Microsoft Windows NT 4.0
   - Microsoft Windows NT 4.0 SP1
   - Microsoft Windows NT 4.0 SP2
   - Microsoft Windows NT 4.0 SP3
   - Microsoft Windows NT 4.0 SP4
   - Microsoft Windows NT 4.0 SP6
   - Microsoft Windows NT 4.0 SP6a

--
Attack Scenarios:
The attacker merely needs to send a long string of characters after an 
FTP command.
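
The condition described above, as a detection sketch over FTP control-channel traffic. This is an added example, not the Snort rule and not part of the original documentation. The 100-byte threshold, the function names and the sample traffic are assumptions; the page gives no length.

```python
import re

# Assumed threshold: the page states no length, so tune this for your servers.
MAX_ARG_LEN = 100

# An FTP control line is "<VERB>[ <argument>]" ending in CRLF (RFC 959).
_CMD = re.compile(rb"^\s*([A-Za-z]{3,4})(?:[ \t]+(.*))?$", re.DOTALL)


def split_commands(stream: bytes):
    """Yield non-empty command lines from a client-to-server byte stream."""
    for line in re.split(rb"\r?\n", stream):
        if line:
            yield line


def inspect(stream: bytes, max_arg_len: int = MAX_ARG_LEN):
    """Return (verb, length) for every command whose argument is oversized."""
    alerts = []
    for line in split_commands(stream):
        m = _CMD.match(line)
        if not m:
            # No parseable verb: an overlong line is still worth flagging.
            if len(line) > max_arg_len:
                alerts.append(("<malformed>", len(line)))
            continue
        verb = m.group(1).upper().decode("ascii")  # verbs are case-insensitive
        arg = m.group(2) or b""
        if len(arg) > max_arg_len:
            alerts.append((verb, len(arg)))
    return alerts


# Constructed sample traffic (not captured from a real session).
SAMPLE = (
    b"USER anonymous\r\n"
    b"PASS guest@example.com\r\n"
    b"HELP " + b"A" * 300 + b"\r\n"
    b"dele " + b"B" * 150 + b"\n"
    b"RETR readme.txt\r\n"
    b"QUIT\r\n"
)

if __name__ == "__main__":
    for verb, n in inspect(SAMPLE):
        print(f"ALERT overlong FTP argument: {verb} ({n} bytes)")
```

The check is verb-agnostic because the text says several commands are affected without listing them; bare-LF line endings and lower-case verbs are handled so that trivial variations do not slip past.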

--
Ease of Attack:
Simple.

--
False Positives:
None Known

--
False Negatives:
None Known

--
Corrective Action:

--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>
Snort documentation contributed by Neal Timm <nealtimm@sbcglobal.net>

--
Additional References:

Bugtraq:
http://www.securityfocus.com/bid/2972

Message: cesarFTP v0.98b 'HELP' buffer overflow 
Message: CesarFTPd, Cerberus FTPd
