Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 1999-2024 and is owned by Tenable, Inc. or an Affiliate thereof.FTP_OVERFLOW.NASL
HistoryJun 22, 1999 - 12:00 a.m.

Multiple FTP Server Command Handling Overflow

1999-06-2200:00:00
This script is Copyright (C) 1999-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
51

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

7.8 High

AI Score

Confidence

Low

0.36 Low

EPSS

Percentile

97.2%

JSON

The remote FTP server closes the connection when a command or argument is too long. This is probably due to a buffer overflow and may allow an attacker to execute arbitrary code on the remote host.

#
# (C) Tenable Network Security, Inc.
#

if (NASL_LEVEL < 3000) exit(0);

include("compat.inc");

if(description)
{
 script_id(10084);
 script_version("1.86");

 script_cve_id(
  "CVE-1999-0219",
  "CVE-2000-0870",
  "CVE-2000-0943",
  "CVE-2000-1035",
  "CVE-2000-1194",
  "CVE-2002-0126",
  "CVE-2003-0271",
  "CVE-2005-0634",
  "CVE-2005-1415"
 );
 script_bugtraq_id(269, 1227, 1675, 1690, 1858, 3884, 7251, 7278, 7307, 12704, 13454);

 script_name(english:"Multiple FTP Server Command Handling Overflow");
 
 script_set_attribute(attribute:"synopsis", value:
"The remote FTP server is susceptible to buffer overflow attacks." );
 script_set_attribute(attribute:"description", value:
"The remote FTP server closes the connection when a command or argument
is too long.  This is probably due to a buffer overflow and may allow
an attacker to execute arbitrary code on the remote host." );
 script_set_attribute(attribute:"solution", value:
"Upgrade / switch the FTP server software or disable the service if 
it is not needed." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
 script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
 script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
 script_set_attribute(attribute:"cvss_score_source", value:"CVE-2005-1415");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"exploit_framework_core", value:"true");
 script_set_attribute(attribute:"metasploit_name", value:'GlobalSCAPE Secure FTP Server Input Overflow');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
 script_set_attribute(attribute:"plugin_publication_date", value: "1999/06/22");
 script_set_attribute(attribute:"vuln_publication_date", value: "1997/07/01");
 script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/16");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();
 
 script_category(ACT_DESTRUCTIVE_ATTACK);
 
 script_copyright(english: "This script is Copyright (C) 1999-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
 script_family(english:"FTP");
 script_dependencies("ftpserver_detect_type_nd_version.nasl");
 script_require_keys("ftp/login", "ftp/password");
 script_exclude_keys("global_settings/supplied_logins_only");
 script_require_ports("Services/ftp", 21);
 exit(0);
}

#
# The script code starts here
#
include("ftp_func.inc");

if (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);

global_var port = get_ftp_port(default: 21);

foreach f (make_list("msftpd", "ncftpd", "fw1ftpd", "vxftpd"))
  if (get_kb_item("ftp/"+port+"/"+f))
    exit(0, "The FTP server on port "+port+" is "+f+".");

function is_vulnerable (value)
{
 if (service_is_dead(port: port) > 0)
 {
   set_kb_item(name:"ftp/overflow", value:TRUE);
   set_kb_item(name:"ftp/"+port+"/overflow", value:TRUE);
   set_kb_item(name:"ftp/"+port+"/overflow_method", value:value);
   security_hole(port);
 }
 exit (0);
}

soc = open_sock_tcp(port);
if (! soc) exit(1, "Connection failed to port "+port+".");

  dbg::detailed_log(name:'ftp_func', src:SCRIPT_NAME, lvl:2, msg:"Getting the FTP banner.");
  d = ftp_recv_line(socket:soc);
  if(!d){
	close(soc);
	exit(1, "No answer on port "+port+".");
	}
  if(!egrep(pattern:"^220[ -]", string:d))
   {
    # not an FTP server
    close(soc);
    exit(1, "The service on port "+port+" does not look like FTP.");	
   }
 
  if ("Microsoft FTP Service" >< d)
    exit(0, "MS FTP is running on port "+port+".");
 
  req = 'USER ftp\r\n';
  send(socket:soc, data:req);
  d = ftp_recv_line(socket:soc);
  ftp_close(socket:soc);
  if(!d)
  {
   exit(1, "No answer on port "+port+".");	
  }
  
  soc = open_sock_tcp(port);
  if ( ! soc ) exit(1, "Connection failed to port "+port+".");
  d = ftp_recv_line(socket:soc);
  s = ('USER ' + crap(4096) + '\r\n');
  send(socket:soc, data:s);
  d = ftp_recv_line(socket:soc);
  if(!d){
	close (soc);
	is_vulnerable (value:"USER");
	}

   # Let's try to access it with valid credentials now.
   login = get_kb_item("ftp/login");
   password = get_kb_item("ftp/password");

   s = ('USER ' + login + '\r\n');
   send(socket:soc, data:s);
   d = ftp_recv_line(socket:soc);
   # ProFTPD 1.5.2 crashes with more than 12 KB
   s = ('PASS ' + crap(12500) + '\r\n');
   send(socket:soc, data:s);
   d = ftp_recv_line(socket:soc);
   if(!d){
	close (soc);
	is_vulnerable (value:"PASS");
	}

     s = ('PASS ' + password + '\r\n');
     send(socket:soc, data:s);
     d = ftp_recv_line(socket:soc);
     if(!d) exit(1, "No answer from port "+port+".");

     foreach cmd (make_list ('CWD', 'LIST', 'STOR', 'RNTO', 'MKD', 'XMKD', 
     	 'RMD', 'XRMD', 'APPE', 'SIZE', 'RNFR', 'HELP', ''))
     {
       s = (cmd + ' ' + crap(4096) + '\r\n');
       d = ftp_recv_line(socket:soc);
       if (! d)
       {
	close (soc);
	is_vulnerable (value: cmd);
       }
     }
		

   if ( soc )  close(soc);

Related

nvd 9
cve 10
cvelist 10
nessus 3
openvas 2
packetstorm 1
checkpoint_advisories 1
nvd
nvd
CVE-2000-1035
2000-12-11 05:00:00
CVE-2000-0870
2000-11-14 05:00:00
CVE-2000-1194
2001-08-31 04:00:00
cve
cve
CVE-2000-1035
2000-12-11 05:00:00
CVE-1999-0219
1999-09-29 04:00:00
CVE-2000-1194
2001-09-12 04:00:00
cvelist
cvelist
CVE-2000-1035
2000-11-29 05:00:00
CVE-2000-0870
2001-01-22 05:00:00
CVE-2003-0271
2003-05-09 04:00:00
nessus
nessus
Serv-U CWD Command Overflow
1999-06-22 00:00:00
GlobalSCAPE Secure FTP Server User Input Overflow
2005-07-06 00:00:00
bftpd Multiple Command Remote Overflow
2000-12-16 00:00:00
openvas
openvas
GlobalSCAPE Secure FTP Server User Input Overflow
2005-11-03 00:00:00
GlobalSCAPE Secure FTP Server <= 3.0.2 User Input Overflow Vulnerability
2005-11-03 00:00:00
packetstorm
packetstorm
GlobalSCAPE Secure FTP Server Input Overflow
2009-11-26 00:00:00
checkpoint_advisories
checkpoint_advisories
Preemptive Protection against Golden FTP USER Denial of Service Vulnerability
2006-12-19 00:00:00

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

7.8 High

AI Score

Confidence

Low

0.36 Low

EPSS

Percentile

97.2%

JSON
Related for FTP_OVERFLOW.NASL
nvd9cve10cvelist10nessus3openvas2packetstorm1checkpoint_advisories1