Source: nessus | This script is Copyright (C) 2004-2018 Tenable Network Security, Inc. | SLIMFTPD_OVERFLOW.NASL
History: Nov 13, 2004 - 12:00 a.m.

SlimFTPd Multiple Command Handling Overflow

2004-11-13 00:00:00
This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
www.tenable.com
23

CVSS2

7.2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

EPSS

0.078

Percentile

94.3%

The remote host appears to be using SlimFTPd, a free, small, standards-compliant FTP server for Windows.

According to its banner, the version of SlimFTPd installed on the remote host is prone to one or more buffer overflow attacks that can lead to arbitrary code execution.

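Note that successful exploitation of either of these flaws requires that an attacker first authenticate. The plugin's own CVSS2 base vector in the listing below (AV:N/AC:L/Au:S) reflects this; the AV:L/Au:N vector shown in this page's score panel does not. Because the check only reads the FTP banner, confirm a finding against the version actually installed on the host.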

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Plugin registration: this branch runs only when the scanner loads the
# script to collect its metadata, and ends with exit(0) before any
# network activity takes place.
if (description)
{
  # Identity and revision of the plugin.
  script_id(15704);
  script_version("1.17");
  script_cvs_date("Date: 2018/11/15 20:50:22");

  # Advisory cross-references covered by this single banner check.
  script_cve_id("CVE-2004-2418", "CVE-2005-2373");
  script_bugtraq_id(11645, 14339);

  script_name(english:"SlimFTPd Multiple Command Handling Overflow");
  # The summary is explicit that detection is banner-based: no overflow
  # is attempted against the server.
  script_summary(english:"Checks version in the banner");

  script_set_attribute(attribute:"synopsis", value:"The remote FTP server is prone to multiple buffer overflow attacks.");
  script_set_attribute(attribute:"description", value:
"The remote host appears to be using SlimFTPd, a free, small,
standards-compliant FTP server for Windows. 

According to its banner, the version of SlimFTPd installed on the
remote host is prone to one or more buffer overflow attacks that can
lead to arbitrary code execution. 

Note that successful exploitation of either of these flaws requires an
attacker first authenticate.");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2004/Nov/333");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2005/Jul/346");
  script_set_attribute(attribute:"solution", value:"Upgrade to SlimFTPd version 3.17 or later.");

  # Risk scoring. Base vector: network-reachable, low complexity, single
  # authentication (Au:S, matching the description's note that the
  # attacker must log in first), complete C/I/A impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  # Temporal vector: functional exploit, official fix, confirmed report.
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");

  # Exploit-availability flags; useful for prioritising remediation.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'SlimFTPd LIST Concatenation Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"plugin_publication_date", value:"2004/11/13");
  script_set_attribute(attribute:"vuln_publication_date", value:"2004/11/10");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  # Information-gathering category, consistent with a banner-only check.
  script_category(ACT_GATHER_INFO);

  script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
  script_family(english:"FTP");

  # Scheduling: run after the FTP server type/version detection plugin,
  # and only against hosts with an FTP service (or port 21).
  script_dependencie("ftpserver_detect_type_nd_version.nasl");
  script_require_ports("Services/ftp", 21);
  exit(0);
}


include("ftp_func.inc");


# Pick the FTP port to test (21 by default) and fetch its banner.
ftp_port = get_ftp_port(default:21);
ftp_banner = get_ftp_banner(port:ftp_port);

# Without a banner there is nothing to compare against.
if (!ftp_banner) exit(1);

# Banner lines that identify an affected SlimFTPd release (intended: <= 3.16).
# The pattern accepts major versions 0-2 and 3.10 through 3.16; the trailing
# [^0-9] keeps longer numbers such as 3.160 from matching.
# NOTE(review): a banner reading 3.0-3.9 would not match this pattern;
# confirm that no such release needs to be flagged.
# NOTE(review): the verdict rests on the banner text alone, so a server with
# an edited or suppressed banner is not assessed correctly; verify findings
# against the installed version.
vulnerable_banner = "^220-SlimFTPd ([0-2]\.|3\.1[0-6][^0-9])";

if (egrep(string:ftp_banner, pattern:vulnerable_banner))
  security_hole(ftp_port);
