CVE-2000-0573 - Unspecified vulnerability in HP Hp-Ux 11.00

CVSS 0.0 - NONE
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN
Tags: hp, nessus, exploit available, metasploit

Summary

The lreply function in wu-ftpd 2.6.0 and earlier does not properly cleanse an untrusted format string, which allows remote attackers to execute arbitrary commands via the SITE EXEC command.

Vulnerable Configurations

Part    Description    Count
OS      Hp             1

Exploit-Db

  • description: BeroFTPD 1.3.4(1) Linux x86 Remote Root Exploit. CVE-2000-0573. Remote exploit for linux platform
    id: EDB-ID:269
    last seen: 2016-01-31
    modified: 2001-05-08
    published: 2001-05-08
    reporter: qitest1
    source: https://www.exploit-db.com/download/269/
    title: BeroFTPD 1.3.41 - Remote Root Exploit Linux x86
  • description: wu-ftpd 2.6.0 Remote Root Exploit. CVE-2000-0573. Remote exploits for multiple platform
    id: EDB-ID:201
    last seen: 2016-01-31
    modified: 2000-11-21
    published: 2000-11-21
    reporter: venglin
    source: https://www.exploit-db.com/download/201/
    title: wu-ftpd 2.6.0 - Remote Root Exploit
  • description: wu-ftpd 2.6.0 Remote Format Strings Exploit. CVE-2000-0573. Remote exploit for solaris platform
    id: EDB-ID:239
    last seen: 2016-01-31
    modified: 2001-01-03
    published: 2001-01-03
    reporter: kalou
    source: https://www.exploit-db.com/download/239/
    title: wu-ftpd 2.6.0 - Remote Format Strings Exploit
  • description: wu-ftpd 2.4.2/2.5 .0/2.6 .0 Remote Format String Stack Overwrite (2). CVE-2000-0573. Remote exploit for linux platform
    id: EDB-ID:20031
    last seen: 2016-02-02
    modified: 2000-09-26
    published: 2000-09-26
    reporter: vsz_
    source: https://www.exploit-db.com/download/20031/
    title: wu-ftpd 2.4.2/2.5 .0/2.6.0 - Remote Format String Stack Overwrite 2
  • description: wu-ftpd 2.4.2/2.5 .0/2.6 .0 Remote Format String Stack Overwrite (3). CVE-2000-0573. Remote exploit for lin_x86 platform
    id: EDB-ID:20032
    last seen: 2016-02-02
    modified: 2001-05-04
    published: 2001-05-04
    reporter: justme
    source: https://www.exploit-db.com/download/20032/
    title: wu-ftpd 2.4.2/2.5 .0/2.6.0 - Remote Format String Stack Overwrite 3
  • description: wu-ftpd 2.4.2/2.5 .0/2.6 .0 Remote Format String Stack Overwrite (1). CVE-2000-0573. Remote exploit for unix platform
    id: EDB-ID:20030
    last seen: 2016-02-02
    modified: 1999-10-15
    published: 1999-10-15
    reporter: tf8
    source: https://www.exploit-db.com/download/20030/
    title: wu-ftpd 2.4.2/2.5 .0/2.6.0 - Remote Format String Stack Overwrite 1
  • description: wu-ftpd SITE EXEC/INDEX Format String Vulnerability. CVE-2000-0573. Remote exploit for linux platform
    id: EDB-ID:16311
    last seen: 2016-02-01
    modified: 2010-11-30
    published: 2010-11-30
    reporter: metasploit
    source: https://www.exploit-db.com/download/16311/
    title: wu-ftpd - SITE EXEC/INDEX Format String Vulnerability

Metasploit

description: This module exploits a format string vulnerability in versions of the Washington University FTP server older than 2.6.1. By executing specially crafted SITE EXEC or SITE INDEX commands containing format specifiers, an attacker can corrupt memory and execute arbitrary code.
id: MSF:EXPLOIT/MULTI/FTP/WUFTPD_SITE_EXEC_FORMAT
last seen: 2020-04-11
modified: 2017-07-24
published: 2009-12-06
references: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0573
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/ftp/wuftpd_site_exec_format.rb
title: WU-FTPD SITE EXEC/INDEX Format String Vulnerability

Nessus

NASL family: FTP
NASL id: WU_FTPD_SITE_EXEC.NASL
description: The version of WU-FTPD hosted on the remote server does not properly sanitize the argument of the SITE EXEC command. It may be possible for a remote attacker to gain root access.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 10452
published: 2000-06-27
reporter: This script is Copyright (C) 2000-2018 A. de Bernis
source: https://www.tenable.com/plugins/nessus/10452
title: WU-FTPD site_exec() Function Remote Format String
code:
#
# This script was written by Alexis de Bernis
#

# Changes by Tenable:
# - rely on the banner if we could not log in
# - changed the description to include a Solution:
# - revised plugin title, removed unrelated CVE ref (2/04/2009)
#
# See the Nessus Scripts License for details
#

include("compat.inc");

if (description)
{
  script_id(10452);
  script_version("1.49");
  script_cvs_date("Date: 2018/11/15 20:50:22");

  script_cve_id("CVE-2000-0573");
  script_bugtraq_id(726, 1387, 2240);

  script_name(english:"WU-FTPD site_exec() Function Remote Format String");
  script_summary(english:"Checks if the remote FTP server sanitizes the SITE EXEC command");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is running an FTP server with a remote root
vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of WU-FTPD hosted on the remote server does not properly
sanitize the argument of the SITE EXEC command. It may be possible for
a remote attacker to gain root access.");
  script_set_attribute(attribute:"see_also", value:"https://marc.info/?l=bugtraq&m=96171893218000&w=2");
  script_set_attribute(attribute:"solution", value:"Upgrade to WU-FTPD version 2.6.1 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2000-0573");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'WU-FTPD SITE EXEC/INDEX Format String Vulnerability');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"plugin_publication_date", value:"2000/06/27");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"FTP");

  script_copyright(english:"This script is Copyright (C) 2000-2018 A. de Bernis");

  script_dependencies("ftpserver_detect_type_nd_version.nasl", "ftp_anonymous.nasl");
  script_require_keys("ftp/wuftpd");
  script_require_ports("Services/ftp", 21);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("ftp_func.inc");

login = get_kb_item("ftp/login");
pass  = get_kb_item("ftp/password");

# Connect to the FTP server
port = get_ftp_port(default: 21);

ftpport = port;

# Active check: only possible when credentials are available
soc = NULL;
if (login)
  soc = ftp_open_and_authenticate(user:login, pass:pass, port:port);

if (soc)
{
  # We are in: probe with a single %p; a server that expands it
  # answers with a reply starting "200-0x"
  c = 'SITE EXEC %p \r\n';
  send(socket:soc, data:c);
  b = recv(socket:soc, length:6);
  if (b == "200-0x") security_hole(ftpport);
  ftp_close(socket:soc);
  exit(0);
}

# No credentials, or the login failed: fall back to the banner
soc = open_sock_tcp(ftpport);
if (!soc) audit(AUDIT_SOCK_FAIL, ftpport);
r = ftp_recv_line(socket:soc);
close(soc);

# The banner-only finding is reported only in paranoid mode
if (report_paranoia < 2) audit(AUDIT_PARANOID);

if (egrep(pattern:"220.*FTP server.*[vV]ersion (wu|wuftpd)-((1\..*)|(2\.[0-5]\..*)|(2\.6\.0)).*",
          string:r))
{
  report = "
Nessus is solely basing this finding on the version reported
in the banner, so this may be a false positive.
";
  security_hole(port:ftpport, extra:report);
}

Packetstorm

data source: https://packetstormsecurity.com/files/download/84534/wuftpd_site_exec_format.rb.txt
id: PACKETSTORM:84534
last seen: 2016-12-05
published: 2009-12-31
reporter: jduck
source: https://packetstormsecurity.com/files/84534/Wu-ftpd-SITE-EXEC-INDEX-Format-String-Vulnerability.html
title: Wu-ftpd SITE EXEC/INDEX Format String Vulnerability

Redhat

advisories: rhsa
id: RHSA-2000:039