Vulnerabilities > CVE-2000-0574

CVSS 5.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

PARTIAL

network

low complexity

openbsd

washington-university

nessus

exploit available

NVD

Published: 2000-07-07

Updated: 2008-09-10

Summary

FTP servers such as OpenBSD ftpd, NetBSD ftpd, ProFTPd and Opieftpd do not properly cleanse untrusted format strings that are used in the setproctitle function (sometimes called by set_proc_title), which allows remote attackers to cause a denial of service or execute arbitrary commands.

Vulnerable Configurations

Part	Description	Count
Application	Openbsd Openbsd Ftpd 5.51 Openbsd Ftpd 5.60	2
Application	Washington_University Washington University WU Ftpd 2.4.2_Beta1 Washington University WU Ftpd 2.4.2_Beta18 Washington University WU Ftpd 2.4.2_Beta18_Vr4 Washington University WU Ftpd 2.4.2_Beta18_Vr5 Washington University WU Ftpd 2.4.2_Beta18_Vr6 Washington University WU Ftpd 2.4.2_Beta18_Vr7 Washington University WU Ftpd 2.4.2_Beta18_Vr8 Washington University WU Ftpd 2.4.2_Beta18_Vr9 Washington University WU Ftpd 2.4.2_Beta18_Vr10 Washington University WU Ftpd 2.4.2_Beta18_Vr11 Washington University WU Ftpd 2.4.2_Beta18_Vr12 Washington University WU Ftpd 2.4.2_Beta18_Vr13 Washington University WU Ftpd 2.4.2_Beta18_Vr14 Washington University WU Ftpd 2.4.2_Beta18_Vr15 Washington University WU Ftpd 2.4.2_Vr16 Washington University WU Ftpd 2.4.2_Vr17 Washington University WU Ftpd 2.5 Washington University WU Ftpd 2.6	18

Exploit-Db

description	OpenBSD ftp Exploit (teso). CVE-2000-0574. Local exploit for bsd platform
id	EDB-ID:396
last seen	2016-01-31
modified	2002-01-01
published	2002-01-01
reporter	Teso
source	https://www.exploit-db.com/download/396/
title	OpenBSD ftp Exploit teso

Nessus

NASL family	FTP
NASL id	FTP_SETPROCTITLE.NASL
description	The remote FTP server misuses the function setproctitle() and may allow an attacker to gain a root shell on this host by logging in as
last seen	2020-06-01
modified	2020-06-02
plugin id	11391
published	2003-03-15
reporter	This script is Copyright (C) 2003-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/11391
title	Multiple FTP Server setproctitle Function Arbitrary Command Execution
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(11391); script_version("1.27"); script_cvs_date("Date: 2018/08/31 12:25:01"); script_cve_id("CVE-2000-0574"); script_bugtraq_id(1425, 1438); script_name(english:"Multiple FTP Server setproctitle Function Arbitrary Command Execution"); script_summary(english:"Checks if the remote ftpd is vulnerable to format string attacks"); script_set_attribute(attribute:"synopsis", value: "The remote FTP server is susceptible to a remote command execution attack."); script_set_attribute(attribute:"description", value: "The remote FTP server misuses the function setproctitle() and may allow an attacker to gain a root shell on this host by logging in as 'anonymous' and providing a carefully crafted format string as its email address."); script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?aee65ddc"); script_set_attribute(attribute:"solution", value:"Install the latest patches from your vendor."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2000/07/05"); script_set_attribute(attribute:"plugin_publication_date", value:"2003/03/15"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_end_attributes(); script_category(ACT_DESTRUCTIVE_ATTACK); script_family(english:"FTP"); script_copyright(english: "This script is Copyright (C) 2003-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ftpserver_detect_type_nd_version.nasl", "ftp_anonymous.nasl"); script_require_keys("ftp/anonymous", "Settings/ParanoidReport"); script_exclude_keys("global_settings/supplied_logins_only"); script_require_ports("Services/ftp", 21); exit(0); } include("audit.inc"); include("global_settings.inc"); include("ftp_func.inc"); if (report_paranoia < 2) audit(AUDIT_PARANOID); if (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY); port = get_ftp_port(default: 21); # Connect to the FTP server soc = open_sock_tcp(port); if (! soc) exit(1); ftp_debug(str:"custom banner"); banner = ftp_recv_line(socket:soc); if(!banner)exit(1); send(socket:soc, data:'USER anonymous\r\n'); r = ftp_recv_line(socket:soc); if(!egrep(pattern:"^331", string:r))exit(0); send(socket:soc, data:'PASS %n%n%n%n%n%n%n\r\n'); r = ftp_recv_line(socket:soc); if(!r \|\| !egrep(pattern:"^230", string:r))exit(0); send(socket:soc, data:'HELP\r\n'); r = recv_line(socket:soc, length:4096); if(!r)security_warning(port);

Vulnerabilities > CVE-2000-0574 {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Vulnerabilities","item":"https://cyber.vumetric.com/vulns/"},{"@type":"ListItem","position":2,"name":"CVE-2000-0574"}]}

Summary

Vulnerable Configurations

Exploit-Db

Nessus

References

Vulnerabilities > CVE-2000-0574