Vulnerabilities > CVE-2000-0943 - Unspecified vulnerability in Max-Wilhelm Bruker Bftpd 1.0.11
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Buffer overflow in bftp daemon (bftpd) 1.0.11 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long USER command.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 |
Nessus
NASL family FTP NASL id BFTPD_CHOWN.NASL description The version of bftpd running on the remote host is vulnerable to a remote buffer overflow attack when issued very long arguments to the SITE CHOWN command. A remote attacker could exploit this issue to crash the FTP server, or possibly execute arbitrary code. last seen 2020-06-01 modified 2020-06-02 plugin id 10579 published 2000-12-16 reporter This script is Copyright (C) 2000-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/10579 title bftpd Multiple Command Remote Overflow code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if(description) { script_id(10579); script_bugtraq_id(2120); script_version ("1.40"); script_cve_id("CVE-2001-0065", "CVE-2000-0943"); script_name(english:"bftpd Multiple Command Remote Overflow"); script_summary(english:"Checks if the remote bftpd daemon is vulnerable to a buffer overflow"); script_set_attribute( attribute:"synopsis", value:"The remote FTP server has a remote buffer overflow vulnerability." ); script_set_attribute(attribute:"description", value: "The version of bftpd running on the remote host is vulnerable to a remote buffer overflow attack when issued very long arguments to the SITE CHOWN command. A remote attacker could exploit this issue to crash the FTP server, or possibly execute arbitrary code." ); script_set_attribute( attribute:"see_also", value:"https://seclists.org/bugtraq/2000/Dec/222" ); script_set_attribute( attribute:"solution", value:"Upgrade to bftpd version 1.0.24 or later." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2001-0065"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_publication_date", value: "2000/12/16"); script_set_attribute(attribute:"vuln_publication_date", value: "2000/10/27"); script_cvs_date("Date: 2018/11/15 20:50:22"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_end_attributes(); script_category(ACT_MIXED_ATTACK); # mixed script_family(english:"FTP"); script_copyright(english:"This script is Copyright (C) 2000-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ftpserver_detect_type_nd_version.nasl", "ftp_anonymous.nasl", "ftp_writeable_directories.nasl", "ftp_kibuv_worm.nasl"); script_require_ports("Services/ftp", 21); script_require_keys("Settings/ParanoidReport"); exit(0); } include("global_settings.inc"); include("ftp_func.inc"); if (report_paranoia < 2) exit(0, "This script only runs in 'paranoid' mode."); # # The script code starts here : # login = get_kb_item("ftp/login"); pass = get_kb_item("ftp/password"); port = get_ftp_port(default: 21); # Connect to the FTP server if(safe_checks())login = 0; if(login) { soc = ftp_open_and_authenticate( user:login, pass:pass, port:port ); if(soc) { req = 'SITE CHOWN AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA A'; req = req + '\r\n'; send(socket:soc, data:req); r = ftp_recv_line(socket:soc); send(socket:soc, data:'HELP\r\n'); r = ftp_recv_line(socket:soc, retry: 2); if(!r)security_hole(port); ftp_close(socket: soc); exit(0); } } banner = get_ftp_banner(port: port); if(!banner)exit(1, "No FTP banner on port "+port+"."); if(egrep(pattern:"220.*bftpd 1\.0\.(([0-9][^0-9])|(1[0-3]))", string:banner)){ data = '\n' + 'Note that Nessus detected this issue solely based on the server banner\n' ; security_hole(port:port, extra:data); }
NASL family FTP NASL id FTP_OVERFLOW.NASL description The remote FTP server closes the connection when a command or argument is too long. This is probably due to a buffer overflow and may allow an attacker to execute arbitrary code on the remote host. last seen 2020-06-01 modified 2020-06-02 plugin id 10084 published 1999-06-22 reporter This script is Copyright (C) 1999-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/10084 title Multiple FTP Server Command Handling Overflow code # # (C) Tenable Network Security, Inc. # if (NASL_LEVEL < 3000) exit(0); include("compat.inc"); if(description) { script_id(10084); script_version ("1.85"); script_cve_id( "CVE-1999-0219", "CVE-2000-0870", "CVE-2000-0943", "CVE-2000-1035", "CVE-2000-1194", "CVE-2002-0126", "CVE-2003-0271", "CVE-2005-0634", "CVE-2005-1415" ); script_bugtraq_id(269, 1227, 1675, 1690, 1858, 3884, 7251, 7278, 7307, 12704, 13454); script_name(english:"Multiple FTP Server Command Handling Overflow"); script_set_attribute(attribute:"synopsis", value: "The remote FTP server is susceptible to buffer overflow attacks." ); script_set_attribute(attribute:"description", value: "The remote FTP server closes the connection when a command or argument is too long. This is probably due to a buffer overflow and may allow an attacker to execute arbitrary code on the remote host." ); script_set_attribute(attribute:"solution", value: "Upgrade / switch the FTP server software or disable the service if it is not needed." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'GlobalSCAPE Secure FTP Server Input Overflow'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"plugin_publication_date", value: "1999/06/22"); script_set_attribute(attribute:"vuln_publication_date", value: "1997/07/01"); script_cvs_date("Date: 2018/08/31 12:25:01"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_end_attributes(); summary["english"] = "attempts some buffer overflows"; script_summary(english:summary["english"]); script_category(ACT_DESTRUCTIVE_ATTACK); script_copyright(english: "This script is Copyright (C) 1999-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"FTP"); script_dependencies("ftpserver_detect_type_nd_version.nasl"); script_require_keys("ftp/login", "ftp/password"); script_exclude_keys("global_settings/supplied_logins_only"); script_require_ports("Services/ftp", 21); exit(0); } # # The script code starts here # include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("ftp_func.inc"); if (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY); global_var port = get_ftp_port(default: 21); foreach f (make_list("msftpd", "ncftpd", "fw1ftpd", "vxftpd")) if (get_kb_item("ftp/"+port+"/"+f)) exit(0, "The FTP server on port "+port+" is "+f+"."); function is_vulnerable (value) { if (service_is_dead(port: port) > 0) { set_kb_item(name:"ftp/overflow", value:TRUE); set_kb_item(name:"ftp/"+port+"/overflow", value:TRUE); set_kb_item(name:"ftp/"+port+"/overflow_method", value:value); security_hole(port); } exit (0); } soc = open_sock_tcp(port); if (! soc) exit(1, "Connection failed to port "+port+"."); ftp_debug(str:"custom banner"); d = ftp_recv_line(socket:soc); if(!d){ close(soc); exit(1, "No answer on port "+port+"."); } if(!egrep(pattern:"^220[ -]", string:d)) { # not an FTP server close(soc); exit(1, "The service on port "+port+" does not look like FTP."); } if ("Microsoft FTP Service" >< d) exit(0, "MS FTP is running on port "+port+"."); req = 'USER ftp\r\n'; send(socket:soc, data:req); d = ftp_recv_line(socket:soc); ftp_close(socket:soc); if(!d) { exit(1, "No answer on port "+port+"."); } soc = open_sock_tcp(port); if ( ! soc ) exit(1, "Connection failed to port "+port+"."); d = ftp_recv_line(socket:soc); s = ('USER ' + crap(4096) + '\r\n'); send(socket:soc, data:s); d = ftp_recv_line(socket:soc); if(!d){ close (soc); is_vulnerable (value:"USER"); } # Let's try to access it with valid credentials now. login = get_kb_item("ftp/login"); password = get_kb_item("ftp/password"); s = ('USER ' + login + '\r\n'); send(socket:soc, data:s); d = ftp_recv_line(socket:soc); # ProFTPD 1.5.2 crashes with more than 12 KB s = ('PASS ' + crap(12500) + '\r\n'); send(socket:soc, data:s); d = ftp_recv_line(socket:soc); if(!d){ close (soc); is_vulnerable (value:"PASS"); } s = ('PASS ' + password + '\r\n'); send(socket:soc, data:s); d = ftp_recv_line(socket:soc); if(!d) exit(1, "No answer from port "+port+"."); foreach cmd (make_list ('CWD', 'LIST', 'STOR', 'RNTO', 'MKD', 'XMKD', 'RMD', 'XRMD', 'APPE', 'SIZE', 'RNFR', 'HELP', '')) { s = (cmd + ' ' + crap(4096) + '\r\n'); d = ftp_recv_line(socket:soc); if (! d) { close (soc); is_vulnerable (value: cmd); } } if ( soc ) close(soc);