Vulnerabilities > CVE-2000-1194 - Buffer Overflow vulnerability in Argosoft FTP Server 1.0

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

argosoft

nessus

NVD

Published: 2001-08-31

Updated: 2008-09-05

Summary

Argosoft FRP server 1.0 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long string to the (1) USER or (2) CWD commands.

Vulnerable Configurations

Part	Description	Count
Application	Argosoft Argosoft FTP Server 1.0	1

Nessus

NASL family	FTP
NASL id	FTP_OVERFLOW.NASL
description	The remote FTP server closes the connection when a command or argument is too long. This is probably due to a buffer overflow and may allow an attacker to execute arbitrary code on the remote host.
last seen	2020-06-01
modified	2020-06-02
plugin id	10084
published	1999-06-22
reporter	This script is Copyright (C) 1999-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/10084
title	Multiple FTP Server Command Handling Overflow
code	# # (C) Tenable Network Security, Inc. # if (NASL_LEVEL < 3000) exit(0); include("compat.inc"); if(description) { script_id(10084); script_version ("1.85"); script_cve_id( "CVE-1999-0219", "CVE-2000-0870", "CVE-2000-0943", "CVE-2000-1035", "CVE-2000-1194", "CVE-2002-0126", "CVE-2003-0271", "CVE-2005-0634", "CVE-2005-1415" ); script_bugtraq_id(269, 1227, 1675, 1690, 1858, 3884, 7251, 7278, 7307, 12704, 13454); script_name(english:"Multiple FTP Server Command Handling Overflow"); script_set_attribute(attribute:"synopsis", value: "The remote FTP server is susceptible to buffer overflow attacks." ); script_set_attribute(attribute:"description", value: "The remote FTP server closes the connection when a command or argument is too long. This is probably due to a buffer overflow and may allow an attacker to execute arbitrary code on the remote host." ); script_set_attribute(attribute:"solution", value: "Upgrade / switch the FTP server software or disable the service if it is not needed." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'GlobalSCAPE Secure FTP Server Input Overflow'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"plugin_publication_date", value: "1999/06/22"); script_set_attribute(attribute:"vuln_publication_date", value: "1997/07/01"); script_cvs_date("Date: 2018/08/31 12:25:01"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_end_attributes(); summary["english"] = "attempts some buffer overflows"; script_summary(english:summary["english"]); script_category(ACT_DESTRUCTIVE_ATTACK); script_copyright(english: "This script is Copyright (C) 1999-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"FTP"); script_dependencies("ftpserver_detect_type_nd_version.nasl"); script_require_keys("ftp/login", "ftp/password"); script_exclude_keys("global_settings/supplied_logins_only"); script_require_ports("Services/ftp", 21); exit(0); } # # The script code starts here # include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("ftp_func.inc"); if (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY); global_var port = get_ftp_port(default: 21); foreach f (make_list("msftpd", "ncftpd", "fw1ftpd", "vxftpd")) if (get_kb_item("ftp/"+port+"/"+f)) exit(0, "The FTP server on port "+port+" is "+f+"."); function is_vulnerable (value) { if (service_is_dead(port: port) > 0) { set_kb_item(name:"ftp/overflow", value:TRUE); set_kb_item(name:"ftp/"+port+"/overflow", value:TRUE); set_kb_item(name:"ftp/"+port+"/overflow_method", value:value); security_hole(port); } exit (0); } soc = open_sock_tcp(port); if (! soc) exit(1, "Connection failed to port "+port+"."); ftp_debug(str:"custom banner"); d = ftp_recv_line(socket:soc); if(!d){ close(soc); exit(1, "No answer on port "+port+"."); } if(!egrep(pattern:"^220[ -]", string:d)) { # not an FTP server close(soc); exit(1, "The service on port "+port+" does not look like FTP."); } if ("Microsoft FTP Service" >< d) exit(0, "MS FTP is running on port "+port+"."); req = 'USER ftp\r\n'; send(socket:soc, data:req); d = ftp_recv_line(socket:soc); ftp_close(socket:soc); if(!d) { exit(1, "No answer on port "+port+"."); } soc = open_sock_tcp(port); if ( ! soc ) exit(1, "Connection failed to port "+port+"."); d = ftp_recv_line(socket:soc); s = ('USER ' + crap(4096) + '\r\n'); send(socket:soc, data:s); d = ftp_recv_line(socket:soc); if(!d){ close (soc); is_vulnerable (value:"USER"); } # Let's try to access it with valid credentials now. login = get_kb_item("ftp/login"); password = get_kb_item("ftp/password"); s = ('USER ' + login + '\r\n'); send(socket:soc, data:s); d = ftp_recv_line(socket:soc); # ProFTPD 1.5.2 crashes with more than 12 KB s = ('PASS ' + crap(12500) + '\r\n'); send(socket:soc, data:s); d = ftp_recv_line(socket:soc); if(!d){ close (soc); is_vulnerable (value:"PASS"); } s = ('PASS ' + password + '\r\n'); send(socket:soc, data:s); d = ftp_recv_line(socket:soc); if(!d) exit(1, "No answer from port "+port+"."); foreach cmd (make_list ('CWD', 'LIST', 'STOR', 'RNTO', 'MKD', 'XMKD', 'RMD', 'XRMD', 'APPE', 'SIZE', 'RNFR', 'HELP', '')) { s = (cmd + ' ' + crap(4096) + '\r\n'); d = ftp_recv_line(socket:soc); if (! d) { close (soc); is_vulnerable (value: cmd); } } if ( soc ) close(soc);

Summary

Vulnerable Configurations

Nessus

References