Vulnerabilities > CVE-2001-0249 - Incorrect Calculation of Buffer Size vulnerability in multiple products

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

oracle

sgi

CWE-131

critical

nessus

NVD

Published: 2001-06-18

Updated: 2024-02-02

Summary

Heap overflow in FTP daemon in Solaris 8 allows remote attackers to execute arbitrary commands by creating a long pathname and calling the LIST command, which uses glob to generate long strings.

Vulnerable Configurations

Part	Description	Count
OS	Hp HP HP UX 11.00	1
OS	Oracle Oracle Solaris 8	1
OS	Sgi SGI Irix 6.5 SGI Irix 6.5.1 SGI Irix 6.5.2 SGI Irix 6.5.2F SGI Irix 6.5.2M SGI Irix 6.5.3 SGI Irix 6.5.3F SGI Irix 6.5.3M SGI Irix 6.5.4 SGI Irix 6.5.4F SGI Irix 6.5.4M SGI Irix 6.5.5 SGI Irix 6.5.5F SGI Irix 6.5.5M SGI Irix 6.5.6 SGI Irix 6.5.6F SGI Irix 6.5.6M SGI Irix 6.5.7 SGI Irix 6.5.7F SGI Irix 6.5.7M SGI Irix 6.5.8 SGI Irix 6.5.8F SGI Irix 6.5.8M SGI Irix 6.5.9 SGI Irix 6.5.9F SGI Irix 6.5.9M SGI Irix 6.5.10 SGI Irix 6.5.10F SGI Irix 6.5.10M SGI Irix 6.5.11 SGI Irix 6.5.11F SGI Irix 6.5.11M SGI Irix 6.5.12 SGI Irix 6.5.12F SGI Irix 6.5.12M SGI Irix 6.5.13 SGI Irix 6.5.13F SGI Irix 6.5.13M SGI Irix 6.5.14 SGI Irix 6.5.14F SGI Irix 6.5.14M SGI Irix 6.5.15 SGI Irix 6.5.15F SGI Irix 6.5.15M SGI Irix 6.5.16 SGI Irix 6.5.16F SGI Irix 6.5.16M SGI Irix 6.5.17 SGI Irix 6.5.17F SGI Irix 6.5.17M SGI Irix 6.5.18 SGI Irix 6.5.18F SGI Irix 6.5.18M SGI Irix 6.5.19 SGI Irix 6.5.19F SGI Irix 6.5.19M SGI Irix 6.5.20	57

Common Weakness Enumeration (CWE)

CWE-131 - Incorrect Calculation of Buffer Size

Common Attack Pattern Enumeration and Classification (CAPEC)

Overflow Buffers
Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
Buffer Overflow via Parameter Expansion
In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.

Nessus

NASL family	FTP
NASL id	FTPGLOB.NASL
description	The FTPD glob vulnerability manifests itself in handling the glob command. The problem is not a typical buffer overflow or format string vulnerability, but a combination of two bugs - an implementation of the glob command that does not properly return an error condition when interpreting the string
last seen	2020-06-01
modified	2020-06-02
plugin id	10821
published	2001-12-06
reporter	Copyright (C) 2001-2018 E*Maze
source	https://www.tenable.com/plugins/nessus/10821
title	Multiple FTPD glob Command Arbitrary Command Execution
code	# # This script is copyright 2001 by EMAZE Networks S.p.A. # under the General Public License (GPL). All Rights Reserved. # # changes by rd: added risk factor & fix # Changes by Tenable: # - Revised plugin title (1/28/2009) # - Fixed typos in the description (11/30/2012) # - update dependencies (7/23/2018) bracket = raw_string(0x7B); include("compat.inc"); if (description) { script_id(10821); script_version("1.56"); script_cvs_date("Date: 2018/11/15 20:50:22"); script_cve_id("CVE-2001-0249", "CVE-2001-0550"); script_bugtraq_id(2550, 3581); script_name(english:"Multiple FTPD glob Command Arbitrary Command Execution"); script_summary(english:"Check if the remote FTPD is affected by a glob heap corruption vulnerability"); script_set_attribute(attribute:"synopsis", value: "The remote ftp server is affected by a remote code execution vulnerability."); script_set_attribute(attribute:"description", value: "The FTPD glob vulnerability manifests itself in handling the glob command. The problem is not a typical buffer overflow or format string vulnerability, but a combination of two bugs - an implementation of the glob command that does not properly return an error condition when interpreting the string 'bracket', and then frees memory which may contain user-supplied data. An attacker who is able to log in to a vulnerable server, including users with anonymous access, can exploit this to execute arbitrary code with the privileges of the FTP service."); # https://web.archive.org/web/20040820110551/http://archives.neohapsis.com/archives/vulnwatch/2001-q3/0003.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0332633c"); script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2001/Nov/237"); script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2001/Nov/258"); script_set_attribute(attribute:"solution", value:"Contact your vendor for a fix."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2001-0249"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"vuln_publication_date", value:"2001/04/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2001/12/06"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_end_attributes(); script_category(ACT_MIXED_ATTACK); script_family(english:"FTP"); script_copyright(english:"Copyright (C) 2001-2018 EMaze"); script_dependencie("ftpserver_detect_type_nd_version.nasl", "ftp_anonymous.nasl", "os_fingerprint.nasl"); script_require_keys("Settings/ParanoidReport"); script_require_ports("Services/ftp", 21); exit(0); } include("audit.inc"); include("ftp_func.inc"); include("global_settings.inc"); port = get_ftp_port(default: 21); if (report_paranoia < 2) audit(AUDIT_PARANOID); login = get_kb_item("ftp/login"); password = get_kb_item("ftp/password"); if(safe_checks())login = 0; if (login) { soc = open_sock_tcp(port); if (!soc) exit(0); if (ftp_authenticate(socket:soc, user:login, pass:password)) { c = string("CWD ~", bracket, "\r\n"); d = string("CWD ~", bracket, "\r\n"); send(socket:soc, data:c); b = ftp_recv_line(socket:soc); send(socket:soc, data:d); e = ftp_recv_line(socket:soc); # # Buggy version. no known exploits # buggy = "You seem to be running an FTP server which is vulnerable to the 'glob heap corruption' flaw, but which can not be exploited on this server."; # # Vulnerable version. Working exploit has been written # vuln = "You seem to be running an FTP server which is vulnerable to the 'glob heap corruption' flaw, which is known to be exploitable remotely against this server. An attacker may use this flaw to execute arbitrary commands on this host."; # # Check if the connection is lost # if it is, the daemon is vulnerable # linux/bsd: wuftpd, beroftpd # solaris ftpd # if ((!b) \|\| (!e)) { security_hole(port:port, extra:vuln); exit(0); } # # Freebsd / Openbsd command successful. # buggy version # if ((b >< "250 CWD command successful") \|\| (e >< "250 CWD command successful")) { security_hole(port:port, extra:buggy); exit(0); } # # Netbsd vulnerable # if((b >< ":") \|\| (e >< ":")) { security_hole(port:port, extra:vuln); exit(0); } # # Aix buggy # if ((b >< "550 Unknown user name after ~") \|\| (e >< "550 Unknown user name after ~")) { security_hole(port:port, extra:buggy); exit(0); } # # MacOS X Darwin buggy # if ((b >< "550 ~: No such file or directory") \|\| (e >< "550 ~: No such file or directory")) { security_hole(port:port, extra:buggy); exit(0); } # # The non vulnerable version # ftp_close(socket:soc); exit(0); } ftp_close(socket: soc); } os = get_kb_item("Host/OS"); if(os) { if(egrep(pattern:".FreeBSD (4\.[5-9]\|5\..).", string:os))exit(0); } # # We weren't able to login into the ftp server. # check the banner instead # banner = get_ftp_banner(port: port); if (!banner) exit(0); # # FTP server 4.1 (aix/ultrix), 1.1. (hp-ux), 6.00 (darwin), 6.00LS (freebsd) # # wu-ftpd 2.6.1-20 is not vulnerable if(egrep(pattern:"(wu\|wuftpd)-2\.6\.1-[2-9][0-9].", string:banner))exit(0); if ( "PHNE_27765" >< banner \|\| "PHNE_29461" >< banner \|\| "PHNE_30432" >< banner \|\| "PHNE_31931" >< banner \|\| "PHNE_34544" >< banner \|\| "PHNE_30990" >< banner ) exit(0); if ( egrep(pattern: "(wu\|wuftpd)-([0-1]\|(2\.([0-5][^0-9]\|6\.[0-1]))).", string:banner) \|\| egrep(pattern: "BeroFTPD.", string:banner) \|\| egrep(pattern: "NetBSD-ftpd (199[0-9]\|200[0-1]).", string:banner) \|\| egrep(pattern: "Digital UNIX Version [0-5]\..", string:banner) \|\| egrep(pattern: "SunOS [0-5]\.[0-8].", string:banner) \|\| egrep(pattern: "FTP server.Version (1\.[0-1]\.\|4\.1\|6\.00\|6\.00LS).", string:banner) \|\| egrep(pattern: "FTP server .SRPftp 1\.[0-3].", string:banner)) { banvuln = "Nessus relied solely on the banner of the server to issue this warning, so this alert might be a false positive. A valid username/password is needed to fully check this vulnerability"; security_hole(port:port, extra:banvuln); exit(0); }

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Nessus

References