Vulnerabilities > CVE-2001-0318 - Unspecified vulnerability in Proftpd Project Proftpd 1.2.0Rc2

CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
proftpd-project
nessus

Summary

Format string vulnerability in ProFTPD 1.2.0rc2 may allow attackers to execute arbitrary commands by shutting down the FTP server while using a malformed working directory (cwd).

Vulnerable Configurations

Part Description Count
Application
Proftpd_Project
1

Nessus

  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2001-021.NASL
    descriptionThe ProFTPD FTP server has problems with memory leaking that could be used in a DoS attack, as reported by Wojciech Purczynski. A memory leak will happen every time a SIZE command was given provided that the scoreboard file is not writable, which is not the case in a default Linux-Mandrake installation. A similar problem also existed with the USER command where every time it was given the server would use more memory. Additionally, some format string vulnerabilities were reported by Przemyslaw Frasunek which have also been fixed.
    last seen2020-06-01
    modified2020-06-02
    plugin id61895
    published2012-09-06
    reporterThis script is Copyright (C) 2012-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/61895
    titleMandrake Linux Security Advisory : proftpd (MDKSA-2001:021)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2001:021. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    # Local (credentialed) package check: reports a Mandrake Linux 7.2 host whose
    # installed proftpd rpm is older than the one shipped with MDKSA-2001:021
    # (CVE-2001-0136 memory leaks, CVE-2001-0318 format string). The FTP banner is
    # never consulted; only the rpm list gathered over SSH is.
    include("compat.inc");
    
    # Metadata pass: when the plugin is loaded with `description` set, only the
    # attribute registration below runs; the exit(0) at its end keeps the package
    # comparison further down from executing in that pass.
    if (description)
    {
      script_id(61895);
      script_version("1.6");
      script_cvs_date("Date: 2019/08/02 13:32:46");
    
      script_cve_id("CVE-2001-0136", "CVE-2001-0318");
      script_xref(name:"MDKSA", value:"2001:021");
    
      script_name(english:"Mandrake Linux Security Advisory : proftpd (MDKSA-2001:021)");
      script_summary(english:"Checks rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Mandrake Linux host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The ProFTPD FTP server has problems with memory leaking that could be
    used in a DoS attack, as reported by Wojciech Purczynski. A memory
    leak will happen every time a SIZE command was given provided that the
    scoreboard file is not writable, which is not the case in a default
    Linux-Mandrake installation. A similar problem also existed with the
    USER command where every time it was given the server would use more
    memory. Additionally, some format string vulnerabilities were reported
    by Przemyslaw Frasunek which have also been fixed."
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected proftpd package."
      );
      # Severity is the advisory's CVSS2 vector (7.5); the exploit_* flags are
      # reporting metadata only and do not influence the check itself.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      # Both the package CPE and the OS release CPE are recorded so the finding
      # can be matched to the right asset.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:proftpd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:7.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2001/02/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/09/06");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2012-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      # The SSH info-gathering plugin must run first so that the Host/Mandrake/*
      # knowledge-base keys required below are populated.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    # Prerequisites: local checks enabled, a Mandrake release string and an rpm
    # list in the knowledge base; audit() records the reason when one is missing.
    # NOTE(review): "Mandake" in the AUDIT_OS_NOT message is a typo in the
    # reported text only and does not affect the check.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Only x86 package versions are known to this plugin; any other architecture
    # is reported as "not implemented" rather than silently passed as clean.
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    # `reference` is the fixed package from the advisory; rpm_check is expected to
    # return true when the installed proftpd is older than it. yank:"mdk"
    # presumably strips the vendor tag before the version compare -- confirm in rpm.inc.
    flag = 0;
    if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"proftpd-1.2.0rc3-1.1mdk", yank:"mdk")) flag++;
    
    
    # Local finding, so it is reported without a port; the rpm comparison details
    # are attached only when the scan's report verbosity asks for them.
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-029.NASL
    descriptionThe following problems have been reported for the version of proftpd in Debian 2.2 (potato) : - There is a memory leak in the SIZE command which can result in a denial of service, as reported by Wojciech Purczynski. This is only a problem if proftpd cannot write to its scoreboard file; the default configuration of proftpd in Debian is not vulnerable. - A similar memory leak affects the USER command, also as reported by Wojciech Purczynski. The proftpd in Debian 2.2 is susceptible to this vulnerability; an attacker can cause the proftpd daemon to crash by exhausting its available memory. - There were some format string vulnerabilities reported by Przemyslaw Frasunek. These are not known to have exploits, but have been corrected as a precaution.
    last seen2020-06-01
    modified2020-06-02
    plugin id14866
    published2004-09-29
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/14866
    titleDebian DSA-029-2 : proftpd - remote DOS & potential buffer overflow
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-029. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    # Local (credentialed) package check: reports a Debian 2.2 (potato) host whose
    # installed proftpd package is older than the DSA-029 update (CVE-2001-0136
    # memory leaks, CVE-2001-0318 format string). The FTP banner is never
    # consulted; only the dpkg list gathered over SSH is.
    include("compat.inc");
    
    # Metadata pass: when the plugin is loaded with `description` set, only the
    # attribute registration below runs; the exit(0) at its end keeps the package
    # comparison further down from executing in that pass.
    if (description)
    {
      script_id(14866);
      script_version("1.16");
      script_cvs_date("Date: 2019/08/02 13:32:16");
    
      script_cve_id("CVE-2001-0136", "CVE-2001-0318");
      script_xref(name:"DSA", value:"029");
    
      script_name(english:"Debian DSA-029-2 : proftpd - remote DOS & potential buffer overflow");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The following problems have been reported for the version of proftpd
    in Debian 2.2 (potato) :
    
      - There is a memory leak in the SIZE command which can
        result in a denial of service, as reported by Wojciech
        Purczynski. This is only a problem if proftpd cannot
        write to its scoreboard file; the default configuration
        of proftpd in Debian is not vulnerable.
      - A similar memory leak affects the USER command, also as
        reported by Wojciech Purczynski. The proftpd in Debian
        2.2 is susceptible to this vulnerability; an attacker
        can cause the proftpd daemon to crash by exhausting its
        available memory.
    
      - There were some format string vulnerabilities reported
        by Przemyslaw Frasunek. These are not known to have
        exploits, but have been corrected as a precaution."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2001/dsa-029"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All three of the above vulnerabilities have been corrected in
    proftpd-1.2.0pre10-2potato1. We recommend you upgrade your proftpd
    package immediately."
      );
      # Severity is the advisory's CVSS2 vector (7.5); the exploit_* flags are
      # reporting metadata only and do not influence the check itself.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      # Both the package CPE and the OS release CPE are recorded so the finding
      # can be matched to the right asset.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:proftpd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:2.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2001/02/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      # The SSH info-gathering plugin must run first so that the Host/Debian/*
      # knowledge-base keys required below are populated.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    # Prerequisites: local checks enabled, a Debian release string and a dpkg list
    # in the knowledge base; audit() records the reason when one is missing.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    # `reference` is the fixed package version; deb_check is expected to return
    # true when the installed proftpd is older than it.
    # NOTE(review): the solution text above names 1.2.0pre10-2potato1 while the
    # comparison uses 1.2.0pre10-2.0potato1 -- confirm against the DSA which one is
    # the real fixed version, since the difference changes which installed
    # revisions are flagged.
    flag = 0;
    if (deb_check(release:"2.2", prefix:"proftpd", reference:"1.2.0pre10-2.0potato1")) flag++;
    
    # Local finding, so it is reported without a port; the dpkg comparison details
    # are attached only when the scan's report verbosity asks for them.
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyFTP
    NASL idPROFTPD_1_2_0_RC2.NASL
    descriptionThe remote ProFTPd server is as old as or older than 1.2.0rc2. There is a very hard to exploit format string vulnerability in this version that could allow an attacker to execute arbitrary code on this host. The vulnerability is believed to be nearly impossible to exploit, though.
    last seen2020-06-01
    modified2020-06-02
    plugin id11407
    published2003-03-17
    reporterThis script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/11407
    titleProFTPD 1.2.0rc2 Malformed cwd Command Format String
    code
    
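    #
    # (C) Tenable Network Security, Inc.
    #
    
    # Remote, unauthenticated banner check for CVE-2001-0318: flags a ProFTPD
    # server whose 220 greeting identifies 1.1.x or earlier, any 1.2.0pre
    # release, or 1.2.0rc1/rc2. The decision rests only on the version string in
    # the banner, so a vendor package that kept an old version number but carries
    # a backported fix (e.g. Debian's 1.2.0pre10-2potato1 from DSA-029) is still
    # reported; prefer the credentialed distro checks where they apply.
    
    include("compat.inc");
    
    # Metadata pass: when the plugin is loaded with `description` set, only the
    # attribute registration below runs; the exit(0) at its end keeps the banner
    # check further down from executing in that pass.
    if (description)
    {
     script_id(11407);
     script_version("1.16");
     script_cvs_date("Date: 2018/07/25 18:58:03");
    
     script_cve_id("CVE-2001-0318");
     script_bugtraq_id(6781);
    
     script_name(english:"ProFTPD 1.2.0rc2 Malformed cwd Command Format String");
     script_summary(english:"Checks if the version of the remote proftpd");
    
     script_set_attribute(attribute:"synopsis", value:
    "It might be possible to run arbitrary code on this server.");
     script_set_attribute(attribute:"description", value:
    "The remote ProFTPd server is as old or older than 1.2.0rc2
    
    There is a very hard to exploit format string vulnerability in
    this version that could allow an attacker to execute arbitrary
    code on this host.
    
    The vulnerability is believed to be nearly impossible to exploit
    though.");
     script_set_attribute(attribute:"solution", value:
    "Upgrade to a newer version.");
     # Base vector is full C/I/A impact (code execution as the daemon); the
     # temporal vector (E:U) records that no exploit is known, which is why the
     # exploit_* attributes below say "false".
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"false");
    
     script_set_attribute(attribute:"plugin_publication_date", value:"2003/03/17");
     script_set_attribute(attribute:"vuln_publication_date", value:"2001/01/10");
    
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_set_attribute(attribute:"cpe", value:"cpe:/a:proftpd:proftpd");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
     script_family(english:"FTP");
    
     script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
    
     # The FTP detection plugins must run first so that the "ftp/proftpd" key and
     # the FTP service port are known. Uses the same spelling of the dependency
     # call as the sibling local-check plugins.
     script_dependencies("ftpserver_detect_type_nd_version.nasl", "ftp_anonymous.nasl");
     script_require_keys("ftp/proftpd");
     script_require_ports("Services/ftp", 21);
     exit(0);
    }
    
    #
    # The script code starts here : 
    #
    
    include("ftp_func.inc");
    include("audit.inc");
    
    port = get_ftp_port(default: 21);
    
    # get_ftp_banner will return NULL if the server is fake.
    banner = get_ftp_banner(port:port);
    if (! banner) exit(1);
    
    # Two version families are flagged:
    #   - 1.0.x and 1.1.x
    #   - 1.2.0pre* and 1.2.0rc1 / 1.2.0rc2
    # The rc alternative ends in ([^0-9]|$) so that rc1/rc2 neither match a
    # hypothetical rc10+ nor miss a banner that ends right after the release tag
    # (the original [^0-9] alone required a following character).
    if ( egrep(pattern:"^220 ProFTPD 1\.[0-1]\..*", string:banner) ||
         egrep(pattern:"^220 ProFTPD 1\.2\.0(pre.*|rc[1-2]([^0-9]|$))", string:banner))
      security_hole(port);
    else
      audit(AUDIT_HOST_NOT, "affected");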