Vulnerabilities > CVE-2001-0770 - Unspecified vulnerability in Steve Poulsen Guildftpd 0.97

CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL

Summary

Buffer overflow in GuildFTPd Server 0.97 allows a remote attacker to execute arbitrary code via a long SITE command.

Vulnerable Configurations

Part Description Count
Application
Steve_Poulsen
1

Nessus

NASL family: FTP
NASL id: GUILDFTPD_SITE_CMD_OVERFLOW.NASL
description: The remote FTP server appears to be vulnerable to a denial of service attack through the SITE command when handling overly long requests. An attacker can exploit this flaw to crash the affected service or possibly execute arbitrary code. Note that this plugin logs in with the credentials stored under the scan's `ftp/login` knowledge-base key before sending the oversized command, and that it is a destructive (ACT_DENIAL) check: a positive result means the daemon stopped answering after the payload was sent.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 15851
published: 2004-11-30
reporter: This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/15851
title: GuildFTPd Long SITE Command Overflow
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  # Plugin identity and the advisories it tracks.
  script_id(15851);
  script_version("1.19");
  script_cve_id("CVE-2001-0770");
  script_bugtraq_id(2782);

  script_name(english:"GuildFTPd Long SITE Command Overflow");
  script_summary(english:"Sends an oversized SITE command to the remote server");

  # Wording is deliberately hedged ("seems to be"): the only evidence this
  # plugin collects is that the daemon stops answering after the payload.
  script_set_attribute(attribute:"synopsis", value:
"The remote FTP server is vulnerable to a buffer overflow attack." );
  script_set_attribute(attribute:"description", value:
"The remote ftp server seems to be vulnerable to a denial of service
attack through the SITE command when handling specially long requests. 
An attacker can exploit this flaw in order to crash the affected
service or possibly execute arbitrary code." );
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2001/May/250" );
  script_set_attribute(attribute:"solution", value:
"There is no known solution at this time." );

  # NOTE(review): the base vector claims Au:N, but the check below only fires
  # the payload after ftp_authenticate() succeeds; whether an unauthenticated
  # session is also affected is not established anywhere in this script.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:U/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value: "2001/05/27");
  script_set_attribute(attribute:"plugin_publication_date", value: "2004/11/30");
  script_cvs_date("Date: 2018/11/15 20:50:22");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  # ACT_DENIAL: this check is destructive by design and should only be
  # enabled where crashing the target FTP service is acceptable.
  script_category(ACT_DENIAL);
  script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
  script_family(english:"FTP");

  # Needs a banner to fingerprint GuildFTPd and a login (anonymous or from
  # the policy) because the payload is sent on an authenticated session.
  script_dependencie("ftpserver_detect_type_nd_version.nasl", "ftp_anonymous.nasl");
  script_require_keys("ftp/login");
  script_require_ports("Services/ftp", 21);
  exit(0);
}

#
# Active check: fingerprint GuildFTPd from the banner, log in, send an
# oversized SITE argument and report only if the daemon stops answering.
#

include("global_settings.inc");
include("misc_func.inc");
include("ftp_func.inc");

# The payload is sent on an authenticated session, so there is nothing to
# test without a login; ftp/password may legitimately be empty.
login = get_kb_item_or_exit("ftp/login");
password = get_kb_item("ftp/password");

port = get_ftp_port(default: 21);

# The banner string is the only fingerprint used; anything else is skipped.
banner = get_ftp_banner(port:port);
if (!banner) exit(0);
if ("GuildFTP" >!< banner) exit(0);

soc = open_sock_tcp(port);
if (!soc) exit(1);

# Destructive test (ACT_DENIAL): the sole indicator of the overflow is the
# service no longer accepting connections after the oversized SITE command.
if (ftp_authenticate(socket:soc, user:login, pass:password))
{
  payload = 'SITE ' + crap(262) + '\r\n';
  send(socket:soc, data:payload);
  ftp_recv_line(socket:soc);   # drain the reply; its content is not examined
  sleep(1);
  if (service_is_dead(port:port) > 0)
    security_hole(port);
}
ftp_close(socket:soc);