Vulnerabilities > CVE-2003-0271 - Remote Security vulnerability in Personal Ftp Server

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
cooolsoft
nessus

Summary

Buffer overflow in Personal FTP Server allows remote attackers to execute arbitrary code via a long USER argument.

Vulnerable Configurations

Part Description Count
Application
Cooolsoft
1

Nessus

NASL familyFTP
NASL idFTP_OVERFLOW.NASL
descriptionThe remote FTP server closes the connection when a command or argument is too long. This is probably due to a buffer overflow and may allow an attacker to execute arbitrary code on the remote host.
last seen2020-06-01
modified2020-06-02
plugin id10084
published1999-06-22
reporterThis script is Copyright (C) 1999-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/10084
titleMultiple FTP Server Command Handling Overflow
code
#
# (C) Tenable Network Security, Inc.
#

if (NASL_LEVEL < 3000) exit(0);

include("compat.inc");

if(description)
{
 script_id(10084);
 script_version ("1.85");

 script_cve_id(
  "CVE-1999-0219",
  "CVE-2000-0870",
  "CVE-2000-0943",
  "CVE-2000-1035",
  "CVE-2000-1194",
  "CVE-2002-0126",
  "CVE-2003-0271",
  "CVE-2005-0634",
  "CVE-2005-1415"
 );
 script_bugtraq_id(269, 1227, 1675, 1690, 1858, 3884, 7251, 7278, 7307, 12704, 13454);

 script_name(english:"Multiple FTP Server Command Handling Overflow");
 
 script_set_attribute(attribute:"synopsis", value:
"The remote FTP server is susceptible to buffer overflow attacks." );
 script_set_attribute(attribute:"description", value:
"The remote FTP server closes the connection when a command or argument
is too long.  This is probably due to a buffer overflow and may allow
an attacker to execute arbitrary code on the remote host." );
 script_set_attribute(attribute:"solution", value:
"Upgrade / switch the FTP server software or disable the service if 
it is not needed." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
 script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
 script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"exploit_framework_core", value:"true");
 script_set_attribute(attribute:"metasploit_name", value:'GlobalSCAPE Secure FTP Server Input Overflow');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
 script_set_attribute(attribute:"plugin_publication_date", value: "1999/06/22");
 script_set_attribute(attribute:"vuln_publication_date", value: "1997/07/01");
 script_cvs_date("Date: 2018/08/31 12:25:01");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();
 
 summary["english"] = "attempts some buffer overflows";
 script_summary(english:summary["english"]);
 
 script_category(ACT_DESTRUCTIVE_ATTACK);
 
 script_copyright(english: "This script is Copyright (C) 1999-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
 script_family(english:"FTP");
 script_dependencies("ftpserver_detect_type_nd_version.nasl");
 script_require_keys("ftp/login", "ftp/password");
 script_exclude_keys("global_settings/supplied_logins_only");
 script_require_ports("Services/ftp", 21);
 exit(0);
}

#
# The script code starts here
#
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("ftp_func.inc");

if (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);

global_var port = get_ftp_port(default: 21);

foreach f (make_list("msftpd", "ncftpd", "fw1ftpd", "vxftpd"))
  if (get_kb_item("ftp/"+port+"/"+f))
    exit(0, "The FTP server on port "+port+" is "+f+".");

function is_vulnerable (value)
{
 if (service_is_dead(port: port) > 0)
 {
   set_kb_item(name:"ftp/overflow", value:TRUE);
   set_kb_item(name:"ftp/"+port+"/overflow", value:TRUE);
   set_kb_item(name:"ftp/"+port+"/overflow_method", value:value);
   security_hole(port);
 }
 exit (0);
}

soc = open_sock_tcp(port);
if (! soc) exit(1, "Connection failed to port "+port+".");

  ftp_debug(str:"custom banner");
  d = ftp_recv_line(socket:soc);
  if(!d){
	close(soc);
	exit(1, "No answer on port "+port+".");
	}
  if(!egrep(pattern:"^220[ -]", string:d))
   {
    # not an FTP server
    close(soc);
    exit(1, "The service on port "+port+" does not look like FTP.");	
   }
 
  if ("Microsoft FTP Service" >< d)
    exit(0, "MS FTP is running on port "+port+".");
 
  req = 'USER ftp\r\n';
  send(socket:soc, data:req);
  d = ftp_recv_line(socket:soc);
  ftp_close(socket:soc);
  if(!d)
  {
   exit(1, "No answer on port "+port+".");	
  }
  
  soc = open_sock_tcp(port);
  if ( ! soc ) exit(1, "Connection failed to port "+port+".");
  d = ftp_recv_line(socket:soc);
  s = ('USER ' + crap(4096) + '\r\n');
  send(socket:soc, data:s);
  d = ftp_recv_line(socket:soc);
  if(!d){
	close (soc);
	is_vulnerable (value:"USER");
	}

   # Let's try to access it with valid credentials now.
   login = get_kb_item("ftp/login");
   password = get_kb_item("ftp/password");

   s = ('USER ' + login + '\r\n');
   send(socket:soc, data:s);
   d = ftp_recv_line(socket:soc);
   # ProFTPD 1.5.2 crashes with more than 12 KB
   s = ('PASS ' + crap(12500) + '\r\n');
   send(socket:soc, data:s);
   d = ftp_recv_line(socket:soc);
   if(!d){
	close (soc);
	is_vulnerable (value:"PASS");
	}

     s = ('PASS ' + password + '\r\n');
     send(socket:soc, data:s);
     d = ftp_recv_line(socket:soc);
     if(!d) exit(1, "No answer from port "+port+".");

     foreach cmd (make_list ('CWD', 'LIST', 'STOR', 'RNTO', 'MKD', 'XMKD', 
     	 'RMD', 'XRMD', 'APPE', 'SIZE', 'RNFR', 'HELP', ''))
     {
       s = (cmd + ' ' + crap(4096) + '\r\n');
       d = ftp_recv_line(socket:soc);
       if (! d)
       {
	close (soc);
	is_vulnerable (value: cmd);
       }
     }
		

   if ( soc )  close(soc);