Vulnerabilities > CVE-2004-1439 - Buffer Overflow vulnerability in Sapporoworks Black Jumbodog 3.6.1

047910
CVSS v2 base score 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
sapporoworks
nessus
exploit available

Summary

Buffer overflow in BlackJumboDog 3.x allows remote attackers to execute arbitrary code via long FTP commands such as (1) USER, (2) PASS, (3) RETR, (4) CWD, (5) XMKD, and (6) XRMD.

Vulnerable Configurations

Part Description Count
Application
Sapporoworks
1

Exploit-Db

  • description: BlackJumboDog Remote Buffer Overflow Exploit. CVE-2004-1439. Remote exploit for Windows platform
    id: EDB-ID:378
    last seen: 2016-01-31
    modified: 2004-08-05
    published: 2004-08-05
    reporter: Tal Zeltzer
    source: https://www.exploit-db.com/download/378/
    title: BlackJumboDog Remote Buffer Overflow Exploit
  • description: BlackJumboDog FTP Server 3.6.1 Remote Buffer Overflow Exploit. CVE-2004-1439. Remote exploit for Windows platform
    id: EDB-ID:439
    last seen: 2016-01-31
    modified: 2004-09-12
    published: 2004-09-12
    reporter: Delikon
    source: https://www.exploit-db.com/download/439/
    title: BlackJumboDog FTP Server 3.6.1 - Remote Buffer Overflow Exploit

Nessus

NASL family: FTP
NASL id: BLACK_JUMBODOG_FTP_OVERFLOW.NASL
description: The remote host is running BlackJumboDog FTP server. This FTP server fails to properly check the length of parameters in multiple FTP commands, most significant of which is USER, resulting in a stack overflow. With a specially crafted request, an attacker can execute arbitrary code resulting in a loss of integrity, and/or availability.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 14256
published: 2004-08-11
reporter: This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/14256
title: BlackJumboDog FTP Server Multiple Command Overflow
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

# Registration section: executed only when `description` is true. It records
# the plugin's metadata (ids, texts, scoring, scheduling hints) and then exits
# via exit(0) at the end of the block, before any of the FTP checks further
# down in the file are reached.
if(description)
{
 # Plugin identity and revision bookkeeping.
 script_id(14256);
 script_version("1.17");
 script_cvs_date("Date: 2018/06/27 18:42:25");

 # External references for the flaw this plugin reports.
 script_cve_id("CVE-2004-1439");
 script_bugtraq_id(10834);
 
 script_name(english:"BlackJumboDog FTP Server Multiple Command Overflow");
 # NOTE(review): the summary only mentions version detection, but the check
 # code below also has a path that sends an oversized USER argument when
 # safe_checks() is off - consider saying so here.
 script_summary(english:"Determines the version of BlackJumboDog");

 script_set_attribute(attribute:"synopsis", value:
"Arbitrary code may be run on the remote host." );
 # NOTE(review): the text below names integrity and availability only, while
 # the CVSS2 vector further down also scores a partial confidentiality impact
 # (C:P) - confirm which is intended.
 script_set_attribute(attribute:"description", value:
"The remote host is running BlackJumboDog FTP server.

This FTP server fails to properly check the length of parameters in 
multiple FTP commands, most significant of which is USER, resulting 
in a stack overflow. 

With a specially crafted request, an attacker can execute arbitrary code 
resulting in a loss of integrity, and/or availability." );
 # Remediation: 3.6.2 is the first release named as fixed.
 script_set_attribute(attribute:"solution", value:
"Upgrade to version 3.6.2 or newer" );
 # CVSS v2 base vector: network-reachable, low complexity, no authentication,
 # partial impact on confidentiality, integrity and availability.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 # CVSS v2 temporal vector: proof-of-concept exploit code (E:POC), official
 # fix available (RL:OF), report confidence confirmed (RC:C).
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");

 script_set_attribute(attribute:"plugin_publication_date", value: "2004/08/11");
 script_set_attribute(attribute:"vuln_publication_date", value: "2004/07/29");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();

 # ACT_MIXED_ATTACK: the check code below has two paths selected by
 # safe_checks() - a banner-only version comparison, and an intrusive probe
 # that can leave the FTP service unresponsive on a vulnerable host.
 script_category(ACT_MIXED_ATTACK);
 script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
 script_family(english:"FTP");
 
 # Declared prerequisites - presumably these populate the FTP service and
 # banner data that the check code reads; verify against those scripts.
 script_dependencies("find_service2.nasl", "ftpserver_detect_type_nd_version.nasl");
 script_require_ports(21, "Services/ftp");
 exit(0);
}

include("ftp_func.inc");

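# Locate the FTP service and read its greeting banner. Without a banner the
# product cannot be identified, so the plugin stops with an error status.
port = get_ftp_port(default: 21);
banner = get_ftp_banner(port:port);
if ( ! banner ) exit(1, "No FTP banner on port "+port+".");

# Banner formats this check was written against:
#220 FTP ( BlackJumboDog(-RAS) Version 3.6.1 ) ready
#220 FTP ( BlackJumboDog Version 3.6.1 ) ready

if ( "BlackJumboDog" >< banner )
{
  if (safe_checks())
  {
    # Non-intrusive path: compare the advertised version only. The pattern
    # flags 3.0.x through 3.5.x plus 3.6.0 and 3.6.1; 3.6.2 and later do not
    # match. The result is only as reliable as the banner - a customised or
    # suppressed version string gives a wrong answer, so confirm the
    # installed version on the host before closing out a finding.
    if ( egrep(pattern:"^220 .*BlackJumboDog.* Version 3\.([0-5]\.[0-9]+|6\.[01]([^0-9]|$))", string:banner ) )
      security_hole(port);
  }
  else
  {
    # Intrusive path: send one USER command with a 300-byte argument, then
    # test whether the service still greets a new connection. On a vulnerable
    # host this can take the FTP service down until it is restarted.
    req1 = string("USER ", crap(300), "\r\n");
    soc = open_sock_tcp(port);
    if ( ! soc ) exit(1, "Cannot connect to TCP port "+port+".");
    send(socket:soc, data:req1);
    close(soc);

    # Give the server a moment to fail before probing it again.
    sleep(1);

    soc2 = open_sock_tcp(port);
    if ( ! soc2 )
    {
      # The port no longer accepts connections.
      security_hole(port);
    }
    else
    {
      # Read the greeting from the NEW connection. The original read from the
      # already-closed `soc`, which cannot return a line, so every
      # BlackJumboDog server was reported regardless of its state.
      greeting = ftp_recv_line(socket:soc2);
      # Close the probe socket on both outcomes (previously it was left open
      # whenever the host was reported).
      close(soc2);
      if ( ! greeting ) security_hole(port);
    }
    exit(0);
  }
}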