Vulnerabilities > CVE-2004-1626 - Remote Buffer Overflow vulnerability in Code-Crafters Ability Server 2.2.5/2.3.2/2.3.4

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
code-crafters
nessus
exploit available
metasploit

Summary

Buffer overflow in Ability Server 2.34, and possibly other versions, allows remote attackers to execute arbitrary code via a long STOR command.

Exploit-Db

  • description: Ability Server 2.34 FTP STOR Buffer Overflow. CVE-2004-1626. Remote exploit for windows platform
    id: EDB-ID:588
    last seen: 2016-01-31
    modified: 2004-10-21
    published: 2004-10-21
    reporter: muts
    source: https://www.exploit-db.com/download/588/
    title: Ability Server 2.34 - FTP STOR Buffer Overflow
  • description: Ability Server 2.34 FTP STOR Buffer Overflow Exploit (Unix Exploit). CVE-2004-1626. Remote exploit for windows platform
    id: EDB-ID:618
    last seen: 2016-01-31
    modified: 2004-11-07
    published: 2004-11-07
    reporter: NoPh0BiA
    source: https://www.exploit-db.com/download/618/
    title: Ability Server 2.34 - FTP STOR Buffer Overflow Exploit Unix Exploit

Metasploit

description: This module exploits a stack-based buffer overflow in Ability Server 2.34. Ability Server fails to check input size when parsing 'STOR' and 'APPE' commands, which leads to a stack-based buffer overflow. This plugin uses the 'STOR' command. The vulnerability has been confirmed on version 2.34 and has also been reported in versions 2.25 and 2.32. Other versions may also be affected.
id: MSF:EXPLOIT/WINDOWS/FTP/ABILITY_SERVER_STOR
last seen: 2020-06-01
modified: 2017-07-24
published: 2011-12-07
references: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1626
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/ftp/ability_server_stor.rb
title: Ability Server 2.34 STOR Command Stack Buffer Overflow

Nessus

NASL family: FTP
NASL id: ABILITY_FTP_OVERFLOW.NASL
description: The remote host is running Ability FTP Server. It is reported that the remote version of this software is prone to a remote buffer overflow attack via the 'STOR' and 'APPE' commands.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 15628
published: 2004-11-04
reporter: This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/15628
title: Ability FTP Server Multiple Command Remote Buffer Overflows
code
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
  # Registration pass: the scanner runs this branch only to collect plugin
  # metadata, then the script exits before any network activity.

  # --- Identity and cross-references -------------------------------------
  script_id(15628);
  script_version("1.17");
  script_cvs_date("Date: 2018/11/15 20:50:22");

  script_cve_id("CVE-2004-1626", "CVE-2004-1627");
  script_bugtraq_id(11508);
  script_xref(name:"Secunia", value:"12941");

  script_name(english:"Ability FTP Server Multiple Command Remote Buffer Overflows");
  script_summary(english:"Gets the version of the remote Ability FTP server");

  # --- Report text -------------------------------------------------------
  script_set_attribute(attribute:"synopsis", value:
"The remote FTP server is vulnerable to multiple remote buffer
overflow attacks. ");

  script_set_attribute(attribute:"description", value:
"The remote host is running Ability FTP Server. It is reported
that the remote version of this software is prone to a remote buffer
overflow attack via the 'STOR' and 'APPE' commands. An attacker,
exploiting this flaw, would only need to be able to craft and send a
query to the FTP server on its service port (usually 21).");

  script_set_attribute(attribute:"solution", value:
"Upgrade to Ability FTP Server version 2.35 or newer.");

  script_set_attribute(attribute:"see_also", value:
"https://seclists.org/bugtraq/2004/Oct/252");
  # http://web.archive.org/web/20060921101554/http://lists.virus.org/dw-0day-0412/msg00004.html
  script_set_attribute(attribute:"see_also", value:
"http://www.nessus.org/u?cbaf8896");

  # --- Risk rating -------------------------------------------------------
  # CVSSv2 base: network vector, low complexity, no authentication, complete
  # confidentiality/integrity/availability impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  # CVSSv2 temporal: functional exploit, official fix, confirmed report.
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");

  # Public exploit code exists, which raises remediation priority.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Ability Server 2.34 STOR Command Stack Buffer Overflow');

  # --- Dates and plugin type ---------------------------------------------
  script_set_attribute(attribute:"vuln_publication_date", value: "2004/10/22");
  script_set_attribute(attribute:"plugin_publication_date", value: "2004/11/04");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  # --- Scheduling --------------------------------------------------------
  # Information-gathering category: the check in this file only reads the
  # FTP banner.
  script_category(ACT_GATHER_INFO);
  script_family(english:"FTP");
  script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");

  # Depends on the FTP server detection plugin and on an FTP service being
  # registered (falling back to port 21).
  script_dependencie("ftpserver_detect_type_nd_version.nasl");
  script_require_ports("Services/ftp", 21);

  exit(0);
}

# Check starts here

include("ftp_func.inc");


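# Banner-only check: nothing is sent to the STOR/APPE handlers, so the
# result is only as reliable as the advertised version string. A customised
# or suppressed banner produces no finding; confirm the installed version on
# the host where the banner cannot be trusted.
port = get_ftp_port(default: 21);

banner = get_ftp_banner(port:port);
if ( ! banner ) exit(1, "Cannot read FTP banner on port "+port+".");

# Flag every release below 2.35, the first fixed version named in the
# solution text: any 0.x / 1.x, and 2.0 through 2.34.
# The minor-version alternative accepts an optional second digit so that
# 2.10 - 2.29 (e.g. 2.25) are reported too; the earlier form
# "2\.([0-2]|3[0-4])" followed by a non-digit skipped those builds.
# Assumes the banner prints the version as "2.NN", as the 3[0-4] branch
# already does - TODO confirm against a 2.2x banner.
vuln_pattern = "^220 Welcome to Code-Crafters - Ability Server ([0-1]\..*|2\.([0-2][0-9]?|3[0-4]))[^0-9]";

if ( egrep(pattern:vuln_pattern, string:banner) ) security_hole(port);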