Vulnerabilities > CVE-2004-2074 - Unspecified vulnerability in Bolintech Dream FTP Server 1.02

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
bolintech
nessus
exploit available
metasploit

Summary

Format string vulnerability in Dream FTP 1.02 allows local users to cause a denial of service (crash) via format string specifiers in the (1) PASS or (2) RETR commands.

Vulnerable Configurations

Part Description Count
Application
Bolintech
1

Exploit-Db

  • description: BolinTech Dream FTP Server 1.02 Format String. CVE-2004-2074. Remote exploit for windows platform
    id: EDB-ID:16712
    last seen: 2016-02-02
    modified: 2010-06-22
    published: 2010-06-22
    reporter: metasploit
    source: https://www.exploit-db.com/download/16712/
    title: BolinTech Dream FTP Server 1.02 Format String
  • description: Dream FTP 1.2 Remote Format String Exploit. CVE-2004-2074. Remote exploit for windows platform
    id: EDB-ID:823
    last seen: 2016-01-31
    modified: 2004-02-11
    published: 2004-02-11
    reporter: Skylined
    source: https://www.exploit-db.com/download/823/
    title: Dream FTP 1.2 - Remote Format String Exploit

Metasploit

description: This module exploits a format string overflow in the BolinTech Dream FTP Server version 1.02. Based on the exploit by SkyLined.
id: MSF:EXPLOIT/WINDOWS/FTP/DREAMFTP_FORMAT
last seen: 2020-01-12
modified: 2017-11-08
published: 2007-09-09
references: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2074
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/ftp/dreamftp_format.rb
title: BolinTech Dream FTP Server 1.02 Format String

Nessus

NASL family: FTP
NASL id: DREAMFTP_FORMAT_STRING.NASL
description: The remote DreamFTP server is vulnerable to a format string attack when processing the USER command. An attacker may exploit this flaw to gain a shell on this host.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 12086
published: 2004-03-04
reporter: This script is Copyright (C) 2004-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/12086
title: DreamFTP Server username Remote Format String
code:
# 
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

# Registration pass: the scanner sets "description" when it only wants the
# plugin's metadata, so the detection code below this block does not run then.
if(description)
{
 script_id(12086);
 script_cve_id("CVE-2004-2074");
 script_bugtraq_id(9800);
 script_version ("1.18");
 
 script_set_attribute(attribute:"synopsis", value:
"Arbitrary code may be run on the remote host." );
 # Note: the CVE record on this page cites PASS/RETR as the affected commands;
 # this plugin's description and its probe exercise USER.
 script_set_attribute(attribute:"description", value:
"The remote DreamFTP server is vulnerable to a format string attack when
processing the USER command.

An attacker may exploit this flaw to gain a shell on this host." );
 script_set_attribute(attribute:"solution", value:
"Upgrade to DreamFTP 1.03 or newer (when available) or use another FTP
server." );
 # Scored as code execution (partial C/I/A), consistent with the synopsis
 # above; the CVE record itself lists only an availability impact.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
 script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L");
 script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"metasploit_name", value:'BolinTech Dream FTP Server 1.02 Format String');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

 script_name(english:"DreamFTP Server username Remote Format String");
 
 script_set_attribute(attribute:"plugin_publication_date", value: "2004/03/04");
 script_set_attribute(attribute:"vuln_publication_date", value: "2004/03/04");
 script_cvs_date("Date: 2018/08/31 12:25:01");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();

 script_summary(english:"Logs as a %n");
 # ACT_ATTACK: the check sends a live format-string probe to the service
 # (see the body below), so it is classed as potentially disruptive and is
 # not a passive version check.
 script_category(ACT_ATTACK);
 script_copyright(english: "This script is Copyright (C) 2004-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
 script_family(english:"FTP");
 # Runs only after FTP service detection, requires an ftp/login KB entry, and
 # is excluded when the scan policy restricts plugins to supplied logins.
 script_dependencies("ftpserver_detect_type_nd_version.nasl", "ftp_anonymous.nasl");
 script_require_keys("ftp/login");
 script_exclude_keys("global_settings/supplied_logins_only");
 script_require_ports("Services/ftp", 21);
 exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("ftp_func.inc");

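# Detection body. Honour the scan-wide "supplied logins only" policy first:
# the probe below logs in with random and crafted credentials.
if (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);

port = get_ftp_port(default: 21);

soc = open_sock_tcp(port);
# Every exit path carries a reason so a scan log shows why the check stopped.
if (! soc) exit(1, "Cannot open a socket on port "+port+".");

# Purpose of this call is not evident from the script; kept as in the original.
ftp_debug(str:"custom banner");
r = ftp_recv_line(socket:soc);
if ( ! r )
{
 close(soc);
 exit(1, "Cannot read FTP banner from port "+port+".");
}

# Fingerprint DreamFTP by the wording of its failed-login reply rather than
# by its banner: send a random USER/PASS pair and inspect the 530 text.
send(socket:soc, data:'USER ' + rand() + '\r\n');
r = ftp_recv_line(socket:soc);
if ( ! r )
{
 close(soc);
 exit(1, "The FTP server on port "+port+" did not answer to USER.");
}
send(socket:soc, data:'PASS ' + rand() + '\r\n');
r = ftp_recv_line(socket:soc);
if ( ! r )
{
 close(soc);
 exit(1, "The FTP server on port "+port+" did not answer to PASS.");
}

# Not DreamFTP: stop here with an explicit, non-vulnerable result instead of
# ending silently, and release the socket.
if ( "530 Not logged in, user or password incorrect!" >!< r )
{
 close(soc);
 exit(0, "The FTP server on port "+port+" does not appear to be DreamFTP.");
}

# Probe: send a user name made of conversion specifiers. A server that passes
# the name straight to a printf-style routine consumes them, so the name it
# echoes back in its 331 reply is reduced to two characters (matched by "..");
# an unaffected server echoes the literal string. A missing reply (the CVE
# record describes a crash) is reported as inconclusive, not as a finding.
send(socket:soc, data:'USER ' + crap(data:"%x", length:86) + '%n\r\n');
r = ftp_recv_line(socket:soc);
close(soc);
if ( ! r ) exit(1, "The FTP server on port "+port+" did not answer to the USER probe.");
if (egrep(pattern:"^331 Password required for ..$", string:r) ) security_hole(port);
else exit(0, "The FTP server on port "+port+" is not affected.");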

Packetstorm

data source: https://packetstormsecurity.com/files/download/83174/dreamftp_format.rb.txt
id: PACKETSTORM:83174
last seen: 2016-12-05
published: 2009-11-27
reporter: Patrick Webster
source: https://packetstormsecurity.com/files/83174/BolinTech-Dream-FTP-Server-1.02-Format-String.html
title: BolinTech Dream FTP Server 1.02 Format String