CVE-2005-1415 - Remote Buffer Overflow vulnerability in GlobalSCAPE Secure FTP Server 3.0/3.0.2
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | COMPLETE |
Integrity impact | COMPLETE |
Availability impact | COMPLETE |
Summary
Buffer overflow in GlobalSCAPE Secure FTP Server 3.0.2 allows remote authenticated users to execute arbitrary code via a long FTP command.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 2 |
Exploit-Db
description | GlobalScape Secure FTP Server 3.0 Buffer Overflow Exploit. CVE-2005-1415. Remote exploit for windows platform |
id | EDB-ID:975 |
last seen | 2016-01-31 |
modified | 2005-05-01 |
published | 2005-05-01 |
reporter | muts |
source | https://www.exploit-db.com/download/975/ |
title | GlobalScape Secure FTP Server 3.0 - Buffer Overflow Exploit |

description | GlobalSCAPE Secure FTP Server Input Overflow. CVE-2005-1415. Remote exploit for windows platform |
id | EDB-ID:16703 |
last seen | 2016-02-02 |
modified | 2010-10-05 |
published | 2010-10-05 |
reporter | metasploit |
source | https://www.exploit-db.com/download/16703/ |
title | GlobalSCAPE Secure FTP Server Input Overflow |
Metasploit
description | This module exploits a buffer overflow in the GlobalSCAPE Secure FTP Server. All versions prior to 3.0.3 are affected by this flaw. A valid user account (or anonymous access) is required for this exploit to work. |
id | MSF:EXPLOIT/WINDOWS/FTP/GLOBALSCAPEFTP_INPUT |
last seen | 2020-01-14 |
modified | 2017-07-24 |
published | 2005-11-24 |
references | |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/ftp/globalscapeftp_input.rb |
title | GlobalSCAPE Secure FTP Server Input Overflow |
Nessus
NASL family | FTP |
NASL id | FTP_OVERFLOW.NASL |
description | The remote FTP server closes the connection when a command or argument is too long. This is probably due to a buffer overflow and may allow an attacker to execute arbitrary code on the remote host. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 10084 |
published | 1999-06-22 |
reporter | This script is Copyright (C) 1999-2018 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/10084 |
title | Multiple FTP Server Command Handling Overflow |
code

```
#
# (C) Tenable Network Security, Inc.
#

if (NASL_LEVEL < 3000) exit(0);

include("compat.inc");

if(description)
{
 script_id(10084);
 script_version ("1.85");
 script_cve_id(
  "CVE-1999-0219", "CVE-2000-0870", "CVE-2000-0943", "CVE-2000-1035", "CVE-2000-1194",
  "CVE-2002-0126", "CVE-2003-0271", "CVE-2005-0634", "CVE-2005-1415"
 );
 script_bugtraq_id(269, 1227, 1675, 1690, 1858, 3884, 7251, 7278, 7307, 12704, 13454);

 script_name(english:"Multiple FTP Server Command Handling Overflow");

 script_set_attribute(attribute:"synopsis", value:
"The remote FTP server is susceptible to buffer overflow attacks." );
 script_set_attribute(attribute:"description", value:
"The remote FTP server closes the connection when a command or argument is too long. This is probably due to a buffer overflow and may allow an attacker to execute arbitrary code on the remote host." );
 script_set_attribute(attribute:"solution", value:
"Upgrade / switch the FTP server software or disable the service if it is not needed." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
 script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
 script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"exploit_framework_core", value:"true");
 script_set_attribute(attribute:"metasploit_name", value:'GlobalSCAPE Secure FTP Server Input Overflow');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
 script_set_attribute(attribute:"plugin_publication_date", value: "1999/06/22");
 script_set_attribute(attribute:"vuln_publication_date", value: "1997/07/01");
 script_cvs_date("Date: 2018/08/31 12:25:01");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();

 summary["english"] = "attempts some buffer overflows";
 script_summary(english:summary["english"]);
 script_category(ACT_DESTRUCTIVE_ATTACK);
 script_copyright(english: "This script is Copyright (C) 1999-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
 script_family(english:"FTP");
 script_dependencies("ftpserver_detect_type_nd_version.nasl");
 script_require_keys("ftp/login", "ftp/password");
 script_exclude_keys("global_settings/supplied_logins_only");
 script_require_ports("Services/ftp", 21);
 exit(0);
}

#
# The script code starts here
#

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("ftp_func.inc");

if (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);

global_var port = get_ftp_port(default: 21);

foreach f (make_list("msftpd", "ncftpd", "fw1ftpd", "vxftpd"))
 if (get_kb_item("ftp/"+port+"/"+f))
  exit(0, "The FTP server on port "+port+" is "+f+".");

function is_vulnerable (value)
{
 if (service_is_dead(port: port) > 0)
 {
  set_kb_item(name:"ftp/overflow", value:TRUE);
  set_kb_item(name:"ftp/"+port+"/overflow", value:TRUE);
  set_kb_item(name:"ftp/"+port+"/overflow_method", value:value);
  security_hole(port);
 }
 exit (0);
}

soc = open_sock_tcp(port);
if (! soc) exit(1, "Connection failed to port "+port+".");

ftp_debug(str:"custom banner");
d = ftp_recv_line(socket:soc);
if(!d){
 close(soc);
 exit(1, "No answer on port "+port+".");
}
if(!egrep(pattern:"^220[ -]", string:d))
{
 # not an FTP server
 close(soc);
 exit(1, "The service on port "+port+" does not look like FTP.");
}

if ("Microsoft FTP Service" >< d) exit(0, "MS FTP is running on port "+port+".");

req = 'USER ftp\r\n';
send(socket:soc, data:req);
d = ftp_recv_line(socket:soc);
ftp_close(socket:soc);
if(!d)
{
 exit(1, "No answer on port "+port+".");
}

soc = open_sock_tcp(port);
if ( ! soc ) exit(1, "Connection failed to port "+port+".");
d = ftp_recv_line(socket:soc);
s = ('USER ' + crap(4096) + '\r\n');
send(socket:soc, data:s);
d = ftp_recv_line(socket:soc);
if(!d){
 close (soc);
 is_vulnerable (value:"USER");
}

# Let's try to access it with valid credentials now.
login = get_kb_item("ftp/login");
password = get_kb_item("ftp/password");

s = ('USER ' + login + '\r\n');
send(socket:soc, data:s);
d = ftp_recv_line(socket:soc);

# ProFTPD 1.5.2 crashes with more than 12 KB
s = ('PASS ' + crap(12500) + '\r\n');
send(socket:soc, data:s);
d = ftp_recv_line(socket:soc);
if(!d){
 close (soc);
 is_vulnerable (value:"PASS");
}

s = ('PASS ' + password + '\r\n');
send(socket:soc, data:s);
d = ftp_recv_line(socket:soc);
if(!d) exit(1, "No answer from port "+port+".");

foreach cmd (make_list ('CWD', 'LIST', 'STOR', 'RNTO', 'MKD', 'XMKD', 'RMD', 'XRMD', 'APPE', 'SIZE', 'RNFR', 'HELP', ''))
{
 s = (cmd + ' ' + crap(4096) + '\r\n');
 # Send the oversized argument, then check whether the server still answers
 send(socket:soc, data:s);
 d = ftp_recv_line(socket:soc);
 if (! d)
 {
  close (soc);
  is_vulnerable (value: cmd);
 }
}

if ( soc ) close(soc);
```

NASL family | FTP |
NASL id | GLOBALSCAPEFTP_USER_INPUT.NASL |
description | The remote host is running GlobalSCAPE Secure FTP Server. GlobalSCAPE Secure FTP Server 3.0.2 and prior versions are affected by a buffer overflow due to mishandling the user-supplied input. An attacker would first need to authenticate to the server before they can execute arbitrary commands. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 18627 |
published | 2005-07-06 |
reporter | This script is Copyright (C) 2005-2018 SensePost |
source | https://www.tenable.com/plugins/nessus/18627 |
title | GlobalSCAPE Secure FTP Server User Input Overflow |
code

```
#
# written by Gareth Phillips - SensePost (www.sensepost.com)
# GPLv2
#
# Changes by Tenable:
# - Fixed regex
# - Changed plugin family (8/15/09)
# - Revised description and added CPE (12/03/12)

include("compat.inc");

if(description)
{
 script_id(18627);
 script_version ("1.21");
 script_cve_id("CVE-2005-1415");
 script_bugtraq_id (13454);

 script_name(english:"GlobalSCAPE Secure FTP Server User Input Overflow");
 script_summary(english:"GlobalSCAPE Secure FTP Server User Input Overflow");

 script_set_attribute(attribute:"synopsis", value:
"The remote FTP server is affected by a buffer overflow vulnerability." );
 script_set_attribute(attribute:"description", value:
"The remote host is running GlobalSCAPE Secure FTP Server. GlobalSCAPE Secure FTP Server 3.0.2 and prior versions are affected by a buffer overflow due to mishandling the user-supplied input. An attacker would first need to authenticate to the server before they can execute arbitrary commands." );
 script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2005/May/12" );
 script_set_attribute(attribute:"see_also", value:"http://www.globalscape.com/gsftps/history.aspx" );
 script_set_attribute(attribute:"solution", value:
"Upgrade to GlobalSCAPE Secure FTP 3.0.3 Build 4.29.2005 or later as this reportedly fixes the issue." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"exploit_framework_core", value:"true");
 script_set_attribute(attribute:"metasploit_name", value:'GlobalSCAPE Secure FTP Server Input Overflow');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
 script_set_attribute(attribute:"plugin_publication_date", value: "2005/07/06");
 script_set_attribute(attribute:"vuln_publication_date", value: "2005/05/01");
 script_cvs_date("Date: 2018/11/15 20:50:22");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:globalscape:secure_ftp_server");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2005-2018 SensePost");
 script_family(english:"FTP");
 script_dependencie("ftpserver_detect_type_nd_version.nasl");
 script_require_ports("Services/ftp", 21);
 exit(0);
}

#
# The script code starts here
#

include("ftp_func.inc");

port = get_ftp_port(default: 21);
ftpbanner = get_ftp_banner(port:port);
if ( ftpbanner && egrep(pattern:"^220 GlobalSCAPE Secure FTP Server \(v. 3(.0|\.0\.[0-2])\)",string:ftpbanner) )
 security_hole(port);
```

Packetstorm
data source | https://packetstormsecurity.com/files/download/82955/globalscapeftp_input.rb.txt |
id | PACKETSTORM:82955 |
last seen | 2016-12-05 |
published | 2009-11-26 |
reporter | Mati Aharoni |
source | https://packetstormsecurity.com/files/82955/GlobalSCAPE-Secure-FTP-Server-Input-Overflow.html |
title | GlobalSCAPE Secure FTP Server Input Overflow |