Vulnerabilities > CVE-2005-1815 - Unspecified vulnerability in Hummingbird Connectivity 10.0/7.1/9.0
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
Multiple buffer overflows in Hummingbird Connectivity inetD 10.0.0.1 and 9.0.0.4 allows attackers to cause a denial of service and possibly execute arbitrary code via (1) an FTP command with a long argument to FTPD (ftpdw.exe) or (2) a large amount of data to LPD (Lpdw.exe).
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 3 |
Exploit-Db
| description | Hummingbird Connectivity 10 SP5 LPD Buffer Overflow. CVE-2005-1815. Remote exploit for windows platform |
| id | EDB-ID:16337 |
| last seen | 2016-02-01 |
| modified | 2010-09-20 |
| published | 2010-09-20 |
| reporter | metasploit |
| source | https://www.exploit-db.com/download/16337/ |
| title | Hummingbird Connectivity 10 SP5 LPD Buffer Overflow |
Metasploit
| description | This module exploits a stack buffer overflow in Hummingbird Connectivity 10 LPD Daemon. This module has only been tested against Hummingbird Exceed v10 with SP5. |
| id | MSF:EXPLOIT/WINDOWS/LPD/HUMMINGBIRD_EXCEED |
| last seen | 2020-03-11 |
| modified | 2017-07-24 |
| published | 2006-09-12 |
| references | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1815 |
| reporter | Rapid7 |
| source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/lpd/hummingbird_exceed.rb |
| title | Hummingbird Connectivity 10 SP5 LPD Buffer Overflow |
Nessus
NASL family Gain a shell remotely NASL id HUMMINGBIRD_LPD_OVERFLOW.NASL description The lpd daemon installed on the remote host appears to be from the Hummingbird Connectivity suite and suffers from a buffer overflow vulnerability. An attacker can crash the daemon by sending commands with overly-long queue names. Additionally, with a specially crafted packet, the attacker can also execute code remotely within the context of the affected service. last seen 2020-06-01 modified 2020-06-02 plugin id 18403 published 2005-05-30 reporter This script is Copyright (C) 2005-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/18403 title Hummingbird InetD LPD Component (Lpdw.exe) Data Overflow code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(18403); script_version("1.14"); script_cve_id("CVE-2005-1815"); script_bugtraq_id(13788); script_name(english:"Hummingbird InetD LPD Component (Lpdw.exe) Data Overflow"); script_set_attribute(attribute:"synopsis", value: "The remote host contains an application that is affected by a buffer overflow vulnerability." ); script_set_attribute(attribute:"description", value: "The lpd daemon installed on the remote host appears to be from the Hummingbird Connectivity suite and suffers from a buffer overflow vulnerability. An attacker can crash the daemon by sending commands with overly-long queue names. Additionally, with a specially crafted packet, the attacker can also execute code remotely within the context of the affected service."); script_set_attribute(attribute:"see_also", value: "http://www.nessus.org/u?bbff422b" ); script_set_attribute(attribute:"solution", value: "There is no known solution at this time." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:U/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Hummingbird Connectivity 10 SP5 LPD Buffer Overflow'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"plugin_publication_date", value: "2005/05/30"); script_set_attribute(attribute:"vuln_publication_date", value: "2005/05/18"); script_cvs_date("Date: 2018/07/12 19:01:15"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_end_attributes(); script_summary(english:"Checks for buffer overflow vulnerability in Hummingbird lpd"); script_category(ACT_DENIAL); script_family(english:"Gain a shell remotely"); script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc."); script_dependencie("find_service1.nasl"); script_require_ports("Services/lpd", 515); script_require_keys("Settings/ParanoidReport"); exit(0); } include("global_settings.inc"); if ( report_paranoia < 2 ) exit(1, "This plugin only runs if 'Report paranoia' is set to 'Paranoid'."); port = get_kb_item("Services/lpd"); if (!port) port = 515; if (!get_tcp_port_state(port)) exit(1, "Port "+port+" is not open."); # Try to crash the remote lpd. (A working buffer overflow exploit # is left as an exercise for the reader. :-) exploit = raw_string(1)+ crap(1500) + raw_string(0x0A); # nb: 'max' must be > 3 + maximum number of servers configured # on the remote (default is 4). max = 15; for (i=1; i<=max; ++i) { soc[i] = open_priv_sock_tcp(dport:port); if (soc[i]) { send(socket:soc[i], data:exploit); } else { # If the first 2 connection attempts failed, just exit. if (i == 2 && !soc[1] && !soc[2]) { exit(0); } # Otherwise, there's a problem if the previous 2 attempts failed as well. else if (i >= 2 && !soc[i-1] && !soc[i-2]) { security_warning(port); break; } # Maybe the daemon is just busy. sleep(1); } } # Close any open sockets. for (i=1; i<=max; i++) { if (soc[i]) close(soc[i]); }NASL family FTP NASL id HUMMINGBIRD_FTPD_OVERFLOW.NASL description According to its banner, the ftpd daemon installed on the remote host is from the Hummingbird Connectivity suite and suffers from a buffer overflow vulnerability. An attacker can crash the daemon and possibly execute arbitrary code remotely within the context of the affected service. last seen 2020-06-01 modified 2020-06-02 plugin id 18402 published 2005-05-30 reporter This script is Copyright (C) 2005-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/18402 title Hummingbird InetD FTP Component (ftpdw.exe) Command Overflow code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(18402); script_version("1.16"); script_cve_id("CVE-2005-1815"); script_bugtraq_id(13790); script_name(english:"Hummingbird InetD FTP Component (ftpdw.exe) Command Overflow"); script_set_attribute(attribute:"synopsis", value: "The remote FTP server is affected by a buffer overflow vulnerability." ); script_set_attribute(attribute:"description", value: "According to its banner, the ftpd daemon installed on the remote host is from the Hummingbird Connectivity suite and suffers from a buffer overflow vulnerability. An attacker can crash the daemon and possibly execute arbitrary code remotely within the context of the affected service." ); script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?83df6392" ); script_set_attribute(attribute:"solution", value: "Apply the appropriate patch referenced in the vendor advisory above." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Hummingbird Connectivity 10 SP5 LPD Buffer Overflow'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"plugin_publication_date", value: "2005/05/30"); script_set_attribute(attribute:"vuln_publication_date", value: "2005/05/18"); script_cvs_date("Date: 2018/07/12 19:01:15"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_end_attributes(); script_summary(english:"Checks for buffer overflow vulnerability in Hummingbird ftpd"); script_category(ACT_GATHER_INFO); script_family(english:"FTP"); script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc."); script_dependencie("ftpserver_detect_type_nd_version.nasl"); script_require_ports("Services/ftp", 21); exit(0); } include("ftp_func.inc"); port = get_ftp_port(default: 21); # Use a banner check; it's not configurable. banner = get_ftp_banner(port:port); if ( banner && egrep(string:banner, pattern:"^220[- ] .+HCLFTPD\) Version ([0-9]\.|10\.0\.0\.0)\)") ) security_hole(port);
Packetstorm
| data source | https://packetstormsecurity.com/files/download/83128/hummingbird_exceed.rb.txt |
| id | PACKETSTORM:83128 |
| last seen | 2016-12-05 |
| published | 2009-11-26 |
| reporter | MC |
| source | https://packetstormsecurity.com/files/83128/Hummingbird-Connectivity-10-SP5-LPD-Buffer-Overflow.html |
| title | Hummingbird Connectivity 10 SP5 LPD Buffer Overflow |
Saint
| bid | 13788 |
| description | Hummingbird InetD LPD buffer overflow |
| id | ftp_hcl |
| osvdb | 16957 |
| title | hummingbird_lpd_bo |
| type | remote |
References
- http://connectivity.hummingbird.com/support/nc/exceed/ftpd_advisory.html?cks=y
- http://connectivity.hummingbird.com/support/nc/exceed/ftpd_advisory.html?cks=y
- http://connectivity.hummingbird.com/support/nc/exceed/lpdw_advisory.html
- http://connectivity.hummingbird.com/support/nc/exceed/lpdw_advisory.html
- http://secunia.com/advisories/15557
- http://secunia.com/advisories/15557
- http://www.securityfocus.com/bid/13788
- http://www.securityfocus.com/bid/13788
- http://www.securityfocus.com/bid/13790
- http://www.securityfocus.com/bid/13790