Vulnerabilities > CVE-2005-1815 - Stack Overflow vulnerability in Hummingbird Connectivity 10.0/7.1/9.0

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
hummingbird
nessus
exploit available
metasploit

Summary

Multiple buffer overflows in Hummingbird Connectivity inetD 10.0.0.1 and 9.0.0.4 allow attackers to cause a denial of service and possibly execute arbitrary code via (1) an FTP command with a long argument to FTPD (ftpdw.exe) or (2) a large amount of data to LPD (Lpdw.exe).

Vulnerable Configurations

Part Description Count
Application
Hummingbird
3

Exploit-Db

description: Hummingbird Connectivity 10 SP5 LPD Buffer Overflow. CVE-2005-1815. Remote exploit for windows platform
id: EDB-ID:16337
last seen: 2016-02-01
modified: 2010-09-20
published: 2010-09-20
reporter: metasploit
source: https://www.exploit-db.com/download/16337/
title: Hummingbird Connectivity 10 SP5 LPD Buffer Overflow

Metasploit

description: This module exploits a stack buffer overflow in Hummingbird Connectivity 10 LPD Daemon. This module has only been tested against Hummingbird Exceed v10 with SP5.
id: MSF:EXPLOIT/WINDOWS/LPD/HUMMINGBIRD_EXCEED
last seen: 2020-03-11
modified: 2017-07-24
published: 2006-09-12
references: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1815
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/lpd/hummingbird_exceed.rb
title: Hummingbird Connectivity 10 SP5 LPD Buffer Overflow

Nessus

  • NASL family: Gain a shell remotely
    NASL id: HUMMINGBIRD_LPD_OVERFLOW.NASL
    description: The lpd daemon installed on the remote host appears to be from the Hummingbird Connectivity suite and suffers from a buffer overflow vulnerability. An attacker can crash the daemon by sending commands with overly-long queue names. Additionally, with a specially crafted packet, the attacker can also execute code remotely within the context of the affected service.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 18403
    published: 2005-05-30
    reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/18403
    title: Hummingbird InetD LPD Component (Lpdw.exe) Data Overflow
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    
    include("compat.inc");
    
    # Registration branch: when 'description' is set, the plugin only declares
    # its metadata and then exits (exit(0) at the end of this block), so none of
    # the network code further down runs.
    if (description) {
      script_id(18403);
      script_version("1.14");
    
      script_cve_id("CVE-2005-1815");
      script_bugtraq_id(13788);
    
      script_name(english:"Hummingbird InetD LPD Component (Lpdw.exe) Data Overflow");
     
     script_set_attribute(attribute:"synopsis", value:
    "The remote host contains an application that is affected by a buffer
    overflow vulnerability." );
     script_set_attribute(attribute:"description", value:
    "The lpd daemon installed on the remote host appears to be from the
    Hummingbird Connectivity suite and suffers from a buffer overflow
    vulnerability.  An attacker can crash the daemon by sending commands
    with overly-long queue names. Additionally, with a specially crafted packet,
    the attacker can also execute code remotely within the context of the affected service.");
    
     script_set_attribute(attribute:"see_also", value:
     "http://www.nessus.org/u?bbff422b" );
     script_set_attribute(attribute:"solution", value:
    "There is no known solution at this time." );
     # NOTE(review): the base vector scores availability impact only
     # (C:N/I:N/A:P), while the description above also states that remote code
     # execution is possible. Confirm which impact applies before using this
     # score to prioritise remediation.
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
     script_set_cvss_temporal_vector("CVSS2#E:F/RL:U/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"metasploit_name", value:'Hummingbird Connectivity 10 SP5 LPD Buffer Overflow');
     script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2005/05/30");
     script_set_attribute(attribute:"vuln_publication_date", value: "2005/05/18");
     script_cvs_date("Date: 2018/07/12 19:01:15");
    script_set_attribute(attribute:"plugin_type", value:"remote");
    script_end_attributes();
    
     
      script_summary(english:"Checks for buffer overflow vulnerability in Hummingbird lpd");
      # ACT_DENIAL: the check after this block tries to crash the daemon (see
      # its own comment), so treat this plugin as disruptive when planning
      # scans of production print servers.
      script_category(ACT_DENIAL);
      script_family(english:"Gain a shell remotely");
      script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
      script_dependencie("find_service1.nasl");
      script_require_ports("Services/lpd", 515);
      # Declares a dependency on the paranoid-report KB key; the run phase
      # re-checks report_paranoia itself before sending anything.
      script_require_keys("Settings/ParanoidReport");
    
      exit(0);
    }
    
    
    include("global_settings.inc");
    
    # Gate: the verdict below is inferred from the service no longer accepting
    # connections, so the check refuses to run unless report paranoia is at
    # the 'Paranoid' level (report_paranoia >= 2).
    if ( report_paranoia < 2 ) 
      exit(1, "This plugin only runs if 'Report paranoia' is set to 'Paranoid'.");
    
    # Take the LPD port from the knowledge base, fall back to 515, and stop if
    # that port is not reported open.
    port = get_kb_item("Services/lpd");
    if (!port) port = 515;
    if (!get_tcp_port_state(port)) exit(1, "Port "+port+" is not open.");
    
    
    # Try to crash the remote lpd. (A working buffer overflow exploit
    # is left as an exercise for the reader. :-)
    # The request built here is a single oversized line; the script only looks
    # for loss of service afterwards and reads nothing back from the daemon.
    exploit = raw_string(1)+ crap(1500) + raw_string(0x0A);
    # nb: 'max' must be > 3 + maximum number of servers configured 
    #     on the remote (default is 4).
    max = 15;
    # Every socket is kept in soc[] and left open until the cleanup loop at the
    # end of the script.
    for (i=1; i<=max; ++i) {
      soc[i] = open_priv_sock_tcp(dport:port);
    
      if (soc[i]) {
        send(socket:soc[i], data:exploit);
      }
      else {
        # If the first 2 connection attempts failed, just exit.
        # (Nothing is reported in that case: the service was never reachable.)
        if (i == 2 && !soc[1] && !soc[2]) {
          exit(0);
        }
        # Otherwise, there's a problem if the previous 2 attempts failed as well.
        # NOTE(review): the finding rests on three consecutive failed connects
        # after at least one earlier success. A busy daemon, a connection
        # limit, or a filter in front of the host could produce the same
        # pattern, so confirm a reported finding manually.
        else if (i >= 2 && !soc[i-1] && !soc[i-2]) {
          security_warning(port);
          break;
        }
        # Maybe the daemon is just busy.
        sleep(1);
      }
    }
    
    
    # Close any open sockets.
    for (i=1; i<=max; i++) {
      if (soc[i]) close(soc[i]);
    }
    
  • NASL family: FTP
    NASL id: HUMMINGBIRD_FTPD_OVERFLOW.NASL
    description: According to its banner, the ftpd daemon installed on the remote host is from the Hummingbird Connectivity suite and suffers from a buffer overflow vulnerability. An attacker can crash the daemon and possibly execute arbitrary code remotely within the context of the affected service.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 18402
    published: 2005-05-30
    reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/18402
    title: Hummingbird InetD FTP Component (ftpdw.exe) Command Overflow
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    
    include("compat.inc");
    
    # Registration branch: when 'description' is set, the plugin only declares
    # its metadata and then exits (exit(0) at the end of this block), so the
    # banner check further down does not run.
    if (description) {
      script_id(18402);
      script_version("1.16");
    
      script_cve_id("CVE-2005-1815");
      script_bugtraq_id(13790);
    
      script_name(english:"Hummingbird InetD FTP Component (ftpdw.exe) Command Overflow");
     
     script_set_attribute(attribute:"synopsis", value:
    "The remote FTP server is affected by a buffer overflow vulnerability." );
     script_set_attribute(attribute:"description", value:
    "According to its banner, the ftpd daemon installed on the remote host
    is from the Hummingbird Connectivity suite and suffers from a buffer
    overflow vulnerability. An attacker can crash the daemon and possibly
    execute arbitrary code remotely within the context of the affected
    service." );
     script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?83df6392" );
     script_set_attribute(attribute:"solution", value:
    "Apply the appropriate patch referenced in the vendor advisory above." );
      # NOTE(review): this plugin scores C:P/I:P/A:P, while the LPD plugin for
      # the same CVE (id 18403) scores C:N/I:N/A:P. Confirm which vector to use
      # when the two findings are compared or aggregated.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
     # NOTE(review): the Metasploit module named here is the LPD one, but this
     # plugin checks ftpd. Presumably the attribute is attached per CVE, so
     # verify before reporting that a public exploit exists for the FTP
     # component.
     script_set_attribute(attribute:"metasploit_name", value:'Hummingbird Connectivity 10 SP5 LPD Buffer Overflow');
     script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2005/05/30");
     script_set_attribute(attribute:"vuln_publication_date", value: "2005/05/18");
     script_cvs_date("Date: 2018/07/12 19:01:15");
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_end_attributes();
     
      script_summary(english:"Checks for buffer overflow vulnerability in Hummingbird ftpd");
      # ACT_GATHER_INFO: the check after this block only reads the FTP banner
      # and sends no overflow data.
      script_category(ACT_GATHER_INFO);
      script_family(english:"FTP");
      script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
      script_dependencie("ftpserver_detect_type_nd_version.nasl");
      script_require_ports("Services/ftp", 21);
    
      exit(0);
    }
    
    
    include("ftp_func.inc");
    
    
    # Banner-only detection: no overflow data is sent. The verdict depends
    # entirely on the version text in the 220 greeting, so a customised or
    # suppressed banner hides an affected server, and a fixed build that still
    # advertises a matching version is flagged anyway.
    port = get_ftp_port(default: 21);
    
    # Greeting pattern treated as affected (HCLFTPD version string).
    # NOTE(review): as grouped, the trailing \) is required after both
    # alternatives, so the single-digit branch matches only when ")" directly
    # follows "N.". Verify against real 7.x/9.x banners; the intent may have
    # been ([0-9]\.|10\.0\.0\.0\)).
    hcl_pattern = "^220[- ] .+HCLFTPD\) Version ([0-9]\.|10\.0\.0\.0)\)";
    
    # Use a banner check; it's not configurable.
    banner = get_ftp_banner(port:port);
    if (banner) {
      if (egrep(string:banner, pattern:hcl_pattern)) security_hole(port);
    }
    
    

Packetstorm

data source: https://packetstormsecurity.com/files/download/83128/hummingbird_exceed.rb.txt
id: PACKETSTORM:83128
last seen: 2016-12-05
published: 2009-11-26
reporter: MC
source: https://packetstormsecurity.com/files/83128/Hummingbird-Connectivity-10-SP5-LPD-Buffer-Overflow.html
title: Hummingbird Connectivity 10 SP5 LPD Buffer Overflow

Saint

bid: 13788
description: Hummingbird InetD LPD buffer overflow
id: ftp_hcl
osvdb: 16957
title: hummingbird_lpd_bo
type: remote