CVE-2005-2373 - Unspecified vulnerability in Whitsoft Development Slimftpd 3.15/3.16

CVSS 0.0 - NONE
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN
whitsoft-development
nessus
exploit available
metasploit

Summary

Buffer overflow in SlimFTPd 3.15 and 3.16 allows remote authenticated users to execute arbitrary code via a long directory name to (1) LIST, (2) DELE or (3) RNFR commands.

Vulnerable Configurations

Part         Description           Count
Application  Whitsoft_Development  2

Exploit-Db

description: SlimFTPd LIST Concatenation Overflow. CVE-2005-2373. Remote exploit for windows platform
id: EDB-ID:16729
last seen: 2016-02-02
modified: 2010-10-05
published: 2010-10-05
reporter: metasploit
source: https://www.exploit-db.com/download/16729/
title: SlimFTPd LIST Concatenation Overflow

Metasploit

description: This module exploits a stack buffer overflow in the SlimFTPd server. The flaw is triggered when a LIST command is received with an overly-long argument. This vulnerability affects all versions of SlimFTPd prior to 3.16 and was discovered by Raphael Rigo.
id: MSF:EXPLOIT/WINDOWS/FTP/SLIMFTPD_LIST_CONCAT
last seen: 2020-01-14
modified: 2017-07-24
published: 2005-11-26
references: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2373
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/ftp/slimftpd_list_concat.rb
title: SlimFTPd LIST Concatenation Overflow

Nessus

NASL family: FTP
NASL id: SLIMFTPD_OVERFLOW.NASL
description: The remote host appears to be using SlimFTPd, a free, small, standards-compliant FTP server for Windows. According to its banner, the version of SlimFTPd installed on the remote host is prone to one or more buffer overflow attacks that can lead to arbitrary code execution. Note that successful exploitation of either of these flaws requires an attacker first authenticate.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 15704
published: 2004-11-13
reporter: This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/15704
title: SlimFTPd Multiple Command Handling Overflow
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if(description)
{
 script_id(15704);
 script_version("1.17");
 script_cvs_date("Date: 2018/11/15 20:50:22");

 script_cve_id("CVE-2004-2418", "CVE-2005-2373");
 script_bugtraq_id(11645, 14339);
 
 script_name(english:"SlimFTPd Multiple Command Handling Overflow");
 script_summary(english:"Checks version in the banner");
 
 script_set_attribute(
  attribute:"synopsis",
  value:"The remote FTP server is prone to multiple buffer overflow attacks."
 );
 script_set_attribute(
  attribute:"description", 
  value: 
"The remote host appears to be using SlimFTPd, a free, small,
standards-compliant FTP server for Windows. 

According to its banner, the version of SlimFTPd installed on the
remote host is prone to one or more buffer overflow attacks that can
lead to arbitrary code execution. 

Note that successful exploitation of either of these flaws requires an
attacker first authenticate."
 );
 script_set_attribute(
  attribute:"see_also", 
  value:"https://seclists.org/fulldisclosure/2004/Nov/333"
 );
 script_set_attribute(
  attribute:"see_also", 
  value:"https://seclists.org/bugtraq/2005/Jul/346"
 );
 script_set_attribute(
  attribute:"solution", 
  value:"Upgrade to SlimFTPd version 3.17 or later."
 );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
 script_set_attribute(attribute:"metasploit_name", value:'SlimFTPd LIST Concatenation Overflow');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
 script_set_attribute(attribute:"plugin_publication_date", value: "2004/11/13");
 script_set_attribute(attribute:"vuln_publication_date", value: "2004/11/10");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();
 
 script_category(ACT_GATHER_INFO);
 
 script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
 script_family(english:"FTP");
 script_dependencie("ftpserver_detect_type_nd_version.nasl");
 script_require_ports("Services/ftp", 21);
 exit(0);
}


include("ftp_func.inc");


port = get_ftp_port(default: 21);

banner = get_ftp_banner(port:port);
if ( ! banner ) exit(1);


# There's a problem if...
if (
  # The version in the banner is <= 3.16 or...
  egrep(string:banner, pattern:"^220-SlimFTPd ([0-2]\.|3\.1[0-6][^0-9])")
) {
  security_hole(port);
}

Packetstorm

data source: https://packetstormsecurity.com/files/download/82997/slimftpd_list_concat.rb.txt
id: PACKETSTORM:82997
last seen: 2016-12-05
published: 2009-11-26
reporter: riaf
source: https://packetstormsecurity.com/files/82997/SlimFTPd-LIST-Concatenation-Overflow.html
title: SlimFTPd LIST Concatenation Overflow