CVE-2014-1441 - Race Condition vulnerability in Coreftp Core FTP 1.2

CVSS 4.3 - MEDIUM
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: PARTIAL
network, coreftp, CWE-362, nessus

Summary

Core FTP Server 1.2 before build 515 allows remote attackers to cause a denial of service (reachable assertion and crash) via an AUTH SSL command with malformed data, as demonstrated by pressing the enter key twice.

Vulnerable Configurations

Part         Description  Count
Application  Coreftp      1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leveraging Race Conditions
    This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.

Nessus

NASL family: FTP
NASL id: COREFTP_SERVER_1_2_515.NASL
description: The version of Core FTP running on the remote host is prior to 1.2 build 515. It is, therefore, affected by multiple vulnerabilities : - A denial of service vulnerability exists that is triggered when handling malformed data after the
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 72662
published: 2014-02-24
reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/72662
title: Core FTP Server < 1.2 Build 515 Multiple Vulnerabilities
code:
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(72662);
  script_version("1.6");
  script_cvs_date("Date: 2019/11/26");

  script_cve_id("CVE-2014-1441", "CVE-2014-1442", "CVE-2014-1443");
  script_bugtraq_id(65428, 65430, 65432);

  script_name(english:"Core FTP Server < 1.2 Build 515 Multiple Vulnerabilities");
  script_summary(english:"Checks the version of Core FTP Server.");

  script_set_attribute(attribute:"synopsis", value:
"The FTP server running on the remote host is affected by multiple
vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Core FTP running on the remote host is prior to 1.2
build 515. It is, therefore, affected by multiple vulnerabilities :

  - A denial of service vulnerability exists that is
    triggered when handling malformed data after the 'AUTH
    SSL' command. An unauthenticated, remote attacker can
    exploit this to cause an assertion failure, resulting in
    a server crash. (CVE-2014-1441)

  - An information disclosure vulnerability exists due to a
    failure to properly sanitize user-supplied input. An
    authenticated, remote attacker can exploit this, via
    directory traversal using the 'XCRC' command, to gain
    access to arbitrary files. (CVE-2014-1442)

  - An information disclosure vulnerability exists due to
    improper handling of crafted string data by the 'USER'
    command. An authenticated, remote attacker can exploit
    this, via a specially crafted string, to access the
    password for the user that previously logged on.
    (CVE-2014-1443)");
  script_set_attribute(attribute:"see_also", value:"http://coreftp.com/forums/viewtopic.php?t=2985707");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2014/Feb/39");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Core FTP version 1.2 build 515 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-1443");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/01/30");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/01/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/02/24");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:coreftp:coreftp");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"FTP");

  script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("coreftp_server_detect.nbin");
  script_require_keys("installed_sw/Core FTP Server");
  script_require_ports("Services/ftp", 21);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("install_func.inc");

appname = 'Core FTP Server';
install = get_single_install(app_name:appname, exit_if_unknown_ver:TRUE);

port = install["path"];
source = install["version_source"];
version_build = install["version_build"];
fullver = install["fullversion"];

fix = "1.2.515";
if (ver_compare(ver:fullver, fix:fix, strict:FALSE) == -1)
{
  report =
    '\n  Version source    : ' + source +
    '\n  Installed version : ' + version_build +
    '\n  Fixed version     : 1.2 Build 515' +
    '\n';
  security_report_v4(port:port, severity:SECURITY_WARNING, extra:report);
}
else audit(AUDIT_LISTEN_NOT_VULN, 'Core FTP Server', port, version_build);

Packetstorm

data source: https://packetstormsecurity.com/files/download/125073/core-traversaldosdisclose.txt
id: PACKETSTORM:125073
last seen: 2016-12-05
published: 2014-02-05
reporter: Fara Denise Rustein
source: https://packetstormsecurity.com/files/125073/Core-FTP-Server-1.2-DoS-Traversal-Disclosure.html
title: Core FTP Server 1.2 DoS / Traversal / Disclosure

Seebug

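bulletinFamily: exploit
description: BUGTRAQ ID: 65432 CVE(CAN) ID: CVE-2014-1441 CoreFTP is a free FTP client. Core FTP 1.2 build 511 and other versions contain an error in the handling of the AUTH SSL command, which allows an attacker to crash the server via a specially crafted SSL certificate. Core FTP Core FTP 1.x Vendor patch: Core FTP: The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page: http://www.coreftp.com/
id: SSV:61538
last seen: 2017-11-19
modified: 2014-02-24
published: 2014-02-24
reporter: Root
title: Core FTP 'AUTH SSL' Command Denial of Service Vulnerability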