Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2000-2022 and is owned by Tenable, Inc. or an Affiliate thereof.BFTPD_CHOWN.NASL
HistoryDec 16, 2000 - 12:00 a.m.

bftpd Multiple Command Remote Overflow

2000-12-1600:00:00
This script is Copyright (C) 2000-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
25
JSON

The version of bftpd running on the remote host is vulnerable to a remote buffer overflow attack when issued very long arguments to the SITE CHOWN command. A remote attacker could exploit this issue to crash the FTP server, or possibly execute arbitrary code.

#TRUSTED 5691dca3da701903f0ed7a5b64f3df6ba5692aa6e04eb39fb3eb17a6d0f1cdd947f99a0b62f71e4bc30c4f48024871f057e494c97621b7bed5a2df875f71c73aa3aebee78437ab8105715dee8899044d46654fe551d065ee226e5cc0323de92b117efd75f1489fb051f33329751607c3a1cacaef0f09c990f15cca772f6fe0073f7fd50e12be5f5876ddabce867cccd26c574ed0251b711d27d10ffaad6d233a7eadc4995cea0ce623407b6055d1177e939538e94d70e948d5fb9ba7fd923e03c8034805efc66fd716085ca40f8fa173f71bb5ea2b1ad5e444ae92072b5f71902100b5fbcbdde472b761404054fbdca2ba7505dd1ba74d3ef2d93965b89738d73752bd5aee2d98266baf6054b5d7eff48f2dfbe09f1ed4f4a48e6a5154725f3771969e173ad290da9d53806d615d3e7745ac6d9633f5ff191fe3b51866bd6510e9e1a33141bb4fad8a6409ce69341d4a82b956ce500efc5e4b7d3d56bca06d4df778e387ecb06439f666b2f2b5f516dfa99f90aaa1043b9e59b334697db06b86ae653746a9cb485054a6ec04ae296e7c267d57556d99f9fcbfac09a35c7ca230624247da54357f748904cd3d43906fb588d35531819b9a26049ccd1ac088c501a86372d8a2da250d113a71b02295783b4e4e2b578b08c3ed6976c2acb3fbe9e64df068790467f5b465aea88d5f4a12dcf26058007b5040ca476d44e55acb46db
#
# (C) Tenable Network Security, Inc.
#


include('compat.inc');


if(description)
{
  script_id(10579);
  script_version("1.42");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/02/11");

  script_cve_id("CVE-2001-0065", "CVE-2000-0943");
  script_bugtraq_id(2120);

  script_name(english:"bftpd Multiple Command Remote Overflow");
  script_summary(english:"Checks if the remote bftpd daemon is vulnerable to a buffer overflow");

  script_set_attribute(attribute:"synopsis", value:
"The remote FTP server has a remote buffer overflow vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of bftpd running on the remote host is vulnerable to a
remote buffer overflow attack when issued very long arguments to the
SITE CHOWN command.  A remote attacker could exploit this issue to
crash the FTP server, or possibly execute arbitrary code." );
  script_set_attribute(attribute:"see_also", value:
"https://seclists.org/bugtraq/2000/Dec/222");
  script_set_attribute(attribute:"solution", value:
"Upgrade to bftpd version 1.0.24 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2001-0065");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value: "2000/10/27");
  script_set_attribute(attribute:"plugin_publication_date", value: "2000/12/16");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_MIXED_ATTACK); # mixed
  script_family(english:"FTP");

  script_copyright(english:"This script is Copyright (C) 2000-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ftpserver_detect_type_nd_version.nasl", "ftp_anonymous.nasl", "ftp_writeable_directories.nasl", "ftp_kibuv_worm.nasl");
  script_require_ports("Services/ftp", 21);
  script_require_keys("Settings/ParanoidReport");

 exit(0);
}

include('ftp_func.inc');

if (report_paranoia < 2)
 audit(AUDIT_PARANOID);

#
# The script code starts here :
#

var login = get_kb_item("ftp/login");
var pass  = get_kb_item("ftp/password");

var port = get_ftp_port(default: 21);

# Connect to the FTP server

if(safe_checks())login = 0;


if(login)
{
 var soc = ftp_open_and_authenticate( user:login, pass:pass, port:port );
 if(soc)
 {
  var req = 'SITE CHOWN AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA A';
  req = req + '\r\n';
  send(socket:soc, data:req);
  var r = ftp_recv_line(socket:soc);
  send(socket:soc, data:'HELP\r\n');
  r = ftp_recv_line(socket:soc, retry: 2);
  if(!r)security_hole(port);
  ftp_close(socket: soc);
  exit(0);
  }
}

var banner = get_ftp_banner(port: port);
if(!banner)exit(1, "No FTP banner on port "+port+".");

if(egrep(pattern:"220.*bftpd 1\.0\.(([0-9][^0-9])|(1[0-3]))",
  	 string:banner)){
	 var data =
	   '\n' +
	   'Note that Nessus detected this issue solely based on the server banner\n';

	 security_report_v4(port:port, extra:data, severity:SECURITY_HOLE);
	 }

Related

cve 2
openvas 1
nessus 1
cve
cve
CVE-2000-0943
2000-12-19 05:00:00
CVE-2001-0065
2001-02-12 05:00:00
openvas
openvas
Bftpd <= 1.0.13 Buffer Overflow Vulnerability - Active Check
2021-08-30 00:00:00
nessus
nessus
Multiple FTP Server Command Handling Overflow
1999-06-22 00:00:00
JSON
Related for BFTPD_CHOWN.NASL
cve2openvas1nessus1