WU-FTPD QUOTE PASV Forced Core Dump Information Disclosure
1999-06-22T00:00:00
ID FTP_PASV_ON_CONNECT.NASL Type nessus Reporter This script is Copyright (C) 1999-2018 Tenable Network Security, Inc. Modified 2021-01-02T00:00:00
Description
The remote FTP server fails to handle QUOTE PASV requests for logged-in
users. An attacker can send a specially crafted request to cause
the service to die and dump core. The core file contains the usernames
and passwords of all users.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
  # Plugin identity and the CVE this check maps to.
  script_id(10086);
  script_version("1.37");
  script_cve_id("CVE-1999-0075");

  script_name(english:"WU-FTPD QUOTE PASV Forced Core Dump Information Disclosure");
  script_summary(english:"Issues a PASV command on connecting");

  # Report text. The string literals span several lines, so their
  # continuation lines stay at column 0 to keep the emitted text unchanged.
  script_set_attribute(attribute:"synopsis", value:
"The remote FTP server is affected by an information disclosure
vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote FTP server fails to handle QUOTE PASV requests for logged
in users. An attacker can send a specially crafted requests to cause
the service to die and dump core. The core file contains the usernames
and passwords of all users.");
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b7814f27");
  script_set_attribute(attribute:"solution", value:
"Upgrade your FTP server to the latest version.");

  # Severity as rated by the plugin: partial confidentiality and partial
  # availability impact, network reachable, no authentication.
  # NOTE(review): the NVD CVSS2 vector for CVE-1999-0075 is
  # AV:N/AC:L/Au:N/C:N/I:P/A:N, which does not match this one; the plugin's
  # vector is the one that fits the described impact (service dies, core
  # file exposes credentials).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P");

  script_set_attribute(attribute:"plugin_publication_date", value:"1999/06/22");
  script_set_attribute(attribute:"vuln_publication_date", value:"1996/10/14");
  script_cvs_date("Date: 2018/11/15 20:50:22");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  # ACT_ATTACK: the check below does not compare versions; it sends the
  # command and treats a server that stops answering as affected, so a
  # positive result means the FTP session was actually disrupted.
  script_category(ACT_ATTACK);

  script_copyright(english:"This script is Copyright (C) 1999-2018 Tenable Network Security, Inc.");
  script_family(english:"FTP");

  # Scheduling: declared dependency on ftpserver_detect_type_nd_version.nasl,
  # and an FTP port (Services/ftp, or 21) is required.
  script_dependencie("ftpserver_detect_type_nd_version.nasl");
  script_require_ports("Services/ftp", 21);

  # The description pass ends here; the detection code is not reached.
  exit(0);
}
#
# The script code starts here
#
include("ftp_func.inc");
include("global_settings.inc");
# Pick the FTP port (21 is the default) and read its banner; without a
# banner none of the filters below can be applied, so stop.
port = get_ftp_port(default: 21);
banner = get_ftp_banner(port:port);
if (!banner) exit(1);

# Banners that are never probed. WinGate and FireWall-1 are recorded as
# false-positive sources; vsftp banners are skipped as well.
if (("WinGate Engine" >< banner) ||
    ("Check Point FireWall-1" >< banner) ||
    ("vsftp" >< banner))
  exit(0);

# Below paranoia level 2 only servers whose banner mentions SunOS are probed.
if (report_paranoia < 2 && "SunOS" >!< banner) exit(0);

sock = open_sock_tcp(port);
if (!sock) exit(1);

greeting = ftp_recv_line(socket:sock);
if (!greeting) exit(1);

# Continue only when the greeting starts with 220.
# NOTE(review): no USER/PASS is sent before PASV, while the plugin
# description and the CVE text speak of logged-in users -- confirm that
# probing the pre-login state is what is intended.
if (egrep(pattern:"^220.*", string:greeting))
{
  # HELP comes first: a reply shows the session answers commands at all.
  # If it does not, stop without reporting anything.
  send(socket:sock, data:'HELP\r\n');
  help_reply = ftp_recv_line(socket:sock);
  if (!help_reply) exit(0);

  send(socket:sock, data:'PASV\r\n');
  pasv_reply = ftp_recv_line(socket:sock);

  # Silence after PASV is the only signal used: it is read as the server
  # having died. NOTE(review): a timeout or a dropped connection looks the
  # same from here, so a finding should be confirmed on the host (installed
  # FTP server version, presence of a fresh core file) before it is acted on.
  if (!pasv_reply) security_warning(port);
}
close(sock);
{"id": "FTP_PASV_ON_CONNECT.NASL", "bulletinFamily": "scanner", "title": "WU-FTPD QUOTE PASV Forced Core Dump Information Disclosure", "description": "The remote FTP server fails to handle QUOTE PASV requests for logged\nin users. An attacker can send a specially crafted requests to cause\nthe service to die and dump core. The core file contains the usernames\nand passwords of all users.", "published": "1999-06-22T00:00:00", "modified": "2021-01-02T00:00:00", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P"}, "href": "https://www.tenable.com/plugins/nessus/10086", "reporter": "This script is Copyright (C) 1999-2018 Tenable Network Security, Inc.", "references": ["http://www.nessus.org/u?b7814f27"], "cvelist": ["CVE-1999-0075"], "type": "nessus", "lastseen": "2021-01-01T02:47:04", "edition": 23, "viewCount": 28, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-1999-0075"]}, {"type": "osvdb", "idList": ["OSVDB:5742"]}], "modified": "2021-01-01T02:47:04", "rev": 2}, "score": {"value": 5.5, "vector": "NONE", "modified": "2021-01-01T02:47:04", "rev": 2}, "vulnersScore": 5.5}, "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(10086);\n script_version (\"1.37\");\n script_cve_id(\"CVE-1999-0075\");\n\n script_name(english:\"WU-FTPD QUOTE PASV Forced Core Dump Information Disclosure\");\n script_summary(english:\"Issues a PASV command on connecting\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FTP server is affected by an information disclosure\nvulnerability.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote FTP server fails to handle QUOTE PASV requests for logged\nin users. An attacker can send a specially crafted requests to cause\nthe service to die and dump core. 
The core file contains the usernames\nand passwords of all users.\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b7814f27\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade your FTP server to the latest version.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"1999/06/22\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"1996/10/14\");\n script_cvs_date(\"Date: 2018/11/15 20:50:22\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_end_attributes();\n\n \n script_category(ACT_ATTACK);\n \n script_copyright(english:\"This script is Copyright (C) 1999-2018 Tenable Network Security, Inc.\");\n script_family(english:\"FTP\");\n\t \n script_dependencie(\"ftpserver_detect_type_nd_version.nasl\");\n script_require_ports(\"Services/ftp\", 21);\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"ftp_func.inc\");\ninclude(\"global_settings.inc\");\n\n\nport = get_ftp_port(default: 21);\n\nbanner = get_ftp_banner(port:port);\nif (!banner) exit(1);\n \n # False positive in WinGate and FireWall 1\n if(\"WinGate Engine\" >< banner)exit(0);\n if(\"Check Point FireWall-1\" >< banner)exit(0);\n if(\"vsftp\" >< banner) exit(0);\n \n if ( report_paranoia < 2 && \"SunOS\" >!< banner ) exit(0);\n\n\nsoc = open_sock_tcp(port);\nif (! soc) exit(1);\n\nh = ftp_recv_line(socket:soc);\nif (!h) exit(1);\n\nif(egrep(pattern:\"^220.*\", string:h))\n{\n send(socket:soc, data:'HELP\\r\\n');\n c = ftp_recv_line(socket:soc);\n if ( ! c ) exit(0);\n\n send(socket:soc, data: 'PASV\\r\\n');\n c = ftp_recv_line(socket:soc);\n if(!c)security_warning(port);\n}\nclose(soc);\n", "naslFamily": "FTP", "pluginID": "10086", "cpe": [], "scheme": null}
{"cve": [{"lastseen": "2020-10-03T11:36:55", "description": "PASV core dump in wu-ftpd daemon when attacker uses a QUOTE PASV command after specifying a username and password.", "edition": 3, "cvss3": {}, "published": "1996-10-16T04:00:00", "title": "CVE-1999-0075", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-1999-0075"], "modified": "2008-09-09T12:33:00", "cpe": ["cpe:/a:washington_university:wu-ftpd:*"], "id": "CVE-1999-0075", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0075", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:washington_university:wu-ftpd:*:*:*:*:*:*:*:*"]}], "osvdb": [{"lastseen": "2017-04-28T13:20:00", "bulletinFamily": "software", "cvelist": ["CVE-1999-0075"], "edition": 1, "description": "## Vulnerability Description\nA remote overflow exists in WU-FTPD. WU-FTP fails to handle QUOTE PASV requests for logged in users, resulting in a memory overflow. With a specially crafted request, an attacker can cause the daemon to dump core and die. The core file will contain the usernames and password of all users on the system. These endstates are a loss of confidentiality, and availability. \n## Solution Description\nUpgrade to version 2.6.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nA remote overflow exists in WU-FTPD. 
WU-FTP fails to handle QUOTE PASV requests for logged in users, resulting in a memory overflow. With a specially crafted request, an attacker can cause the daemon to dump core and die. The core file will contain the usernames and password of all users on the system. These endstates are a loss of confidentiality, and availability. \n## References:\nVendor URL: http://www.wu-ftpd.org/\nOther Advisory URL: http://docs.freebsd.org/cgi/getmsg.cgi?fetch=113849+0+archive/1996/freebsd-bugs/19961013.freebsd-bugs\nISS X-Force ID: 201\n[CVE-1999-0075](https://vulners.com/cve/CVE-1999-0075)\n", "modified": "1996-10-14T11:20:02", "published": "1996-10-14T11:20:02", "href": "https://vulners.com/osvdb/OSVDB:5742", "id": "OSVDB:5742", "title": "WU-FTPD QUOTE PASV Core Dump", "type": "osvdb", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}]}