WS_FTP SITE CPWD Buffer Overflow

This server is vulnerable to a buffer overflow in WS_FTP's 'CPWD' command, allowing remote users to execute arbitrary code

Reporter	Title	Published	Views	Family All 8
Tenable Nessus	WS_FTP < 3.1.2 SITE CPWD Buffer Overflow	20 Aug 200400:00	–	nessus
Tenable Nessus	WS_FTP Server SITE CPWD Command Remote Overflow	21 Aug 200200:00	–	nessus
CVE	CVE-2002-0826	2 Apr 200305:00	–	cve
Cvelist	CVE-2002-0826	2 Apr 200305:00	–	cvelist
EUVD	EUVD-2002-0818	2 Apr 200305:00	–	euvd
NVD	CVE-2002-0826	12 Aug 200204:00	–	nvd
OpenVAS	WS_FTP Server < 3.1.2 Buffer Overflow Vulnerability	3 Nov 200500:00	–	openvas
Positive Technologies	PT-2002-1846 · Ipswitch · Ws Ftp Ftp Server	12 Aug 200200:00	–	ptsecurity

# OpenVAS Vulnerability Test
# $Id: DDI_ws_ftp-server-cpwd-bo.nasl 6056 2017-05-02 09:02:50Z teissa $
# Description: WS_FTP SITE CPWD Buffer Overflow
#
# Authors:
# Forrest Rae <[email protected]>
# Script audit and contributions from Carmichael Security <http://www.carmichaelsecurity.com>
# Erik Anderson <[email protected]>
# Added BugtraqID and CVE
#
# Copyright:
# Copyright (C) 2002 Digital Defense, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2,
# as published by the Free Software Foundation
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#

tag_summary = "This host is running a version of WS_FTP FTP server prior to 3.1.2.  
Versions earlier than 3.1.2 contain an unchecked buffer in routines that 
handle the 'CPWD' command arguments.  The 'CPWD' command allows remote 
users to change their password.  By issuing a malformed argument to the 
CPWD command, a user could overflow a buffer and execute arbitrary code 
on this host.  Note that a local user account is required.

The vendor has released a patch that fixes this issue.  Please install 
the latest patch available from the vendor's website at 
http://www.ipswitch.com/support/.";

# Reference: www.atstake.com/research/advisories/2002/a080802-1.txt

if(description)
{
	script_id(11098);
	script_version("$Revision: 6056 $");
	script_tag(name:"last_modification", value:"$Date: 2017-05-02 11:02:50 +0200 (Tue, 02 May 2017) $");
	script_tag(name:"creation_date", value:"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)");
	script_bugtraq_id(5427);
    script_tag(name:"cvss_base", value:"7.5");
    script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");
	script_cve_id("CVE-2002-0826");
	name = "WS_FTP SITE CPWD Buffer Overflow";
	script_name(name);
		 
	script_category(ACT_GATHER_INFO);
    script_tag(name:"qod_type", value:"remote_banner"); 
	script_family("FTP");
	script_copyright("This script is Copyright (C) 2002 Digital Defense, Inc.");
	script_dependencies("find_service_3digits.nasl");
	script_require_ports("Services/ftp", 21);
 script_tag(name : "summary" , value : tag_summary);
	exit(0);
}

#
# The script code starts here : 
#

port = get_kb_item("Services/ftp");
if(!port)port = 21;
if(!get_port_state(port))exit(0);

banner = get_kb_item(string("ftp/banner/", port));

if(!banner)
{ 
	soc = open_sock_tcp(port);
	if(!soc)exit(0);
	banner = recv_line(socket:soc, length:4096);
}

if(banner)
{
	if(egrep(pattern:".*WS_FTP Server (((1|2)\..*)|(3\.((0(\..*){0,1})|(1\.1))))", string:banner))
	    		security_message(port:port);		
}

02 May 2017 00:00Current

0.6Low risk

Vulners AI Score0.6

EPSS0.12853