SAINT Corporation
SAINT:1905A7143EDD2CAADEC718B98F6B53D9
Oct 27, 2006 - 12:00 a.m.

Serv-U FTP Server MDTM timezone buffer overflow

download.saintcorporation.com

CVSS2: 10
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

AI Score: 7.5
Confidence: Low

EPSS: 0.933
Percentile: 99.1%

Added: 10/27/2006
CVE: CVE-2004-0330
BID: 9751
OSVDB: 4073

Background

Serv-U FTP Server supports the MDTM command, which allows users to modify the time stamp on files.

Problem

A buffer overflow in Serv-U FTP Server allows remote authenticated attackers to execute arbitrary commands by sending the MDTM command with a specially crafted timezone parameter.

Resolution

Upgrade to Serv-U FTP Server 5.0.0.4 or higher.

References

http://archives.neohapsis.com/archives/vulnwatch/2004-q1/0048.html

Limitations

Exploit works on Serv-U FTP Server 4.1.0.0 and requires a valid FTP user name and password.

Platforms

Windows 2000
Windows XP
