CVE-2004-0346
CVSS 7.2
Published: 2004-11-23 00:00:00
Last revised: 2016-10-17 22:44:19

[Original] Off-by-one buffer overflow in _xlate_ascii_write() in ProFTPD 1.2.7 through 1.2.9rc2p allows local users to gain privileges via a 1024 byte RETR command.


[CNNVD] ProFTPD _xlate_ascii_write() Remote Buffer Overflow Vulnerability (CNNVD-200411-153)

        
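        ProFTPD is a highly configurable FTP server.
        The _xlate_ascii_write() function in ProFTPD lacks proper bounds checking. A remote attacker can exploit this vulnerability to overflow a buffer and execute arbitrary commands on the system with the privileges of the FTP process.
        The _xlate_ascii_write() function does not check the bounds of the session.xfer.buf buffer precisely, so an attacker can overwrite the two bytes of memory adjacent to this buffer and may thereby gain control of execution and remotely execute arbitrary code with the privileges of the FTP process. An attacker can trigger the vulnerability by issuing a RETR command.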
        

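- CVSS (Base Score)

CVSS score: 7.2 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]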

- CPE (Affected Platforms and Products)

cpe:/a:proftpd_project:proftpd:1.2.9_rc1
cpe:/a:proftpd_project:proftpd:1.2.7
cpe:/a:proftpd_project:proftpd:1.2.8
cpe:/a:proftpd_project:proftpd:1.2.9_rc2

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0346
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0346
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200411-153
(Official data source) CNNVD

- Other Links and Resources

http://marc.info/?l=bugtraq&m=107824679817240&w=2
(UNKNOWN)  BUGTRAQ  20040302 The Cult of a Cardinal Number
http://www.securityfocus.com/bid/9782
(VENDOR_ADVISORY)  BID  9782
http://xforce.iss.net/xforce/xfdb/15387
(VENDOR_ADVISORY)  XF  proftpd-offbyone-bo(15387)

- Vulnerability Information

ProFTPD _xlate_ascii_write() Remote Buffer Overflow Vulnerability
High risk  Boundary condition error
2004-11-23 00:00:00 2005-10-20 00:00:00
Remote
        
        

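- Advisories and Patches

        Vendor patch:
        ProFTPD Project
        ---------------
        The vendor has released an upgrade patch that fixes this security issue. Download it from the vendor's home page:
        ProFTPD Project Upgrade ProFTPD 1.2.9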
        
        http://proftpd.linux.co.uk/download.html

- Vulnerability Information

4134
ProFTPD in_xlate_ascii_write() Function RETR Command Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity

- Vulnerability Description

A remote overflow exists in ProFTPD. It fails to handle off-by-one errors in the _xlate_ascii_write function. With a specially crafted request with a RETR command containing 1023 bytes or more that begins with an LF (Line Feed) character, an attacker can execute arbitrary code on the system with the privileges of ProFTPD, resulting in a loss of confidentiality, integrity and availability.

- Timeline

2004-03-02 Unknown
Unknown Unknown

- Solution

Upgrade to the latest version of ProFTPD (1.2.9rc3 or later), as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related References

- Vulnerability Author

- Vulnerability Information

ProFTPD _xlate_ascii_write() Buffer Overrun Vulnerability
Boundary Condition Error 9782
Yes No
2004-03-02 12:00:00 2007-11-05 03:25:00
Discovery is credited to "Phantasmal Phantasmagoria" <phantasmal@hush.ai>.

- Affected Versions

Turbolinux Turbolinux Workstation 8.0
Turbolinux Turbolinux Workstation 7.0
Turbolinux Turbolinux Server 8.0
Turbolinux Turbolinux Server 7.0
Turbolinux Appliance Server Workgroup Edition 1.0
Turbolinux Appliance Server 1.0 Workgroup Edition
RedHat Linux 9.0 i386
RedHat Linux 8.0 i686
RedHat Linux 8.0 i386
RedHat Linux 8.0
RedHat Linux 7.3 i686
RedHat Linux 7.3 i386
RedHat Linux 7.3
RedHat Linux 7.2 noarch
RedHat Linux 7.2 ia64
RedHat Linux 7.2 i686
RedHat Linux 7.2 i586
RedHat Linux 7.2 i386
RedHat Linux 7.2 athlon
RedHat Linux 7.2 alpha
RedHat Linux 7.2
RedHat Linux 7.1 k i386
RedHat Linux 7.1 pseries
RedHat Linux 7.1 noarch
RedHat Linux 7.1 iseries
RedHat Linux 7.1 ia64
RedHat Linux 7.1 i686
RedHat Linux 7.1 i586
RedHat Linux 7.1 i386
RedHat Linux 7.1 alphaev6
RedHat Linux 7.1 alpha
RedHat Linux 7.1
RedHat Linux 6.2 sparcv9
RedHat Linux 6.2 E sparc
RedHat Linux 6.2 E i386
RedHat Linux 6.2 E alpha
RedHat Linux 6.2 sparc
RedHat Linux 6.2 i386
RedHat Linux 6.2 alpha
Red Hat Linux 6.2
ProFTPD Project ProFTPD 1.2.9 rc2
ProFTPD Project ProFTPD 1.2.9 rc1
ProFTPD Project ProFTPD 1.2.8
+ Slackware Linux 9.0
+ Slackware Linux 8.1
+ Slackware Linux -current
ProFTPD Project ProFTPD 1.2.7
+ Sun Cobalt Qube 3
Debian Linux 2.2 powerpc
Debian Linux 2.2 IA-32
Debian Linux 2.2 arm
Debian Linux 2.2 alpha
Debian Linux 2.2 68k
Debian Linux 2.2
ProFTPD Project ProFTPD 1.2.9 rc3
ProFTPD Project ProFTPD 1.2.9
+ Mandriva Linux Mandrake 10.0
+ OpenPKG OpenPKG 2.0
+ OpenPKG OpenPKG 1.3
+ OpenPKG OpenPKG Current
+ Slackware Linux 9.1
+ Slackware Linux 9.0
+ Slackware Linux 8.1
+ Slackware Linux -current

- Unaffected Versions

ProFTPD Project ProFTPD 1.2.9 rc3
ProFTPD Project ProFTPD 1.2.9
+ Mandriva Linux Mandrake 10.0
+ OpenPKG OpenPKG 2.0
+ OpenPKG OpenPKG 1.3
+ OpenPKG OpenPKG Current
+ Slackware Linux 9.1
+ Slackware Linux 9.0
+ Slackware Linux 8.1
+ Slackware Linux -current

- Vulnerability Discussion

A remotely exploitable buffer overrun was reported in ProFTPD. This issue is due to insufficient bounds checking of user-supplied data in the '_xlate_ascii_write()' function, permitting an attacker to overwrite two bytes of memory adjacent to the affected buffer. The attacker may be able to exploit this to execute arbitrary code in the context of the server. The attacker may trigger this issue by submitting a RETR command to the server.

- Exploit

The researcher who discovered this issue has reportedly developed working exploit code that is not publicly available or known to be circulating in the wild at the time of writing.

UPDATE: Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

- Solution

Please see the referenced advisories for more information.


ProFTPD Project ProFTPD 1.2.7

ProFTPD Project ProFTPD 1.2.8

- Related References

 

 
