Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: [NSE] Check for CVE-2010-4221 - ProFTPD Server stack overflow
From: Djalal Harouni <tixxdz () opendz org>
Date: Thu, 30 Jun 2011 23:32:32 +0100

On Thu, Jun 30, 2011 at 07:44:19PM +0100, Djalal Harouni wrote:
On Thu, Jun 30, 2011 at 08:21:42PM +0200, Henri Doreau wrote:
2011/6/30 Djalal Harouni <tixxdz () opendz org>:
After more tests I'll commit it tomorrow, thanks.

Thanks Djalal,

I have successfully tested the script against the following systems
  - ProFTPD 1.3.2rc4 on Linux x86_64 (vulnerable)
  - ProFTPD 1.3.3b on FreeBSD x86_64 (vulnerable)

As well as this one:
  - ProFTPD 1.3.4rc2 (devel) on Linux x86_64 (not vulnerable)
Ok, that evil packet gives us good result :)

For this last case the script doesn't generate a false positive but I
get: "ftp-vuln-cve2010-4221: this is not ProFTPD server." despite -sV
correctly detected ProFTPD.

Maybe this script could offer an option to force the more intrusive
checks and/or use port.version.product if available.
I'll use that info if available otherwise we'll just force the check by
default (even if we miss the version match).
Henri I've committed the script as r24522, now if the script detect the
correct version it will use it to detect if it's vulnerable or not otherwise
it will force the stack corruption check, and I didn't use the
port.version.product since it was already used in the portrule, let me
know if you have more comments.

Fyodor I don't know if you will include this script in the 5.59BETA1, but
after a quick random scan, I can tell you that I found a lot of vulnerable
ProFTPD servers running. If you do please update the nmap-trunk
CHANGELOG, thanks.

Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]