On Thu, Jun 19, 2003 at 09:34:09AM -0400, Rickard, Matthew wrote:
> I'm scanning a Solaris 9 machine running wu-ftpd 2.6.2 (which Sun has
> rebundled and called SunFTPd 10). On scanning this machine (safe checks
> disabled, nessus 2.0.6a), I'm getting what seem to be false positives for
> vulnerabilities. Nessus is reporting vulnerabilities related to AIX FTPd
> and SunFTP 9. I haven't been able to find any reference of wu-ftpd 2.6.2
> being vulnerable to these exploits. If this report is inaccurate, why is
> Nessus reporting this? If not, where can I find documentation of these
> vulnerabilities? The ftp vulnerabilities are listed below in entirety.
>
> It was possible to make the remote FTP server
> crash by issuing this command :
>
> CEL aaaa[...]aaaa

It means that the remote host abruptly closed the communication when
it received the command above. Either this is because there is a buffer
overflow condition, or because there is some code in it like:

    if ( strlen(request) > 255 )
        exit(1); /* User is Naughty */

Nessus cannot make the distinction remotely, therefore you'll have to
see for yourself (i.e.: is there a core file somewhere?)

> Vulnerability found on port ftp (21/tcp)
>
> Buffer overflow in SunFTP build 9(1) allows remote attackers to cause
> a denial of service or possibly execute arbitrary commands by sending
> more than 2100 characters to the server.
>
> Solution : Switching to another FTP server, SunFTP is discontinued.

Same thing as above. The advice is true though - if SunFTP has been
discontinued, maybe you don't want to run this software on a production
host.

> Vulnerability found on port ftp (21/tcp)
>
> The remote FTP server closes
> the connection when one of the commands is given
> a too long argument.

Same thing again.

-- Renaud
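
The distinction the reply describes, as an added example (not code from the original message or from Nessus): both handlers below drop the connection on an over-long argument, which looks identical to a remote scanner, but the wait status seen on the host tells a deliberate exit from a crash. The handler names are hypothetical, the 2100-byte request is constructed, and the fault is simulated with raise() rather than a real overflow.

```c
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

enum outcome { OUTCOME_OK, OUTCOME_DELIBERATE_EXIT, OUTCOME_CRASH, OUTCOME_ERROR };

/* Hypothetical handler using the length check quoted in the message. */
void handle_checked(const char *request)
{
    if (strlen(request) > 255)
        exit(1);                      /* the peer only sees the socket close */
}

/* Hypothetical stand-in for a daemon that faults on long input.
 * The fault is simulated; no memory is corrupted. */
void handle_faulting(const char *request)
{
    if (strlen(request) > 255) {
        signal(SIGSEGV, SIG_DFL);     /* make sure the default action applies */
        raise(SIGSEGV);
    }
}

/* Run a handler in a child, as a forking daemon would, and classify how
 * the child ended. Only the host can see this; the network cannot. */
enum outcome run_and_classify(void (*handler)(const char *), const char *request)
{
    struct rlimit no_core = {0, 0};
    int status;
    fflush(NULL);                     /* avoid duplicated stdio output in the child */
    pid_t pid = fork();
    if (pid < 0) return OUTCOME_ERROR;
    if (pid == 0) {
        setrlimit(RLIMIT_CORE, &no_core);  /* demo only: do not litter core files */
        handler(request);
        _exit(0);
    }
    if (waitpid(pid, &status, 0) != pid) return OUTCOME_ERROR;
    if (WIFSIGNALED(status)) return OUTCOME_CRASH;  /* would leave a core if enabled */
    return (WIFEXITED(status) && WEXITSTATUS(status) != 0) ? OUTCOME_DELIBERATE_EXIT : OUTCOME_OK;
}

int main(void)
{
    char req[2101]; memset(req, 'a', 2100); req[2100] = '\0';  /* constructed input */
    printf("checked=%d faulting=%d\n", run_and_classify(handle_checked, req),
           run_and_classify(handle_faulting, req));
    return 0;
}
```

On a real server the same evidence shows up as a core file or as a "killed by signal" entry logged by the parent daemon, versus a plain non-zero exit.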