CVE-2004-0695
Published 2004-07-27
CVE-2004-0695: Stack-based buffer overflow in the FTP service for 4D WebSTAR 5.3.2 and earlier allows remote attackers to execute arbitrary code via a long FTP command.
Priority P3 48 · high · 7.5 (CVSS 2.0)
CVSS vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 38.19% (98.4th percentile)
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 4d | webstar | — | — |
| 4d | webstar | — | — |
| 4d | webstar | — | — |
| 4d | webstar | — | — |
| 4d | webstar | — | — |
| 4d | webstar | — | — |
| 4d | webstar | — | — |
| 4d | webstar | — | — |
| 4d | webstar | — | — |
Detection & IOCs (extracted from sources)
- bytes: ROP gadget address 0x9008dce0 (call $r28, jump r1+120) - PPC Mac OS X 10.3.4-10.3.6 System library
- bytes: Bad chars in payload: 0x00 0x20 0x0a 0x0d

- Detect oversized FTP USER command sent to WebSTAR FTP service; the exploit sends a USER argument of 285+ bytes (offset dependent on attacker hostname length) followed by ROP chain and shellcode.
- The exploit sends a HELP command immediately after the malicious USER command as part of the attack sequence; alert on USER overflow followed by HELP on the same FTP session.
- The overflow occurs in the FTP logging routine of WebSTAR FTP server 5.3.2 and earlier; monitor FTP USER commands exceeding normal length bounds on Mac OS X hosts running WebSTAR.
- ROP chain uses four specific PPC addresses from the System library (0x9008dce0, 0x90034d60, 0x900ca6d8, 0x90023590); presence of these big-endian 4-byte sequences within an FTP USER payload is a strong indicator of exploitation.
- The ROP gadget addresses (0x9008dce0, 0x90034d60, 0x900ca6d8, 0x90023590) are specific to Mac OS X 10.3.4–10.3.6 PPC System library; they will not apply to other OS versions or architectures.
- Payload space is limited to 300 bytes and must avoid null bytes, spaces, newlines, and carriage returns; custom shellcode must respect these constraints.
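The checks described in the notes above, as an added example (not part of the original page, and not a rule from any source it indexes): a Python function that scans the client-to-server bytes of one FTP control session for an over-long USER argument, the four listed addresses in big-endian form, and a HELP command that follows. The 64-byte username limit, the function name and the finding fields are assumptions; the sample sessions are constructed filler.

```python
import re

# Addresses listed on this page (Mac OS X 10.3.4-10.3.6 PPC System library).
GADGETS = (0x9008DCE0, 0x90034D60, 0x900CA6D8, 0x90023590)
GADGET_BYTES = tuple(a.to_bytes(4, "big") for a in GADGETS)

MAX_USER_LEN = 64       # assumption: site policy for a sane username length
EXPLOIT_USER_LEN = 285  # USER argument length this page reports for the exploit


def scan_ftp_session(client_bytes):
    """Return one finding per over-long USER command in a control-channel stream."""
    # The page lists 0x0a/0x0d as bytes the payload must avoid, so the whole
    # USER argument stays on one line; tolerate bare LF from odd clients.
    lines = re.split(rb"\r?\n", client_bytes)
    findings = []
    for i, line in enumerate(lines):
        verb, _, arg = line.partition(b" ")
        if verb.upper() != b"USER" or len(arg) <= MAX_USER_LEN:
            continue
        # First non-empty command after the USER line on the same session.
        next_verb = b""
        for later in lines[i + 1:]:
            if later.strip():
                next_verb = later.split(b" ", 1)[0].upper()
                break
        hits = [f"0x{a:08x}" for a, b in zip(GADGETS, GADGET_BYTES) if b in arg]
        findings.append({
            "line": i,
            "user_len": len(arg),
            "exploit_sized": len(arg) >= EXPLOIT_USER_LEN,
            "gadgets": hits,
            "followed_by_help": next_verb == b"HELP",
            "severity": "high" if hits else "medium",
        })
    return findings


# Constructed samples: filler bytes only, no working payload.
BENIGN = b"USER alice\r\nPASS secret\r\nHELP\r\n"
LONG_ONLY = b"USER " + b"x" * 100 + b"\r\nPASS y\r\n"
SUSPECT = b"USER " + b"A" * 285 + GADGET_BYTES[0] + b"B" * 40 + b"\r\nHELP\r\n"
```

Feed it the reassembled client side of port 21 traffic per connection; a `medium` finding is a length-policy violation only, while `high` means one of the listed address patterns was present in the USER argument.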
No detection rules found.
Exploit-DB
WebSTAR FTP Server - USER Overflow (Metasploit)
exploitdb·2010-09-20
---
##
# $Id: webstar_ftp_user.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'WebSTAR FTP Server USER Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the logging routine
of the WebSTAR FTP server. Reliable code execution is
obtained by a series of hops through the System library.
},
'Author' => [ 'ddz', 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 10394 $',
'References' =>
[
[ 'CVE', '2004-0695'],
[ 'OSVDB',
Exploit-DB
WebSTAR FTP Server 5.3.2 (OSX) - USER Overflow (Metasploit)
exploitdb·2004-07-13
---
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'WebSTAR FTP Server USER Overflow',
'Description' => %q{
This module exploits a stack overflow in the logging routine
of the WebSTAR FTP server. Reliable code execution is
obtained by a series of hops through the System library.
},
'Author' => [ 'ddz', 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2004-0695'],
[ 'OSVDB', '7794'],
[ 'BID', '10720'],
],
'Privileged' => true,
'
Metasploit
WebSTAR FTP Server USER Overflow
metasploit
This module exploits a stack buffer overflow in the logging routine of the WebSTAR FTP server. Reliable code execution is obtained by a series of hops through the System library.
No writeups or analysis indexed.
- ftp://ftp.4d.com/ACI_PRODUCT_REFERENCE_LIBRARY/4D_PRODUCT_DOCUMENTATION/PDF_Docs_by_4D_Product_A-Z/4D_WebSTAR/Software_Change_History.txt
- http://www.atstake.com/research/advisories/2004/a071304-1.txt
- https://exchange.xforce.ibmcloud.com/vulnerabilities/16686