Re: [NSE] Check for CVE-2010-4221 - ProFTPD Server stack overflow

[Djalal Harouni <tixxdz () opendz org>]

On Thu, Jun 30, 2011 at 07:44:19PM +0100, Djalal Harouni wrote:
> On Thu, Jun 30, 2011 at 08:21:42PM +0200, Henri Doreau wrote:
> > 2011/6/30 Djalal Harouni <tixxdz () opendz org>:
> > > After more tests I'll commit it tomorrow, thanks.
> > Thanks Djalal,
> >
> > I have successfully tested the script against the following systems
> >   - ProFTPD 1.3.2rc4 on Linux x86_64 (vulnerable)
> >   - ProFTPD 1.3.3b on FreeBSD x86_64 (vulnerable)
> >
> > As well as this one:
> >   - ProFTPD 1.3.4rc2 (devel) on Linux x86_64 (not vulnerable)
> Ok, that evil packet gives us good result :)
>
> > For this last case the script doesn't generate a false positive but I
> > get: "ftp-vuln-cve2010-4221: this is not ProFTPD server." despite -sV
> > correctly detected ProFTPD.
> >
> > Maybe this script could offer an option to force the more intrusive
> > checks and/or use port.version.product if available.
> I'll use that info if available otherwise we'll just force the check by
> default (even if we miss the version match).
Henri I've committed the script as r24522, now if the script detect the
correct version it will use it to detect if it's vulnerable or not otherwise
it will force the stack corruption check, and I didn't use the
port.version.product since it was already used in the portrule, let me
know if you have more comments.

Fyodor I don't know if you will include this script in the 5.59BETA1, but
after a quick random scan, I can tell you that I found a lot of vulnerable
ProFTPD servers running. If you do please update the nmap-trunk
CHANGELOG, thanks.

-- 
tixxdz
http://opendz.org
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/