The vsf_filename_passes_filter function in ls.c in vsftpd before 2.3.3 allows remote authenticated users to cause a denial of service (CPU consumption and process slot exhaustion) via crafted glob expressions in STAT commands in multiple FTP sessions, a different vulnerability than CVE-2010-2632.
PoC代码[已公开]
id: CVE-2011-0762
info:
name: vsftpd < 2.3.3 - DoS
author: pussycat0x
severity: medium
description: |
The vsf_filename_passes_filter function in ls.c in vsftpd before 2.3.3 allows remote authenticated users to cause a denial of service (CPU consumption and process slot exhaustion) via crafted glob expressions in STAT commands in multiple FTP sessions, a different vulnerability than CVE-2010-2632.
reference:
- ftp://vsftpd.beasts.org/users/cevans/untar/vsftpd-2.3.4/Changelog
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=622741
- http://cxib.net/stuff/vspoc232.c
- http://jvn.jp/en/jp/JVN37417423/index.html
- http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055881.html
classification:
cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:N/A:P
cvss-score: 4
cve-id: CVE-2011-0762
cwe-id: CWE-400
epss-score: 0.54153
epss-percentile: 0.97872
cpe: cpe:2.3:a:vsftpd_project:vsftpd:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
vendor: vsftpd_project
product: vsftpd
shodan-query:
- vsftpd
- product:"vsftpd"
tags: cve,cve2011,network,ftp,vsftpd,tcp,passive,vuln
tcp:
- inputs:
- data: 00000000
type: hex
host:
- "{{Hostname}}"
port: 21
read-size: 1024
matchers:
- type: dsl
dsl:
- "contains(raw, 'vsFTPd')"
- "compare_versions(version, '< 2.3.3')"
condition: and
extractors:
- type: regex
group: 1
name: version
regex:
- "vsFTPd ([0-9.]+)"
# digest: 4b0a004830460221009b614369de55b50c670b7671acb6c1dedaa46f799ba7d957710072eb6783864d022100f03683b3c461998b8e65b5d230c0a2c445682f0cc51818bf361b8873795a373d:922c64590222798bb761d5b6d8e72950