Operating System - HP-UX

Re: FTP 'glob heap corruption' question.

 
someone_4
Honored Contributor

FTP 'glob heap corruption' question.

Hi everyone

First of all let me start off by saying that my network admin is paranoid !!

Ok,

He does a NessusWX scan (without telling me) on my external servers. And comes back with this report:

You seem to be running an FTP server which is vulnerable to the
'glob heap corruption' flaw.
An attacker may use this problem to execute arbitrary commands on this host.

*** Nessus relied solely on the banner of the server to issue this warning,
*** so this alert might be a false positive
*** NOTE: must have a valid username/password to fully check this vulnerability

Solution : Upgrade your ftp server software to the latest version.
Risk factor : High

CVE : CAN-2001-0249, CVE-2001-0550
BID : 2550, 3581


Then he comes back with the attached SECURITY BULLETIN.

According to the document the fix is PHNE_23949 for 11.0. That patch is applied but he insists that the patch was applied wrong. On a test box I upgraded to the latest ftp patch PHNE_30989 and Nessus still reported the issue.

It does report that
*** NOTE: must have a valid username/password to fully check this vulnerability.

I did add a username and password and still the same report.

I will admit maybe I missed something. Anyone have any ideas?

Right now I am leaning that this is a false positive.

Richard




3 REPLIES 3
Ron Kinner
Honored Contributor

Re: FTP 'glob heap corruption' question.

I don't have a login on an HPUX any more but when you ftp to a box you get something like:

Connected to A.B.C.D
220 nameofsvr FTP server (Version 1.1.214.8 Fri Apr 20 07:27:42 GMT 2001) ready.

I presume Nessus is parsing the Version number to decide if you are good or not.

What version number do you see? (Above system is on a secure private network and the admin hates to make changes (if it's working don't touch it or 1.6 million customers might get upset) so probably does not have the patch.)

Wonder if you could find the text file that has the version number in it and change it to something like 2.0 if that would make it happy?

Ron
Kent Ostby
Honored Contributor

Re: FTP 'glob heap corruption' question.

Well. I don't know about Nessus. I know that you need to go by this:

Note: To determine if a system has an affected version,
search the output of "swlist -a revision -l fileset"
for an affected fileset. Then determine if the
recommended patch or update is installed.



HP-UX B.11.00
=============
InternetSrvcs.INETSVCS-RUN
action: install PHNE_23949 or subsequent.

...

--> END AFFECTED VERSIONS

PHNE_30989 is the proper fix for this
"Well, actually, she is a rocket scientist" -- Steve Martin in "Roxanne"
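The bulletin's check quoted in the reply above, as an added example that is not part of the thread or of HP's bulletin: it reads saved output of `swlist -a revision -l fileset` and reports whether the affected fileset is present and whether a fix patch is installed. The function names, the verdict strings and the sample listing (including its column layout) are constructed assumptions; the patch IDs are only the two named in this thread.

```shell
#!/bin/sh
# Added example: evidence-based check for a banner-only FTP finding.
# Input: text saved from the bulletin's command, swlist -a revision -l fileset
AFFECTED_FILESET="InternetSrvcs.INETSVCS-RUN"
# Only the patches named in the thread; extend from the bulletin's "or subsequent" list.
FIX_PATCHES="PHNE_23949 PHNE_30989"

# Constructed sample listing (assumed layout: "<product>.<fileset> <revision>").
sample_listing() {
cat <<'EOF'
# InternetSrvcs                 B.11.00
  InternetSrvcs.INETSVCS-RUN    B.11.00
# PHNE_30989                    1.0
  PHNE_30989.INETSVCS-RUN       1.0
EOF
}

# Print the first fix patch that has a fileset in the listing; return 1 if none.
installed_fix() {
    for p in $FIX_PATCHES; do
        if printf '%s\n' "$1" |
           awk -v p="$p" 'index($1, p ".") == 1 { f = 1 } END { exit !f }'; then
            echo "$p"
            return 0
        fi
    done
    return 1
}

# Verdict for one listing: NOT_APPLICABLE, PATCHED:<id> or FIX_MISSING.
triage() {
    if ! printf '%s\n' "$1" |
         awk -v w="$AFFECTED_FILESET" '$1 == w { f = 1 } END { exit !f }'; then
        echo "NOT_APPLICABLE"      # affected fileset is not installed
        return 0
    fi
    if p=$(installed_fix "$1"); then
        echo "PATCHED:$p"          # scanner's banner match is contradicted by patch state
    else
        echo "FIX_MISSING"         # fileset present, none of the listed fixes installed
    fi
}

triage "$(sample_listing)"
```
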
someone_4
Honored Contributor

Re: FTP 'glob heap corruption' question.

Ha ha Ron

Change it to version 2.0 :)
Good one.. had to give you a couple of extra points for that one. I tell you I thought that was so funny it made me feel better.


But ok here is the deal!!! :)

-------------------------------

According to nessus.org

The plug-in ID 10821 that is generating the warning is only for Sun Solaris and some Linux systems.

http://www.nessus.org/plugins/index.php?view=single&id=10821

These links show which servers are vulnerable to the exploit, and HPUX is not listed:
http://securityfocus.com/bid/2550
http://securityfocus.com/bid/3581


And plug-in ID 11372 is for HPUX
http://www.nessus.org/plugins/index.php?view=single&id=11372

These links show which servers are vulnerable to the exploit, and HPUX is listed:
http://securityfocus.com/bid/2552/info


Here are the tests I used.

1. Using only plug-in 10821 - this test failed with a high warning.
2. Using only plug-in 11372 - this test passed.

After looking and testing the data I assure you that this is a false positive.


Richard