BugTraq
Back to list
|
Post reply
[SST]ServU MDTM command remote buffero verflow adv
Jan 24 2004 07:49AM
icbm (icbm 0x557 net)
Serv-U Ftp Server Long Filename Stack Overflow Vunlnerablity
Application: Serv-U
Affected Versions: All versions prior 4.2 (include 4.1.0.11)
Vendor: RhinoSoft (http://www.rhinosoft.com
http://www.serv-u.com)
URL: http://www.0x557.org/release/servu.txt
Vunlnerablity:
An internal memory buffer may be overrun while handling "site chmod" command
with a filename containg excessive data. This condition may be exploited by
attackers to ultimately execute instructions with the priviledges of the serv-u
process, typically administator or system.
Details:
While exectuing chmod on a nonexistent file, serv-u will call sprintf to
construct response string. And the code is like
sprintf(dst, "%s: No such file or directory.", filename);
The length of dst buffer is only 256 bytes.If a long filename was sent,
serv-u will crash.
A writable directory is needed to exploit this vulerablity.By overwriting SEH,
we have created proof-of-concept exploit successfully on win2k/xp.
Solution:
Upgrade to servu 5.0.
Credits:
kkqq <kkqq (at) 0x557 (dot) org [email concealed]> has indenpendently discovered this vulerablity.
All members of SST (http://www.0x557.org).
lgx and eyas.
Rob Beckers for indentifing and fixing this vulerablity.
About SST:
Do we really exist?
¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡icbm
¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡icbm (at) 0x557 (dot) net [email concealed]
¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡2004-01-24
[ reply ]
Privacy Statement
Copyright 2010, SecurityFocus
Application: Serv-U
Affected Versions: All versions prior 4.2 (include 4.1.0.11)
Vendor: RhinoSoft (http://www.rhinosoft.com
http://www.serv-u.com)
URL: http://www.0x557.org/release/servu.txt
Vunlnerablity:
An internal memory buffer may be overrun while handling "site chmod" command
with a filename containg excessive data. This condition may be exploited by
attackers to ultimately execute instructions with the priviledges of the serv-u
process, typically administator or system.
Details:
While exectuing chmod on a nonexistent file, serv-u will call sprintf to
construct response string. And the code is like
sprintf(dst, "%s: No such file or directory.", filename);
The length of dst buffer is only 256 bytes.If a long filename was sent,
serv-u will crash.
A writable directory is needed to exploit this vulerablity.By overwriting SEH,
we have created proof-of-concept exploit successfully on win2k/xp.
Solution:
Upgrade to servu 5.0.
Credits:
kkqq <kkqq (at) 0x557 (dot) org [email concealed]> has indenpendently discovered this vulerablity.
All members of SST (http://www.0x557.org).
lgx and eyas.
Rob Beckers for indentifing and fixing this vulerablity.
About SST:
Do we really exist?
¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡icbm
¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡icbm (at) 0x557 (dot) net [email concealed]
¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡2004-01-24
[ reply ]