lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040124072206.3460.qmail@mail.securityfocus.com>
Date: Sat, 24 Jan 2004 15:49:24 +0800
From: "icbm" <icbm@...57.net>
To: "bugtraq" <bugtraq@...urityfocus.com>,
	"full-disclosure" <full-disclosure@...ts.netsys.com>
Subject: [SST]ServU MDTM command remote buffero verflow adv

Serv-U Ftp Server Long Filename Stack Overflow Vunlnerablity
 
Application:           Serv-U
 
Affected Versions:     All versions prior 4.2 (include 4.1.0.11) 
 
Vendor:                RhinoSoft (http://www.rhinosoft.com 
                       http://www.serv-u.com)
 
URL:                   http://www.0x557.org/release/servu.txt

Vunlnerablity:
 
  An internal memory buffer may be overrun while handling "site chmod" command 
with a filename containg excessive data. This condition may be exploited by 
attackers to ultimately execute instructions with the priviledges of the serv-u
process, typically administator or system.
 
Details:
  
  While exectuing chmod on a nonexistent file, serv-u will call sprintf to
construct response string. And the code is like
  sprintf(dst, "%s: No such file or directory.", filename);
 
  The length of dst buffer is only 256 bytes.If a long filename was sent,
serv-u will crash.
 
  A writable directory is needed to exploit this vulerablity.By overwriting SEH,
we have created proof-of-concept exploit successfully on win2k/xp.
 
Solution:
 
  Upgrade to servu 5.0.
 
Credits:
 
  kkqq <kkqq@...57.org> has indenpendently discovered this vulerablity.
  All members of SST (http://www.0x557.org).
  lgx and eyas.
  Rob Beckers for indentifing and fixing this vulerablity.
 
About SST:
 
  Do we really exist? 




        icbm
        icbm@...57.net
          2004-01-24

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ