SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (File Transfer/Sharing)  >  FTP Serv-U Vendors:  RhinoSoft.com
Serv-U FTP Server 'site chmod' Stack Overflow Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1008841
CVE Reference:  GENERIC-MAP-NOMATCH   (Links to External Site)
Updated:  Feb 17 2004
Original Entry Date:  Jan 25 2004
Impact:  Execution of arbitrary code via network, Root access via network, User access via network
Fix Available:  Yes   Vendor Confirmed:  Yes  
Version(s): prior to 4.2
Description:  A stack overflow vulnerability was reported in the Serv-U FTP server. A remote user can gain privileges on the system.

It is reported that a remote authenticated user with access to a writable directory can invoke the 'site chmod' command with a specially crafted filename to trigger the overflow and execute arbitrary code on the target system. The code will run with the privileges of the Serv-U process (reportedly to be administrator or system privileges in typically cases).
Impact:  A remote authenticated user can execute arbitrary code with the privileges of the Serv-U process.
Solution:  It is reported that version 5.0 is not affected.
Vendor URL:  www.serv-u.com/ (Links to External Site)
Cause:  Boundary error
Underlying OS:  Windows (Any)
Reported By:  "icbm" <icbm@0x557.net>
Message History:   None.

 Source Message Contents
Date:  Sat, 24 Jan 2004 15:49:24 +0800
From:  "icbm" <icbm@0x557.net>
Subject:  [SST]ServU MDTM command remote buffero verflow adv

 

Serv-U Ftp Server Long Filename Stack Overflow Vunlnerablity
 
Application:           Serv-U
 
Affected Versions:     All versions prior 4.2 (include 4.1.0.11) 
 
Vendor:                RhinoSoft (http://www.rhinosoft.com 
                       http://www.serv-u.com)
 
URL:                   http://www.0x557.org/release/servu.txt

Vunlnerablity:
 
  An internal memory buffer may be overrun while handling "site chmod" command 
with a filename containg excessive data. This condition may be exploited by 
attackers to ultimately execute instructions with the priviledges of the serv-u
process, typically administator or system.
 
Details:
  
  While exectuing chmod on a nonexistent file, serv-u will call sprintf to
construct response string. And the code is like
  sprintf(dst, "%s: No such file or directory.", filename);
 
  The length of dst buffer is only 256 bytes.If a long filename was sent,
serv-u will crash.
 
  A writable directory is needed to exploit this vulerablity.By overwriting SEH,
we have created proof-of-concept exploit successfully on win2k/xp.
 
Solution:
 
  Upgrade to servu 5.0.
 
Credits:
 
  kkqq <kkqq@0x557.org> has indenpendently discovered this vulerablity.
  All members of SST (http://www.0x557.org).
  lgx and eyas.
  Rob Beckers for indentifing and fixing this vulerablity.
 
About SST:
 
  Do we really exist? 




        icbm
        icbm@0x557.net
          2004-01-24


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2004, SecurityGlobal.net LLC