SecurityTracker: Serv-U FTP Server Buffer Overflow in MDTM Command Yields SYSTEM Privileges to Remote Authenticated Users

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

Home | View Topics | Search | Contact Us |

SecurityTracker
Archives

Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: Application (File Transfer/Sharing) > FTP Serv-U

Vendors: RhinoSoft.com

Serv-U FTP Server Buffer Overflow in MDTM Command Yields SYSTEM Privileges to Remote Authenticated Users

SecurityTracker Alert ID: 1009230

SecurityTracker URL: http://securitytracker.com/id/1009230

CVE Reference: CAN-2004-0330 (Links to External Site)

Updated: Mar 23 2004

Original Entry Date: Feb 26 2004

Impact: Execution of arbitrary code via network, Root access via network

Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes

Version(s): prior to 5.0.0.4

Description: A buffer overflow vulnerability was reported in Serv-U FTP Server. A remote authenticated user can execute arbitrary code on the target system.

It is reported that a remote authenticated user can supply a specially crafted MDTM command to trigger the buffer overflow. Arbitrary code can be executed with SYSTEM level privileges, the report said.

A demonstration exploit command is provided:

MDTM 20031111111111+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA /test.txt

The original advisory is available at:

http://www.cnhonker.com/advisory/serv-u.mdtm.txt

Impact: A remote authenticated user can execute arbitrary code with SYSTEM privileges.

Solution: The vendor has released a fixed version (5.0.0.4), available at:

http://www.serv-u.com/customer/record.asp?prod=su

Vendor URL: www.serv-u.com/ (Links to External Site)

Cause: Boundary error

Underlying OS: Windows (Any)

Message History: None.

Source Message Contents

Date: Thu, 26 Feb 2004 23:13:00 +0800
Subject: [vulnwatch] Serv-U MDTM Command Buffer Overflow Vulnerability


[vulnwatch] Serv-U MDTM Command Buffer Overflow Vulnerability


                                
                              www.cnhonker.com
                             Security Advisory

   Advisory Name: Serv-U MDTM Command Buffer Overflow Vulnerability
    Release Date: 02/26/2004
Affected version: Serv-U < 5.0.0.4
          Author: bkbll <bkbll@cnhonker.net>
             URL: http://www.cnhonker.com/advisory/serv-u.mdtm.txt
Overview: 

    The Serv-U is a ftp daemon runs on windows. Serv-U supports a ftp command "MDTM" for user changing 
file time . There is a  buffer overflow when a user logged in and send a malformed time zone as MDTM argument.
This can be remote exploit and gain SYSTEM privilege.

Exploit:

    When a user logged in, he can send this 
    MDTM 20031111111111+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA /test.txt
    You must have a valid user account and password to exploit it, and you are not need WRITE or any other privilege.
And even the test.txt,which is the file you request, can not be there. :) 
    So you can put your shellcode as the filename.

About HUC:

     HUC is still alive.
     
---------------------------------------------------------- 				
[bkbll@cnhonker.net bkbll]#date +"%%F %%T"
[bkbll@cnhonker.net bkbll]#2004-02-26 23:11:36

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us
Copyright 2012, SecurityGlobal.net LLC