SecurityTracker.com
Category:  Application (Web Server/CGI)  >  Orenosv HTTP/FTP Server
Vendors:  Kataoka, Masato
Orenosv HTTP/FTP Server FTP Command Buffer Overflow Lets Remote Users Crash the Server and HTTP SSI Buffer Overflow May Let Local Users Execute Arbitrary Code
SecurityTracker Alert ID:  1013923
SecurityTracker URL:  http://securitytracker.com/id?1013923
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  May 9 2005
Impact:  Denial of service via network, Execution of arbitrary code via local system, User access via local system
Fix Available:  Yes   Vendor Confirmed:  Yes  
Advisory:  SIG^2
Version(s): 0.8.1
Description:  Tan Chew Keong of SIG^2 Vulnerability Research reported several buffer overflow vulnerabilities in Orenosv HTTP/FTP Server. A remote user can cause the server to crash. A local user may be able to execute arbitrary code.

A remote authenticated user can send a file- or directory-related FTP command whose filename argument is 249 or 250 bytes long to trigger a buffer overflow and crash the service. For 4-character commands (e.g., LIST, DELE, RETR), a 249-byte filename triggers the overflow; for 3-character commands (e.g., MKD, RMD, CWD), a 250-byte filename does. Longer filenames do not reach the vulnerable code, because the server limits the length of each input line.

The flaw resides in 'orenosv.exe': the filename is copied without bounds checking in the ftp_xlate_path(), ftp_is_canonial() and os_fn_nativize() functions, and several calls to sprintf() are also unsafe.

Orenosv runs as two processes, a monitoring process and a server process, and the monitor restarts the server after a crash. Sending the overflow repeatedly in quick succession crashes both processes, so the server is not restarted and remains unavailable.
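The advisory describes an unbounded copy of the FTP filename argument while it is translated into a native path. The C program below is an added example, not Orenosv's code: it reconstructs the shape of that bug as a hypothetical unsafe_xlate_path(), shows the bounded replacement that checks the snprintf() return value and rejects ".." components, then builds the exact request lines the advisory names (a 4-character command with a 249-byte filename, a 3-character command with a 250-byte one) and runs their filename argument through the bounded join. The function names, the 256-byte buffer and the root directory "/srv/ftp" are assumptions; the page gives none of them.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed path buffer; the advisory gives no buffer size. */
#define PATH_MAX_LEN 256

/* Hypothetical reconstruction of the pattern SIG^2 describes: root and
 * filename joined with sprintf() into a fixed buffer, with no length check.
 * Shown for contrast only; the bounded version below is the fix. */
static void unsafe_xlate_path(char *out, const char *root, const char *name)
{
    sprintf(out, "%s/%s", root, name);   /* overflows out[] if the result does not fit */
}

/* Returns 1 if any '/'-separated component of name is exactly "..". */
int has_dotdot_component(const char *name)
{
    const char *p = name;
    for (;;) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 1;
        if (!end)
            return 0;
        p = end + 1;
    }
}

/* Bounded replacement: writes "<root>/<name>" into out[outlen] and returns 0,
 * or returns -1 (leaving out[] empty) if the name escapes the root or the
 * joined path would not fit.  snprintf() returns the length the full string
 * would have had, so comparing it with outlen detects truncation instead of
 * silently overflowing the way sprintf() does. */
int safe_xlate_path(char *out, size_t outlen, const char *root, const char *name)
{
    if (outlen == 0)
        return -1;
    if (has_dotdot_component(name)) {
        out[0] = '\0';
        return -1;
    }
    int n = snprintf(out, outlen, "%s/%s", root, name);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Builds the request line the advisory describes: a 4-character command with
 * a 249-byte filename, or a 3-character command with a 250-byte one, plus
 * CRLF.  Returns the line length (excluding the NUL), or 0 if out[] is too
 * small.  Both variants come to 254 bytes before the CRLF. */
size_t build_trigger_line(char *out, size_t outlen, const char *cmd)
{
    size_t cmdlen = strlen(cmd);
    size_t namelen = (cmdlen == 4) ? 249 : 250;
    size_t need = cmdlen + 1 + namelen + 2;
    if (need + 1 > outlen)
        return 0;
    memcpy(out, cmd, cmdlen);
    out[cmdlen] = ' ';
    memset(out + cmdlen + 1, 'A', namelen);
    memcpy(out + cmdlen + 1 + namelen, "\r\n", 2);
    out[need] = '\0';
    return need;
}

/* Feeds the filename from the trigger line for cmd through the bounded join.
 * Returns 1 if it is rejected (the safe outcome), 0 if it is accepted. */
int trigger_name_is_rejected(const char *cmd)
{
    char line[300], path[PATH_MAX_LEN];
    size_t n = build_trigger_line(line, sizeof line, cmd);
    if (n == 0)
        return 0;
    line[n - 2] = '\0';                       /* drop the CRLF */
    const char *name = line + strlen(cmd) + 1;  /* skip "CMD " */
    return safe_xlate_path(path, sizeof path, "/srv/ftp", name) == -1;
}

int main(void)
{
    char path[PATH_MAX_LEN];
    unsafe_xlate_path(path, "/srv/ftp", "pub/readme.txt");   /* short name: fits */
    printf("unsafe join (short name): %s\n", path);
    printf("safe join (short name) -> %d: %s\n",
           safe_xlate_path(path, sizeof path, "/srv/ftp", "pub/readme.txt"), path);
    printf("LIST trigger rejected: %d\n", trigger_name_is_rejected("LIST"));
    printf("CWD trigger rejected: %d\n", trigger_name_is_rejected("CWD"));
    return 0;
}
```

Compile with `cc -o xlate xlate.c` and run. One thing the page's figures make visible once the lines are built: 4 + 1 + 249 and 3 + 1 + 250 both come to 254 bytes, so the two trigger variants are the same request-line length; the vulnerable length depends on the whole line, not on the filename alone.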

A local user can create a specially crafted SSI HTML file ('.shtml') that, when processed by the web server, triggers a buffer overflow in 'cgissi.exe', the component that implements SSI support. The overflow resides in the parse_cmd() function, where a loop copies the SSI command name into a local stack buffer and stops only at a space character; an overly long command name overflows the buffer. Exploitation may be limited because the command name is restricted to fewer than 128 bytes.
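The SSI overflow is a space-terminated copy loop with no bound on the destination. The C program below is an added example, not cgissi.exe's code: it reconstructs that loop as a hypothetical parse_cmd_unbounded() for contrast, then shows a bounded directive-name parser that checks the remaining room before every store and also stops at '-' and end of string, so a directive with no space cannot feed the rest of the file into the name. The 16-byte name buffer and the function names are assumptions; the advisory only says the name is limited to fewer than 128 bytes.

```c
#include <stdio.h>
#include <string.h>

/* Assumed cap on an SSI directive name.  The advisory says the name is
 * limited to fewer than 128 bytes but gives no buffer size; 16 is our own
 * choice, above the longest standard Apache directives ("flastmod",
 * "printenv", 8 bytes each). */
#define SSI_CMD_MAX 16

/* The shape SIG^2 describes for parse_cmd(): copy characters until a space,
 * with no bound on the destination.  Hypothetical reconstruction shown for
 * contrast; never call it on untrusted input. */
static void parse_cmd_unbounded(const char *p, char *out)
{
    size_t n = 0;
    while (p[n] != '\0' && p[n] != ' ') {
        out[n] = p[n];
        n++;
    }
    out[n] = '\0';
}

/* Bounded replacement.  Finds "<!--#" in line and copies the directive name
 * that follows it into out[outlen].  Returns the name length, 0 if line holds
 * no directive, or -1 if the name would not fit (out[] is left empty).
 * The name ends at whitespace, at '-' (the "-->" of a bare directive such as
 * "<!--#printenv-->") or at end of string. */
int ssi_parse_cmd(const char *line, char *out, size_t outlen)
{
    const char *p = strstr(line, "<!--#");
    if (p == NULL || outlen == 0)
        return 0;
    p += 5;
    size_t n = 0;
    while (p[n] != '\0' && p[n] != ' ' && p[n] != '\t' && p[n] != '-') {
        if (n + 1 >= outlen) {          /* keep room for the terminating NUL */
            out[0] = '\0';
            return -1;
        }
        out[n] = p[n];
        n++;
    }
    out[n] = '\0';
    return (int)n;
}

/* Builds a constructed directive "<!--#AAAA... -->" with a name of namelen
 * bytes (the advisory's trigger) and parses it into an SSI_CMD_MAX buffer.
 * Returns 1 if the parser rejects it, 0 if it accepts it. */
int long_name_is_rejected(size_t namelen)
{
    char file[512], cmd[SSI_CMD_MAX];
    if (namelen + 10 > sizeof file)
        return 0;
    size_t k = 0;
    memcpy(file + k, "<!--#", 5);
    k += 5;
    memset(file + k, 'A', namelen);
    k += namelen;
    memcpy(file + k, " -->", 5);   /* 4 characters plus the NUL */
    return ssi_parse_cmd(file, cmd, sizeof cmd) == -1;
}

int main(void)
{
    char cmd[SSI_CMD_MAX];
    /* constructed sample line, not taken from the advisory */
    const char *sample = "<!--#include virtual=\"/header.html\" -->";
    int n = ssi_parse_cmd(sample, cmd, sizeof cmd);
    printf("bounded parse: %d \"%s\"\n", n, cmd);
    parse_cmd_unbounded("echo var=\"DATE_LOCAL\"", cmd);   /* short, trusted input */
    printf("unbounded parse on trusted input: \"%s\"\n", cmd);
    printf("15-byte name rejected: %d\n", long_name_is_rejected(15));
    printf("16-byte name rejected: %d\n", long_name_is_rejected(16));
    printf("127-byte name rejected: %d\n", long_name_is_rejected(127));
    return 0;
}
```

The check `n + 1 >= outlen` runs before each store, so the bound holds regardless of what terminator the input eventually supplies; the unbounded loop's only protection is the hope that a space arrives before the stack frame runs out.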

The vendor was notified on April 28, 2005.

The original advisory is available at:

http://www.security.org.sg/vuln/orenosv081.html

Impact:  A remote user can cause the server process to crash.

A local user (or a remote user with privileges to create SSI HTML files on the target web server) may be able to execute arbitrary code with the privileges of the web service.

Solution:  The vendor has released a fixed version (0.8.1a), available at:

http://hp.vector.co.jp/authors/VA027031/orenosv/index_en.html

Vendor URL:  hp.vector.co.jp/authors/VA027031/orenosv/index_en.html
Cause:  Boundary error
Underlying OS:  Windows (NT), Windows (2000), Windows (2003), Windows (XP)
Reported By:  Chew Keong TAN <chewkeong@security.org.sg>
Message History:   None.


 Source Message Contents

Date:  Mon, 09 May 2005 18:12:57 +0800
From:  Chew Keong TAN <chewkeong@security.org.sg>
Subject:  [SIG^2 G-TEC] Orenosv HTTP/FTP Server Buffer Overflow Vulnerabilities

 
 
SIG^2 Vulnerability Research Advisory
 
Orenosv HTTP/FTP Server Buffer Overflow Vulnerabilities
 
by Tan Chew Keong
Release Date: 08 May 2005
 
 
ADVISORY URL
http://www.security.org.sg/vuln/orenosv081.html
 
 
SUMMARY
 
Orenosv HTTP/FTP Server
(http://hp.vector.co.jp/authors/VA027031/orenosv/index_en.html) is a
stable, reliable and high performance HTTP/FTP/FTPS server that can
operate 24H/365D. Orenosv runs on Windows platforms (NT, 2000, XP and
2003) and Linux x86.
 
A remote buffer overflow vulnerability was found in Orenosv's FTP
server. This vulnerability may be exploited by a malicious user to crash
the server. A buffer overflow vulnerability also exists in the SSI
module of Orenosv's HTTP server. This overflow may be triggered using a
specially crafted SSI file (.shtml).
 
 
TESTED SYSTEM
 
Orenosv HTTP/FTP Server Version 0.8.1 on English Win2K SP4.
 
 
DETAILS
 
A remote buffer overflow vulnerability was found in Orenosv's FTP
server. This vulnerability may be exploited by a malicious user to crash
the server. A buffer overflow vulnerability also exists in the SSI
module of Orenosv's HTTP server. This overflow may be triggered using a
specially crafted SSI file (.shtml).
 
 
1. Multiple FTP Commands Buffer Overflow Vulnerability.
 
This buffer overflow is triggered when the server receives an FTP
file/directory manipulation command with a filename that is 249 or 250
bytes long. For 4-character FTP file/directory commands, 249-byte
filenames will cause the overflow. Examples of 4-character FTP commands
include LIST, DELE, RETR etc.  For 3-character FTP commands, 250-byte
filenames will cause the overflow. 3-character FTP commands include MKD,
RMD, CWD, etc.  The server restricts the maximum length of each input
line, hence using a filename that is longer than 250 bytes will not trigger
the vulnerable function.
 
Reversing orenosv.exe shows that the problem lies in the unbounded copy
that occurs within the ftp_xlate_path(), ftp_is_canonial() and
os_fn_nativize() functions, as well as in several unsafe uses of
sprintf().
 
Exploitation is complicated by the fact that the buffer is limited to
250 bytes. Orenosv runs in two separate processes. (1) the monitoring
process, (2) the server process. The monitoring process will restart the
server process if it crashes due to the overflow.  On our test system,
we were able to cause a DoS on the server by sending the overflow buffer
in quick succession to the server. This causes both the server and
monitor process to crash, thus preventing any automatic restarts.
 
 
2. cgissi.exe Overly Long SSI Command Buffer Overflow Vulnerability.
 
Orenosv supports the use of SSI (.shtml). This support is provided by
cgissi.exe. A buffer overflow vulnerability exists in cgissi.exe when
processing an overly long SSI command name.  The overflow occurs in the
parse_cmd() function. In this function, a loop performs an unsafe copy
of the SSI command name to a local stack buffer.  This copy loop is
terminated by the space character.  Exploitation may be limited since
the SSI command name is limited to less than 128 bytes.
 
 
PATCH
 
Upgrade to version 0.8.1a or later.
 
 
DISCLOSURE TIMELINE
 
26 Apr 05 - Vulnerability Discovered.
28 Apr 05 - Initial Author Notification.
29 Apr 05 - Initial Author Reply.
01 May 05 - Author Provided Fix for Testing.
01 May 05 - Informed Author that Overflow will still occur in
os_fn_nativize().
01 May 05 - Author Provided Another Fix for Testing.
01 May 05 - Informed Author that Overflow will still occur due to
several unsafe sprintf().
05 May 05 - Author Provided Another Fix for Testing.
05 May 05 - Informed Author of Potential Problem in STOU command.
06 May 05 - Author Provided Another Fix for Testing.
07 May 05 - Author Released Patch.
08 May 05 - Public Release.
 
 
GREETINGS
 
All guys at SIG^2 G-TEC Lab
http://www.security.org.sg/webdocs/g-tec.html
 
"IT Security...the Gathering. By enthusiasts for enthusiasts."
 



Copyright 2005, SecurityGlobal.net LLC