SecurityTracker.com
Category: Application (Web Server/CGI) > Orenosv HTTP/FTP Server
Vendors: Kataoka, Masato
Orenosv HTTP/FTP Server FTP Command Buffer Overflow Lets Remote Users Crash the Server and HTTP SSI Buffer Overflow May Let Local Users Execute Arbitrary Code
SecurityTracker Alert ID: 1013923
SecurityTracker URL: http://securitytracker.com/id/1013923
CVE Reference: GENERIC-MAP-NOMATCH
Date: May 9 2005
Impact: Denial of service via network, Execution of arbitrary code via local system, User access via local system
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 0.8.1
Description:   Tan Chew Keong of SIG^2 Vulnerability Research reported several buffer overflow vulnerabilities in Orenosv HTTP/FTP Server. A remote user can cause the server to crash. A local user may be able to execute arbitrary code.

A remote authenticated user can send a specially crafted FTP command with a filename that is 249 or 250 bytes long to trigger a buffer overflow and cause the service to crash. File/directory related commands are affected. For 4-character commands (e.g., LIST, DELE, RETR), a 249 byte filename will trigger the overflow. For 3-character commands (e.g., MKD, RMD, CWD), a 250 byte filename will trigger the overflow.

The flaw resides in the ftp_xlate_path() function in 'orenosv.exe'.

Multiple, rapid exploitation attempts may cause both the server process and the monitoring process to crash.
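As an added defender's check, not part of the advisory or of Orenosv, the following C code flags FTP control-channel lines with the exact shape described above: a 4-character file/directory command with a 249-byte argument or a 3-character one with a 250-byte argument (in both cases a 254-byte line including the separating space, consistent with the server's input-line cap). The command list and the sample traffic are assumptions constructed for the example.

```c
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* File/directory commands named in the advisory (assumed list; the
 * advisory says "etc.", so extend it for your deployment). */
static const char *const FILE_CMDS[] = {
    "LIST", "DELE", "RETR", "MKD", "RMD", "CWD", NULL
};

/* Returns 1 when one control-channel line ("CMD argument\r\n") has the shape
 * the advisory describes (4-char command + 249-byte argument, or 3-char
 * command + 250-byte argument), 0 for anything else. */
int ftp_line_matches_trigger(const char *line)
{
    const char *sp = strchr(line, ' ');
    if (sp == NULL) return 0;                       /* no argument at all */
    size_t cmd_len = (size_t)(sp - line);
    size_t arg_len = strlen(sp + 1);
    while (arg_len > 0 && (sp[arg_len] == '\r' || sp[arg_len] == '\n'))
        arg_len--;                                  /* ignore trailing CRLF */
    for (int i = 0; FILE_CMDS[i] != NULL; i++)      /* FTP verbs are case-insensitive */
        if (strlen(FILE_CMDS[i]) == cmd_len && strncasecmp(line, FILE_CMDS[i], cmd_len) == 0)
            return (cmd_len == 4 && arg_len == 249) || (cmd_len == 3 && arg_len == 250);
    return 0;                                       /* not a file/directory command */
}

/* Writes a constructed line "CMD " + n bytes of 'A' + CRLF + NUL into buf. */
void make_line(char *buf, const char *cmd, size_t n)
{
    size_t c = strlen(cmd);                         /* buf needs c + n + 4 bytes */
    memcpy(buf, cmd, c);
    buf[c] = ' ';
    memset(buf + c + 1, 'A', n);
    memcpy(buf + c + 1 + n, "\r\n", 3);
}

/* Runs the check over constructed sample traffic; only the first two
 * lines have the trigger shape, so the expected count is 2. */
int count_trigger_lines(void)
{
    static const struct { const char *cmd; size_t n; } samples[] = {
        {"RETR", 249}, {"cwd", 250}, {"RETR", 248}, {"MKD", 251},
        {"USER", 249}, {"LIST", 8}
    };
    char buf[512]; int hits = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        make_line(buf, samples[i].cmd, samples[i].n);
        hits += ftp_line_matches_trigger(buf);
    }
    return hits;
}
```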

A local user can create a specially crafted SSI HTML file ('.shtml') that, when loaded by the web server, will trigger a buffer overflow in 'cgissi.exe'. A long SSI command name will cause the overflow, which resides in the parse_cmd() function.
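The SSI copy loop, as an added illustration rather than cgissi.exe's actual code: a hypothetical reconstruction of the space-terminated copy the advisory describes, beside a bounded variant that rejects names that do not fit the buffer. The buffer size, function names and sample directives are assumptions.

```c
#include <string.h>
#define CMD_BUF 32   /* assumed size of the local buffer; the real one is not stated */

/* The pattern the advisory describes: copy the SSI command name into a fixed
 * stack buffer until a space, with no bound on i; shown only for contrast. */
void parse_cmd_unbounded(const char *directive, char *out)
{
    size_t i = 0;
    while (directive[i] != '\0' && directive[i] != ' ') {
        out[i] = directive[i];
        i++;
    }
    out[i] = '\0';
}

/* Bounded version: stops before the buffer is full and reports failure
 * (-1) for an empty or over-long name instead of truncating silently or
 * running past the buffer; on success returns the name length. */
int parse_cmd_bounded(const char *directive, char *out, size_t outsz)
{
    size_t i = 0;
    while (directive[i] != '\0' && directive[i] != ' ') {
        if (i + 1 >= outsz) {                    /* keep room for the NUL */
            out[0] = '\0';
            return -1;
        }
        out[i] = directive[i];
        i++;
    }
    if (i == 0) { out[0] = '\0'; return -1; }   /* no command name at all */
    out[i] = '\0';
    return (int)i;
}

/* Parses the directive body that follows "<!--#" into a stack buffer of
 * CMD_BUF bytes and returns the command-name length, or -1 if rejected. */
int ssi_cmd_len(const char *directive)
{
    char cmd[CMD_BUF];
    return parse_cmd_bounded(directive, cmd, sizeof cmd);
}

/* Constructed input: a 127-byte command name (the advisory says names are
 * limited to under 128 bytes, still far beyond a small stack buffer). */
int demo_long_name_rejected(void)
{
    char directive[140];
    memset(directive, 'A', 127);
    memcpy(directive + 127, " -->", 5);
    return ssi_cmd_len(directive);               /* -1: rejected, no overflow */
}
```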

The vendor was notified on April 28, 2005.

The original advisory is available at:

http://www.security.org.sg/vuln/orenosv081.html

Impact:   A remote user can cause the server process to crash.

A local user (or a remote user with privileges to create SSI HTML files on the target web server) may be able to execute arbitrary code with the privileges of the web service.

Solution:   The vendor has released a fixed version (0.8.1a), available at:

http://hp.vector.co.jp/authors/VA027031/orenosv/index_en.html

Vendor URL: hp.vector.co.jp/authors/VA027031/orenosv/index_en.html
Cause:   Boundary error
Underlying OS:  Windows (NT), Windows (2000), Windows (2003), Windows (XP)

Message History:   None.


Source Message Contents

Subject:  [SIG^2 G-TEC] Orenosv HTTP/FTP Server Buffer Overflow Vulnerabilities


SIG^2 Vulnerability Research Advisory

Orenosv HTTP/FTP Server Buffer Overflow Vulnerabilities

by Tan Chew Keong
Release Date: 08 May 2005


ADVISORY URL
http://www.security.org.sg/vuln/orenosv081.html


SUMMARY

Orenosv HTTP/FTP Server
(http://hp.vector.co.jp/authors/VA027031/orenosv/index_en.html) is a
stable, reliable and high performance HTTP/FTP/FTPS server that can
operate 24H/365D. Orenosv runs on Windows platforms (NT, 2000, XP and
2003) and Linux x86.

A remote buffer overflow vulnerability was found in Orenosv's FTP
server. This vulnerability may be exploited by a malicious user to crash
the server. A buffer overflow vulnerability also exists in the SSI
module of Orenosv's HTTP server. This overflow may be triggered using a
specially crafted SSI file (.shtml).


TESTED SYSTEM

Orenosv HTTP/FTP Server Version 0.8.1 on English Win2K SP4.


DETAILS

A remote buffer overflow vulnerability was found in Orenosv's FTP
server. This vulnerability may be exploited by a malicious user to crash
the server. A buffer overflow vulnerability also exists in the SSI
module of Orenosv's HTTP server. This overflow may be triggered using a
specially crafted SSI file (.shtml).


1. Multiple FTP Commands Buffer Overflow Vulnerability.

This buffer overflow is triggered when the server receives an FTP
file/directory manipulation command with a filename that is 249 or 250
bytes long. For 4-character FTP file/directory commands, 249-byte
filenames will cause the overflow. Examples of 4-character FTP commands
include LIST, DELE, RETR etc.  For 3-character FTP commands, 250-byte
filenames will cause the overflow. 3-character FTP commands include MKD,
RMD, CWD, etc.  The server restricts the maximum length of each input
line, hence using a filename that is longer than 250 will not trigger
the vulnerable function.

Reversing orenosv.exe shows that the problem lies in the unbounded copy
that occurs within the ftp_xlate_path(), ftp_is_canonial() and
os_fn_nativize() functions, as well as due to several unsafe uses of
sprintf().

Exploitation is complicated by the fact that the buffer is limited to
250 bytes. Orenosv runs in two separate processes: (1) the monitoring
process and (2) the server process. The monitoring process will restart the
server process if it crashes due to the overflow.  On our test system,
we were able to cause a DoS on the server by sending the overflow buffer
in quick succession to the server. This causes both the server and
monitor process to crash, thus preventing any automatic restarts.


2. cgissi.exe Overly Long SSI Command Buffer Overflow Vulnerability.

Orenosv supports the use of SSI (.shtml). This support is provided by
cgissi.exe. A buffer overflow vulnerability exists in cgissi.exe when
processing an overly long SSI command name.  The overflow occurs in the
parse_cmd() function. In this function, a loop performs an unsafe copy
of the SSI command name to a local stack buffer.  This copy loop is
terminated by the space character.  Exploitation may be limited since
the SSI command name is limited to less than 128 bytes.


PATCH

Upgrade to version 0.8.1a or later.


DISCLOSURE TIMELINE

26 Apr 05 - Vulnerability Discovered.
28 Apr 05 - Initial Author Notification.
29 Apr 05 - Initial Author Reply.
01 May 05 - Author Provided Fix for Testing.
01 May 05 - Informed Author that Overflow will still occur in
os_fn_nativize().
01 May 05 - Author Provided Another Fix for Testing.
01 May 05 - Informed Author that Overflow will still occur due to
several unsafe sprintf().
05 May 05 - Author Provided Another Fix for Testing.
05 May 05 - Informed Author of Potential Problem in STOU command.
06 May 05 - Author Provided Another Fix for Testing.
07 May 05 - Author Released Patch.
08 May 05 - Public Release.


GREETINGS

All guys at SIG^2 G-TEC Lab
http://www.security.org.sg/webdocs/g-tec.html

"IT Security...the Gathering. By enthusiasts for enthusiasts."

Copyright 2021, SecurityGlobal.net LLC