Category:   Application (E-mail Server)  >   Ability Server
Vendors:   Code-Crafters
Ability Server Buffer Overflow in APPE Command Lets Remote Authenticated Users Execute Arbitrary Code
SecurityTracker Alert ID:  1012464
SecurityTracker URL:  http://securitytracker.com/id/1012464
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Dec 8 2004
Impact:   Execution of arbitrary code via network, User access via network

Version(s): 2.25 - 2.34
Description:   A buffer overflow vulnerability was reported in Ability Server in the processing of the APPE FTP command. A remote authenticated user can execute arbitrary code on the target system.

It is reported that a remote authenticated user can supply a specially crafted APPE command with a long string to trigger the buffer overflow.

Justin Walpole (PnK::DCN3T) is credited with discovering this flaw.

Impact:   A remote authenticated user can execute arbitrary code on the target system.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.code-crafters.com/abilityserver
Cause:   Boundary error
Underlying OS:  Windows (Any)

Message History:   None.
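
One way to detect the condition described above on the FTP control channel, added here as an example (it is not part of the SecurityTracker entry or the original post): it flags APPE and STOR commands whose argument exceeds a length limit. The 255-byte limit, the function and type names, and the sample session are assumptions; the advisory does not state the buffer size.

```python
from typing import List, NamedTuple

MAX_ARG_LEN = 255             # assumed policy limit, not the vulnerable buffer size
WATCHED = {b"APPE", b"STOR"}  # the two commands named in the advisory text


class Finding(NamedTuple):
    line_no: int   # 1-based position of the command in the stream
    verb: str      # normalised command verb
    arg_len: int   # length of the argument in bytes


def scan_control_stream(data: bytes, max_arg_len: int = MAX_ARG_LEN) -> List[Finding]:
    """Flag watched FTP commands whose argument is longer than max_arg_len."""
    findings = []
    # Commands end in CRLF; accept bare LF too. A final unterminated fragment is
    # still inspected, so a long command that never sends CRLF is not missed.
    lines = data.replace(b"\r\n", b"\n").split(b"\n")
    for line_no, raw in enumerate(lines, 1):
        verb, _, arg = raw.lstrip().partition(b" ")
        verb = verb.upper()   # FTP verbs are case-insensitive
        if verb in WATCHED and len(arg) > max_arg_len:
            findings.append(Finding(line_no, verb.decode("ascii"), len(arg)))
    return findings


# Constructed client-to-server session; the filler is inert padding.
SAMPLE = (
    b"USER alice\r\n"
    b"PASS example\r\n"
    b"STOR report.txt\r\n"
    b"appe " + b"A" * 1200 + b"\r\n"
    b"QUIT\r\n"
)

if __name__ == "__main__":
    for f in scan_control_stream(SAMPLE):
        print(f"line {f.line_no}: {f.verb} argument of {f.arg_len} bytes exceeds limit")
```

Set the limit to the longest path the deployment legitimately uses; the same check can sit in a proxy in front of the server so oversized commands are dropped before they reach it.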


 Source Message Contents

Subject:  [0day] Ability Server 2.25 - 2.34 FTP => 'APPE' Buffer Overflow -


-= 0day - Freedom of Voice - Freedom of Choice =-


##################################################################
     Ability Server 2.25 - 2.34 FTP => 'APPE' Buffer Overflow
##################################################################

APPE b0f - Found by PnK::DCN3T

Date found: 06.12.04

Affected Versions:  Ability Server 2.25
                              Ability Server 2.32
                              Ability Server 2.34

Tested OS:   Windows XP Pro SP2

Severity:   High

Remote Root:  Yes

PoC:    This is not unlike the 'STOR' b0f discovered by 'muts[at]whitehat.co.il' a week or 2 ago. The buffer length and RET are the same, this hole is the _same_ issue just an ever-so-slightly different attack vector. Switch the 'STOR ' for 'APPE '
Issue:  For clarity's sake, by supplying an overly long string to the 'APPE' command on Ability server 2.25-34 FTP we are able to overflow a buffer and own EIP. There is working remote code (tweak muts python code a little and you're there).

Patch:    No Patch for 0day

Vendor Response:   none

Props:    muts [at] whitehat.co.il  , [!nd!ca , memeng,  PhilX]::DCN3T

DCN3T contact:  Don't call us we'll call you.

*****************************************************************
*****************************************************************

                         DCN3T::B|NARY-H0L0CAUST::2005

*****************************************************************
*****************************************************************
Bug Found By Justin Walpole :: DCN3T



_______________________________________________
0day mailing list
0day@nothackers.org
http://nothackers.org/mailman/listinfo/0day

 
 

