Information Assurance
john-michael bastos
Bugtraq Analysis Serv-U FTP Server:
Application: Serv-U FTP Server

An internal memory buffer may be overrun while handling the site chmod command with a filename containing excessive data. chmod (change mode) changes the access permissions of files or directories; you can use the command site chmod 777 <filename>. This condition may be exploited by attackers to execute instructions with the privileges of the Serv-U process, which is typically Administrator.

When Serv-U tries to execute chmod on a nonexistent file, it calls sprintf to construct the response (error) string. The code for this is something like:

    sprintf(dst, "%s: No such file or directory.", filename);

But the length of the dst buffer is only 256 bytes. If a filename longer than 256 bytes is sent, Serv-U will crash.

The exploit code overflows a buffer on the stack, overwriting a few critical variables, which would crash the program if nothing else was done. But if the attacker is smart, he can make a call to jump to the beginning of the exploit code and have some fun. This is where the shell comes into play. An attacker can insert the execution of a shell in some exploit code, which will allow someone to connect with netcat/telnet to whichever port was bound. In order for this exploit to work, a writable directory is needed in addition to a valid login.

This exploit is fairly easy to fix. All you need to do is check that the input actually fits in 256 bytes. This can be achieved with something like:

    char buffer[256];

In order to remediate the problem, just upgrade to version 5 of the server, which is immune to the attack.

Some interesting reading:
- Smashing the Stack for Fun and Profit
- Beej's Guide to Network Programming (sockets)
- Link to the Exploit Code for this Vulnerability
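As an added example (not code from this post and not Serv-U's own source), the following C reconstructs the unbounded sprintf pattern described above and places it beside a bounded version: the filename length is checked against what the 256-byte response buffer can hold, and the string is then built with snprintf so the buffer can never be overrun. The function names, the buffer size constant and the constructed test filenames are assumptions; the vulnerable function is kept for comparison only and is never called.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Size of the response buffer the post describes (assumption: 256 bytes). */
#define RESPONSE_SIZE 256
/* The error suffix the post shows being appended after the filename. */
#define ERR_SUFFIX ": No such file or directory."

/* Hypothetical reconstruction of the unsafe pattern, NOT Serv-U's code.
 * sprintf does not know how large dst is, so a filename longer than the
 * buffer writes past its end. Kept for comparison only; never called. */
void vulnerable_build(char dst[RESPONSE_SIZE], const char *filename)
{
    sprintf(dst, "%s" ERR_SUFFIX, filename);   /* unbounded write */
}

/* Longest filename that fits in a dst of dst_size bytes together with the
 * suffix and the terminating NUL. Returns 0 if even the suffix will not fit. */
size_t max_filename_len(size_t dst_size)
{
    if (dst_size <= strlen(ERR_SUFFIX))
        return 0;
    return dst_size - strlen(ERR_SUFFIX) - 1;
}

/* Hardened form: validate the length first, then format with a bound.
 * Returns 0 on success and -1 when the filename is rejected. */
int build_not_found_response(char *dst, size_t dst_size, const char *filename)
{
    if (strlen(filename) > max_filename_len(dst_size)) {
        /* Fixed reply that does not echo the oversized input back. */
        snprintf(dst, dst_size, "Filename too long.");
        return -1;
    }
    int n = snprintf(dst, dst_size, "%s" ERR_SUFFIX, filename);
    /* snprintf reports the length it wanted; >= dst_size means truncation. */
    if (n < 0 || (size_t)n >= dst_size)
        return -1;
    return 0;
}

/* Build a constructed filename of n copies of c, NUL-terminated. */
static void make_name(char *name, size_t n, char c)
{
    memset(name, c, n);
    name[n] = '\0';
}

/* A normal-length name is formatted exactly as expected. Returns 1 if so. */
int demo_normal_name(void)
{
    char dst[RESPONSE_SIZE];
    int rc = build_not_found_response(dst, sizeof dst, "report.txt");
    return rc == 0 && strcmp(dst, "report.txt" ERR_SUFFIX) == 0;
}

/* Boundary: the longest name that fits (227 bytes for a 256-byte buffer)
 * exactly fills the buffer; one byte more is refused. Returns 1 if so. */
int demo_boundary_name(void)
{
    char name[RESPONSE_SIZE + 1];
    char dst[RESPONSE_SIZE];
    make_name(name, max_filename_len(sizeof dst), 'B');
    if (build_not_found_response(dst, sizeof dst, name) != 0)
        return 0;
    if (strlen(dst) != sizeof dst - 1)
        return 0;
    make_name(name, max_filename_len(sizeof dst) + 1, 'B');
    return build_not_found_response(dst, sizeof dst, name) == -1;
}

/* A constructed 300-byte name (longer than the buffer) is rejected and dst
 * stays NUL-terminated inside its bounds instead of being overrun. */
int demo_oversized_name(void)
{
    char name[301];
    char dst[RESPONSE_SIZE];
    make_name(name, 300, 'A');
    memset(dst, 'X', sizeof dst);
    int rc = build_not_found_response(dst, sizeof dst, name);
    return rc == -1 && memchr(dst, '\0', sizeof dst) != NULL;
}

int main(void)
{
    printf("longest name that fits in %d bytes: %zu\n",
           RESPONSE_SIZE, max_filename_len(RESPONSE_SIZE));
    printf("normal: %d  boundary: %d  oversized: %d\n",
           demo_normal_name(), demo_boundary_name(), demo_oversized_name());
    return 0;
}
```

The length check happens before any formatting, so the decision to reject does not depend on snprintf's truncation behaviour; snprintf's return value is still checked as a second line of defence. Note that the 28-byte suffix leaves room for at most 227 filename bytes in a 256-byte buffer, which is the kind of arithmetic the original sprintf call never performed.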