Vulnerabilities in EServ 2.97

From: Arne Vidstrom (arne.vidstrom@NTSECURITY.NU)
Date: 01/29/02


Date:         Tue, 29 Jan 2002 22:31:18 +0100
From: Arne Vidstrom <arne.vidstrom@NTSECURITY.NU>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

There are a couple of vulnerabilities in EServ 2.97.

*** Vulnerability #1 ***

The FTP server doesn't close the sockets that are allocated from using the
PASV command. After all ports from 1024 to 5000 are listening (after running
a lot of PASV commands in a row) no users can use passive mode anymore until
the server is restarted.

This vulnerability is made even worse by the fact that the PASV command is
accepted before the user has authenticated.

*** Vulnerability #2 ***

The FTP server is vulnerable to the bounce attack. Not only does it not have
a restriction on the IP address that the data connection is opened to, but
it also does not have a restriction on the target port number at all.

*** Vendor response ***

The latest beta version fixes these two vulnerabilities and it can be found
at:

ftp://ftp.eserv.ru/pub/beta/2.98/

Download the zip file and unzip the exe file inside so it overwrites the exe
file from version 2.97.

/Arne Vidstrom, http://ntsecurity.nu
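
Added example, not part of the original post and not EServ's code: a sketch of the per-session checks that address both issues described above (PASV before login with listeners never released, and PORT with no restriction on address or port). The class and function names, the reply texts and the 192.0.2.10 client address are assumptions made for illustration.

```python
import ipaddress
import socket

def open_listener(bind_ip="127.0.0.1"):
    """Open a passive-mode listener; the OS picks a free port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((bind_ip, 0))
    s.listen(1)
    return s

class DataChannelPolicy:
    """Hypothetical per-session guard for PASV and PORT handling."""

    def __init__(self, peer_ip, listener_factory=open_listener):
        self.peer_ip = ipaddress.IPv4Address(peer_ip)  # control-connection peer
        self.authenticated = False
        self.listener_factory = listener_factory
        self.pasv_listener = None  # at most one listener per session

    def close_listener(self):
        """Call on a new PASV/PORT, after a transfer, and at session end."""
        if self.pasv_listener is not None:
            self.pasv_listener.close()
            self.pasv_listener = None

    def pasv(self):
        if not self.authenticated:
            return 530, "Please login with USER and PASS"
        self.close_listener()  # release the old socket before allocating
        self.pasv_listener = self.listener_factory()
        return 227, "Entering Passive Mode"

    def port(self, arg):
        if not self.authenticated:
            return 530, "Please login with USER and PASS"
        fields = arg.strip().split(",")  # h1,h2,h3,h4,p1,p2 (RFC 959)
        if len(fields) != 6 or not all(
                len(f) <= 3 and f.isascii() and f.isdigit() and int(f) <= 255
                for f in fields):
            return 501, "Syntax error in PORT argument"
        n = [int(f) for f in fields]
        target = ipaddress.IPv4Address(".".join(map(str, n[:4])))
        if target != self.peer_ip:  # third-party address: bounce attempt
            return 500, "PORT address must match control connection"
        if n[4] * 256 + n[5] < 1024:  # well-known service ports
            return 500, "PORT to a port below 1024 refused"
        self.close_listener()
        return 200, "PORT command successful"
```

A server would additionally cap the number of concurrent sessions per client address, since each authenticated session can still hold one listener.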
