[VulnWatch] [vulnwatch] Serv-U MDTM Command Buffer Overflow Vulnerability

From: bkbll (bkbll_at_cnhonker.net)
Date: 02/26/04

  • Next message: Andrey Smirnov: "[VulnWatch] Extremail Security Problem"
    Date: Thu, 26 Feb 2004 23:13:00 +0800
    To: "bugtraq" <bugtraq@securityfocus.com>
    
    

    [vulnwatch] Serv-U MDTM Command Buffer Overflow Vulnerability

                                    
                                  www.cnhonker.com
                                 Security Advisory

       Advisory Name: Serv-U MDTM Command Buffer Overflow Vulnerability
        Release Date: 02/26/2004
    Affected version: Serv-U < 5.0.0.4
              Author: bkbll <bkbll@cnhonker.net>
                 URL: http://www.cnhonker.com/advisory/serv-u.mdtm.txt
    Overview:

        The Serv-U is a ftp daemon runs on windows. Serv-U supports a ftp command "MDTM" for user changing
    file time . There is a buffer overflow when a user logged in and send a malformed time zone as MDTM argument.
    This can be remote exploit and gain SYSTEM privilege.

    Exploit:

        When a user logged in, he can send this
        MDTM 20031111111111+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA /test.txt
        You must have a valid user account and password to exploit it, and you are not need WRITE or any other privilege.
    And even the test.txt,which is the file you request, can not be there. :)
        So you can put your shellcode as the filename.

    About HUC:

         HUC is still alive.
         
    ----------------------------------------------------------
    [bkbll@cnhonker.net bkbll]#date +"%%F %%T"
    [bkbll@cnhonker.net bkbll]#2004-02-26 23:11:36


  • Next message: Andrey Smirnov: "[VulnWatch] Extremail Security Problem"

    Relevant Pages