Local / Remote D.o.S Attack in Serv-U FTP-Server v2.5b for

From: Ussr Labs (labsat_private)
Date: Thu Feb 03 2000 - 21:35:59 PST


    
    Local / Remote D.o.S Attack in Serv-U FTP-Server v2.5b for Win9x/WinNT Vulnerability
    
    USSR Advisory Code:   USSR-2000032
    
    Release Date:
    February 04, 2000
    
    Systems Affected:
    Serv-U FTP-Server v2.5b, and possibly other versions.
    Windows 95
    Windows 98
    Windows NT 4.0 Workstation
    Windows NT 4.0 Server
    
    
    THE PROBLEM
    UssrLabs found a buffer overflow in one Windows API, "SHGetPathFromIDList".
    This function converts an item identifier list to a file system path; it is
    one of the APIs that handle link (.lnk) files under Windows.
    With one malformed link file you can crash anything that tries to translate
    a .lnk file, such as EXPLORER.EXE, all common dialogs, and so on (copy one
    malformed link file to the desktop, and you can't log in to the machine).
    To make Serv-U crash, just upload one malformed link file to any Serv-U
    directory and type the FTP command LIST, and the server crashes.
    
    Note:
     This overflow does not work under Win2k.
    
    Example malformed link: http://www.ussrback.com/god.lnk
    
    Binary or source for this exploit:
    
    http://www.ussrback.com/
    
    Vendor Status:
    Contacted.
    
    Vendor URL:  http://ftpserv-u.deerfield.com/
    Program URL: http://ftpserv-u.deerfield.com/download.cfm
    
    Credit: USSRLABS
    
    SOLUTION
        Next version: the server's own code for handling link files.
    
    Greetings:
    Eeye, Attrition, w00w00, beavuh, Rhino9, ADM, L0pht, HNN, Technotronic and Wiretrip.
    
    u n d e r g r o u n d  s e c u r i t y  s y s t e m s  r e s e a r c h
    http://www.ussrback.com
    
    
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:33:36 PDT