Vulnerabilities in EServ 2.97

From: Arne Vidstrom (arne.vidstromat_private)
Date: Tue Jan 29 2002 - 13:33:00 PST


    There are a couple of vulnerabilities in EServ 2.97.
    
    *** Vulnerability #1 ***
    
    The FTP server doesn't close the sockets that are allocated from using the
    PASV command. After all ports from 1024 to 5000 are listening (after running
    a lot of PASV commands in a row) no users can use passive mode anymore until
    the server is restarted.
    
    This vulnerability is made even worse by the fact that the PASV command is
    accepted before the user has authenticated.
    
    *** Vulnerability #2 ***
    
    The FTP server is vulnerable to the bounce attack. Not only does it not have
    a restriction on the IP address that the data connection is opened to, but
    it also does not have a restriction on the target port number at all.
    
    *** Vendor response ***
    
    The latest beta version fixes these two vulnerabilities and it can be found
    at:
    
    ftp://ftp.eserv.ru/pub/beta/2.98/
    
    Download the zip file and unzip the exe file inside so it overwrites the exe
    file from version 2.97.
    
    
    /Arne Vidstrom, http://ntsecurity.nu
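The two fixes the post describes (stop leaking PASV listeners, and restrict where PORT may point) are easy to get wrong, so here is an added example showing both checks side by side. This is illustrative code written for this archive page, not EServ's code and not the author's; the `FtpSession` class with its `leaky` flag is a constructed model of the behaviour the post describes (PASV accepted before login, listener never closed) next to the hardened behaviour, and the PORT validator implements the standard bounce-attack mitigation (data connection only back to the control connection's peer, only to a non-privileged port). All addresses are made up.

```python
import socket


def parse_port_arg(arg):
    """Parse the RFC 959 PORT argument h1,h2,h3,h4,p1,p2 into (ip, port).

    Raises ValueError on anything that is not six decimal bytes.
    """
    parts = arg.strip().split(",")
    if len(parts) != 6:
        raise ValueError("PORT needs six comma-separated decimal fields")
    nums = [int(p) for p in parts]
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError("PORT fields must be in 0..255")
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def port_allowed(arg, control_peer_ip, min_port=1024):
    """Bounce-attack check for a PORT command.

    The data connection may only go back to the host that owns the control
    connection, and only to a port the client could plausibly be listening
    on (not a privileged service port such as 25 or 80).
    """
    try:
        ip, port = parse_port_arg(arg)
    except ValueError:
        return False
    if ip != control_peer_ip:
        return False          # the post's first missing restriction: target IP
    if port < min_port or port > 65535:
        return False          # the post's second missing restriction: target port
    return True


class FtpSession:
    """Per-control-connection PASV state.

    leaky=True models the 2.97 behaviour described above: PASV is honoured
    before login and every PASV allocates a fresh listener that is never
    closed.  leaky=False is the hardened form: PASV is refused until login,
    and a new PASV closes the previous listener, so one session can hold at
    most one listening port at a time.
    """

    def __init__(self, authenticated=False, leaky=False):
        self.authenticated = authenticated
        self.leaky = leaky
        self.listeners = []

    def pasv(self):
        if not self.leaky:
            if not self.authenticated:
                return "530 Please login with USER and PASS."
            self.close()  # release the previous passive listener first
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free port
        s.listen(1)
        self.listeners.append(s)
        ip, port = s.getsockname()
        return "227 Entering Passive Mode (%s,%d,%d)." % (
            ip.replace(".", ","), port // 256, port % 256)

    def open_listener_count(self):
        return len(self.listeners)

    def close(self):
        for s in self.listeners:
            s.close()
        self.listeners = []


def open_listeners_after(n, leaky):
    """Send n PASV commands on one logged-in session and report how many
    listening sockets remain open afterwards (then release them)."""
    session = FtpSession(authenticated=True, leaky=leaky)
    for _ in range(n):
        reply = session.pasv()
        assert reply.startswith("227"), reply
    count = session.open_listener_count()
    session.close()
    return count


if __name__ == "__main__":
    # Constructed client at 10.0.0.5; 10.0.0.9:25 is the bounce target.
    print("bounce to 10.0.0.9:25 allowed:", port_allowed("10,0,0,9,0,25", "10.0.0.5"))
    print("own host, port 1025 allowed:", port_allowed("10,0,0,5,4,1", "10.0.0.5"))
    print("leaky listeners after 50 PASV:", open_listeners_after(50, leaky=True))
    print("fixed listeners after 50 PASV:", open_listeners_after(50, leaky=False))
```

A production server would additionally time out a passive listener that the client never connects to, and cap listeners per source address, since a single-listener-per-session rule alone still lets an attacker hold one port per control connection.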
    



    This archive was generated by hypermail 2b30 : Tue Jan 29 2002 - 14:47:32 PST