[VulnWatch] [vulnwatch] Serv-U MDTM Command Buffer Overflow Vulnerability

From: bkbll (bkbll@private)
Date: Thu Feb 26 2004 - 07:13:00 PST

Next message: ECHU.ORG: "[VulnWatch] ECHU.ORG Alert # 5 - FreeBB.com"

Previous message: Peter Winter-Smith: "[VulnWatch] Web Crossing 4.x/5.x Denial of Service Vulnerability (FIX)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[vulnwatch] Serv-U MDTM Command Buffer Overflow Vulnerability


                                
                              www.cnhonker.com
                             Security Advisory

   Advisory Name: Serv-U MDTM Command Buffer Overflow Vulnerability
    Release Date: 02/26/2004
Affected version: Serv-U < 5.0.0.4
          Author: bkbll <bkbll@private>
             URL: http://www.cnhonker.com/advisory/serv-u.mdtm.txt
Overview: 

    The Serv-U is a ftp daemon runs on windows. Serv-U supports a ftp command "MDTM" for user changing 
file time . There is a  buffer overflow when a user logged in and send a malformed time zone as MDTM argument.
This can be remote exploit and gain SYSTEM privilege.

Exploit:

    When a user logged in, he can send this 
    MDTM 20031111111111+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA /test.txt
    You must have a valid user account and password to exploit it, and you are not need WRITE or any other privilege.
And even the test.txt,which is the file you request, can not be there. :) 
    So you can put your shellcode as the filename.

About HUC:

     HUC is still alive.
     
---------------------------------------------------------- 				
[bkbll@private bkbll]#date +"%%F %%T"
[bkbll@private bkbll]#2004-02-26 23:11:36

Next message: ECHU.ORG: "[VulnWatch] ECHU.ORG Alert # 5 - FreeBB.com"
Previous message: Peter Winter-Smith: "[VulnWatch] Web Crossing 4.x/5.x Denial of Service Vulnerability (FIX)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Feb 26 2004 - 21:41:23 PST