Serv-U is a "powerful, easy-to-use, award-winning FTP server" created by Rob Beckers.
An internal memory buffer may be overrun while handling the "site chmod" command with a filename containing excessive data. This condition could lead to a server compromise and ultimately to the execution of instructions with the server's privileges.
Credit:
The information has been provided by All members of SST
Vulnerable Systems:
* Serv-U FTP server versions prior to 4.2 including 4.1.0.11
Immune Systems:
* Serv-U FTP server version 5.0
While executing chmod on a nonexistent file, Serv-U will call sprintf to construct the response string. The code resembles the following:
sprintf(dst, "%s: No such file or directory.", filename);
The length of the dst buffer is only 256 bytes. If a long filename is received, Serv-U will crash. A writable directory is needed in order to exploit this vulnerability. By overwriting the SEH (Structured Exception Handler), we can create a proof-of-concept exploit on Win2K/XP.
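A bounded form of the response-building call, as an added example (not Serv-U's code, which the advisory itself only approximates). It assumes the 256-byte buffer and format string quoted above; the function, macro and variable names are hypothetical, and the filenames are constructed.

```c
#include <stdio.h>
#include <string.h>

#define REPLY_BUF_LEN 256   /* dst size stated in the advisory */
#define REPLY_FMT "%s: No such file or directory."

/* The advisory's call, for contrast (not compiled here):
 *     sprintf(dst, "%s: No such file or directory.", filename);
 * sprintf() does not know how large dst is, so the copy runs past the
 * end of the buffer once the filename plus the 28-byte suffix and the
 * terminating NUL exceed 256 bytes. */

static char g_reply[REPLY_BUF_LEN];   /* hypothetical reply buffer */

/* Bounded version (hypothetical name). Returns 0 on success, -1 if the
 * full reply would not fit; in that case dst gets a fixed message that
 * does not echo the oversized name. */
static int build_reply_safe(char *dst, size_t dst_len, const char *filename)
{
    int n = snprintf(dst, dst_len, REPLY_FMT, filename);
    if (n < 0 || (size_t)n >= dst_len) {
        snprintf(dst, dst_len, "No such file or directory.");
        return -1;
    }
    return 0;
}

/* Drive the safe builder with a constructed filename of name_len 'A's. */
static int try_name_of_length(size_t name_len)
{
    char name[1024];
    if (name_len >= sizeof name)
        return -2;
    memset(name, 'A', name_len);
    name[name_len] = '\0';
    return build_reply_safe(g_reply, sizeof g_reply, name);
}

int main(void)
{
    size_t lens[] = { 8, 227, 228, 600 };   /* constructed test lengths */
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        int rc = try_name_of_length(lens[i]);
        printf("len=%zu rc=%d reply_len=%zu\n", lens[i], rc, strlen(g_reply));
    }
    return 0;
}
```

With this format string the longest filename that still fits a 256-byte buffer is 227 bytes; checking snprintf's return value is what distinguishes a complete reply from a silently truncated one.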
Patch Availability:
The bug has been fixed in Serv-U version 5.0.