
Extremely dangerous security vulnerability in Serv-U FTP



Best Programmer
Tuesday 07 Bahman 1382, 08:26 AM
Vulnerable Systems:
* Serv-U FTP server versions prior to 4.2 including 4.1.0.11

Immune Systems:
* Serv-U FTP server version 5.0

While executing chmod on a nonexistent file, Serv-U will call sprintf to construct the response string. The code resembles the following:

sprintf(dst, "%s: No such file or directory.", filename);

The length of the dst buffer is only 256 bytes. If a long filename was received, Serv-U will crash. A writable directory is needed in order to exploit this vulnerability. By overwriting the SEH (Structured Exception Handler), we can create a proof-of-concept exploit on Win2K/XP.

Patch Availability:
The bug has been fixed in Serv-U version 5.0
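
The sprintf pattern quoted in the post, next to a length-checked form, as an added example: this is not Serv-U source code and not part of the original post. The function names, the SUFFIX macro and the test filenames are hypothetical and constructed here; only the format string and the 256-byte buffer size come from the advisory.

```c
#include <stdio.h>
#include <string.h>

#define RESP_LEN 256                       /* dst size given in the advisory */
#define SUFFIX   ": No such file or directory."

/* Pattern from the advisory, kept for comparison: nothing bounds filename. */
void chmod_error_unsafe(char *dst, const char *filename)
{
    sprintf(dst, "%s" SUFFIX, filename);
}

/* Longest filename whose full response still fits in dstlen bytes. */
size_t max_filename_len(size_t dstlen)
{
    return dstlen > sizeof(SUFFIX) ? dstlen - sizeof(SUFFIX) : 0;
}

/* Bounded form: 0 if the whole response fit, -1 if it did not
 * (dst is then truncated but NUL-terminated; reject the command). */
int chmod_error_safe(char *dst, size_t dstlen, const char *filename)
{
    int n = snprintf(dst, dstlen, "%s" SUFFIX, filename);
    return (n < 0 || (size_t)n >= dstlen) ? -1 : 0;
}

/* Constructed input: a filename of len 'A' bytes, formatted safely. */
int try_name_of_length(size_t len)
{
    char name[1024], dst[RESP_LEN];
    if (len >= sizeof(name)) return -1;
    memset(name, 'A', len);
    name[len] = '\0';
    return chmod_error_safe(dst, sizeof(dst), name);
}

int main(void)
{
    char dst[RESP_LEN];
    chmod_error_unsafe(dst, "short.txt");   /* only safe because it is short */
    printf("%s\n", dst);
    printf("limit=%zu ok=%d long=%d\n", max_filename_len(RESP_LEN),
           try_name_of_length(227), try_name_of_length(300));
    return 0;
}
```

With a 256-byte buffer the fixed suffix leaves room for a filename of at most 227 bytes, so a server using the unbounded form has to reject longer names before formatting the reply.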