LinuxSir.cn,穿越时空的Linuxsir!

 找回密码
 注册
搜索
热搜: shell linux mysql
查看: 753|回复: 4

Serv-U MDTM Command Buffer Overflow Vulnerability

[复制链接]
发表于 2004-2-27 10:16:30 | 显示全部楼层 |阅读模式
www.cnhonker.com
                             Security Advisory

   Advisory Name: Serv-U MDTM Command Buffer Overflow Vulnerability
    Release Date: 02/26/2004
Affected version: Serv-U < 5.0.0.4
          Author: bkbll <bkbll@cnhonker.net>
             URL: http://www.cnhonker.com/advisory/serv-u.mdtm.txt
Overview:

    The Serv-U is a ftp daemon runs on windows. Serv-U supports a ftp command "MDTM" for user changing
file time . There is a  buffer overflow when a user logged in and send a malformed time zone as MDTM argument.
This can be remote exploit and gain SYSTEM privilege.

Exploit:

    When a user logged in, he can send this
    MDTM 20031111111111+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA /test.txt
    You must have a valid user account and password to exploit it, and you are not need WRITE or any other privilege.
And even the test.txt,which is the file you request, can not be there.
    So you can put your shellcode as the filename.

About HUC:

     HUC is still alive.
     
----------------------------------------------------------
[bkbll@cnhonker.net bkbll]#date +"%%F %%T"
[bkbll@cnhonker.net bkbll]#2004-02-26 23:11:36


"Serv-U 5.0.0.4 has been released.  This is a point-release of 5.0 that
fixes a number of bugs.  We highly recommend upgrading to 5.0.0.4, in
particular for the following reasons:

* A bug in SQL statements used by ODBC domains has been fixed.
* Added automatic connection retry in case ODBC connectivity failure.
* A bug causing Secure-FTP transfers to fail has been fixed.
* A bug in the MDTM command that could cause server crashes has been
  fixed.
发表于 2004-3-4 11:21:24 | 显示全部楼层
这次连写权限都不要了。。。。
发表于 2004-3-4 11:39:58 | 显示全部楼层
老兄能不能找点中文资料。
 楼主| 发表于 2004-3-8 10:08:20 | 显示全部楼层
sorry
我找不到
发表于 2004-3-12 01:12:11 | 显示全部楼层
4.1版本,MDTM命令无效.
您需要登录后才可以回帖 登录 | 注册

本版积分规则

快速回复 返回顶部 返回列表