[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    [vulnwatch] Serv-U MDTM Command Buffer Overflow Vulnerability
From:       "bkbll" <bkbll () cnhonker ! net>
Date:       2004-02-26 15:13:00
Message-ID: 20040226144303.22186.qmail () mail ! securityfocus ! com
[Download RAW message or body]

[vulnwatch] Serv-U MDTM Command Buffer Overflow Vulnerability


                                
                              www.cnhonker.com
                             Security Advisory

   Advisory Name: Serv-U MDTM Command Buffer Overflow Vulnerability
    Release Date: 02/26/2004
Affected version: Serv-U < 5.0.0.4
          Author: bkbll <bkbll@cnhonker.net>
             URL: http://www.cnhonker.com/advisory/serv-u.mdtm.txt
Overview: 

    The Serv-U is a ftp daemon runs on windows. Serv-U supports a ftp command "MDTM" \
for user changing  file time . There is a  buffer overflow when a user logged in and \
send a malformed time zone as MDTM argument. This can be remote exploit and gain \
SYSTEM privilege.

Exploit:

    When a user logged in, he can send this 
    MDTM 20031111111111+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA /test.txt
    You must have a valid user account and password to exploit it, and you are not \
need WRITE or any other privilege. And even the test.txt,which is the file you \
request, can not be there. :)   So you can put your shellcode as the filename.

About HUC:

     HUC is still alive.
     
---------------------------------------------------------- 				
[bkbll@cnhonker.net bkbll]#date +"%%F %%T"
[bkbll@cnhonker.net bkbll]#2004-02-26 23:11:36


[prev in list] [next in list] [prev in thread] [next in thread]