[Full-Disclosure] [VulnWatch] [vulnwatch] Serv-U MDTM Command Buffer Overflow Vulnerability
bkbll
bkbll at cnhonker.net
Thu Feb 26 15:13:00 GMT 2004
[vulnwatch] Serv-U MDTM Command Buffer Overflow Vulnerability
www.cnhonker.com
Security Advisory
Advisory Name: Serv-U MDTM Command Buffer Overflow Vulnerability
Release Date: 02/26/2004
Affected version: Serv-U < 5.0.0.4
Author: bkbll <bkbll at cnhonker.net>
URL: http://www.cnhonker.com/advisory/serv-u.mdtm.txt
Overview:
The Serv-U is a ftp daemon runs on windows. Serv-U supports a ftp command "MDTM" for user changing
file time . There is a buffer overflow when a user logged in and send a malformed time zone as MDTM argument.
This can be remote exploit and gain SYSTEM privilege.
Exploit:
When a user logged in, he can send this
MDTM 20031111111111+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA /test.txt
You must have a valid user account and password to exploit it, and you are not need WRITE or any other privilege.
And even the test.txt,which is the file you request, can not be there. :)
So you can put your shellcode as the filename.
About HUC:
HUC is still alive.
----------------------------------------------------------
[bkbll at cnhonker.net bkbll]#date +"%%F %%T"
[bkbll at cnhonker.net bkbll]#2004-02-26 23:11:36
Full-Disclosure is hosted and sponsored by Secunia.