
| Subject: | [NT] Orenosv HTTP/FTP Server Multiple Buffer Overflows |
|---|---|
| Date: | 10 May 2005 13:12:11 +0200 |
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Orenosv HTTP/FTP Server Multiple Buffer Overflows
------------------------------------------------------------------------

SUMMARY

"Orenosv is a stable, reliable and efficient HTTP/FTP/FTPS server that can operate 24H/365D. Orenosv runs on Windows platforms (NT, 2000, XP and 2003) and Linux x86." (<http://hp.vector.co.jp/authors/VA027031/orenosv/index_en.html>)

Multiple buffer overflow vulnerabilities were found in Orenosv's server.

DETAILS

Vulnerable Systems:
* Orenosv HTTP/FTP Server version 0.8.1

Immune Systems:
* Orenosv HTTP/FTP Server version 0.8.1a

Multiple FTP Commands Buffer Overflow Vulnerability:
This buffer overflow is triggered when the server receives an FTP file/directory manipulation command with a filename that is 249 or 250 bytes long. For 4-character FTP file/directory commands (for example LIST, DELE and RETR), a 249-byte filename causes the overflow. For 3-character FTP commands (for example MKD, RMD and CWD), a 250-byte filename causes the overflow. The server restricts the maximum length of each input line, so a filename longer than 250 bytes never reaches the vulnerable function.

Reverse engineering the orenosv.exe file reveals that the problem lies in the unbounded copy that occurs within the ftp_xlate_path(), ftp_is_canonial() and os_fn_nativize() functions, as well as in several unsafe uses of sprintf(). Exploitation is complicated by the fact that the buffer is limited to 250 bytes.

Orenosv runs in two separate processes:
(1) The monitoring process
(2) The server process

The monitoring process will restart the server process if it crashes due to the overflow. On our test system, we were able to cause a DoS on the server by sending the overflow buffer to the server in quick succession. This crashes both the server and the monitor process, thus preventing any automatic restart.

Long SSI Command Buffer Overflow Vulnerability (cgissi.exe):
Orenosv supports the use of SSI (.shtml). This support is provided by cgissi.exe. A buffer overflow vulnerability exists in cgissi.exe when processing an overly long SSI command name. The overflow occurs in the parse_cmd() function, where a loop performs an unsafe copy of the SSI command name into a local stack buffer. The copy loop is terminated only by the space character. Exploitation may be limited since the SSI command name is limited to less than 128 bytes.

Disclosure Timeline:
* 26.04.05 - Vulnerability Discovered
* 28.04.05 - Initial Author Notification
* 29.04.05 - Initial Author Reply
* 01.05.05 - Author Provided Fix for Testing
* 01.05.05 - Informed Author that Overflow will still occur in os_fn_nativize()
* 01.05.05 - Author Provided Another Fix for Testing
* 01.05.05 - Informed Author that Overflow will still occur due to several unsafe sprintf()
* 05.05.05 - Author Provided Another Fix for Testing
* 05.05.05 - Informed Author of Potential Problem in STOU command
* 06.05.05 - Author Provided Another Fix for Testing
* 07.05.05 - Author Released Patch
* 08.05.05 - Public Release

ADDITIONAL INFORMATION

The information has been provided by Chew Keong TAN (<mailto:chewkeong@security.org.sg>).
The original article can be found at: <http://www.security.org.sg/vuln/orenosv081.html>
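Both findings above come down to the same defect: a copy into a fixed-size stack buffer that stops on a delimiter (a space for the SSI command name, the end of the argument for the FTP filename) but never on the buffer's own size. The C below is an added illustration of the bounds-checked form of that logic; it is not Orenosv or cgissi.exe code, and the function names, buffer sizes and the 200-byte FTP argument limit are assumptions chosen for the example. The first function copies a space-terminated token and refuses it when it would not fit; the second gates FTP file/directory commands on argument length before any path translation would run, which is where a server-side check for the 249/250-byte case belongs.

```c
/* Added example, not Orenosv's code: bounds-checked versions of the two
 * copy patterns the advisory describes.  SSI_CMD_MAX and FTP_ARG_MAX are
 * assumed values for illustration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SSI_CMD_MAX 32   /* assumed capacity of the SSI command-name buffer */
#define FTP_ARG_MAX 200  /* assumed upper bound accepted for a filename argument */

/* Copy the SSI command name (bytes up to the first space or NUL) from src
 * into dst, which holds dst_size bytes.  Returns the number of bytes copied,
 * or -1 when the name does not fit.  The loop the advisory describes had
 * only the space check; the size check is what makes it safe. */
int ssi_copy_cmd_name(const char *src, char *dst, size_t dst_size)
{
    size_t n = 0;
    if (dst_size == 0) return -1;
    while (src[n] != '\0' && src[n] != ' ') {
        if (n + 1 >= dst_size) {   /* keep one byte for the terminator */
            dst[0] = '\0';
            return -1;
        }
        dst[n] = src[n];
        n++;
    }
    dst[n] = '\0';
    return (int)n;
}

/* Return 1 when the argument of an FTP command line (text after the first
 * space, up to CR/LF) is longer than max_arg, 0 otherwise.  A server that
 * refuses such lines before path translation never reaches an unbounded
 * copy with an oversized filename. */
int ftp_arg_too_long(const char *line, size_t max_arg)
{
    const char *sp = strchr(line, ' ');
    if (sp == NULL) return 0;              /* command without an argument */
    size_t len = strcspn(sp + 1, "\r\n");
    return len > max_arg;
}

int main(void)
{
    char name[SSI_CMD_MAX];
    char oversize[300];
    char req[300] = "RETR ";  /* constructed request: RETR + 249 'A' bytes */

    int r = ssi_copy_cmd_name("include virtual=\"/x.html\"", name, sizeof name);
    printf("SSI command: %s (%d bytes)\n", name, r);

    memset(oversize, 'A', sizeof oversize - 1);
    oversize[sizeof oversize - 1] = '\0';
    printf("oversize SSI name rejected: %d\n",
           ssi_copy_cmd_name(oversize, name, sizeof name) == -1);

    memset(req + 5, 'A', 249);
    req[5 + 249] = '\0';
    printf("249-byte RETR argument refused: %d\n", ftp_arg_too_long(req, FTP_ARG_MAX));
    return 0;
}
```

The length gate is deliberately a plain limit rather than a check for exactly 249 or 250 bytes: the advisory's figures describe when this particular binary overflows, while a server should simply reject arguments longer than its buffers are designed for.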