 
Bugtraq mailing list archives
Buffer overflow in Serve-U
From: ryans () IH2000 NET (Ryan Sweat)
Date: Thu, 11 Feb 1999 21:36:13 -0600
     I have successfully reproduced this overflow in the newest version of Serve-U.
It totally crashes the ftp program, and also causes stack fault module in tcp/ip stack rendering the network connectivity useless.  About 10 seconds later, the machine will become unresponsive and has to be hard rebooted.  This affects every Win98 machine I have tested on, however, an NT box with SP4 hung the program until the exploit was killed, but not crashing the serve-u itself.
     The exploit is very simple.
Send a file about 1 meg in size to serve-u's ftp port (21).  This can be done with
     cat filename | nc hostname 21
Ryan Sweat
ryans () ih2000 net


