Bugtraq mailing list archives
Buffer overflow in Serve-U
From: ryans () IH2000 NET (Ryan Sweat)
Date: Thu, 11 Feb 1999 21:36:13 -0600
I have successfully reproduced this overflow in the newest version of Serve-U. It totally crashes the ftp program, and also causes a stack fault in a module in the tcp/ip stack, rendering the network connectivity useless. About 10 seconds later, the machine will become unresponsive and has to be hard rebooted. This affects every Win98 machine I have tested on; however, an NT box with SP4 hung the program until the exploit was killed, but did not crash the serve-u itself.

The exploit is very simple. Send a file about 1 meg in size to serve-u's ftp port (21). This can be done with

cat filename | nc hostname 21

Ryan Sweat
ryans () ih2000 net
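The post does not say where the overflow sits, but a server that falls over when far more than one command line arrives on port 21 is the classic symptom of copying a client's command into a fixed-size buffer without a length check. The following is an added illustration of the fix on the server side, not code from the post or from the Serve-U product: a control-connection reader that bounds both how far it searches for CRLF and how much it copies, and refuses the session instead of overrunning memory. The 512-byte line limit and all function names are assumptions made for the example.

```c
#include <string.h>
/* Longest command line accepted, CRLF included: an assumption chosen for
 * this example, not a documented limit of the server in the post. */
#define MAX_CMD_LINE 512
enum cmd_status { CMD_OK = 0, CMD_TOO_LONG = -1, CMD_INCOMPLETE = -2 };

/* Copy one CRLF-terminated command received on port 21 into `out` (capacity
 * `outsz`).  CRLF is looked for only in the first MAX_CMD_LINE bytes and the
 * copy never exceeds `outsz`, so an unterminated flood cannot overrun it. */
enum cmd_status read_ftp_command(const char *in, size_t inlen,
                                 char *out, size_t outsz, size_t *consumed) {
    size_t window = inlen < MAX_CMD_LINE ? inlen : MAX_CMD_LINE;
    *consumed = 0;
    for (size_t i = 0; i + 1 < window; i++) {
        if (in[i] != '\r' || in[i + 1] != '\n') continue;
        if (i >= outsz) return CMD_TOO_LONG;  /* i bytes plus NUL must fit */
        memcpy(out, in, i);
        out[i] = '\0';
        *consumed = i + 2;
        return CMD_OK;
    }
    /* No CRLF in the window: wait for more bytes while the line may still be
     * short, refuse it once the limit is exhausted. */
    return inlen >= MAX_CMD_LINE ? CMD_TOO_LONG : CMD_INCOMPLETE;
}

/* Run everything a client sent through the reader: number of commands
 * accepted, or -1 once a line exceeds the limit (answer 500 and drop). */
int process_client_input(const char *in, size_t inlen) {
    char cmd[MAX_CMD_LINE];
    size_t pos = 0, used;
    int accepted = 0;
    while (pos < inlen) {
        enum cmd_status st = read_ftp_command(in + pos, inlen - pos,
                                              cmd, sizeof cmd, &used);
        if (st == CMD_TOO_LONG) return -1;
        if (st == CMD_INCOMPLETE) break;  /* partial line: wait for more */
        pos += used;
        accepted++;
    }
    return accepted;
}

/* Constructed input: `nbytes` of filler with no CRLF, a piped file's shape. */
int simulate_flood(size_t nbytes) {
    static char blob[1u << 20];       /* 1 MiB, roughly what the post sends */
    if (nbytes > sizeof blob) return -2;
    memset(blob, 'A', nbytes);
    return process_client_input(blob, nbytes);
}
```

With this reader a normal login exchange is parsed command by command, a short partial line is simply held for the next read, and a megabyte with no terminator is rejected after at most 512 bytes have been examined.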