Bugtraq mailing list archives

Local / Remote D.o.S Attack in Serv-U FTP-Server v2.5b for Win9x/WinNT Vulnerability


From: labs () USSRBACK COM (Ussr Labs)
Date: Fri, 4 Feb 2000 02:35:59 -0300


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Local / Remote D.o.S Attack in Serv-U FTP-Server v2.5b for Win9x/WinNT Vulnerability

USSR Advisory Code:   USSR-2000032

Release Date:
February 04, 2000

Systems Affected:
Serv-U FTP-Server v2.5b and maybe other versions.
Windows 95
Windows 98
Windows NT 4.0 Workstation
Windows NT 4.0 Server

THE PROBLEM
UssrLabs found a buffer overflow in one Windows API,
"SHGetPathFromIDList". This function converts an item identifier list
to a file system path; it is one of the APIs that handle link files
under Windows.
If you have one malformed link file, you can crash anything that tries
to translate a .lnk file, such as EXPLORER.EXE, all common dialogs and
so on (copy one malformed link file to the desktop and you can't log in
to the machine).
To make Serv-U crash, just upload one malformed link file to any Serv-U
directory and type the FTP command LIST, and the server crashes.

Note:
 This overflow does not work under Win2k.

Example malformed link at: http://www.ussrback.com/god.lnk

Binary or source for this Exploit:

http://www.ussrback.com/

Vendor Status:
Contacted.

Vendor   Url:  http://ftpserv-u.deerfield.com/
Program Url: http://ftpserv-u.deerfield.com/download.cfm

Credit: USSRLABS

SOLUTION
    Next version, with its own code for handling link files.

Greetings:
Eeye, Attrition, w00w00, beavuh, Rhino9, ADM, L0pht, HNN, Technotronic
and Wiretrip.

u n d e r g r o u n d  s e c u r i t y  s y s t e m s  r e s e a r c h
http://www.ussrback.com

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>

iQA/AwUBOJplPdybEYfHhkiVEQLY+gCfdMrTXXWhG77MAou3zkh4t9DCa/8AoOjD
N60pKz0Plb4BalLEyZ7CWp2y
=yaYK
-----END PGP SIGNATURE-----
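
The SOLUTION above has the server use its own code for link files. As an added example (not from the advisory or from Serv-U), this C routine walks a .lnk file's item identifier list with every length field checked against the file size, so a server could refuse a structurally invalid link on upload or skip it when listing. The layout it assumes (76-byte header, LinkFlags bit 0, 2-byte IDListSize, size-prefixed items, zero terminator) is Microsoft's published Shell Link format, not something the advisory states; the advisory does not say what is malformed in its sample, and the function names here are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define LNK_HEADER_SIZE 0x4Cu        /* fixed ShellLinkHeader size */
#define LNK_HAS_IDLIST  0x00000001u  /* LinkFlags bit 0: HasLinkTargetIDList */

enum lnk_status { LNK_OK, LNK_NOT_LNK, LNK_TRUNCATED, LNK_BAD_ITEM };
static const unsigned char LNK_CLSID[16] = { 0x01, 0x14, 0x02, 0, 0, 0, 0, 0,
                                             0xC0, 0, 0, 0, 0, 0, 0, 0x46 };

static uint32_t rd16(const unsigned char *p) { return p[0] | ((uint32_t)p[1] << 8); }
static uint32_t rd32(const unsigned char *p) { return rd16(p) | (rd16(p + 2) << 16); }

/* Walk the item identifier list of a .lnk image; no length field is trusted. */
enum lnk_status lnk_check_idlist(const unsigned char *buf, size_t len)
{
    if (len < LNK_HEADER_SIZE || rd32(buf) != LNK_HEADER_SIZE ||
        memcmp(buf + 4, LNK_CLSID, sizeof LNK_CLSID) != 0)
        return LNK_NOT_LNK;
    if (!(rd32(buf + 20) & LNK_HAS_IDLIST))
        return LNK_OK;                          /* no ID list to convert to a path */
    size_t room = len - LNK_HEADER_SIZE;        /* bytes after the header */
    size_t left = room >= 2 ? rd16(buf + LNK_HEADER_SIZE) : 0;  /* IDListSize */
    if (left < 2 || left > room - 2)
        return LNK_TRUNCATED;                   /* list runs past end of file */
    const unsigned char *p = buf + LNK_HEADER_SIZE + 2;
    for (;;) {                                  /* invariant: left >= 2 */
        size_t cb = rd16(p);                    /* item size, includes these 2 bytes */
        if (cb == 0)
            return left == 2 ? LNK_OK : LNK_BAD_ITEM;  /* terminator must be last */
        if (cb < 2 || cb > left - 2)
            return LNK_BAD_ITEM;                /* item overruns the declared list */
        p += cb; left -= cb;
    }
}

/* Constructed sample: header plus one 4-byte item whose size field is item_cb. */
size_t lnk_sample(unsigned char *out, uint16_t item_cb)
{
    memset(out, 0, LNK_HEADER_SIZE + 8);
    out[0] = LNK_HEADER_SIZE;
    memcpy(out + 4, LNK_CLSID, sizeof LNK_CLSID);
    out[20] = LNK_HAS_IDLIST;
    out[LNK_HEADER_SIZE] = 6;                   /* IDListSize: 4-byte item + terminator */
    out[LNK_HEADER_SIZE + 2] = (unsigned char)(item_cb & 0xFF);
    out[LNK_HEADER_SIZE + 3] = (unsigned char)(item_cb >> 8);
    return LNK_HEADER_SIZE + 8;
}
```

A file that returns anything other than LNK_OK or LNK_NOT_LNK claims to be a link but has an inconsistent identifier list and should not be handed to shell APIs for path translation.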

