Serv-U Vulnerabilities

CVE 1999-0219
CVE 1999-0838
CAN 2000-0176
CVE 2000-0837
CVE 2001-0054

Impact

An authenticated user or an anonymous user could read or write any file on the same disk partition as the FTP server.

Background

The File Transfer Protocol (FTP) allows a client to store or retrieve files on a server. Serv-U is an FTP server which runs on any Windows platform, allowing users to set up an FTP server on a PC.

Upon setting up Serv-U FTP server, user accounts can be created, each with its own home directory and access lists. The access lists specify which files and directories a user can access. An anonymous account can also be enabled, allowing any remote user to connect to the server without requiring authentication.

The Problems

CVE 2001-0054
A command containing specially crafted hexadecimal encoding can be used to trick the server into allowing access to any directory on the FTP server's disk partition with the same privileges as the attacker's home directory. If the attacker has write access to his or her own home directory, then important system files could be overwritten, or system start-up files could be replaced with trojan horse versions. If the attacker has read access to his or her own home directory, sensitive files could be read, or the file containing the encrypted passwords could be retrieved and cracked, allowing the attacker access to other accounts. If the anonymous account is enabled, this vulnerability could be exploited without requiring authentication on the part of the attacker.

Serv-U FTP server versions 2.5h and earlier are affected by this vulnerability.
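As an added illustration of the bug class described above (this is not Serv-U's code; the home directory, function names and request strings are all constructed), a simplified home-directory check that validates the raw request text before hex decoding, beside a hardened version that decodes and canonicalizes before checking containment:

```python
import posixpath
from urllib.parse import unquote

# Constructed example home directory for a hypothetical FTP account.
HOME = "/ftp/users/alice"


def _within(home: str, path: str) -> bool:
    """True if the canonical path is the home directory or lies beneath it."""
    canon = posixpath.normpath(path)
    return canon == home or canon.startswith(home + "/")


def naive_is_allowed(home: str, requested: str) -> bool:
    """Flawed check: inspects the request before any %xx decoding.

    A request that only becomes a traversal after decoding passes this test,
    which is the kind of bypass the advisory describes."""
    return _within(home, posixpath.join(home, requested))


def naive_open_path(home: str, requested: str) -> str:
    """What a server that decodes *after* the check would actually open."""
    return posixpath.normpath(posixpath.join(home, unquote(requested)))


def hardened_is_allowed(home: str, requested: str) -> bool:
    """Decode first (repeatedly, to cover double encoding), then canonicalize,
    then check that the result is still inside the home directory."""
    decoded = requested
    for _ in range(5):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    else:
        return False                 # still changing after 5 rounds: refuse
    if "\x00" in decoded:
        return False                 # embedded NUL guard
    return _within(home, posixpath.join(home, decoded))
```

The hardened check rejects absolute paths and plain ".." traversal as well, since both fail the containment test after canonicalization.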

There are a number of other vulnerabilities affecting some versions of Serv-U FTP:

CVE 1999-0219
A buffer overflow in the processing of the CWD command in Serv-U FTP 2.5 and earlier could allow a remote attacker to create a denial of service, or to execute arbitrary code.

CVE 1999-0838
A buffer overflow in the processing of the SITE command in Serv-U FTP 2.5a could allow a remote attacker to create a denial of service.

CVE 2000-0837
Serv-U FTP 2.5e and earlier crash after receiving a long string of null bytes. Such an attack could eventually crash the system as well.

CAN 2000-0176
Serv-U FTP 2.5d and earlier reveal the full pathname of the server after receiving a request for a file or directory which does not exist.

Resolution

Upgrade to Serv-U FTP version 2.5i or higher.

Where can I read more about this?

This vulnerability was discussed in Securax Security Advisory SA-09.

For more information on the other vulnerabilities, see the following postings to Bugtraq: