Serv-U Vulnerabilities
CVE 1999-0219
CVE 1999-0838
CAN 2000-0176
CVE 2000-0837
CVE 2001-0054
Impact
An authenticated user or an anonymous user could read or
write any file on the same disk partition as
the FTP server.
Background
The File Transfer Protocol (FTP) allows a client to store
or retrieve files on a server. Serv-U
is an FTP server which runs on any Windows platform, allowing
users to set up an FTP server on a PC.
Upon setting up Serv-U FTP server, user accounts can be
created, each with its own home directory and access lists.
The access lists specify which files and directories a user
can access. An anonymous account can also be enabled, allowing
any remote user to connect to the server without requiring
authentication.
The Problems
CVE 2001-0054
A command containing specially crafted hexadecimal encoding can be
used to trick the server into allowing access to any
directory on the FTP server's disk partition with the same privileges as the attacker's
home directory. If the attacker has write access to his or her own
home directory, then important system files could be overwritten,
or system start-up files could be replaced with trojan horse
versions. If the attacker has read access to his or her own home
directory, sensitive files could be read, or the file containing
the encrypted passwords could be retrieved and cracked, allowing
the attacker access to other accounts. If the anonymous account
is enabled, this vulnerability could be exploited without requiring
authentication on the part of the attacker.
Serv-U FTP server versions 2.5h and earlier are affected by
this vulnerability.
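A hardening sketch for the class of flaw described above, added here as an example and not taken from Serv-U or the advisory: decode the path argument fully before comparing it with the user's home directory, so that the access check sees the same name the file system will. The page does not say which encoding is involved; %XX-style hex escapes, the virtual path layout, and the names HOME and resolve_ftp_path are assumptions.

```python
from urllib.parse import unquote

HOME = "/users/alice"  # hypothetical virtual home directory (assumption)

def resolve_ftp_path(home, cwd, arg, max_rounds=5):
    """Return the canonical virtual path for an FTP path argument, or None
    if it is malformed or resolves outside `home`."""
    decoded = arg
    for _ in range(max_rounds):        # decode until stable, so %252e cannot
        nxt = unquote(decoded)         # survive as %2e after a single pass
        if nxt == decoded:
            break
        decoded = nxt
    else:
        return None                    # still changing after max_rounds: refuse
    if "\x00" in decoded:
        return None                    # embedded NUL truncates names in C APIs
    decoded = decoded.replace("\\", "/")   # Windows accepts both separators
    full = decoded if decoded.startswith("/") else cwd + "/" + decoded
    parts = []
    for comp in full.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if parts:
                parts.pop()
            continue
        if ":" in comp or not comp.strip(" ."):
            return None                # drive/stream syntax, or only dots and spaces
        parts.append(comp.rstrip(" ."))    # Windows ignores trailing dots and spaces
    path = "/" + "/".join(parts)
    root = home.rstrip("/").lower()        # Windows paths compare case-insensitively
    if path.lower() == root or path.lower().startswith(root + "/"):
        return path
    return None

if __name__ == "__main__":
    # Constructed sample arguments, not taken from any advisory.
    for sample in ["docs/report.txt", "..%2f..%2fwinnt", "%252e%252e/bob/x"]:
        print(repr(sample), "->", resolve_ftp_path(HOME, HOME, sample))
```

The access list should then be evaluated against the returned path only, never against the raw argument.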
There are a number of other vulnerabilities affecting some
versions of Serv-U FTP:
CVE 1999-0219
A buffer overflow in the processing of the CWD command in Serv-U FTP 2.5
and earlier could allow a remote attacker to create a denial of service, or to execute
arbitrary code.
CVE 1999-0838
A buffer overflow in the processing of the SITE command in Serv-U FTP 2.5a
could allow a remote attacker to create a denial of service.
CVE 2000-0837
Serv-U FTP 2.5e and earlier crash after receiving a long string of null
bytes. Such an attack could eventually crash the system as well.
CAN 2000-0176
Serv-U FTP 2.5d and earlier reveal the full pathname of the server
after receiving a request for a file or directory which does not exist.
Resolution
Upgrade to Serv-U FTP version 2.5i or higher.
Where can I read more about this?
This vulnerability was discussed in Securax Security Advisory SA-09.
For more information on the other vulnerabilities,
see the following postings to Bugtraq: