Cat Soft Serv-U 2.5/a/b,Windows 2000 Advanced Server/2000 Datacenter Server/2000 Professional/2000 Server/2000 Terminal Services/95/98/NT 4.0/NT Enterprise Server 4.0/NT Server 4.0/NT Terminal Server 4.0/NT Workstation 4.0 Shortcut Vulnerability

vendor:

Serv-U

by:

SecurityFocus

7.5

CVSS

HIGH

Buffer Overflow

120

CWE

Product Name: Serv-U

Affected Version From: 2.5/a/b

Affected Version To: 2.5/a/b

Patch Exists: Yes

Related CWE: N/A

CPE: a:cats_software:serv-u

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2002

Cat Soft Serv-U 2.5/a/b,Windows 2000 Advanced Server/2000 Datacenter Server/2000 Professional/2000 Server/2000 Terminal Services/95/98/NT 4.0/NT Enterprise Server 4.0/NT Server 4.0/NT Terminal Server 4.0/NT Workstation 4.0 Shortcut Vulnerability

The Windows API that handles shortcut navigation is susceptible to buffer overflow attacks. The API, 'SHGetPathFromIDList' will parse a shortcut file (.lnk) to find the target file, directory or URL. A specifically malformed link will cause any program using the API to follow that shortcut to crash.

Mitigation:

Ensure that all programs using the API are updated to the latest version.

Source

Exploit-DB raw data:

Cat Soft Serv-U 2.5/a/b,Windows 2000 Advanced Server/2000 Datacenter Server/2000 Professional/2000 Server/2000 Terminal Services/95/98/NT 4.0/NT Enterprise Server 4.0/NT Server 4.0/NT Terminal Server 4.0/NT Workstation 4.0 Shortcut Vulnerability

source: https://www.securityfocus.com/bid/970/info

The Windows API that handles shortcut navigation is susceptible to buffer overflow attacks. The API, "SHGetPathFromIDList" will parse a shortcut file (.lnk) to find the target file, directory or URL. A specifically malformed link will cause any program using the API to follow that shortcut to crash.

NOTE: While this vulnerability listing, as well as the exploit and the original USSR advisory only mention Serv-U FTP server, any Windows, Microsoft, or 3rd party program that uses the API could be vulnerable to this.

dserv2.5b.exe:
Executable exploit for Serv-U FTP server

dserv25b.zip:
Source code for above exploit

link.bro:
Example of a malformed shortcut file. 

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/19743-1.zip

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/19743-2.exe

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/19743-3.bro