Sysax SSH Username Remote Code Execution

2012-03-06T00:00:00
ID SAINT:9E8AAD4D1B8D568BFC973D7FAE96E397
Type saint
Reporter SAINT Corporation
Modified 2012-03-06T00:00:00

Description

Added: 03/06/2012
BID: 52190
OSVDB: 79689

Background

Sysax Multi Server is a Secure FTP Server and SSH2 Secure Shell Server combined into a single product. It simultaneously supports remote access and file transfer using FTP, FTPS, SFTP, Telnet, and Secure Shell. It also supports web based file transfer using HTTP and HTTPS.

Problem

The flaw is caused due to a boundary error in SSH component while processing authentication requests. This can be exploited to cause a stack-based buffer overflow via long username sent to TCP port 22.

Resolution

Upgrade Sysax Multi Server to version 5.55

References

<http://secunia.com/advisories/48188>
<http://www.pwnag3.com/2012/02/sysax-multi-server-ssh-username-exploit.html>

Limitations

This exploit has been tested against Sysax Multi Server version 5.53 with Sysax local User Account/Windows User Account on Windows XP OEM and SP3 English (DEP OptIn) and Windows 2003 SP2 English (DEP OptIn).

The OpenSSH client must be installed on the SAINTexploit host.

Platforms

Windows XP
Windows Server 2003