Serv-U Ftp Server Long Filename Stack Overflow Vunlnerablity Application: Serv-U Affected Versions: All versions prior 4.2 (include 4.1.0.11) Vendor: RhinoSoft (http://www.rhinosoft.com http://www.serv-u.com) URL: http://www.0x557.org/release/servu.txt Vunlnerablity: An internal memory buffer may be overrun while handling "site chmod" command with a filename containg excessive data. This condition may be exploited by attackers to ultimately execute instructions with the priviledges of the serv-u process, typically administator or system. Details: While exectuing chmod on a nonexistent file, serv-u will call sprintf to construct response string. And the code is like sprintf(dst, "%s: No such file or directory.", filename); The length of dst buffer is only 256 bytes.If a long filename was sent, serv-u will crash. A writable directory is needed to exploit this vulerablity.By overwriting SEH, we have created proof-of-concept exploit successfully on win2k/xp. Solution: Upgrade to servu 5.0. Credits: kkqq has indenpendently discovered this vulerablity. All members of SST (http://www.0x557.org). lgx and eyas. Rob Beckers for indentifing and fixing this vulerablity. About SST: Do we really exist?         icbm         icbm@0x557.net           2004-01-24