SIG^2 G-TEC Software Vulnerability Research Project

Introduction

The objectives of the G-TEC Software Vulnerability Research Project are to discover new vulnerabilities and weaknesses in software products, and to develop proof-of-concept (POC) exploits that demonstrate them. The aim of this project is to create awareness of common software limitations and modes of failure, and to encourage the development of more robust and secure software. We follow vulnerability research best practices and inform the vendor of any critical vulnerability before making a public disclosure.

Releases

  1. SPA-PRO Mail @Solomon IMAP Server Directory Traversal and Buffer Overflow Vulnerabilities

    A directory traversal vulnerability was found in SPA-PRO Mail @Solomon's IMAP service. It may be exploited by a malicious user to view other users' email, create arbitrary directories on the server, delete empty directories on the server, and/or rename directories on the server. A buffer overflow vulnerability also exists. It is triggered when the IMAP service receives an overly long folder name in the CREATE command, and may be exploited to crash the IMAP service or to execute arbitrary code.

  2. FutureSoft TFTP Server 2000 Buffer Overflow and Directory Traversal Vulnerabilities

    A buffer overflow vulnerability was found in FutureSoft TFTP Server 2000. This vulnerability may be exploited by a malicious user to crash the server or to execute arbitrary code with LOCAL SYSTEM privilege. A directory traversal vulnerability also exists. This vulnerability may be exploited to retrieve files outside the TFTP root directory.

  3. Fastream NETFile FTP/Web Server DoS Vulnerability

    The default installation of NETFile FTP does not validate the IP address supplied in a PORT command. This may be exploited to perform an FTP bounce attack from the server. It may also be exploited by a user with upload privilege to cause a Denial-of-Service (DoS) on the server.

  4. Orenosv HTTP/FTP Server Buffer Overflow Vulnerabilities

    Orenosv HTTP/FTP Server is a stable, reliable and high-performance HTTP/FTP/FTPS server that can operate 24 hours a day, 365 days a year. Orenosv runs on Windows platforms (NT, 2000, XP and 2003) and Linux x86. A remote buffer overflow vulnerability was found in Orenosv's FTP server that may be exploited by a malicious user to crash the server. A buffer overflow vulnerability also exists in the SSI module of Orenosv's HTTP server; it may be triggered using a specially crafted SSI file (.shtml).

  5. NetWin DMail Server Two Vulnerabilities

    An authentication bypass vulnerability was found in DMail's mailing list server (dlist.exe). This vulnerability may be remotely exploited to view logs generated by the mailing list server (dlist.exe) or to shut it down. The second is a format string vulnerability that exists in the admin commands of dsmtp.exe.

  6. Fastream NETFile FTP/Web Server Directory Traversal Vulnerability

    Fastream NETFile FTP/Web Server is a secure FTP server and Web server combined together in one program. It claims to be the "easiest to setup and administer server" on the Internet. A directory traversal vulnerability was found in NETFile FTP's web interface. This vulnerability may be exploited by a user with file upload/delete privileges to upload/delete files outside the FTP root, or by a user with directory create/remove privileges to create/remove directories outside the FTP root.

  7. AN HTTPD Server cmdIS.DLL Buffer Overflow and LogFile Arbitrary Character Injection Vulnerabilities

    AN HTTPD Server is a web server software for Windows 95/98/Me/NT/2000/XP platforms. It is easy to use and install, and supports SSI and CGI. It is suitable for anyone who wants to setup a personal homepage using one's home PC, and it works even over dial-up connections.

    A buffer overflow vulnerability was found in the cmdIS.DLL plugin supplied with AN HTTPD. It may be exploited to crash the server or to execute arbitrary code. In addition, AN HTTPD does not filter the received URI before writing it to the log file, so arbitrary characters can be injected into the log file. This may be exploited to corrupt the log file or to inject fake entries. In particular, it may be possible to inject commands into the log file that are then executed by the cmdIS.DLL plugin.

  8. SurgeFTP LEAK Command Denial-Of-Service Vulnerability

    SurgeFTP is an FTP server with SSL/TLS security, easy management and cross platform support. It is available for Windows, Solaris and Linux. A denial-of-service vulnerability was found in SurgeFTP, which may be exploited to crash the server or to prevent it from correctly serving files.

  9. SurgeMail Webmail Attachment Upload and XSS Vulnerabilities

    A vulnerability was found in SurgeMail's Webmail file attachment upload feature. This vulnerability may be exploited by a malicious Webmail user to upload files to certain locations on the server, obtain file listings of certain directories, and/or send certain files on the server to him/herself. Two XSS vulnerabilities were also found.

  10. RaidenHTTPD Server Buffer Overflow and CGI Source Disclosure Vulnerabilities

    RaidenHTTPD Server is a full featured web server software for Windows 98 / Me / 2000 / XP / 2003 platforms. It is easy to use and install, and is designed for anyone who wants to have a website running within minutes. A CGI source code disclosure vulnerability was found in RaidenHTTPD that may be exploited to obtain the source code of any PHP script on the server. A buffer overflow vulnerability was also found that may be remotely exploited to cause a DoS or to execute arbitrary code.

  11. ArGoSoft Mail Server Webmail Multiple Directory Traversal Vulnerabilities

    Multiple directory traversal vulnerabilities were found in ArGoSoft Mail Server's Webmail that may be exploited by a logged-on mail user to upload files to arbitrary directories on the server, retrieve arbitrary files from the server, access other users' emails, and create/delete arbitrary directories on the server.

  12. 602LAN SUITE Web Mail Vulnerability Allows File Upload to Arbitrary Directories

    A directory traversal vulnerability was found in 602LAN SUITE's Web Mail file attachment upload feature that may be exploited to upload files to arbitrary locations on the server. A malicious mail user may upload an EXE file to the /cgi-bin directory of the server and execute it by requesting the URL of the uploaded EXE file.

  13. DeskNow Mail and Collaboration Server Directory Traversal Vulnerabilities

    A directory traversal vulnerability was found in DeskNow's webmail file attachment upload feature that may be exploited to upload files to arbitrary locations on the server. A malicious webmail user may upload a JSP file to the script directory of the server and execute it by requesting the URL of the uploaded JSP file. A second directory traversal vulnerability exists in the document repository's file delete feature. It may be exploited to delete arbitrary files on the server.

  14. Magic Winmail Server v4.0 Multiple Vulnerabilities

    Multiple vulnerabilities were found in Magic Winmail Server's Webmail, IMAP and FTP services. Winmail Server's PHP-based Webmail has vulnerabilities that may be exploited to download arbitrary files from the server, to upload files to arbitrary directories, and to conduct Cross-Site Scripting (XSS) attacks. A directory traversal vulnerability in Winmail Server's IMAP service gives a malicious user the ability to read any user's emails, create/delete arbitrary directories on the server, and/or retrieve arbitrary files from the server. In addition, Winmail Server's FTP service does not validate the IP address supplied in a PORT command, which may be exploited to port-scan other hosts from the FTP server.
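
    The PORT check that items 3 and 14 say NETFile and Winmail omit, as an added example in C (not code from either product): the data-connection address named in a PORT command must match the peer of the control connection, and the port must not be a privileged one. The peer address and PORT arguments below are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Parse the argument of an FTP PORT command, "h1,h2,h3,h4,p1,p2", into a
   dotted-quad string (ip must hold at least 16 bytes) and a port number.
   Returns false if the argument is malformed or any field exceeds 255. */
bool parse_port_arg(const char *arg, char *ip, unsigned *port)
{
    unsigned v[6];
    char trailing;
    int n = sscanf(arg, "%u,%u,%u,%u,%u,%u%c",
                   &v[0], &v[1], &v[2], &v[3], &v[4], &v[5], &trailing);
    if (n != 6)                      /* too few fields, or junk after them */
        return false;
    for (int i = 0; i < 6; i++)
        if (v[i] > 255)
            return false;
    snprintf(ip, 16, "%u.%u.%u.%u", v[0], v[1], v[2], v[3]);
    *port = v[4] * 256 + v[5];
    return true;
}

/* Policy check a server should apply before opening the data connection.
   peer_ip is the source address of the control connection as seen by the
   server (not anything the client sent).  A PORT naming a different host
   is an FTP bounce / port-scan attempt; a privileged port (< 1024) on the
   client host is almost always an attempt to poke at another service. */
bool port_command_allowed(const char *arg, const char *peer_ip)
{
    char ip[16];
    unsigned port;
    if (!parse_port_arg(arg, ip, &port))
        return false;
    if (strcmp(ip, peer_ip) != 0)
        return false;
    if (port < 1024)
        return false;
    return true;
}

int main(void)
{
    /* Constructed control-connection peer and PORT arguments. */
    const char *peer = "192.168.1.10";
    const char *cases[] = {
        "192,168,1,10,4,1",     /* allowed: same host, port 1025 */
        "10,0,0,5,0,80",        /* bounce to another host's port 80 */
        "192,168,1,10,0,21",    /* same host, but a privileged port */
        "192,168,1,300,4,1",    /* malformed octet */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("PORT %-22s -> %s\n", cases[i],
               port_command_allowed(cases[i], peer) ? "accept" : "reject 500");
    return 0;
}
```

    A server that wants to stay strict can refuse PORT altogether and only offer PASV; the comparison against the control connection's peer is the minimum that turns the server from an open relay for connections into one that only talks back to the client.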

  15. NodeManager Professional V2.00 Buffer Overflow Vulnerability

    NodeManager Professional is a network management and monitoring tool. It receives SNMPv1 traps and displays them on screen and writes them to a log file. NodeManager Professional V2.00 has a stack overflow vulnerability that can be exploited by sending a specially crafted SNMPv1 trap.

  16. singapore Image Gallery Web Application v0.9.10 Multiple Vulnerabilities

    singapore is yet another open-source PHP-based image gallery web application. What makes singapore different from the hundreds of other similar scripts is that it is specifically geared towards displaying art in an aesthetically pleasing fashion using a clean, uncluttered interface. Multiple vulnerabilities were found in the application, including arbitrary file download, directory deletion and Cross-Site Scripting (XSS).

  17. CMailServer WebMail v5.2 Multiple Vulnerabilities

    CMailServer is a small and easy-to-use mail server and web mail package. It enables you to send and receive emails across the Internet or within the LAN and supports client email applications such as Outlook, Eudora etc. CMailServer provides a Hotmail-like Web Mail service based on ASP scripts. Multiple vulnerabilities were found in CMailServer's Web Mail service, including a buffer overflow, SQL injection and Cross-Site Scripting (XSS).

  18. Prevx Home v1.0 Intrusion Prevention Features Can Be Disabled by Direct Service Table Restoration

    Prevx Home is a state-of-the-art Host Intrusion Prevention Software that is designed to protect the user against the next Zero Day Hacker attacks, Internet Worms and Spyware Installation without expecting the user to perform constant updates to their system.

    Prevx Home's registry and buffer overflow protection features are implemented by hooking several native APIs in kernel-space by modifying entries within the SDT ServiceTable. This means that a malicious program with Administrator privilege can disable these features by restoring the running kernel's SDT ServiceTable with direct writes to \device\physicalmemory.

  19. 04WebServer Three Vulnerabilities

    04WebServer is an HTTP server developed by Soft3304 for Windows platforms. It is an easy-to-configure personal HTTP server that supports CGI, SSI, WebDAV and SSL/TLS. This advisory documents three vulnerabilities found in version 1.42 of 04WebServer: an XSS vulnerability, a lack of character filtering when writing to the log file, and a possible server restart after a DOS device name is requested in the URL.
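
    The character filtering that items 7 and 19 say AN HTTPD and 04WebServer skip before writing a URI to the log file, as an added example in C (not either server's code): each request field is escaped so that CR/LF and other control bytes cannot terminate the current entry or forge another, which also removes the path by which a logged string could later be taken as a command. The request line in main() is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Escape one field (here, the request URI) before it is written to an
   access log.  CR and LF would let a client terminate the current entry
   and forge a new one; other control bytes, DEL, non-ASCII bytes and the
   backslash itself are escaped as well so the output is unambiguous.
   Returns the number of bytes written to out, or (size_t)-1 when the
   escaped field does not fit (out is then an empty string). */
size_t log_escape(const char *in, char *out, size_t outsz)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;
    if (outsz == 0)
        return (size_t)-1;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        if (*p >= 0x20 && *p < 0x7f && *p != '\\') {
            if (o + 1 >= outsz) { out[0] = '\0'; return (size_t)-1; }
            out[o++] = (char)*p;
        } else {
            if (o + 4 >= outsz) { out[0] = '\0'; return (size_t)-1; }
            out[o++] = '\\';
            out[o++] = 'x';
            out[o++] = hex[*p >> 4];
            out[o++] = hex[*p & 0x0f];
        }
    }
    out[o] = '\0';
    return o;
}

/* Convenience wrapper returning a static buffer, for callers that only
   need the escaped text of a single short field. */
const char *log_escaped(const char *field)
{
    static char buf[512];
    log_escape(field, buf, sizeof buf);
    return buf;
}

int main(void)
{
    /* Constructed request: the client tries to append a second, forged
       access-log entry by embedding CR LF in the URI. */
    const char *uri = "/index.html\r\n10.0.0.99 - - [01/Jan/2005:00:00:00] \"GET /admin\" 200";
    char line[512];
    if (log_escape(uri, line, sizeof line) == (size_t)-1)
        puts("field too long");
    else
        printf("10.0.0.5 - - \"GET %s\"\n", line);
    return 0;
}
```

    The escaped line stays on one row of the log, so anything that parses the log (a log viewer, a statistics script, or a plugin that reads commands from it) sees the client's bytes as data in a single field rather than as a new record.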

  20. Directory Traversal Vulnerability in TwinFTP Server allows overwriting of files outside FTP directory

    TwinFTP Server is an FTP server released by Jigunet Corporation for the Windows platform. A vulnerability exists in TwinFTP Server that gives a malicious user access to files outside the FTP directory. It may also be exploited to bypass the directory restrictions enforced by the FTP server and write arbitrary files into any directory the server process has access to.
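
    The containment check that each of the directory traversal items above (1, 2, 6, 11, 12, 13, 14 and 20) failed to perform on a client-supplied path, written as an added example in C rather than taken from any of the listed products. It normalises the path segment by segment, resolving "." and "..", and rejects anything that would leave the served root, as well as Windows-specific aliases (drive letters, ':' stream names, trailing dots) that a plain ".." filter misses. The inputs in main() are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_SEGS 64

/* Normalise a client-supplied relative path and decide whether it stays
   inside the served root.  Both '/' and '\\' count as separators because
   the servers in this list run on Windows.  Rejected outright: absolute
   paths, any segment containing ':' (drive letters and NTFS alternate
   data streams), and segments ending in '.' or ' ' (Windows strips those,
   so "cgi-bin." aliases "cgi-bin").  ".." is resolved against the
   segments already accepted and rejected as soon as it would climb above
   the root.  The caller must have URL-decoded the path first (so "%2e%2e"
   has become "..") and must treat an embedded NUL as a separate error,
   since it ends a C string.  On success the clean path, using '/'
   separators, is written to out. */
bool path_within_root(const char *user_path, char *out, size_t outsz)
{
    const char *seg[MAX_SEGS];
    size_t len[MAX_SEGS];
    int depth = 0;
    const char *p = user_path;

    if (*p == '/' || *p == '\\')
        return false;                         /* absolute path */

    while (*p) {
        const char *start = p;
        while (*p && *p != '/' && *p != '\\')
            p++;
        size_t n = (size_t)(p - start);
        if (*p)
            p++;                              /* consume the separator */
        if (n == 0 || (n == 1 && start[0] == '.'))
            continue;                         /* "//" or "." : no-op */
        if (n == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0)
                return false;                 /* would escape the root */
            depth--;
            continue;
        }
        if (memchr(start, ':', n) != NULL)
            return false;                     /* "C:" or "file.txt:stream" */
        if (start[n - 1] == '.' || start[n - 1] == ' ')
            return false;                     /* trailing dot/space alias, "..." */
        if (depth == MAX_SEGS)
            return false;
        seg[depth] = start;
        len[depth] = n;
        depth++;
    }

    size_t used = 0;
    for (int i = 0; i < depth; i++) {
        if (used + len[i] + 2 > outsz)
            return false;                     /* does not fit */
        if (i > 0)
            out[used++] = '/';
        memcpy(out + used, seg[i], len[i]);
        used += len[i];
    }
    out[used] = '\0';
    return true;
}

/* Wrapper returning the normalised path, or NULL when rejected. */
const char *safe_path(const char *user_path)
{
    static char buf[260];
    return path_within_root(user_path, buf, sizeof buf) ? buf : NULL;
}

int main(void)
{
    /* Constructed inputs of the kind the advisories above describe. */
    const char *inputs[] = {
        "user1/INBOX/./mail.eml",
        "attachments/../../cgi-bin/evil.exe",
        "INBOX\\..\\..\\..\\boot.ini",
        "C:\\winnt\\system32\\cmd.exe",
        "report.doc:hidden",
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        const char *r = safe_path(inputs[i]);
        printf("%-36s -> %s\n", inputs[i], r ? r : "REJECT");
    }
    return 0;
}
```

    The check belongs at the one place the server turns a client string into a filesystem path (the IMAP folder name, the attachment filename, the FTP argument); a second, independent check is to resolve the final path with the OS and confirm it still has the root as a prefix, which catches aliases this normaliser does not know about.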

  21. Kerio Personal Firewall's Application Launch Protection Can Be Disabled by Direct Service Table Restoration

    KPF's Application Security feature is implemented by hooking several native APIs in kernel-space by modifying entries within the SDT ServiceTable. This means that a malicious program can disable this security feature by restoring the running kernel's SDT ServiceTable with direct writes to \device\physicalmemory. This vulnerability affects only the execution protection feature of KPF4, the firewall feature of KPF4 remains intact.

  22. Gaucho 1.4 Email Client has Buffer Overflow Vulnerability when Receiving Email Headers with Abnormally Long Content-Type Field

    Gaucho is an email client developed by NakedSoft for Microsoft Windows platforms. It supports SMTP, POP3 and other email delivery protocols. Gaucho version 1.4 Build 145 is vulnerable to a buffer overflow that is triggered when it receives, from the POP3 server, a specially crafted email with an abnormally long string in the Content-Type field of the email header.

  23. Buffer overflow in Ultra Mini Httpd Server

    Ultra Mini Httpd is an HTTP server released by Dip.PicoLix for Windows platforms. It is small, easy to configure, and supports CGI. Ultra Mini Httpd version 1.21 has a buffer overflow vulnerability that may be exploited to crash the server or to execute arbitrary code.

  24. Buffer overflow in SapporoWorks BlackJumboDog FTP server

    SapporoWorks BlackJumboDog is an integrated open-source proxy server, web server and FTP server developed by SapporoWorks for Microsoft Windows platforms. BlackJumboDog version 3.6.1 is vulnerable to a buffer overflow in its FTP server. By sending a specially crafted FTP request containing an overly long parameter string in the USER, PASS, RETR, CWD, XMKD, XRMD or various other commands, a remote attacker could cause a stack overflow and execute arbitrary code.

  25. Disabling Sebek Win32 Client by Direct Service Table Restoration

    Sebek is a data capture tool designed to capture the attacker's activities on a honeypot, without the attacker (hopefully) knowing it. Sebek works by hooking several native APIs in kernel-space to log all console outputs and to hide itself. This advisory shows that it is possible for a malicious program to disable Sebek's console logging and hiding ability by restoring the running kernel's SDT ServiceTable with direct writes to \device\physicalmemory.

  26. MS04-022 POC Exploit - Microsoft Windows XP Task Scheduler Overflow Exploit

    Released : 15 July 2004
    Jobs that are scheduled using the Windows Task Scheduler are saved as .job files in the %windir%\tasks folder. Each .job file contains the filename of the task to be executed by the task scheduler. A specially crafted .job file containing an overly long task filename triggers a classic stack overflow, and a jmp esp returns control into the shellcode. The POC exploit demonstrates this by creating a .job file that triggers the vulnerability and spawns the harmless notepad.exe.
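
    The pattern behind item 26 and, by their descriptions, the other stack overflows in this list (items 1, 2, 10, 22, 23 and 24): a length-prefixed string from a file or network message copied into a fixed-size stack buffer, shown vulnerable and hardened side by side as an added example in C. The record layout, buffer size and fixtures are constructed for illustration; they are not the real .job format or the Task Scheduler's code, whose layout and buffer sizes the advisory does not give.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout for this example (not the real .job format):
   a 16-bit little-endian byte count followed by that many bytes. */
#define NAME_BUF 64

/* VULNERABLE pattern: the on-disk count is trusted and used as the copy
   size into a fixed stack buffer.  A count above NAME_BUF-1 overwrites
   whatever follows name[] on the stack, including the saved return
   address.  Shown for comparison only; nothing in this file calls it. */
bool read_name_unsafe(const uint8_t *rec, size_t reclen, char *dst)
{
    char name[NAME_BUF];
    uint16_t n;
    if (reclen < 2)
        return false;
    n = (uint16_t)(rec[0] | (rec[1] << 8));
    memcpy(name, rec + 2, n);          /* n is attacker-controlled */
    name[n] = '\0';
    strcpy(dst, name);
    return true;
}

/* Hardened version: the declared count must fit both the record that was
   actually read and the destination buffer.  Over-long names are rejected
   rather than silently truncated, which would hide tampering. */
bool read_name_safe(const uint8_t *rec, size_t reclen, char *dst, size_t dstsz)
{
    if (reclen < 2)
        return false;
    uint16_t n = (uint16_t)(rec[0] | (rec[1] << 8));
    if ((size_t)n + 2 > reclen)        /* count exceeds what was read */
        return false;
    if ((size_t)n >= dstsz)            /* leave room for the terminator */
        return false;
    memcpy(dst, rec + 2, n);
    dst[n] = '\0';
    return true;
}

/* Fixture: build a record with a declared count and an actual payload
   length (they differ for the truncated case) in a static buffer and
   return the record's total length. */
static uint8_t g_rec[4096];

size_t build_record(uint16_t declared, size_t payload, char fill)
{
    g_rec[0] = (uint8_t)(declared & 0xff);
    g_rec[1] = (uint8_t)(declared >> 8);
    memset(g_rec + 2, (unsigned char)fill, payload);
    return 2 + payload;
}

/* Parse the name from g_rec with the hardened parser; NULL on rejection. */
const char *name_from_record(size_t reclen)
{
    static char out[NAME_BUF];
    return read_name_safe(g_rec, reclen, out, sizeof out) ? out : NULL;
}

int main(void)
{
    size_t n = build_record(11, 11, 'n');          /* an ordinary short name */
    printf("11 bytes : %s\n", name_from_record(n) ? name_from_record(n) : "rejected");
    n = build_record(300, 300, 'A');               /* the over-long shape */
    printf("300 bytes: %s\n", name_from_record(n) ? "accepted" : "rejected");
    n = build_record(50, 5, 'B');                  /* count lies about the file */
    printf("50/5     : %s\n", name_from_record(n) ? "accepted" : "rejected");
    return 0;
}
```

    Two bounds matter, not one: the count against the destination (the overflow in item 26) and the count against the bytes actually present (otherwise a short, truncated file makes the parser read past its own input).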

  27. DiamondCS Process Guard Can Be Disabled by Direct Service Table Restoration

    DiamondCS Process Guard is an advanced Win32 security system that protects both system and security processes (as well as user-defined processes) from attacks by other processes, services, drivers, and other forms of executing code on your system. Process Guard protects a running process by hooking several native APIs in kernel-space. However, an implementation flaw allows a malicious program to disable Process Guard's protection by restoring the running kernel's SDT ServiceTable with direct writes to \device\physicalmemory.

  28. Aztech DSL305E ADSL Ethernet Bridge/Router may be crashed by sending a specially crafted HTTP request to its web management port.

    The Aztech ADSL Ethernet Bridge Modem DSL305E is a standards-based ADSL modem targeted at residential users, either a single user or multiple users connected through a cable/DSL router. The DSL305E supports web-based device management on port 80. A flaw in its implementation allows an attacker to crash the device by sending a specially crafted HTTP request to this port. In addition, it was found that the DSL305E (with firmware 21.6.3) has an undocumented logon account with username "user" and no password. The DSL305EU may also be affected by this vulnerability.

  29. Buffer overflow in Compex NetPassage 15's Management Console

    Compex NetPassage 15 (NP15) is a 5-Port BroadBand Internet Gateway manufactured by Compex. NP15 allows device management either through a web interface or using telnet. A buffer overflow condition exists in NP15's telnet management service that may be exploited by an authenticated user to deny access to the service.

  30. Detecting Sebek Win32 Client

    Sebek is a data capture tool designed to capture the attacker's activities on a honeypot, without the attacker (hopefully) knowing it. This advisory shows that it is possible for an attacker to detect the presence of Sebek on a Win32 honeypot using various techniques.
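
    The idea shared by items 18, 21, 25, 27 and 30 (a ServiceTable entry that points outside ntoskrnl's image has been redirected, and writing the original addresses back removes the hook), as an added example in C that is not code from any of those advisories. The real implementation reads the table from kernel memory through \Device\PhysicalMemory and takes the original addresses from ntoskrnl.exe on disk; this model keeps both in constructed arrays with hypothetical addresses so the detection and restore logic can be run anywhere.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the first system service table (the ntoskrnl entry of
   KeServiceDescriptorTable): an array of service routine addresses plus
   the bounds of the loaded kernel image.  Everything here is constructed. */
#define NSVC 8

typedef struct {
    uintptr_t image_base;   /* where ntoskrnl.exe is loaded */
    uintptr_t image_size;   /* size of the loaded kernel image */
    uintptr_t table[NSVC];  /* live ServiceTable */
} ssdt_model;

/* A service entry that points outside the kernel image has been redirected
   into some other module (a driver such as Sebek's or a HIPS product's).
   Returns the number of such entries and writes their indices to idx. */
int find_redirected(const ssdt_model *m, int *idx, int max)
{
    int found = 0;
    for (int i = 0; i < NSVC; i++) {
        uintptr_t a = m->table[i];
        bool in_kernel = a >= m->image_base && a < m->image_base + m->image_size;
        if (!in_kernel) {
            if (found < max)
                idx[found] = i;
            found++;
        }
    }
    return found;
}

/* Write the pristine addresses back.  Returns how many entries changed. */
int restore_table(ssdt_model *m, const uintptr_t *pristine)
{
    int changed = 0;
    for (int i = 0; i < NSVC; i++) {
        if (m->table[i] != pristine[i]) {
            m->table[i] = pristine[i];
            changed++;
        }
    }
    return changed;
}

/* Scenario used by main() and the tests: a kernel at a hypothetical base,
   with two services hooked into a driver loaded elsewhere.  Returns the
   number of redirected entries found, after restoring if do_restore. */
int scenario(bool do_restore)
{
    ssdt_model m = { .image_base = 0x804d7000u, .image_size = 0x1f0000u };
    uintptr_t pristine[NSVC];
    for (int i = 0; i < NSVC; i++)
        pristine[i] = m.image_base + 0x1000u * (uintptr_t)(i + 1);
    for (int i = 0; i < NSVC; i++)
        m.table[i] = pristine[i];
    /* Hooking driver at a hypothetical 0xf8a0xxxx: slots 3 and 5 redirected. */
    m.table[3] = 0xf8a01230u;
    m.table[5] = 0xf8a01a40u;

    int idx[NSVC];
    if (do_restore)
        restore_table(&m, pristine);
    return find_redirected(&m, idx, NSVC);
}

int main(void)
{
    printf("redirected entries before restore: %d\n", scenario(false));
    printf("redirected entries after restore : %d\n", scenario(true));
    return 0;
}
```

    Two caveats the advisories themselves work around: the range test is a heuristic (legitimate security products hook the same table, and a hook could be parked inside an unused kernel region), and the pristine values must come from the on-disk image with relocations applied, not from a remembered copy. Windows Server 2003 SP1 and later remove user-mode access to \Device\PhysicalMemory, and 64-bit Windows guards the table with Kernel Patch Protection, so the technique is specific to the 32-bit systems these advisories cover.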

  31. Sygate Personal Firewall PRO's Driver May be Disabled Locally by Malicious Programs

    SPFP has a fail-close feature that can be enabled to block all traffic when the firewall service is not running. Hence, if a malicious program kills the firewall service (smc.exe), all traffic will be blocked. However, a flaw in SPFP's driver implementation may be exploited locally to disable this protection.

  32. Winzip32 MIME parsing overflow exploit

    This is a PoC exploit for the WinZip32 MIME parsing overflow reported by iDefense on 27 February 2004. It was released by Snooq and acknowledged under SIG^2, and gives a picture of some of the interesting work that we will be doing in our new lab!

Contacts

For further enquiries, comments, suggestions or bug reports, simply email them to us. If you have discovered any new vulnerabilities, or have created a new POC exploit, and would like to publish your results here, you are welcome to send your report to the email address below.

Overall-in-charge: Tan Chew Keong


Updated: 02/06/2005
webmaster@security.org.sg