The objectives of the G-TEC Software Vulnerability Research Project are to discover new vulnerabilities and
weaknesses in software products, and to develop proof-of-concept (POC) exploits to demonstrate these
vulnerabilities. The aim of this project is to create awareness of common software limitations and
modes-of-failure, and to encourage the development of more robust and secure software. We adopt
vulnerability research best practices and will inform the vendor of any critical vulnerabilities
before making any public disclosures.
- SPA-PRO Mail @Solomon IMAP Server Directory Traversal and Buffer Overflow Vulnerabilities
A directory traversal vulnerability was found in SPA-PRO Mail @Solomon's IMAP service. This vulnerability may be exploited by a malicious user to view other users' email, create arbitrary directories on the server, delete empty directories on the server, and/or rename directories on the server. A buffer overflow vulnerability also exists. This vulnerability is triggered when the IMAP service receives an overly long folder name in the CREATE command. This vulnerability may be exploited to crash the IMAP service or to execute arbitrary code.
- FutureSoft TFTP Server 2000 Buffer Overflow and Directory Traversal Vulnerabilities
A buffer overflow vulnerability was found in FutureSoft TFTP Server 2000. This vulnerability may be exploited by a malicious user to crash the server or to execute arbitrary code with LOCAL SYSTEM privilege. A directory traversal vulnerability also exists. This vulnerability may be exploited to retrieve files outside the TFTP root directory.
- Fastream NETFile FTP/Web Server DoS Vulnerability
The default installation of NETFile FTP does not validate the IP address supplied in a PORT command. This may be exploited to perform an FTP bounce attack from the server. It may also be exploited by a user with upload privilege to cause a Denial-of-Service (DoS) on the server.
- Orenosv HTTP/FTP Server Buffer Overflow Vulnerabilities
Orenosv HTTP/FTP Server is a stable, reliable and high performance HTTP/FTP/FTPS server that can operate 24H/365D. Orenosv runs on Windows platforms (NT, 2000, XP and 2003) and Linux x86.
A remote buffer overflow vulnerability was found in Orenosv's FTP server. This vulnerability may be exploited by a malicious user to crash the server. A buffer overflow vulnerability also exists in the SSI module of Orenosv's HTTP server. This overflow may be triggered using a specially crafted SSI file (.shtml).
- NetWin DMail Server Two Vulnerabilities
An authentication bypass vulnerability was found in DMail's mailing list server (dlist.exe). This vulnerability may be remotely exploited to view logs generated by the mailing list server (dlist.exe) or to shut it down. The second vulnerability is a format string vulnerability in the admin commands of dsmtp.exe.
- Fastream NETFile FTP/Web Server Directory Traversal Vulnerability
Fastream NETFile FTP/Web Server is a secure FTP server and Web server combined together in one program. It claims to be the "easiest to setup and administer server" on the Internet.
A directory traversal vulnerability was found in NETFile FTP's web interface. This vulnerability may be exploited by a user with file upload/delete privileges to upload/delete files outside the FTP root, or by a user with directory create/remove privileges to create/remove directories outside the FTP root.
- AN HTTPD Server cmdIS.DLL Buffer Overflow and LogFile Arbitrary Character Injection Vulnerabilities
AN HTTPD Server is web server software for Windows 95/98/Me/NT/2000/XP platforms. It is easy to use and install, and supports SSI and CGI. It is suitable for anyone who wants to set up a personal homepage using one's home PC, and it works even over dial-up connections.
A buffer overflow vulnerability was found in the cmdIS.DLL plugin supplied with AN HTTPD. This vulnerability may be exploited to crash the server or to execute arbitrary code. In addition, AN HTTPD does not filter the received URI before writing it out to the logfile. Hence, it is possible to inject arbitrary characters into its logfile. This may be exploited to corrupt the logfile or to inject fake entries. In particular, it may be possible to inject commands into the logfile that can be executed by the cmdIS.DLL plugin.
- SurgeFTP LEAK Command Denial-Of-Service Vulnerability
SurgeFTP is an FTP server with SSL/TLS security, easy management and cross platform support. It is available for Windows, Solaris and Linux. A denial-of-service vulnerability was found in SurgeFTP, which may be exploited to crash the server or to prevent it from correctly serving files.
- SurgeMail Webmail Attachment Upload and XSS Vulnerabilities
A vulnerability was found in SurgeMail's Webmail file attachment upload feature. This vulnerability may be exploited by a malicious Webmail user to upload files to certain locations on the server, obtain file listings of certain directories, and/or send certain files on the server to him/herself. Two XSS vulnerabilities were also found.
- RaidenHTTPD Server Buffer Overflow and CGI Source Disclosure Vulnerabilities
RaidenHTTPD Server is full-featured web server software for Windows 98 / Me / 2000 / XP / 2003 platforms. It is easy to use and install, and is designed for anyone who wants to have a website running within minutes. A CGI source code disclosure vulnerability was found in RaidenHTTPD that may be exploited to obtain the source code of any PHP script on the server. A buffer overflow vulnerability was also found that may be remotely exploited to cause a DoS or to execute arbitrary code.
- ArGoSoft Mail Server Webmail Multiple Directory Traversal Vulnerabilities
Multiple directory traversal vulnerabilities were found in ArGoSoft Mail Server's Webmail that may be exploited by a logged-on mail user to upload files to arbitrary directories on the server, retrieve arbitrary files from the server, access other users' emails, and create/delete arbitrary directories on the server.
- 602LAN SUITE Web Mail Vulnerability Allows File Upload to Arbitrary Directories
A directory traversal vulnerability was found in 602LAN SUITE's Web Mail file attachment upload feature that may be exploited to upload files to arbitrary locations on the server. A malicious mail user may upload an EXE file to the /cgi-bin directory of the server, and execute it by requesting the URL of the uploaded EXE file.
- DeskNow Mail and Collaboration Server Directory Traversal Vulnerabilities
A directory traversal vulnerability was found in DeskNow's webmail file attachment upload feature that may be exploited to upload files to arbitrary locations on the server. A malicious webmail user may upload a JSP file to the script directory of the server, and execute it by requesting the URL of the uploaded JSP file. A second directory traversal vulnerability exists in the document repository file delete feature. This vulnerability may be exploited to delete arbitrary files on the server.
- Magic Winmail Server v4.0 Multiple Vulnerabilities
Multiple vulnerabilities were found in Magic Winmail Server's Webmail service, IMAP service and FTP service. Winmail Server's PHP-based Webmail has vulnerabilities that may be exploited to download arbitrary files from the server, to upload files to arbitrary directories, and to conduct Cross-Site Scripting (XSS) attacks. A directory traversal vulnerability in Winmail Server's IMAP service gives a malicious user the ability to read arbitrary users' emails, create/delete arbitrary directories on the server, and/or retrieve arbitrary files from the server. In addition, Winmail Server's FTP service does not validate the IP address supplied in a PORT command. This may be exploited to perform a port scan from the FTP server.
- NodeManager Professional V2.00 Buffer Overflow Vulnerability
NodeManager Professional is a network management and monitoring tool. It receives SNMPv1 traps and displays
them on screen and writes them to a log file. NodeManager Professional V2.00 has a stack overflow vulnerability
that can be exploited by sending a specially crafted SNMPv1 trap.
- singapore Image Gallery Web Application v0.9.10 Multiple Vulnerabilities
singapore is yet another open source PHP based image gallery web application. What makes singapore different
from the hundreds of other similar scripts is that it is specifically geared towards displaying art in an
aesthetically pleasing fashion using a clean, uncluttered interface. Multiple vulnerabilities were found in the
image gallery web application including arbitrary file download, directory deletion and Cross-Site Scripting (XSS).
- CMailServer WebMail v5.2 Multiple Vulnerabilities
CMailServer is a small and easy-to-use Mail Server software and Web Mail software. It enables you to send and
receive emails across the Internet or within the LAN and has support for client email applications such as
Outlook, Eudora etc. CMailServer supports Hotmail-like Web Mail service based on ASP scripts. Multiple
vulnerabilities were found in CMailServer's Web Mail service including buffer overflow, SQL Injection and
Cross-Site Scripting (XSS).
- Prevx Home v1.0 Intrusion Prevention Features Can Be Disabled by Direct Service Table Restoration
Prevx Home is a state-of-the-art Host Intrusion Prevention Software that is designed to protect the user against
the next Zero Day Hacker attacks, Internet Worms and Spyware Installation without expecting the user to perform
constant updates to their system.
Prevx Home's registry and buffer overflow protection features are implemented by hooking several native APIs
in kernel-space, which is done by modifying entries within the SDT ServiceTable. This means that a malicious
program with Administrator privilege can disable these features by restoring the running kernel's SDT
ServiceTable with direct writes to \device\physicalmemory.
- 04WebServer Three Vulnerabilities
04WebServer is an HTTP server developed by Soft3304 for Windows platforms. It is an easy-to-configure
personal HTTP server that supports CGI, SSI, WebDAV and SSL/TLS. This advisory documents three vulnerabilities
that were found in version 1.42 of 04WebServer: an XSS vulnerability, lack of character filtering
when writing to the log file, and a potential server restart problem after requesting a DOS device in the URL.
- Directory Traversal Vulnerability in TwinFTP Server allows overwriting of files outside FTP directory
TwinFTP Server is an FTP server released by Jigunet Corporation for the Windows platform. A vulnerability exists
in TwinFTP Server that allows a malicious user to access files outside the FTP directory. This vulnerability may
also be exploited to bypass directory restrictions enforced by the FTP server and write arbitrary files into
directories that the server process has access to.
- Kerio Personal Firewall's Application Launch Protection Can Be Disabled by Direct Service Table Restoration
KPF's Application Security feature is implemented by hooking several native APIs in kernel-space, which is done
by modifying entries within the SDT ServiceTable. This means that a malicious program can disable this security
feature by restoring the running kernel's SDT ServiceTable with direct writes to \device\physicalmemory. This
vulnerability affects only the execution protection feature of KPF4; the firewall feature of KPF4 remains intact.
- Gaucho 1.4 Email Client has Buffer Overflow Vulnerability when Receiving Email Headers with Abnormally Long Content-Type Field
Gaucho is an email client developed by NakedSoft for Microsoft Windows platforms. Gaucho supports SMTP,
POP3 and other email delivery protocols. Gaucho version 1.4 Build 145 is vulnerable to a buffer overflow
that is triggered if Gaucho receives, from the POP3 server, a specially crafted email that has an abnormally
long string in the Content-Type field of the email header.
- Buffer overflow in Ultra Mini Httpd Server
Ultra Mini Httpd is an HTTP server released by Dip.PicoLix for Windows platforms. It is small, easy to configure,
and supports CGI. Ultra Mini Httpd version 1.21 has a buffer overflow vulnerability that may be exploited to
crash the server or to execute arbitrary code.
- Buffer overflow in SapporoWorks BlackJumboDog FTP server
SapporoWorks BlackJumboDog is an integrated open-source proxy server, web server and FTP server developed
by SapporoWorks for Microsoft Windows platforms. BlackJumboDog version 3.6.1 is vulnerable to a buffer
overflow in its FTP server. By sending a specially crafted FTP request containing an overly long parameter
string in the USER, PASS, RETR, CWD, XMKD, XRMD or various other commands, a remote attacker could cause a
stack overflow and execute arbitrary code.
- Disabling Sebek Win32 Client by Direct Service Table Restoration
Sebek is a data capture tool designed to capture the attacker's activities on a honeypot, without the
attacker (hopefully) knowing it. Sebek works by hooking several native APIs in kernel-space to log all
console outputs and to hide itself. This advisory shows that it is possible for a malicious program to
disable Sebek's console logging and hiding ability by restoring the running kernel's SDT ServiceTable
with direct writes to \device\physicalmemory.
- MS04-022 POC Exploit - Microsoft Windows XP Task Scheduler Overflow Exploit
Released : 15 July 2004
Jobs that are scheduled using the Windows Task Scheduler are saved to .job files in the %windir%\tasks folder.
Each .job file contains the filename of the task to be executed by the task scheduler. A specially crafted
.job file containing an overly long task filename will trigger a classic stack overflow. A jmp esp will
land us back into the shellcode. The POC exploit demonstrates this by creating a .job file that triggers this
vulnerability and spawns the harmless notepad.exe.
- DiamondCS Process Guard Can Be Disabled by Direct Service Table Restoration
DiamondCS Process Guard is an advanced Win32 security system that protects both system and security processes
(as well as user-defined processes) from attacks by other processes, services, drivers, and other forms of
executing code on your system.
Process Guard protects a running process by hooking several native APIs in kernel-space. However, an
implementation flaw allows a malicious program to disable Process Guard's protection by restoring the
running kernel's SDT ServiceTable with direct writes to \device\physicalmemory.
- Aztech DSL305E ADSL Ethernet Bridge/Router may be crashed by sending a specially crafted HTTP request to its web management port.
Aztech ADSL Ethernet Bridge Modem DSL305E is a standards-based ADSL modem targeted at residential users,
either for a single user or for multiple users via connection to Cable/DSL routers.
DSL305E supports web-based device management on port 80. A flaw in its implementation allows an attacker
to crash the device by sending a specially crafted HTTP request to this port. In addition, it was found that
DSL305E (with firmware 21.6.3) has an undocumented logon account with username "user" and no password.
DSL305EU may also be affected by this vulnerability.
- Buffer overflow in Compex NetPassage 15's Management Console
Compex NetPassage 15 (NP15) is a 5-Port BroadBand Internet Gateway manufactured by Compex. NP15 allows device
management either through a web interface or using telnet. A buffer overflow condition exists in NP15's telnet
management service that may be exploited by an authenticated user to deny access to the service.
- Detecting Sebek Win32 Client
Sebek is a data capture tool designed to capture the attacker's activities on a honeypot, without the
attacker (hopefully) knowing it. This advisory shows that it is possible for an attacker to detect the
presence of Sebek on a Win32 honeypot using various techniques.
- Sygate Personal Firewall PRO's Driver May be Disabled Locally by Malicious Programs
SPFP has a fail-close feature that can be enabled to block all traffic when the firewall service is not running.
Hence, if a malicious program kills the firewall service (smc.exe), all traffic will be blocked. However, a
flaw in SPFP's driver implementation may be exploited locally to disable this protection.
- Winzip32 MIME parsing overflow exploit
This is a PoC exploit for the WinZip32 MIME Parsing Overflow bug reported by iDefense on 27 February 2004.
Released by Snooq and acknowledged under SIG^2, this is a picture of some of the interesting work that we
will be doing in our new lab!
For further enquiries, comments, suggestions or bug reports, simply email them to us. If you have discovered
any new vulnerabilities, or have created a new POC exploit, and would like to publish your results here,
you are welcome to send your report to the following email address.
Overall-in-charge: Tan Chew Keong