Vulnerability in 3Com 3CServer v1.1

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Vulnerability in 3Com 3CServer v1.1
From: mandragore <mandragore@xxxxxxxxx>
Date: Mon, 7 Feb 2005 18:15:25 +0100
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type; b=mCESKH1Ke9YVJM0Nwkf2O0hVHhROqVWKlgVsd0mbdNqChffLNnfLBl9/1dYU83F7tc8AXhAgQKdDcrHQqwU/WEzPtfY7hwkD+02uRxWdn56VTSs1sE9qC5yTlsjE4NuskRABwX+8m2BJzVbo//n8L0s4hp6HDeYVpKnAv5ZYObs=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Reply-to: mandragore <mandragore@xxxxxxxxx>

Object:
Vulnerability in 3CServer v1.1, free utility for windows32, from 3Com.

Details:
While old, this free utility is still proposed from the 3Com site, so
it's worth mentionning this.
There are buffer overflows in many of the FTP commands supported,
leading to various heap overflows.
The application has a TFTP server as well, that might be vulnerable
too but I didn't check.
To be able to make use of the vulnerability one needs to be authentificated,
but the anonymous account is sufficient and created by default.

I don't know if any fix will be ever released, 3Com didn't bother answering me.

mandragore

Attachment: 3csploit.c
Description: Binary data

Prev by Date: DMA[2005-0131a] - 'Setuid Perl PERLIO_DEBUG root owned file creation'
Next by Date: DMA[2005-0131b] - 'Setuid Perl PERLIO_DEBUG buffer overflow'
Previous by thread: DMA[2005-0131a] - 'Setuid Perl PERLIO_DEBUG root owned file creation'
Next by thread: DMA[2005-0131b] - 'Setuid Perl PERLIO_DEBUG buffer overflow'
Index(es):
- Date
- Thread