Serv-U FTP Server Long Filename Stack Overflow Vulnerability

Application: Serv-U
Affected Versions: All versions prior to 4.2 (include
Vendor: RhinoSoft (
URL:

Vulnerability:
An internal memory buffer may be overrun while handling the "site chmod" command with a filename containing excessive data. This condition may be exploited by attackers to ultimately execute instructions with the privileges of the Serv-U process, typically administrator or system.

Details:
While executing chmod on a nonexistent file, Serv-U calls sprintf to construct the response string. The code is like:

    sprintf(dst, "%s: No such file or directory.", filename);

The dst buffer is only 256 bytes long. If a long filename is sent, Serv-U will crash. A writable directory is needed to exploit this vulnerability. By overwriting the SEH, we successfully created a proof-of-concept exploit on win2k/xp.

Solution:
Upgrade to Serv-U 5.0.

Credits:
kkqq <> has independently discovered this vulnerability.
All members of SST ( lgx and eyas.
Rob Beckers for identifying and fixing this vulnerability.

About SST:
Do we really exist?

icbm
2004-01-24
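
The sprintf call quoted under Details, rewritten with a length check. This is an added example, not Serv-U's code or the vendor's fix. The names RESP_BUF_LEN, resp_bytes_needed and format_no_such_file are hypothetical, and a C99 snprintf is assumed.

```c
#include <stdio.h>
#include <string.h>

#define RESP_BUF_LEN 256  /* size of dst as stated in the advisory */
#define RESP_FMT "%s: No such file or directory."

/* Bytes the unbounded sprintf() would write into dst, NUL included. */
size_t resp_bytes_needed(const char *filename)
{
    /* snprintf(NULL, 0, ...) only measures; nothing is written. */
    int n = snprintf(NULL, 0, RESP_FMT, filename);
    return n < 0 ? 0 : (size_t)n + 1;
}

/*
 * Bounded replacement for the sprintf() call. Returns 0 when the full
 * reply fits in dst, -1 when it does not; in that case dst holds a fixed
 * error string and no attacker-supplied bytes.
 */
int format_no_such_file(char *dst, size_t dstlen, const char *filename)
{
    int n;

    if (dst == NULL || dstlen == 0 || filename == NULL)
        return -1;
    n = snprintf(dst, dstlen, RESP_FMT, filename);
    if (n < 0 || (size_t)n >= dstlen) {
        /* Reply would be truncated: reject rather than send part of it. */
        snprintf(dst, dstlen, "Filename too long.");
        return -1;
    }
    return 0;
}

int main(void)
{
    char dst[RESP_BUF_LEN];
    char longname[400];  /* constructed sample input, 399 'A' bytes */
    int rc;

    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    rc = format_no_such_file(dst, sizeof dst, "readme.txt");
    printf("short: rc=%d reply=\"%s\"\n", rc, dst);
    printf("long:  sprintf would need %zu bytes, dst has %d\n",
           resp_bytes_needed(longname), RESP_BUF_LEN);
    rc = format_no_such_file(dst, sizeof dst, longname);
    printf("long:  rc=%d reply=\"%s\"\n", rc, dst);
    return 0;
}
```

The fixed part of the reply is 28 bytes, so with a 256-byte dst the longest filename that still fits is 227 bytes.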