CVE-2004-0330
Published: 2004-11-23
CVE-2004-0330: Buffer overflow in Serv-U ftp before 5.0.0.4 allows remote authenticated users to execute arbitrary code via a long time zone argument to the MDTM command.
Priority: P3 · 59 · CVSS 2.0 base score: 10 (critical)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C (note that the vector scores Au:N, although the description and every exploit listed below require a valid FTP login)
Exploit: public exploit code available (Exploit-DB and Metasploit entries below)
EPSS: 85.47% (99.7th percentile)
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| solarwinds | serv-u_file_server | <= 5.0.0.0 | — |
The remaining 8 ranges are indexed for solarwinds / serv-u_file_server without any version or fix data. The fix version given in the CVE description is 5.0.0.4.
Detection & IOCs (extracted from the sources below)
Bytes (shellcode decoder stub quoted from the exploit code):
\x90\x90\x90\x5E\x5F\x5B\xBE\x52\x52\x49\x41\x46\xBF\x52\x52\x31\x41\x47\x43\x39\x3B\x75\xFB\x4B\x80\x33\x99\x39\x73\xFC\x75\xF7\xFF\xD3\x90\x90
- Detect exploit attempts by matching FTP MDTM commands containing a timestamp followed by '+' and a long timezone argument (overflow pattern). The timestamp prefix '200[34]1111111111+' followed by a large buffer is a reliable signature across all known PoC variants.
- The Metasploit exploit uses bad-char filtering; the payload avoids the bytes \x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e. FTP traffic containing MDTM with a long timezone argument whose bytes contain none of these is highly suspicious.
- Banner-based detection: FTP banners matching 'Serv-U FTP Server v4.1', 'Serv-U FTP Server v5.0', or 'Serv-U FTP Server v4.0' indicate potentially vulnerable versions. v5.0.0.4 and later are patched.
- The exploit requires prior authentication (valid username and password). Monitor for authenticated FTP sessions immediately followed by anomalously long MDTM commands as a lateral-movement or post-auth exploitation indicator.
- The Metasploit module uses an SEH-based overflow with a default SEHOffset of 47 bytes from the start of the timezone argument. The SEH overwrite return addresses 0x00401877, 0x0040164d, and 0x0040167e in ServUDaemon.exe are specific to exploitable builds.
- The ex_servu.c exploit uses a connect-back or rebind shellcode; after exploitation, watch for ServUDaemon.exe spawning outbound TCP connections or binding a new listener port (shellport), which is configurable by the attacker.
- The exploited service crashes after shellcode execution ('single hit'). A sudden crash of ServUDaemon.exe immediately following an authenticated MDTM command with a long argument is a strong post-exploitation indicator.
- The bug affects all Serv-U versions prior to 5.0.0.4. The Metasploit exploit only reliably works against versions 4.0.0.4, 4.1.0.0, 4.1.0.3, and 5.0.0.0; other sub-versions in the vulnerable range may not be exploitable with this specific module.
- Version 4.0.0.4 requires \xff byte doubling in the encoded payload. The Metasploit module auto-detects this by sending a 'P@SW' command and checking for a 500 response; manual exploits must account for this transformation.
- The vendor changelog for 5.0.0.4 downplayed the fix. The vendor's own FTP server (rhinosoft.com) was running ProFTPD at the time of disclosure, not Serv-U.
Suricata: GPL FTP invalid MDTM command attempt (sid 2102416, created 2010-09-23; tagged CVE-2001-1021, also references CVE-2004-0330)
Rule: alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP invalid MDTM command attempt"; flow:established,to_server; content:"MDTM"; fast_pattern; nocase; pcre:"/^MDTM \d+[-+]\D/smi"; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; classtype:attempted-admin; sid:2102416; rev:9; metadata:created_at 2010_09_23, cve CVE_2001_1021, signature_severity Unknown, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08;)
Suricata: GPL FTP MDTM overflow attempt (sid 2102546, created 2010-09-23; tagged CVE-2001-1021, also references CVE-2004-0330)
Rule: alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP MDTM overflow attempt"; flow:established,to_server; content:"MDTM"; nocase; isdataat:100,relative; pcre:"/^MDTM\s[^\n]{100}/smi"; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; reference:nessus,12080; classtype:attempted-admin; sid:2102546; rev:8; metadata:created_at 2010_09_23, cve CVE_2001_1021, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08;)
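The IOC list and the two Suricata signatures above describe the same handful of checks: a timestamp followed by a sign and a non-digit (sid 2102416), an MDTM argument of 100 or more bytes (sid 2102546), the PoC prefix followed by a large buffer, a payload free of the Metasploit bad characters, and a banner version below 5.0.0.4. The following is an added example, not code from this page or from any of the exploit authors, that applies those checks to individual FTP command lines so they can be exercised offline. The sample lines and banners are constructed, and the use of the 47-byte SEH offset as a "long enough to matter" threshold is an assumption made here.

```python
import re

# Added example: the checks from the IOC list and the two Suricata rules above,
# applied to single FTP command lines. Not code from the page or the exploit
# authors; the threshold choice and the sample inputs are assumptions.

# Bad characters the Metasploit module avoids (quoted in the IOC list).
BADCHARS = b"\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e"

# Default SEHOffset of the Metasploit module (IOC list), used here only as the
# minimum argument length worth flagging (assumption).
SEH_OFFSET = 47

# Same expressions as sid 2102416 and sid 2102546, per line rather than per stream.
INVALID_MDTM = re.compile(rb"^MDTM \d+[-+]\D", re.I)
MDTM_LONG = re.compile(rb"^MDTM\s[^\n]{100}", re.I)
# Timestamp prefix shared by the public PoCs, as quoted in the IOC list.
POC_PREFIX = re.compile(rb"^MDTM 200[34]1111111111\+", re.I)

BANNER = re.compile(rb"Serv-U FTP Server v(\d+(?:\.\d+)*)", re.I)
FIXED = (5, 0, 0, 4)


def mdtm_hits(line):
    """Names of the checks that fire on one client->server FTP command line."""
    line = line.rstrip(b"\r\n")
    hits = []
    if INVALID_MDTM.match(line):
        hits.append("invalid_mdtm")          # sid 2102416: sign followed by a non-digit
    if MDTM_LONG.match(line):
        hits.append("mdtm_overflow_len")     # sid 2102546: 100+ bytes after "MDTM "
    m = POC_PREFIX.match(line)
    if m:
        payload = line[m.end():]
        if len(payload) >= SEH_OFFSET:
            hits.append("poc_prefix_long_buffer")
            # Encoded shellcode from the module contains none of BADCHARS;
            # a real path argument almost always contains a space, '.' or '/'.
            if not any(b in payload for b in BADCHARS):
                hits.append("badchar_free_payload")
    return hits


def banner_status(banner):
    """Classify a 220 banner as vulnerable, patched, indeterminate or not_serv_u."""
    m = BANNER.search(banner)
    if not m:
        return "not_serv_u"
    parts = tuple(int(p) for p in m.group(1).split(b"."))
    padded = parts + (0,) * (4 - len(parts))
    # Serv-U banners usually show only "vX.Y"; "v5.0" covers both 5.0.0.0
    # (vulnerable) and 5.0.0.4 (fixed), so it cannot be decided from the banner.
    if len(parts) < 4 and padded[:3] == (5, 0, 0):
        return "indeterminate"
    return "vulnerable" if padded < FIXED else "patched"


# Constructed sample lines (not captured traffic).
SAMPLES = [
    b"USER backup\r\n",
    b"MDTM 20040226120000 readme.txt\r\n",                            # benign set-mtime form
    b"MDTM 20031111111111+" + b"A" * 30 + b"\r\n",                     # PoC prefix, short argument
    b"MDTM 20031111111111+" + bytes(range(0x41, 0x5B)) * 8 + b"\r\n",  # PoC-shaped, 208-byte argument
]

# Constructed banners (the real ones vary by build).
BANNERS = [
    b"220 Serv-U FTP Server v4.1 for WinSock ready...",
    b"220 Serv-U FTP Server v5.0 for WinSock ready...",
    b"220 Serv-U FTP Server v5.0.0.4 for WinSock ready...",
    b"220 ProFTPD 1.2.9 Server ready.",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s[:40], mdtm_hits(s))
    for b in BANNERS:
        print(b, banner_status(b))
```

The two Suricata rules complement each other: sid 2102416 misses a payload whose first byte happens to be a digit, and sid 2102546 misses an argument shorter than 100 bytes, which is why the short PoC-prefixed sample trips only the first check. The banner check deliberately refuses to call "v5.0" vulnerable or patched, since both the last vulnerable build and the fixed build print that string; confirm with the four-part version from the host itself.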
Exploit-DB: RhinoSoft Serv-U FTPd Server - MDTM Overflow (Metasploit) (exploitdb, 2010-09-20, CVE-2004-0330)
---
##
# $Id: servu_mdtm.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

# The class header and the opening of initialize were dropped by the HTML
# extraction (everything between "<" and the first ">"); they are restored
# here from the standard Metasploit 3 module layout. The text is truncated
# below at the same point as the indexed snippet.
class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::Ftp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Serv-U FTPD MDTM Overflow',
      'Description'    => %q{
          This is an exploit for the Serv-U\'s MDTM command timezone
          overflow. It has been heavily tested against versions
          4.0.0.4/4.1.0.0/4.1.0.3/5.0.0.0 with success against
          nt4/2k/xp/2k3. I have also had success against version 3,
          but only tested 1 version/os. The bug is in all versions
          prior to 5.0.0.4, but this exploit will not wor
Exploit-DB: RhinoSoft Serv-U FTPd Server 3.x/4.x/5.x - 'MDTM' Remote Overflow (exploitdb, 2004-02-27, CVE-2004-0330)
---
/* ex_servu.c - Serv-U FTPD 3.x/4.x/5.x "MDTM" Command remote overflow exploit
*
* Copyright (c) SST 2004 All rights reserved.
*
* Public version
*
* BUG find by bkbll ([email protected]), cool! :ppPPppPPPpp :D
*
* code by Sam and 2004/01/07
*
*
*
*
* Revise History:
* 2004/01/14 add rebind shellcode :> we can bind shellport at ftpd port.
* 2004/01/09 connect back shellcode added :)
* 2004/01/08 21:04 upgrade now :), we put shellcode in file parameter
* we can attack patched serv-U;PPPp by airsupply
* 2004/01/08 change shellcode working on serv-u 4.0/4.1/4.2 now
* :D thx airsupply
*
* Compile: gcc -o ex_servu ex_servu.c
*
* how works?
* [root@core exp]# ./sv -h 192.168.10.119 -t 3
* Serv-U FTPD 3.x/4.x MDTM Command re
Exploit-DB: RhinoSoft Serv-U FTPd Server 3/4/5 - 'MDTM' Time Argument Buffer Overflow (3) (exploitdb, 2004-02-26, CVE-2004-0330)
---
// source: https://www.securityfocus.com/bid/9751/info
Serv-U FTP Server has been reported prone to a remote stack based buffer overflow vulnerability when handling time zone arguments passed to the MDTM FTP command.
The problem exists due to insufficient bounds checking. Ultimately an attacker may leverage this issue to have arbitrary instructions executed in the context of the SYSTEM user.
/* serv-u-mdtm-expl.c - Serv-U "MDTM" buffer overflow PoC DoS exploit.
 *
 * This program will send an overly large filename parameter when calling
 * the Serv-U FTP MDTM command. Although arbitrary code execution is
 * possible upon successful execution of this vulnerability, the vendor has
 * not yet released a patch, s
Exploit-DB: RhinoSoft Serv-U FTPd Server 3/4/5 - 'MDTM' Time Argument Buffer Overflow (2) (exploitdb, 2004-02-26, CVE-2004-0330)
---
// source: https://www.securityfocus.com/bid/9751/info
Serv-U FTP Server has been reported prone to a remote stack based buffer overflow vulnerability when handling time zone arguments passed to the MDTM FTP command.
The problem exists due to insufficient bounds checking. Ultimately an attacker may leverage this issue to have arbitrary instructions executed in the context of the SYSTEM user.
/* serv-u-mdtm-expl.c - Serv-U "MDTM" buffer overflow PoC DoS exploit.
*
* This program will send an overly large filename parameter when calling
* the Serv-U FTP MDTM command. Although arbitrary code execution is
* possible upon successful execution of this vulnerability, the vendor has
* not yet released a patch, s
Exploit-DB: RhinoSoft Serv-U FTPd Server 3/4/5 - 'MDTM' Time Argument Buffer Overflow (1) (exploitdb, 2004-02-26, CVE-2004-0330)
---
source: https://www.securityfocus.com/bid/9751/info
Serv-U FTP Server has been reported prone to a remote stack based buffer overflow vulnerability when handling time zone arguments passed to the MDTM FTP command.
The problem exists due to insufficient bounds checking. Ultimately an attacker may leverage this issue to have arbitrary instructions executed in the context of the SYSTEM user.
## Coded by saintjmf
## This exploits Serv-u MDTM buffer overflow - Shutsdown server
## Discovered by bkbll - Info provided by securityfocus
## For exploit to work you need valid username and password
## I do not take responsibility for the use of this code
use IO::Socket qw(:DEFAULT :crlf);
print "Serv-u MDTM Buffer o
Exploit-DB: RhinoSoft Serv-U FTPd Server 3/4/5 - MDTM Command Time Argument Buffer Overflow (4) (exploitdb, 2004-02-26, CVE-2004-0330)
---
// source: https://www.securityfocus.com/bid/9751/info
Serv-U FTP Server has been reported prone to a remote stack based buffer overflow vulnerability when handling time zone arguments passed to the MDTM FTP command.
The problem exists due to insufficient bounds checking. Ultimately an attacker may leverage this issue to have arbitrary instructions executed in the context of the SYSTEM user.
/*
*
* Servu2.c - Serv-U FTPD 2.x/3.x/4.x/5.x "MDTM" Command
* Remote stack buffer overflow exploit
*
* Copyright (C) 2004 HUC All Rights Reserved.
*
* Author : lion
* : [email protected]
* : http://www.cnhonker.com
* Date : 2004-01-07
* Update : 2004-02-24 Who report this bug to Rhino??? Released v5.0.0.4 patc
Metasploit: Serv-U FTPD MDTM Overflow
This is an exploit for the Serv-U\'s MDTM command timezone overflow. It has been heavily tested against versions 4.0.0.4/4.1.0.0/4.1.0.3/5.0.0.0 with success against nt4/2k/xp/2k3. I have also had success against version 3, but only tested 1 version/os. The bug is in all versions prior to 5.0.0.4, but this exploit will not work against versions not listed above. You only get one shot, but it should be OS/SP independent. This exploit is a single hit, the service dies after the shellcode finishes execution.
No writeups or analysis indexed.
References:
- http://marc.info/?l=bugtraq&m=107781164214399&w=2
- http://www.cnhonker.com/advisory/serv-u.mdtm.txt
- http://www.securityfocus.com/bid/9751
- https://exchange.xforce.ibmcloud.com/vulnerabilities/15323