I have discovered a bug in the Sysax Multi-Server application. More specifically, it’s in the HTTP File Server service, which is not enabled by default. It has to be turned on by the admin for this exploit to properly function. The user in question also needs permission to create a directory.

In the Sysax service, the configuration would look like this:

To trigger this vulnerability is pretty simple. Log into the HTTP File Server:

After logging in, click the “Create Folder” link:

In the “Folder Name” textbox, enter 1000 “A”s:

The service will then crash, and have the EIP address overwritten:

I reported this vulnerability to CodeOrigin, the creators of the Sysax Multi-Server on July 26 17:24 PM EDT. Surprisingly, they got back to me at July 27 04:28 AM PDT with a new version available (5.65). Unfortunately this version had the same vulnerability, although the EIP offset was different. After reporting this, they got back to me again at July 28 06:59 AM PDT, stating that a new version was available (5.66). This new version appears to have the vulnerability fixed.

If you’re using Sysax Multi-Server, please upgrade, to prevent attackers from infiltrating your systems.

The exploit can now be found on exploit-db, here, where you can also download the vulnerable version of the software.

Thanks a bunch to @cd1zz and @iMulitia for pointing me to this app!

UPDATE (2012-08-19): The original exploit had an issue with a variable EIP offset, due to the fact that the root folder for the user was part of the stack. I was able to discover a second vulnerability to get the server to disclose the path. This has been incorporated into the new exploit, and works much better. Sysax has released an updated version that is no longer vulnerable to this.