Sysax Multi Server 6.90: CVE-2020-23574

An authenticated user can cause a denial of service in the *Sysax Multi Server v6.90* application by crafting an abnormally long filename in the *uploadfile_name1.htm* form. The form allows the filename="" parameter to have a length of 367 bytes; a filename longer than this will cause the application to crash. The 4 bytes after the 367-byte buffer will overwrite the first 4 bytes of EBX.

CPU state before crash:

before_state.JPG

uploadfile_name1.htm form:

post_form.JPG

CPU state at crash:

crash_state.JPG

edi_esi.JPG

registers_crash.JPG

PoC: Github
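
A detection-side check for the condition described above, added here as an example and not taken from the advisory or from Sysax: it scans a raw HTTP upload request for filename="" values longer than the 367 bytes the form tolerates. The function names, the request path, the form field name and the sample request are constructed for illustration.

```python
import re

# Limit taken from the advisory: filename values of up to 367 bytes are
# handled, longer ones crash the server.
MAX_FILENAME_BYTES = 367
UPLOAD_FORM = b"uploadfile_name1.htm"

# filename="..." on a multipart Content-Disposition header line.
_FILENAME_RE = re.compile(
    rb'^content-disposition:[^\r\n]*?\bfilename="([^"\r\n]*)"',
    re.IGNORECASE | re.MULTILINE,
)


def oversized_filenames(raw_request: bytes, limit: int = MAX_FILENAME_BYTES):
    """Return the byte length of every filename value longer than `limit`
    in a request aimed at the upload form; [] if none or a different page."""
    request_line = raw_request.split(b"\r\n", 1)[0]
    if UPLOAD_FORM not in request_line:
        return []
    return [len(m.group(1)) for m in _FILENAME_RE.finditer(raw_request)
            if len(m.group(1)) > limit]


def constructed_request(name_len: int) -> bytes:
    """Constructed sample upload request (not captured traffic); the path
    and the field name are assumptions."""
    body = (
        b"--BOUNDARY\r\n"
        b'Content-Disposition: form-data; name="upload_file"; filename="'
        + b"a" * name_len + b'"\r\n'
        b"Content-Type: text/plain\r\n\r\n"
        b"sample\r\n"
        b"--BOUNDARY--\r\n"
    )
    head = (
        b"POST /uploadfile_name1.htm HTTP/1.1\r\n"
        b"Host: sysax.example\r\n"
        b"Content-Type: multipart/form-data; boundary=BOUNDARY\r\n"
        b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n"
    )
    return head + body


if __name__ == "__main__":
    for n in (367, 368):
        print(n, oversized_filenames(constructed_request(n)))
```

The same length test can back a reverse-proxy or IDS rule in front of an unpatched server; the limit is measured in bytes, so it is applied to the raw request rather than to a decoded string.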