FlashFXP 4.1.8.1701 Buffer Overflow

Posted Mar 2, 2012
Authored by Benjamin Kunz Mejri | Site vulnerability-lab.com

FlashFXP version 4.1.8.1701 suffers from a buffer overflow vulnerability.

tags | exploit, overflow
MD5 | 4204668d890c2ac1d194891c9ede418c

Title:
======
FlashFXP v4.1.8.1701 - Buffer Overflow Vulnerability


Date:
=====
2012-03-01


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=462


VL-ID:
=====
462


Introduction:
=============
FlashFXP is an FTP (File Transfer Protocol) client for Windows. It offers you easy and fast ways to transfer any file between other local
computers (LAN - Local Area Network) running a FTP server or via the Internet (WAN - Wide Area Network) and even directly between two
servers using Site to Site transfers (FXP - File eXchange Protocol). Use FlashFXP to publish and maintain your website, Upload and download
documents, photos, videos, music and more! Share your files with your friends and co-workers using the powerful site manager. There are many
features and advanced options available within FlashFXP which are being added with the release of each new version stable or beta*. The software
is available in over 20 languages and under active development. FlashFXP offers high security, performance, and reliability that you can always
depend on to get your job done swiftly and efficiently.

(Copy of the Vendor Homepage: http://www.flashfxp.com)


Abstract:
=========
The Vulnerability Laboratory Research Team discovered a Buffer Overflow Vulnerability in FlashFXP v4.1.8.1701.


Report-Timeline:
================
2012-02-27: Vendor Notification
2012-02-28: Vendor Response/Feedback
2012-03-01: Public or Non-Public Disclosure


Status:
========
Published


Affected Products:
==================
OpenSight Software
Product: FlashFXP Software Client v4.1.8.1701


Exploitation-Technique:
=======================
Local


Severity:
=========
High


Details:
========
A Buffer Overflow Vulnerability was detected in FlashFXP's Software Client v4.1.8.1701. The vulnerability is
triggered by forcing a ListIndex Out of Bound(s) exception, which allows an attacker to overwrite ecx & eip
of the affected software process. Successful exploitation can result in process compromise, execution of
arbitrary code, system compromise or escalation with the privileges of the affected vulnerable software process.

The flaw is a direct result of a fixed length buffer being used in the TListBox control and the
lack of range checking. The code assumes that the string returned by the listbox control will be
less than 4097 characters. It uses a fixed size buffer of 4096 bytes and any text longer than this
will overflow and overwrite the memory beyond it. The TComboBox control also suffers a similar flaw.
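
The fixed-buffer pattern described above, as an added example in C. It is not FlashFXP's code, which the advisory does not show: `list_item`, `get_item_fixed` and `get_item_checked` are hypothetical names, and the checked variant adds the range check the paragraph says is missing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ITEM_BUF_SIZE 4096  /* fixed buffer size stated in the advisory */

/* Constructed stand-in for a list control item; its text can be any length. */
typedef struct { const char *text; } list_item;

/* Length query: characters in the item, terminator not counted. */
size_t item_text_len(const list_item *it) { return strlen(it->text); }

/* Before: the item is copied into a fixed 4096-byte stack buffer with no
 * range check. An item of 4096 or more characters plus its terminator
 * writes past buf. Only safe for short items; shown for comparison. */
char *get_item_fixed(const list_item *it) {
    char buf[ITEM_BUF_SIZE];
    strcpy(buf, it->text);                 /* missing range check */
    size_t n = strlen(buf) + 1;
    char *out = malloc(n);
    if (out) memcpy(out, buf, n);
    return out;
}

/* After: ask for the length first, enforce a limit, size the copy from it. */
char *get_item_checked(const list_item *it, size_t max_len) {
    size_t len = item_text_len(it);
    if (len > max_len) return NULL;        /* reject, do not truncate silently */
    char *out = malloc(len + 1);
    if (!out) return NULL;
    memcpy(out, it->text, len);
    out[len] = '\0';
    return out;
}

int main(void) {
    static char big[5001];                 /* constructed oversized entry */
    memset(big, 'A', 5000);
    list_item shorty = { "*.tmp" }, huge = { big };
    char *a = get_item_checked(&shorty, ITEM_BUF_SIZE - 1);
    char *b = get_item_checked(&huge, ITEM_BUF_SIZE - 1);
    printf("short: %s, oversized: %s\n", a ? a : "(rejected)", b ? "(copied)" : "(rejected)");
    free(a); free(b);
    return 0;
}
```

The same length limit belongs at the point where a filter entry is accepted, so an oversized string never reaches the control in the first place.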

Vulnerable Module(s):
[+] List Index & Exception Handling [TListBox]

Picture(s):
../1.png
../2.png
../3.png
../4.png
../5.png


Proof of Concept:
=================
The vulnerability can be exploited by local & remote attackers. For demonstration or reproduce ...

Manually reproduce ...

1. Download & open the software client
2. Connect to a random server for interaction
3. Enable the Option Settings => Filters => Skip-List
4. Open the Option => Filter Settings
5. Add a new one (Skip-List) by including a large unicode string & wait for the exception-handling
6. The exception-handling out of bounds comes up
7. You pass it 2 times by clicking continue ...
8. The software is now crashing with a stable bex exception & displays input as offset[6]
9. Now you can overwrite the ecx & eip of the affected vulnerable software process to exploit the client system

Note: To exploit the bug (remote), an attacker needs to know the included filters of the connected client to send large strings.


--- Exception Error #1 ---
date/time : 2012-02-28, 16:38:58, 531ms
computer name : HOSTBUSTER
user name : Rem0ve
operating system : Windows 7 Tablet PC x64 Service Pack 1 build 7601
system language : German
system up time : 5 days 13 hours
program up time : 7 minutes 2 seconds
processors : 2x Intel(R) Core(TM)2 Duo CPU T6600 @ 2.20GHz
physical memory : 2243/4091 MB (free/total)
free disk space : (C:) 207,54 GB
display mode : 1366x768, 32 bit
process id : $16fc
allocated memory : 50,75 MB
executable : FlashFXP.exe
exec. date/time : 2012-01-15 22:45
executable hash : 34A53BD60479975EA6DAAB55B8D878B4
version : 4.1.8.1701
ANSI code page : 1252
callstack crc : $1083d124, $c40af1d7, $90cfaf70
exception number : 1
exception class : EStringListError
exception message : List index out of bounds (0).


--- Exception Error #2 ---
date/time : 2012-02-28, 16:39:57, 530ms
computer name : HOSTBUSTER
user name : Rem0ve
operating system : Windows 7 Tablet PC x64 Service Pack 1 build 7601
system language : German
system up time : 5 days 13 hours
program up time : 8 minutes
processors : 2x Intel(R) Core(TM)2 Duo CPU T6600 @ 2.20GHz
physical memory : 2220/4091 MB (free/total)
free disk space : (C:) 207,54 GB
display mode : 1366x768, 32 bit
process id : $16fc
allocated memory : 66,67 MB
executable : FlashFXP.exe
exec. date/time : 2012-01-15 22:45
executable hash : 34A53BD60479975EA6DAAB55B8D878B4
version : 4.1.8.1701
ANSI code page : 1252
callstack crc : $b94d6925, $57f8c46d, $8f2c6734
exception number : 2
exception class : EStringListError
exception message : List index out of bounds (0).


--- Exception BEX #3 (Overwrite) ---
Version=1
EventType=BEX
EventTime=129749175156198070
ReportType=2
Consent=1
ReportIdentifier=34b76897-6223-11e1-afbd-c4a714168486
IntegratorReportIdentifier=34b76896-6223-11e1-afbd-c4a714168486
WOW64=1
Response.type=4
Sig[0].Name=Anwendungsname
Sig[0].Value=FlashFXP.exe
Sig[1].Name=Anwendungsversion
Sig[1].Value=4.1.8.1701
Sig[2].Name=Anwendungszeitstempel
Sig[2].Value=2a425e19
Sig[3].Name=Fehlermodulname
Sig[3].Value=StackHash_e98d
Sig[4].Name=Fehlermodulversion
Sig[4].Value=0.0.0.0
Sig[5].Name=Fehlermodulzeitstempel
Sig[5].Value=00000000
Sig[6].Name=Ausnahmeoffset
Sig[6].Value=41414141 <= ECX | EIP
Sig[7].Name=Ausnahmecode
Sig[7].Value=c0000005
Sig[8].Name=Ausnahmedaten
Sig[8].Value=00000008
DynamicSig[1].Name=Betriebsystemversion
DynamicSig[1].Value=6.1.7601.2.1.0.768.3
DynamicSig[2].Name=Gebietsschema-ID
DynamicSig[2].Value=1031
DynamicSig[22].Name=Zusatzinformation 1
DynamicSig[22].Value=e98d
DynamicSig[23].Name=Zusatzinformation 2
DynamicSig[23].Value=e98dfca8bcf81bc1740adb135579ad53
DynamicSig[24].Name=Zusatzinformation 3
DynamicSig[24].Value=6eab
DynamicSig[25].Name=Zusatzinformation 4
DynamicSig[25].Value=6eabdd9e0dc94904be3b39a1c0583635
UI[2]=C:\Program Files (x86)\FlashFXP 4\FlashFXP.exe
UI[3]=FlashFXP funktioniert nicht mehr
UI[4]=Windows kann online nach einer Lösung für das Problem suchen.
UI[5]=Online nach einer Lösung suchen und das Programm schließen
UI[6]=Später online nach einer Lösung suchen und das Programm schließen
UI[7]=Programm schließen
...
FriendlyEventName=Nicht mehr funktionsfähig
ConsentKey=BEX
AppName=FlashFXP
AppPath=C:\Program Files (x86)\FlashFXP 4\FlashFXP.exe


Reference(s):
../AppCrash_FlashFXP.exe_cb63a668207dbeae0f33144dffb1e66eae843_0a310ac0
../AppCrash_FlashFXP.exe_cb63a668207dbeae0f33144dffb1e66eae843_07c4b531
../bugreport1.txt
../bugreport2.txt
../video-poc-demo.wmv


Risk:
=====
The security risk of the buffer overflow vulnerability is estimated as high(-).


Credits:
========
Vulnerability Research Laboratory - Benjamin Kunz Mejri


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability-
Lab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of
other media, are reserved by Vulnerability-Lab or its suppliers.

Copyright © 2012|Vulnerability-Lab

--
Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com
Contact: admin@vulnerability-lab.com or support@vulnerability-lab.com
