FlashFXP version 5.3.0 suffers from a memory corruption vulnerability.
Document Title:
===============
FlashFXP v5.3.0 (Windows) - Memory Corruption Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1853
Release Date:
=============
2016-06-13
Vulnerability Laboratory ID (VL-ID):
====================================
1853
Common Vulnerability Scoring System:
====================================
5.1
Product & Service Introduction:
===============================
FlashFXP is an FTP, FTPS and SFTP client for Windows: secure, reliable, and efficient file transfers.
Use FlashFXP to publish and maintain your website. Upload and download files, such as documents,
photos, videos, music and more! Transfer or back up local and remote files, plus (FXP) server to
server FTP transfers. FlashFXP offers unique and complimentary advanced features for client
configuration. Share files with your friends and co-workers (FTP or SFTP server required).
(Copy of the Homepage: https://www.flashfxp.com/ )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory core research team discovered a local memory corruption vulnerability in the official FlashFXP v5.3.0 Windows software.
Vulnerability Disclosure Timeline:
==================================
2016-06-01: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2016-06-02: Vendor Notification (FlashFXP Security Team)
2016-**-**: Vendor Fix/Patch (FlashFXP Security Team)
2016-06-13: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
OpenSight Software
Product: FlashFXP - Software (Client) [Windows] 5.3.0 (Build 3932)
Exploitation Technique:
=======================
Local
Severity Level:
===============
Medium
Technical Details & Description:
================================
A local memory corruption vulnerability has been discovered in the official FlashFXP v5.3.0 Windows software.
The vulnerability allows local attackers to compromise the software process by exploiting a memory issue.
The vulnerability is located in the `Move file in queue` input function of the `Tools - Schedule - Plan` module.
Input to the `Move file in queue` function can compromise the `Tools - Schedule - Plan` module after
successful exploitation. The `Move file in queue` function imposes no memory limit on the request; only the regular
exception handling applies. This results in an unexpected out-of-memory exception, after which the attacker can continue
to process the input. Because the unknown exception is not caught, the error is written into the newly generated bug report.
The issue can be triggered automatically by a saved scheduled plan to compromise or crash the process.
The security risk of the vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) score of 5.1.
Exploitation of the vulnerability requires a low privileged or restricted system user account and no user interaction.
Successful exploitation of the vulnerability results in unknown exceptions, software process crashes and process compromise.
Vulnerable Module(s):
[+] Tools - Schedule - Plans
Vulnerable Input(s):
[+] Move file in queue
Proof of Concept (PoC):
=======================
The memory corruption issue can be exploited by local attackers with a low privileged system user account and without user interaction.
For security demonstration or to reproduce the vulnerability, follow the provided information and steps below.
Manual steps to reproduce the vulnerability ...
1. Install the newest FlashFXP software version on your Windows computer
2. Open the software and its user interface
3. Click the Tools menu at the top of the bar
4. Open the Schedule a Plan option
5. Add a new plan to the schedule list module
6. Enter a large unicode string as payload into the `Move file in queue` input field
7. Save the entry and start the plan (right mouse click or press Enter in the form)
Note: The plan now processes the `Move file in queue` input
8. An exception occurs that shows the error message "Out of Memory" (memory corruption)
Note: The exception recurs every time and the software crashes due to the memory corruption
9. Close the software and start the process again to confirm the application-side attack vector
10. Open Tools and switch to the Schedule option
11. The software crashes permanently on the saved plan with an error exception
Note: The input was saved when the corruption occurred and remains stored!
12. Successful reproduction of the vulnerability!
--- Exception Handling Bug Report Records ---
date/time : 2016-05-31, 19:16:47
computer name : X01 Session 2016
user name : Benjamin Kunz Mejri
operating system : Windows 10 x64 build 10586
processors : 4x Intel(R) Core(TM) i5-4210M CPU @ 2.60GHz
process id : $354
allocated memory : 2,92 GB
largest free block : 222,84 MB
executable : FlashFXP.exe
exec. date/time : 2016-05-06 18:23
executable hash : 08CFB10FC665C75047FE895D7517973D
version : 5.3.0.3932
SSE2 : 1
WinOSCompatMode : 0
ID : b07af5b3110aa75f4bd313454fd40c49
Install Mode : Per User - User data folder
AppFolder : C:\Program Files (x86)\FlashFXP 5
DataFolder : C:\Users\Admin\AppData\Roaming\FlashFXP\5
TempFolder : C:\Users\Admin\AppData\Local\Temp
Themes Available : 1
Themes Active : 1
App Instance Count : 1
ANSI code page : 1252
Thread locale : 1031
User Default Locale : 1031
PixelsPerInch : 96
ScreenReader : 0
PrevBuild : 0
MouseOverCtrl : TQueueStorage.Queue
Active Form : TFrmTskSchd (FrmTskSchd)
Forms : TFrmTskSchd, TFrmMain, TTntForm
Active Ctrl : TPTListView (LV)
APPE : 0
WideChar Test : 0
callstack crc : $8fd89c21, $956cbda8, $15fea25c
exception number : 1
exception class : EOutOfMemory
exception message : Out of memory.
Note: The report is generated by the process via software exception-handling
--- Vulnerable Process Log ---
00920000 FlashFXP.exe - 5.3.0.3932 - C:\Program Files (x86)\FlashFXP 5
--- CPU Registers Log ---
eax = 02fb1b50
ebx = 009ad6dd
ecx = cc5bedf0
edx = 009ad6dd
esi = 009ad6dd
edi = 005fdc34
eip = 009ad6dd
esp = 005fdbc8
ebp = 005fdc4c
--- Stack Dump Log ---
--- Disassembler Log ---
[...]
00c5b648 jmp loc_c5b6a9
00c5b648
00c5b648 ; ---------------------------------------------------------
00c5b648
00c5b64a loc_c5b64a:
00c5b64a 1396 cmp word ptr [ebx+$3ca], 0
00c5b652 jz loc_c5b667
00c5b652
00c5b654 1397 lea ecx, [edx+$c]
00c5b657 mov edx, ebx
00c5b659 mov eax, [ebx+$3cc]
00c5b65f call dword ptr [ebx+$3c8]
00c5b65f
00c5b665 jmp loc_c5b6b2
00c5b665
00c5b665 ; ---------------------------------------------------------
00c5b665
00c5b667 loc_c5b667:
00c5b667 1400 mov edx, edi
00c5b669 mov eax, ebx
00c5b66b > call -$1628c ($c453e4) ; TntComCtrls.TTntCustomListView.CNNotify
00c5b66b
00c5b670 jmp loc_c5b6b2
00c5b670
00c5b670 ; ---------------------------------------------------------
00c5b670
00c5b672 loc_c5b672:
00c5b672 1411 cmp word ptr [ebx+$482], 0
00c5b67a jz loc_c5b69e
00c5b67a
00c5b67c 1413 push esp
00c5b67d call -$333d1e ($927964) ; Windows.GetCursorPos
00c5b67d
00c5b682 1414 lea ecx, [esp+8]
00c5b686 mov edx, esp
00c5b688 mov eax, ebx
00c5b68a call -$ef6eb ($b6bfa4) ; Controls.TControl.ScreenToClient
00c5b68a
00c5b68f lea edx, [esp+8]
00c5b693 mov eax, ebx
00c5b695 mov si, $ffaa
[...]
Solution - Fix & Patch:
=======================
The vulnerability can be patched by bounding the memory allocation and by limiting and restricting the vulnerable input field.
Do not allow the process to continue handling the input after the exception (via the debugger or exception handler) to prevent exploitation of the memory corruption issue.
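The advisory's fix is an input limit on the `Move file in queue` field, and its steps 9 to 11 show why the limit must also apply when a saved plan is loaded: an oversized value that is already persisted otherwise crashes the software on every start. The following is an added example, not FlashFXP's code; the plan-file format, the `MAX_QUEUE_PATH` limit and the validation rules are assumptions chosen to illustrate the pattern.

```python
# Added example (not FlashFXP's code): a scheduled-plan store that bounds the
# "Move file in queue" value both on entry and on load, so an oversized value
# that was persisted earlier cannot crash the application on every start.
import json

MAX_QUEUE_PATH = 260  # assumed limit, mirroring Windows MAX_PATH; tune per product


class PlanValidationError(ValueError):
    """Raised for a value the scheduler must never be handed."""


def validate_queue_path(value) -> str:
    """Reject values that would otherwise reach the scheduler unbounded."""
    if not isinstance(value, str) or not value.strip():
        raise PlanValidationError("queue path must be a non-empty string")
    if len(value) > MAX_QUEUE_PATH:
        raise PlanValidationError(f"queue path exceeds {MAX_QUEUE_PATH} characters")
    if any(ord(ch) < 0x20 for ch in value):
        raise PlanValidationError("queue path contains control characters")
    return value


def add_plan(plans: list, name: str, queue_path: str) -> dict:
    """Entry-time check: the value is validated before it is ever stored."""
    plan = {"name": name, "move_file_in_queue": validate_queue_path(queue_path)}
    plans.append(plan)
    return plan


def save_plans(plans: list) -> str:
    return json.dumps(plans)


def load_plans(serialized: str) -> tuple:
    """Load-time check: entries saved before the fix (or edited on disk) are
    quarantined instead of being fed to the scheduler, so the app still starts."""
    accepted, rejected = [], []
    for plan in json.loads(serialized):
        try:
            validate_queue_path(plan.get("move_file_in_queue"))
            accepted.append(plan)
        except PlanValidationError as exc:
            rejected.append({"name": plan.get("name"), "reason": str(exc)})
    return accepted, rejected


# Constructed sample plan file: one sane plan plus one that already holds an
# oversized value (the persisted crash state from steps 9-11 of the advisory).
LEGACY_PLAN_FILE = json.dumps([
    {"name": "nightly", "move_file_in_queue": "C:\\backup\\site.zip"},
    {"name": "bad", "move_file_in_queue": "\u0410" * 100_000},
])
```

The rejected entries are the ones to surface to the user (or log) rather than silently drop, so a tampered plan file is noticed.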
Security Risk:
==============
The security risk of the local memory corruption vulnerability in the schedule plan module of the software is estimated as medium. (CVSS 5.1)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (research@vulnerability-lab.com) [http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied,
including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage,
including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically
redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or
its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific
authors or managers. To record, list, modify, use or edit our material, contact (admin@ or research@vulnerability-lab.com) to ask for permission.
Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com