exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

secuniaFTP.txt

secuniaFTP.txt
Posted Jun 29, 2003
Authored by Carsten Eiram | Site secunia.com

Secunia Security Advisory - The FTPServer/X FTP Server Control and COM Object v1.00.045 and v1.00.046 are vulnerable to buffer overflow that results in a denial of service and potentially can enable a remote attacker to gain access to the machine.

tags | exploit, remote, denial of service, overflow
SHA-256 | 0894d97443bbd9d1990dddc0a475b12dff29aa463f6dba9d9b9afdabb6b001cc

secuniaFTP.txt

Change Mirror Download
====================================================================== 

Secunia Research 26/06/2003

- FTPServer/X Response Buffer Overflow Vulnerability -

======================================================================
Receive Secunia Security Advisories for free:
http://www.secunia.com/secunia_security_advisories/

======================================================================
Table of Contents
1....................................................Affected Software
2.............................................................Severity
3.....................................Vendor's Description of Software
4.........................................Description of Vulnerability
5.............................................................Solution
6...........................................................Time Table
7..............................................................Credits
8........................................................About Secunia
9.........................................................Verification

======================================================================
1) Affected Software

FTPServer/X - FTP Server Control and COM Object v1.00.046.
FTPServer/X - FTP Server Control and COM Object v1.00.045.

Prior versions have not been tested, but may also be vulnerable.

Used in the following products:
Simple FTPServer Example (included with FTPServer/X)
Mollensoft FTP Server 3.5.2 (formerly known as Hyperion)
Hyperion FTP Server 3.0.0 (updated version downloaded 10/04/2003)

NOTE: Any FTP server using FTPServer/X may be vulnerable.

======================================================================
2) Severity

Rating: Highly critical
Impact: Denial of Service, System Access
Where: From Remote

======================================================================
3) Vendor's Description of Software

"FTPServer/X makes it easy for you to put up an FTP server.
FTPServer/X comes in both ActiveX Control and COM Object forms to
make it easy for you to integrate it into nearly any Windows
programming environment. When you use FTPServer/X, you have complete
control over user access, directories, file uploads and downloads,
deletion, etc."

Vendor:
Mabry Software
http://www.mabry.com

======================================================================
4) Description of Vulnerability

A vulnerability has been identified in FTPServer/X, which can be
exploited by malicious people to cause a DoS (Denial of Service) on a
vulnerable FTP server or potentially compromise it.

The vulnerability is caused due to a boundary error, when the FTP
Server returns responses, which include user input. The problem is
that the allocated buffer (1024 bytes) may be overflowed due to an
insecure use of the "wsprintf()" function.

When exploiting the vulnerability, the return address as well as a
pointer stored in the register "ecx" can be overwritten with
arbitrary values.

Before returning, the manipulated pointer is used as an argument to
the function "InterlockedDecrement()" in "kernel32.dll", which may
cause a vulnerable FTP server to crash.

The FTP service needs to be restarted manually before functionality
is restored.

Since the return address also is overwritten, the vulnerability can
potentially also be exploited to execute arbitrary code on a
vulnerable system.

The following two examples exploit the vulnerability.

Exploit 1 (Supply between 995 and 1017 bytes to the USER command):
telnet [victim] 21
USER AAAA...[995-1017]...AAAA

The FTP Server will crash when the "331 Password required for %s"
response is returned.

Exploit 2 (Supply a 991 to 1022 bytes long invalid command):
telnet [victim] 21
AAAA...[991-1022]...AAAA

The FTP Server will crash when the response "500 '%s': command not
understood" is returned.

Please note that "Exploit 2" is the same issue as the one reported
by Moran Zavdi at the beginning of April in Hyperion FTP Server
3.0.0. However, this was erroneously thought to be fixed in an
updated version of Hyperion FTP Server 3.0.0.

======================================================================
5) Solution

Mabry Software has fixed the vulnerability in FTPServer/X version
1.00.047.

Mollensoft has issued Mollensoft FTP Server version 3.5.3, which uses
the latest version of FTPServer/X.

If your FTP server uses the FTPServer/X component (look for
"FTPServX.dll" / "FTPServX.ocx"), check to see if an updated version
of the product has been made available.

======================================================================
6) Time Table

10/04/2003 - Vulnerability discovered in Hyperion FTP Server.
11/04/2003 - Vendor notified (support@mollensoft.com).
22/04/2003 - Vendor contacted again requesting acknowledgment.
22/04/2003 - Vendor confirms vulnerability and states that it will
be fixed in version 3.5.2.
26/04/2003 - Vendor releases version 3.5.2.
28/04/2003 - Vulnerability still present in latest version. Vendor
notified (support@mollensoft.com).
29/04/2003 - Mabry Software notified (techsupport@mabry.com) since the
vulnerability may be caused by a boundary error in FTPServer/X used
in Hyperion/Mollensoft FTP Server.
09/05/2003 - Vulnerability conclusively identified in FTPServer/X.
09/05/2003 - Vendor notified again (techsupport@mabry.com).
09/05/2003 - Vendor confirms vulnerability.
03/06/2003 - Vendor releases updated version (1.00.046).
04/06/2003 - Vulnerability still present in latest version. Vendor
informed (techsupport@mabry.com).
12/06/2003 - Vendor provides source code and asks for help in
identifying the problem.
16/06/2003 - Problem identified.
17/06/2003 - Mabry Software releases updated version (1.00.047).
22/06/2003 - Mollensoft releases updated version (3.5.3).
24/06/2003 - Public disclosure.

======================================================================
7) Credits

Discovered by Carsten H. Eiram, Secunia Research.

======================================================================
8) About Secunia

Secunia collects, validates, assesses and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia website:

http://www.secunia.com/

Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://www.secunia.com/secunia_security_advisories/

======================================================================
9) Verification

Please verify this advisory by visiting the Secunia website:
http://www.secunia.com/secunia_research/2003-3/

======================================================================

Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    21 Files
  • 12
    Sep 12th
    40 Files
  • 13
    Sep 13th
    18 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    21 Files
  • 17
    Sep 17th
    51 Files
  • 18
    Sep 18th
    23 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close