
INFIGO-2006-05-03.txt
Posted May 9, 2006
Authored by Leon Juranic | Site infigo.hr

INFIGO IS Security Advisory #ADV-2006-05-03 - New vulnerabilities have been discovered in ArgoSoft FTP server version 1.4.3.6, Golden FTP server version 2.70, FileZilla version 2.2.22, and WarFTP Daemon / Guild FTP server version 0.999.13.

tags | advisory, vulnerability
SHA-256 | f7e189f0655ec928de2b27d398b63004754ae6497a019f787feea012621c36f3


INFIGO IS Security Advisory #ADV-2006-05-03
http://www.infigo.hr/



Title: Multiple FTP Servers vulnerabilities
Advisory ID: INFIGO-2006-05-03
Date: 2006-05-05
Advisory URL: http://www.infigo.hr/hr/in_focus/advisories/INFIGO-2006-05-03
Impact: Remote code execution and DoS
Risk Level: High
Vulnerability Type: Remote
Vendors Status: Multiple vendors contacted.




==[ Overview

Infigo IS released a simple GUI FTP fuzzer which can be downloaded from
http://www.infigo.hr/hr/in_focus/tools. The announcement which was posted to
multiple security groups included an overview of several vulnerabilities
discovered with the Fuzzer. This advisory is published due to some
misinterpretations in further reposts discussing the discovered vulnerabilities.
Vulnerabilities described in this advisory were found in the following FTP
server software products:
- ArgoSoft FTP Server
- Golden FTP Server
- Filezilla
- War FTP Daemon
- Guild FTP Server



==[ Vulnerabilities

Fuzzing various FTP servers discovered numerous security flaws in the FTP
server software. Several of them are described below.


-[ ArgoSoft FTP Server buffer overflow

Multiple vulnerabilities were discovered in ArgoSoft FTP Server.
In a simple unicode buffer overflow in the 'RNTO' command, an argument of about
3000 bytes built from the fuzz string '&A' overwrites EIP with 0x00260047
(fuzzer input). This vulnerability allows remote code execution.


-[ Golden FTP Server buffer overflow

Among other vulnerabilities, Golden FTP Server discloses unnecessary
information. When an exception occurs in the server process, Golden FTP Server
will pass the exception code with detailed info on the exception to the FTP
client which caused it.

Example:
...
[ CMD: [CWD] FUZZ: [//A://A://A://A://A:] SIZE: 150 ]
RECV: 550 Access violation at address 004A291C in module 'GFTPpro.exe'.
Read of address 00000001

[ CMD: [CWD] FUZZ: [//A://A://A://A://A:] SIZE: 330 ]
RECV: 550 Access violation at address 00402CDF in module 'GFTPpro.exe'.
Read of address 2F3A412F
...

It is possible to obtain information on the process memory environment. In the
second exception, the process can't read from address 0x2F3A412F, which
represents the string "/:A/" that was sent to the FTP server by the Fuzzer.
The exception is caused by a stack overflow in the NLST command when a long
argument with a specially constructed value is passed to it.
Exploiting the vulnerability is simple, because it is possible to overflow the
SEH handler and return to the 'pop-pop-ret' where the buffer is located.
This allows remote code execution, not just DoS as stated in some reposts.


-[ FileZilla vulnerabilities

A few vulnerabilities in FileZilla weren't investigated beyond the crash. At
the moment there is no further information whether those vulnerabilities are
exploitable.
The first vulnerability is triggered by sending a long PORT or PASS command (30
bytes) and an MLSD command after it. This causes FileZilla to crash (DoS).
The second vulnerability, found in the FileZilla Server interface, also leads to
a DoS condition.


-[ War FTP Daemon WDM.exe overflow

Fuzzing the WarFTP Daemon raised multiple exceptions.
Example:
WDM.exe (Wardaemon Manager) will crash on "MOV DWORD PTR [EDX], ESI",
where the attacker controls both the EDX and ESI registers. This scenario could
lead to remote code execution.



-[ Guild FTP Server buffer overflow

Fuzzing the Guild FTP Server discovered a remote unicode buffer overflow,
probably related to the 'globbing chars'. EIP is overwritten with the Fuzzer's
input. The issue was not further investigated.
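The two indicators that recur across the findings above are oversized command arguments (RNTO, CWD/NLST, PORT, PASS) and server replies that leak exception details whose faulting address is made of request bytes. The following checker is an added example, not part of this advisory or of Infigo's fuzzer: it walks a constructed client/server transcript (the "SEND:"/"RECV:" prefixes and the length thresholds are assumptions made for this example) and flags both indicators. It also reinterprets a leaked faulting address as the four bytes that produced it, in memory order, and recognises both the plain ASCII case from the Golden FTP replies and the UTF-16LE case behind the "unicode" overflows, which is the triage step that separates a memory-corruption crash from a plain DoS.

```python
import re
from typing import Dict, List, Optional, Tuple

# Argument lengths above which a command is flagged. These limits are
# assumptions for this example: a Windows path is at most MAX_PATH (260)
# characters, and a PORT argument "h1,h2,h3,h4,p1,p2" never exceeds 23.
ARG_LIMITS: Dict[str, int] = {"RNTO": 260, "CWD": 260, "NLST": 260, "PORT": 23, "PASS": 64}

# Shape of the exception text Golden FTP Server returns in a 550 reply
# (matches the two replies quoted in the advisory).
EXC_RE = re.compile(
    r"Access violation at address (?P<code>[0-9A-Fa-f]{8}) in module '(?P<mod>[^']+)'\."
    r"\s*(?P<op>Read|Write) of address (?P<addr>[0-9A-Fa-f]{8})"
)


def _printable(bs: bytes) -> bool:
    return all(0x20 <= b < 0x7F for b in bs)


def decode_address(addr_hex: str) -> Optional[Tuple[str, str]]:
    """Reinterpret a faulting 32-bit address as the four bytes that produced it,
    in memory (little-endian) order. Returns (encoding, text) when those bytes
    are printable ASCII or printable UTF-16LE, the signature of a pointer
    overwritten by request data, and None otherwise."""
    raw = bytes.fromhex(addr_hex)[::-1]
    if _printable(raw):
        return "ascii", raw.decode("ascii")
    if raw[1] == 0 and raw[3] == 0 and _printable(raw[0::2]):
        return "utf-16le", raw.decode("utf-16-le")
    return None


def analyse_session(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Walk a transcript and return (line_no, kind, detail) findings."""
    findings: List[Tuple[int, str, str]] = []
    for no, line in enumerate(lines, 1):
        if line.startswith("SEND: "):
            cmd, _, arg = line[6:].partition(" ")
            limit = ARG_LIMITS.get(cmd.upper())
            if limit is not None and len(arg) > limit:
                findings.append((no, "long-argument",
                                 f"{cmd.upper()} argument is {len(arg)} bytes (limit {limit})"))
        elif line.startswith("RECV: "):
            m = EXC_RE.search(line)
            if m:
                detail = (f"{m.group('mod')} leaked an exception at {m.group('code')}: "
                          f"{m.group('op').lower()} of {m.group('addr')}")
                decoded = decode_address(m.group("addr"))
                if decoded:
                    detail += (f"; address is {decoded[0]} text {decoded[1]!r}, "
                               "i.e. request data reached a pointer")
                findings.append((no, "exception-disclosure", detail))
    return findings


# Constructed transcript (not a real capture), modelled on the advisory's examples.
SESSION: List[str] = [
    "SEND: USER anonymous",
    "RECV: 331 Password required",
    "SEND: PASS guest",
    "RECV: 230 Logged in",
    "SEND: PORT " + "1," * 15,          # 30-byte PORT argument
    "RECV: 501 Syntax error",
    "SEND: CWD " + "//A:" * 40,          # 160 bytes, under the path limit
    "RECV: 550 Access violation at address 004A291C in module 'GFTPpro.exe'. Read of address 00000001",
    "SEND: CWD " + "//A:" * 83,          # 332 bytes
    "RECV: 550 Access violation at address 00402CDF in module 'GFTPpro.exe'. Read of address 2F3A412F",
    "SEND: RNTO " + "&A" * 1500,         # 3000-byte RNTO argument
    "RECV: 550 Permission denied",
]

if __name__ == "__main__":
    for no, kind, detail in analyse_session(SESSION):
        print(f"line {no}: {kind}: {detail}")
```

Two points worth noting when running it. The 160-byte CWD slips past the length rule entirely and is caught only by the reply-side check, so a length threshold alone is not a sufficient detection. And the four bytes behind 0x2F3A412F come out as "/A:/" in memory order, which is a substring of the "//A://A:" fuzz input; the advisory quotes the same bytes in printed (big-endian) order as "/:A/". The same routine classifies the ArgoSoft EIP value 0x00260047 as UTF-16LE text, which is what "unicode buffer overflow" refers to above.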



==[ Affected Version

Latest ArgoSoft FTP server (1.4.3.6), Golden FTP server (2.70), FileZilla
(2.2.22), WarFTP Daemon and Guild FTP Server (0.999.13).



==[ Fix

Not available.



==[ PoC Exploit

No PoC available.



==[ Credits

Vulnerabilities discovered by Leon Juranic <leon.juranic@infigo.hr>



==[ INFIGO IS Security Contact

INFIGO IS,

WWW : http://www.infigo.hr
E-mail : infocus@infigo.hr



==[ Revision history

2006-05-04, Original advisory published
Revision 01, 2006-05-05, Guild FTP Server vulnerability added


