Buffer Overflow Vulnerabilities in TurboFTP

Url: http://www.turboftp.com

From the vendor's website ...

"TurboFTP is a secure FTP client program for Windows 9x/ME/NT4/2000/XP. It allows you to transfer files (upload or download) at turbo speed between your computer and virtually any FTP server with exceptional ease."

"With an intuitive user interface, a wealth of features and secure file transfer capability, TurboFTP is the right software tool for tasks like uploading Web site, scheduled file synchronization and backup, and mission critical corporate file transfers."

And I certainly can't argue with that; it's certainly in my top twenty FTP clients list!

It is also vulnerable to a buffer overflow attack from a malicious FTP server sending an overly long response at any time during the connection. The data supplied by the server is converted to Unicode (every byte becomes a two-byte wide character, as the 0x00580058 below shows) and placed into a buffer around 1000 bytes long. This means that normal buffer overflow attack techniques cannot be used to exploit this vulnerability.

Interesting responses:

(TurboFTP connected...)
220 [1061xA]
(Access violation in user32.dll)

(TurboFTP connected...)
    PADDING  EIP
220 [1061xA][*][2xX]   // Totalling 1063 bytes
(Access violation in turboftp.exe when executing 0x00580058)   // 2xX Unicoded

* The base pointer register cannot be altered as far as I can see, thus the reason I have not included it.

(TurboFTP connected...)
    PADDING
220 [8000xA]
(Access violation in comctl32.dll)

(TurboFTP connected...)
    PADDING  EAX
220 [8574xA][4xX]   // Totalling 8578 bytes
(Access violation in turboftp.exe; EAX = 0x58585858)

I could not find an address on the stack which my buffer could write to and which was of the form 0x00SS00??, where SS is an address on the stack, thus I was unable to exploit the vulnerability to any extent beyond a simple DoS attack. If anyone manages this, I would be most interested to hear how it was achieved.
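As an added illustration, not TurboFTP's code (which is not available), here is the pattern the advisory describes, a narrow FTP reply line widened into a fixed-size wide-character buffer, written with the length check the vulnerable client evidently lacks: a reply that would not fit is rejected instead of overwriting the stack. The 500-wchar buffer size, the RFC 959 reply-code check and the helper that builds "220 " plus N 'A's are assumptions of this example.

```c
#include <stddef.h>
#include <string.h>
#include <wchar.h>

#define REPLY_WCHARS 500   /* assumed: ~1000-byte reply buffer, two bytes per wchar */
#define MAX_LINE 9000      /* constructed test input only: longest reply we build */

/* Widen a narrow reply into dst (cap wchar_t slots, terminator included).
 * Each byte becomes one wchar_t, giving the interleaved-zero layout the
 * advisory describes ("XX" -> 58 00 58 00). Returns chars stored, or -1
 * when the reply would not fit; the unsafe original skips this check. */
int widen_reply(const char *src, size_t len, wchar_t *dst, size_t cap)
{
    if (len + 1 > cap)
        return -1;
    for (size_t i = 0; i < len; i++)
        dst[i] = (wchar_t)(unsigned char)src[i];
    dst[len] = L'\0';
    return (int)len;
}

/* Validate an FTP reply line: three digits, then ' ' or '-' (RFC 959),
 * then a bounded copy. Returns the reply code, or -1 on rejection. */
int parse_reply(const char *line, size_t len, wchar_t *out, size_t cap)
{
    for (int i = 0; i < 3; i++)
        if (len <= (size_t)i || line[i] < '0' || line[i] > '9')
            return -1;
    if (len < 4 || (line[3] != ' ' && line[3] != '-'))
        return -1;
    if (widen_reply(line, len, out, cap) < 0)
        return -1;
    return (line[0] - '0') * 100 + (line[1] - '0') * 10 + (line[2] - '0');
}

/* Test helper: build "220 " followed by n 'A's (the advisory's probe shape)
 * and run it through parse_reply with a REPLY_WCHARS-sized buffer. */
int check_reply_of_length(size_t n)
{
    static char line[MAX_LINE + 4];
    static wchar_t buf[REPLY_WCHARS];
    if (n > MAX_LINE)
        return -2;
    memcpy(line, "220 ", 4);
    memset(line + 4, 'A', n);
    return parse_reply(line, n + 4, buf, REPLY_WCHARS);
}
```

With this check in place, the 1061- and 8574-byte replies from the advisory are dropped at the parser rather than reaching the buffer.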
Nevertheless, I have contacted the vendor, and they may issue a patch if this is found to be anything which could lead to a remote system compromise or code execution of any type.

======================================================================

Operating system and service pack level: Windows 9x/Me/NT based
Software: TurboFTP 3.85 Build 304 (possibly earlier versions)
Under what circumstances the vulnerability was discovered: Under a vulnerability search.
If the vendor has been notified: Yes, the vendor has been notified.
How to contact you for further information: I can always be reached at peter4020@hotmail.com
Please credit this find to: Peter Winter-Smith

Thank you for your time,
-Peter