[FlashFXP] Two Buffer Overflow Vulnerabilities

From: :: Operash :: (nesumin_at_SOFTHOME.NET)
Date: 06/09/03

    Date:         Mon, 9 Jun 2003 12:19:43 +0900
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    -----------------------------------------------------------------------
    SUMMARY : [FlashFXP] Two Buffer Overflow Vulnerabilities
    PRODUCT : FlashFXP
    VERSIONS : 2.0 build 905
    VENDOR : CEDsoft (http://www.flashfxp.com/)
    SEVERITY : Critical.
                     Code Execution.
    DISCOVERED BY : nesumin
    AUTHOR : :: Operash ::
    REPORTED DATE : 2003-05-07
    RELEASED DATE : 2003-06-09
    -----------------------------------------------------------------------

    0. PRODUCTS
    =============

      FlashFXP is a GUI-based FTP client for Windows.
      CEDsoft (http://www.flashfxp.com/)

    1. DESCRIPTION
    ================

      FlashFXP has the following two buffer overflow vulnerabilities:

      1. Buffer overflow in the handling of the "PASV" reply.

        A stack-based buffer overflow occurs if the reply a server returns
        to the "PASV" command contains a long string.
        By exploiting this vulnerability, an attacker can execute
        arbitrary code on a user's system if the user connects to
        a malicious server.

      2. Buffer overflow in the handling of a long host name.

        A stack-based buffer overflow occurs if a long host name
        is specified as the destination server.
        By exploiting this vulnerability, an attacker can execute
        arbitrary code on a user's system when the user copies
        a maliciously crafted URL while the "Clipboard Monitor" function
        is enabled.

      These vulnerabilities expose users to the following risks:

      * Infection with viruses, Trojans, etc.
      * Destruction of systems.
      * Leak or alteration of local data.

    2. SYSTEMS AFFECTED
    =====================

      FlashFXP 2.0 build 905

      Previous versions may have the same vulnerabilities.

    3. SYSTEMS NOT AFFECTED
    =========================

      FlashFXP 2.1 build 923
      FlashFXP 2.1 build 924

    4. EXAMINES
    =============

      Tested versions :
        FlashFXP 2.0 build 905
        FlashFXP 2.1 build 923
        FlashFXP 2.1 build 924

      Tested platforms :
        Windows 98SE Japanese
        Windows 2000 Professional SP3 Japanese

    5. VENDOR STATUS
    ==================

      2003-05-14 Vendor released fixed-version (v2.1 build 923).

    6. SOLUTION
    =============

      Upgrade to version 2.1 build 923 or a later version.

    7. TECHNICAL DETAILS
    ======================

      1. Buffer overflow in the reply to the PASV command.

        When FlashFXP is connected to an FTP server, it opens a data
        connection to retrieve a directory listing and similar data.
        If passive mode is enabled, it requests the IP address and port
        number for the data connection with the "PASV" command.
        A stack-based buffer overflow occurs if the IP address field
        in the server's reply is a string of more than 0x90 bytes.

        Example:

          ---> PASV
          <--- 227 (AAAAAAAAAA ... (over 0x90 bytes) ... ,1,1,1,1,1)

      2. Buffer overflow in a long host name.

        FlashFXP copies the host name into a buffer before trying to
        resolve it, but does not check the bounds of that buffer.
        Therefore, if the host name is a string of more than 0x90 bytes,
        a stack-based buffer overflow occurs.

        Example:

          ftp://AAAAAAAAAA ... (over 0x90 bytes) ... /

      Both overflows can overwrite a Structured Exception Handler record
      on the stack with an arbitrary value.
      If the handler address is overwritten with the address of a buffer
      holding arbitrary code, or with the address of an instruction that
      jumps there, execution is redirected to that buffer.

      Therefore, arbitrary code can be executed with the privileges
      of the FlashFXP process.
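      The two defects above share one root cause: server- or user-supplied
      text is written into a fixed-size stack buffer without a length check.
      The following C code is an added illustration of the defensive side of
      both cases and is not FlashFXP's code nor part of the original advisory.
      It parses a 227 reply by validating each field in place instead of
      copying the address string, and copies a host name out of an ftp:// URL
      only after checking it fits. PASV_REPLY_MAX, HOST_MAX, the 64-byte host
      buffer and all sample inputs are constructed for the example; the
      advisory does not give the client's real buffer sizes.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdlib.h>

/* Assumed limits for this example (the advisory gives no buffer sizes). */
#define PASV_REPLY_MAX 128   /* longest 227 reply we are willing to parse */
#define HOST_MAX       253   /* DNS limit on a dotted host name (RFC 1035) */

struct pasv_addr {
    unsigned char  ip[4];
    unsigned short port;
};

/* strlen that never scans past limit bytes. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Parse "227 ... (h1,h2,h3,h4,p1,p2)". Fields are validated in the input
   text; nothing is copied into a fixed buffer, so an overlong or garbage
   address such as the advisory's "AAAA..." reply is simply rejected.
   Returns 0 on success, -1 on overlong or malformed input. */
int parse_pasv_reply(const char *reply, struct pasv_addr *out)
{
    if (bounded_len(reply, PASV_REPLY_MAX + 1) > PASV_REPLY_MAX)
        return -1;                        /* reject before parsing anything */
    if (strncmp(reply, "227", 3) != 0)
        return -1;
    const char *p = strchr(reply, '(');
    if (p == NULL)
        return -1;
    p++;
    unsigned long v[6];
    for (int i = 0; i < 6; i++) {
        if (!isdigit((unsigned char)*p))  /* strtoul alone would accept "+" or " " */
            return -1;
        char *end;
        v[i] = strtoul(p, &end, 10);
        if (end - p > 3 || v[i] > 255)    /* at most 3 digits, each value 0..255 */
            return -1;
        p = end;
        if (i < 5) {
            if (*p != ',')
                return -1;
            p++;
        }
    }
    if (*p != ')')
        return -1;
    for (int i = 0; i < 4; i++)
        out->ip[i] = (unsigned char)v[i];
    out->port = (unsigned short)(v[4] * 256 + v[5]);
    return 0;
}

/* Data port from a 227 reply, or -1 if the reply was rejected. */
int pasv_port_of(const char *reply)
{
    struct pasv_addr a;
    return parse_pasv_reply(reply, &a) == 0 ? (int)a.port : -1;
}

/* Copy the host part of "ftp://[user[:pass]@]host[:port]/..." into dst with
   an explicit bound. Returns the host length, or -1 if the host is empty,
   longer than DNS allows, or would not fit in dst. */
int copy_host_bounded(const char *url, char *dst, size_t dstlen)
{
    const char *h = url;
    if (strncmp(h, "ftp://", 6) == 0)
        h += 6;
    size_t auth = strcspn(h, "/");        /* authority ends at the first '/' */
    const char *at = memchr(h, '@', auth);
    if (at != NULL) {                     /* skip "user:pass@" */
        auth -= (size_t)(at + 1 - h);
        h = at + 1;
    }
    size_t n = 0;
    while (n < auth && h[n] != ':')       /* host ends at ':' (port) or at '/' */
        n++;
    if (n == 0 || n > HOST_MAX || n >= dstlen)
        return -1;
    memcpy(dst, h, n);
    dst[n] = '\0';
    return (int)n;
}

/* Host length for a URL using a constructed 64-byte buffer, or -1. */
int host_len_of(const char *url)
{
    char host[64];
    return copy_host_bounded(url, host, sizeof host);
}

/* Constructed inputs shaped like the two advisory examples (0x91 'A's). */
int example_overlong_pasv_rejected(void)
{
    char reply[256];
    int n = snprintf(reply, sizeof reply, "227 (");
    memset(reply + n, 'A', 0x91);
    n += 0x91;
    snprintf(reply + n, sizeof reply - (size_t)n, ",1,1,1,1,1)");
    return pasv_port_of(reply);
}

int example_overlong_host_rejected(void)
{
    char url[256];
    int n = snprintf(url, sizeof url, "ftp://");
    memset(url + n, 'A', 0x91);
    n += 0x91;
    snprintf(url + n, sizeof url - (size_t)n, "/");
    return host_len_of(url);
}

int main(void)
{
    printf("benign port: %d, benign host len: %d\n",
           pasv_port_of("227 Entering Passive Mode (192,168,1,20,4,210)"),
           host_len_of("ftp://ftp.example.com/pub/"));
    printf("overlong pasv: %d, overlong host: %d\n",
           example_overlong_pasv_rejected(), example_overlong_host_rejected());
    return 0;
}
```

      The length check runs before any field is examined, so the size of the
      destination buffer, not the size of the server's reply, decides how much
      data is ever touched; the same "check the bound, then copy" ordering is
      what the host-name path lacked in the affected build.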

    8. SAMPLE CODE
    ================

      None released.

    9. TIME TABLE
    ===============

      2003-04-20 Discovered these vulnerabilities.
      2003-05-07 Reported to vendor.
      2003-05-07 Received a reply and a fixed-version(1) from vendor.
      2003-05-07 Discovered a new bug, reported it to vendor.
      2003-05-07 Received a fixed-version(2) from vendor.
      2003-05-07 Informed vendor that the fix was confirmed.
      2003-05-14 Vendor released fixed-version.
      2003-06-09 Released this advisory.

    10. DISCLAIMER
    ===============

      A. We cannot guarantee the accuracy of all statements in this advisory.
      B. We do not anticipate issuing updated versions of this advisory
         unless there is some material change in the facts.
      C. We take no responsibility for any kind of disadvantage arising from
         the use of this information.
      D. You may quote this advisory without our permission if you observe the following:
         a. Do not distort this advisory's content.
         b. The quoting medium should be on the Internet.
      E. If you have any questions, please contact us.

      * Exception

         We strictly forbid 'Secunia' (http://www.secunia.com/) to republish or
         redistribute our advisory.

    11. CONTACT, ETC
    =================

      :: Operash ::

      imagine (Operash Webmaster)
      nesumin <nesumin@softhome.net>

      Thanks to :

        melorin
        piso(sexy)


