[SmartFTP] Two Buffer Overflow Vulnerabilities

From: :: Operash :: (nesumin_at_SOFTHOME.NET)
Date: 06/09/03

    Date:         Mon, 9 Jun 2003 12:19:42 +0900
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    ----------------------------------------------------------------------
    SUMMARY : [SmartFTP] Two Buffer Overflow Vulnerabilities
    PRODUCT : SmartFTP
    VERSIONS : 1.0.973
    VENDOR : SmartFTP (http://www.smartftp.com/)
    SEVERITY : Critical.
                     Code Execution.
    DISCOVERED BY : nesumin
    AUTHOR : :: Operash ::
    REPORTED DATE : 2003-05-07
    RELEASED DATE : 2003-06-09
    ----------------------------------------------------------------------

    0. PRODUCTS
    =============

      SmartFTP is a GUI base FTP Client for Windows.
      SmartFTP.com (http://www.smartftp.com/)

    1. DESCRIPTION
    ================

      SmartFTP has the following two buffer overflow vulnerabilities:

      1. Stack buffer overflow in the reply to the PWD command.

        If a server returns a reply to the "PWD" command that contains a
        long pathname, a buffer overflow occurs on the stack.
        By exploiting this vulnerability, an attacker can execute
        arbitrary code on the user's system if the user connects
        to a malicious server.

      2. Heap buffer overrun in the File List.

        If a server returns a File List that contains a line with a long
        string, a buffer overrun occurs on the heap.
        By exploiting this vulnerability, an attacker could possibly
        execute arbitrary code on the user's system if the user
        connects to a malicious server.

      These vulnerabilities could lead to the following risks:

      * Infection with a virus, trojan, etc.
      * Destruction of the system.
      * Leak or alteration of local data.

    2. SYSTEMS AFFECTED
    =====================

      SmartFTP 1.0.973
      Previous versions may also have these vulnerabilities.

    3. SYSTEMS NOT AFFECTED
    =========================

      SmartFTP 1.0.976

    4. EXAMINES
    =============

      Tested versions :
        SmartFTP 1.0.973
        SmartFTP 1.0.976

      Tested platforms :
        Windows 98SE Japanese
        Windows 2000 Professional SP3 Japanese

    5. VENDOR STATUS
    ==================

      2003-05-07 Vendor released a fixed version (1.0.976)
                  and described the fix in the change log.

                  Reference: http://www.smartftp.com/changelog.php

    6. SOLUTION
    =============

      Upgrade to version 1.0.976 or later.

    7. TECHNICAL DETAILS
    ======================

      1. Stack buffer overflow in the reply to the PWD command.

        SmartFTP requests the current directory with the "PWD" command
        when it connects to an FTP server.
        A buffer overflow then occurs on the stack if the server's reply
        to the "PWD" request contains a long directory name such as
        the following.

        Example:

          ---> PWD
          <--- 257 "AAAAAAAAAA ..... (over 0x208 bytes) ....." is current directory.

        If the saved return address is overwritten with the address of
        a buffer that holds arbitrary code, or with the address of an
        instruction that redirects to that buffer, execution moves to
        that buffer.

        Therefore arbitrary code can be executed with the privileges of
        the SmartFTP process.

      2. Heap buffer overrun in the File List.

        SmartFTP requests a File List from the FTP server using the "LIST"
        command (or a similar one) when it connects to the server.
        A buffer overrun then occurs on the heap if the returned
        File List contains a line with a long string like the following.

        Example:

          dr-xr-xr-x 1 owner group 123 Feb 1 00:00 .
          AAAAAAAAAAA ..... (over 0x5000 bytes) .....
          -r-xr-xr-x 1 owner group 123 Feb 1 00:00 filename.ext

        This buffer overrun can overwrite an arbitrary memory area with
        arbitrary values if it overwrites the Win32 Heap Manager's
        records with manipulated data.
        And by overwriting the data related to Structured Exception
        Handling, it is possible to move execution to a specified
        address.

        Therefore an attacker could possibly execute arbitrary code with
        the privileges of the SmartFTP process.
        (However, this can be difficult in practice.)

      The overflowed data is converted to Unicode, and that conversion
      differs with the system locale.
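    The following is an added example, not code from the advisory or from
    SmartFTP, showing the client-side checks that prevent both conditions
    described above: the pathname of a 257 ("PWD") reply and each line of a
    LIST response are bounded on the raw bytes before any copy or conversion,
    and the last function shows why the locale remark matters, by counting how
    many Unicode code points the same bytes become under two code pages. The
    limits reuse the sizes quoted in the advisory (0x208 and 0x5000 bytes), the
    choice of cp932 as the "system locale", and all sample replies are
    assumptions of this example.

```python
import re

# Bounds taken from the sizes quoted in the advisory (0x208-byte PWD reply,
# 0x5000-byte LIST line); a real client derives them from its own buffers.
MAX_PWD_PATH = 0x208
MAX_LIST_LINE = 0x5000


class UntrustedReplyError(ValueError):
    """Raised when server-supplied text is malformed or exceeds a bound."""


# RFC 959 form of the 257 reply: 257 "<pathname>" <text>, where a '"'
# inside the pathname is written as '""'.
_PWD_RE = re.compile(rb'^257 "((?:[^"]|"")*)"(?: |\r|\n|$)')


def parse_pwd_reply(reply: bytes, codepage: str = "cp932",
                    limit: int = MAX_PWD_PATH) -> str:
    """Return the pathname from a 257 reply, refusing over-long or malformed ones.

    The length is bounded on the raw bytes before any copy or conversion.
    `codepage` stands in for the system locale (cp932 = Japanese, matching
    the advisory's test platforms); it is an assumption of this example.
    """
    m = _PWD_RE.match(reply)
    if m is None:
        raise UntrustedReplyError("malformed 257 reply")
    raw = m.group(1).replace(b'""', b'"')
    if len(raw) > limit:
        raise UntrustedReplyError(
            f"PWD pathname is {len(raw)} bytes, limit is {limit}")
    return raw.decode(codepage, errors="replace")


def parse_file_list(listing: bytes, limit: int = MAX_LIST_LINE) -> list[bytes]:
    """Split a LIST response into lines, refusing any line longer than `limit`."""
    entries = []
    for lineno, line in enumerate(listing.split(b"\r\n"), start=1):
        if not line:
            continue
        if len(line) > limit:
            raise UntrustedReplyError(
                f"LIST line {lineno} is {len(line)} bytes, limit is {limit}")
        entries.append(line)
    return entries


def converted_lengths(raw: bytes,
                      codepages=("cp932", "cp1252")) -> dict[str, int]:
    """Code-point count the same bytes produce under different locales.

    Illustrates the advisory's closing remark: the Unicode form of the
    overflowed data, and hence what lands in memory, depends on the locale.
    """
    return {cp: len(raw.decode(cp, errors="replace")) for cp in codepages}


def rejects(func, *args) -> bool:
    """True if `func(*args)` raises UntrustedReplyError."""
    try:
        func(*args)
    except UntrustedReplyError:
        return True
    return False


# Constructed sample traffic, modelled on the shapes shown in the advisory.
LONG_PWD_REPLY = b'257 "' + b"A" * 0x300 + b'" is current directory.\r\n'
LONG_LIST = (b"dr-xr-xr-x 1 owner group 123 Feb 1 00:00 .\r\n"
             + b"A" * 0x6000 + b"\r\n"
             + b"-r-xr-xr-x 1 owner group 123 Feb 1 00:00 filename.ext\r\n")

if __name__ == "__main__":
    print(parse_pwd_reply(b'257 "/home/user" is current directory.\r\n'))
    print("long PWD rejected:", rejects(parse_pwd_reply, LONG_PWD_REPLY))
    print("long LIST rejected:", rejects(parse_file_list, LONG_LIST))
    print(converted_lengths(b"\x82\xa0" * 10))
```

    The check is applied to the bytes, not to the converted string, because
    the conversion is what varies between locales; the same twenty bytes
    decode to ten characters under cp932 and twenty under cp1252, so a bound
    taken after conversion would depend on the user's system.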

    8. SAMPLE CODE
    ================

      None released.

    9. TIME TABLE
    ===============

      2003-04-20 Discovered these vulnerabilities.
      2003-05-07 Reported them to the vendor.
      2003-05-07 Received a reply and a fixed version (1) from the vendor.
      2003-05-07 Found a problem still remaining, and reported it to the vendor.
      2003-05-07 Received a fixed version (2) from the vendor.
      2003-05-07 Discovered a new bug, and reported it to the vendor.
      2003-05-07 Received a fixed version (3) from the vendor.
      2003-05-07 Confirmed to the vendor that the fix is complete.
      2003-05-07 Vendor released the fixed version.
      2003-06-09 Released this advisory.

    10. DISCLAIMER
    ===============

      A. We cannot guarantee the accuracy of all statements in this information.
      B. We do not anticipate issuing updated versions of this information
         unless there is some material change in the facts.
      C. We take no responsibility for any kind of disadvantage arising from
         the use of this information.
      D. You may quote this advisory without our permission if you observe the following:
         a. Do not distort this advisory's content.
         b. The place of quotation should be a medium on the Internet.
      E. If you have any questions, please contact us.

      * Exception

         We strictly forbid 'Secunia' (http://www.secunia.com/) to republish or
         redistribute our advisory.

    11. CONTACT, ETC
    =================

      :: Operash ::

      imagine (Operash Webmaster)
      nesumin <nesumin@softhome.net>

      Thanks to :

        melorin
        piso(sexy)


