[LeapFTP] "PASV" Reply Buffer Overflow Vulnerability

From: :: Operash :: (nesumin_at_SOFTHOME.NET)
Date: 06/09/03

    Date:         Mon, 9 Jun 2003 12:19:44 +0900
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    ----------------------------------------------------------------------
    SUMMARY : [LeapFTP] "PASV" Reply Buffer Overflow Vulnerability
    PRODUCT : LeapFTP
    VERSIONS : 2.7.3.600
    VENDOR : LeapWare (http://www.leapware.com/)
    SEVERITY : Critical.
                     Code Execution.
    DISCOVERED BY : nesumin
    AUTHOR : :: Operash ::
    REPORTED DATE : 2003-05-07
    RELEASED DATE : 2003-06-09
    ----------------------------------------------------------------------

    0. PRODUCTS
    =============

      LeapFTP is a GUI-based FTP client for Windows.
      LeapWare (http://www.leapware.com/)

    1. DESCRIPTION
    ================

      A stack-based buffer overflow occurs if a server returns a reply containing
      a long string in response to the "PASV" command.
      By exploiting this vulnerability, an attacker can execute arbitrary code
      on the user's system if the user connects to a malicious server.

      This vulnerability carries the following risks:

      * Infection with a virus or Trojan, etc.
      * Destruction of the system.
      * Leak or alteration of the local data.

    2. SYSTEMS AFFECTED
    =====================

      LeapFTP 2.7.3.600

      Previous versions may have the same vulnerability.

    3. SYSTEMS NOT AFFECTED
    =========================

      LeapFTP 2.7.4.602

    4. EXAMINES
    =============

      Tested versions :
        LeapFTP 2.7.3.600
        LeapFTP 2.7.4.602

      Tested platforms :
        Windows 98SE Japanese
        Windows 2000 Professional SP3 Japanese

    5. VENDOR STATUS
    ==================

      2003-05-21 Vendor released the fixed version (2.7.4.602) and a security
                 notice.
                 Reference: http://www.leapware.com/security/2003052101.txt

    6. SOLUTION
    =============

      Upgrade to version 2.7.4.602 or a later version.

    7. TECHNICAL DETAILS
    ======================

      When connected to an FTP server, LeapFTP opens a data connection to
      retrieve the file list and similar data.
      If PASV mode is enabled, it requests the IP address and port number for
      that connection with the "PASV" command.
      A stack buffer overflow occurs if the server's reply to this "PASV"
      request carries a long IP address, as in the following example.

      Example:

        ---> PASV
        <--- 227 (AAAAAAAAAA ..... (over 0x421 bytes) ..... ,1,1,1,1,1)

      This overflow can overwrite a Structured Exception Handler record on the
      stack with an arbitrary value, by supplying more than 0x421 bytes of
      address data.
      If the Structured Exception Handler is overwritten with the address of a
      buffer holding arbitrary code, or the address of an instruction that
      redirects to it, execution is transferred to that buffer.

      Arbitrary code can therefore be executed with the privileges of the
      LeapFTP process.
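      The defect described above is a missing bound on the host portion of the
      227 reply before it is copied into a fixed-size stack buffer. The parser
      below is an added example written for this page, not LeapFTP's code
      (which is not public): it shows the checks a client should apply to a
      "227 ... (h1,h2,h3,h4,p1,p2)" reply before using any of it. The overall
      length cap PASV_MAX_REPLY and the helper names are this example's
      choices, not values from the advisory or the FTP specification.

```c
/* Bounded parsing of an FTP "227" PASV reply.
 * Added example, not LeapFTP code: a legitimate 227 reply is well under
 * 100 bytes, so anything longer is refused before any copy or parse. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define PASV_MAX_REPLY 128   /* our chosen cap, not a protocol constant */

typedef struct {
    uint8_t  ip[4];
    uint16_t port;
} pasv_addr_t;

/* Returns 0 and fills *out on success, -1 if the reply is oversized or malformed. */
int parse_pasv_reply(const char *reply, pasv_addr_t *out)
{
    if (reply == NULL || out == NULL)
        return -1;

    /* Bounded length check: never scan past the cap looking for a terminator. */
    size_t len = 0;
    while (len <= PASV_MAX_REPLY && reply[len] != '\0')
        len++;
    if (len > PASV_MAX_REPLY)
        return -1;

    if (strncmp(reply, "227", 3) != 0)
        return -1;

    const char *p = strchr(reply, '(');
    if (p == NULL)
        return -1;
    p++;

    /* Six decimal fields h1,h2,h3,h4,p1,p2: each 1-3 digits and at most 255. */
    unsigned long v[6];
    for (int i = 0; i < 6; i++) {
        if (*p < '0' || *p > '9')        /* strtoul alone would accept spaces and signs */
            return -1;
        char *end;
        v[i] = strtoul(p, &end, 10);
        if (end - p > 3 || v[i] > 255)
            return -1;
        p = end;
        if (i < 5) {
            if (*p != ',')
                return -1;
            p++;
        }
    }
    if (*p != ')')
        return -1;

    for (int i = 0; i < 4; i++)
        out->ip[i] = (uint8_t)v[i];
    out->port = (uint16_t)((v[4] << 8) | v[5]);
    return 0;
}

/* Convenience: the data port from a reply, or -1 if the reply is rejected. */
int pasv_port_of(const char *reply)
{
    pasv_addr_t a;
    return parse_pasv_reply(reply, &a) == 0 ? (int)a.port : -1;
}

/* Builds a constructed reply whose host field is host_len 'A' characters
 * (the shape shown in section 7) and reports whether the parser accepts it. */
int pasv_accepts_host_field_of_len(size_t host_len)
{
    const char *prefix = "227 (";
    const char *suffix = ",1,1,1,1,1)";
    size_t n = strlen(prefix) + host_len + strlen(suffix);
    char *buf = malloc(n + 1);
    if (buf == NULL)
        return 0;
    memcpy(buf, prefix, strlen(prefix));
    memset(buf + strlen(prefix), 'A', host_len);
    memcpy(buf + strlen(prefix) + host_len, suffix, strlen(suffix) + 1);
    pasv_addr_t a;
    int accepted = parse_pasv_reply(buf, &a) == 0;
    free(buf);
    return accepted;
}

int main(void)
{
    pasv_addr_t a;
    if (parse_pasv_reply("227 Entering Passive Mode (192,168,1,10,4,1)", &a) == 0)
        printf("data connection to %u.%u.%u.%u:%u\n",
               a.ip[0], a.ip[1], a.ip[2], a.ip[3], a.port);
    printf("oversized host field accepted: %d\n",
           pasv_accepts_host_field_of_len(0x421));
    return 0;
}
```

      The length cap is checked before anything else is read, so a reply of
      the size given in the example above is dropped without reaching the
      field parser; the per-field digit and range checks then reject a host
      part that is not four decimal octets, which covers the "AAAA..." shape
      at any length.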

    8. SAMPLE CODE
    ================

      None released.

    9. TIME TABLE
    ===============

      2003-04-20 Discovered this vulnerability.
      2003-05-07 Reported to vendor.
      2003-05-08 Received a reply from vendor.
      2003-05-14 Received a fixed-version from vendor.
      2003-05-15 Conveyed to vendor that the fix has been done.
      2003-05-21 Vendor released fixed-version.
      2003-06-09 Released this advisory.

    10. DISCLAIMER
    ================

      A. We cannot guarantee the accuracy of all statements in this information.
      B. We do not anticipate issuing updated versions of this information
         unless there is some material change in the facts.
      C. We take no responsibility for any kind of disadvantage arising from
         the use of this information.
      D. You may quote this advisory without our permission if you observe the following:
         a. Do not distort this advisory's content.
         b. The place of quotation should be a medium on the Internet.
      E. If you have any questions, please contact us.

      * Exception

         We strictly forbid 'Secunia' (http://www.secunia.com/) to republish or
         redistribute our advisory.

    11. CONTACT, ETC
    ==================

      :: Operash ::

      imagine (Operash Webmaster)
      nesumin <nesumin@softhome.net>

      Thanks to :

        melorin
        piso(sexy)

