[NT] Quick 'n Easy FTP Server Logging Unicode Buffer Overflow
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 1 May 2006 14:06:33 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Quick 'n Easy FTP Server Logging Unicode Buffer Overflow
<http://www.pablosoftwaresolutions.com/html/quick__n_easy_ftp_server_pro.html> "Quick 'n Easy FTP Server Professional is a multi-threaded FTP server for Windows 98/NT/XP that can be easily set up even by inexperienced users."
Improper string length validation allows attackers to execute arbitrary
code using a buffer overflow in Quick 'n Easy FTP Server.
A Unicode overflow exists in the logging process of Quick 'n Easy FTP
Server. When a long string is sent as the argument of a command and a user
then goes to the Logging section, an overflow happens and the SEH can execute
Due to the fact that the overflow is caused by Unicode, exploitation might
not be stable.
Proof of Concept:
Log in to the FTP server, then try:
command aaaaa < about 1100 a (0x61) here > aaaa
Then, in the FTP server main window, go to the Logging section.
The FTP server will crash, and in ftptrace.txt there is an entry:
24/07/2006 20:41:53.500 Exception caught by MainExceptionHandler():
Exception : c0000005
Address : 00610061
Access Type : write
Access Address : 00000000
Please note that the FTP server detects the overflow of a long string and
prevents a pointer overwrite.
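Added example (not part of the original advisory or the vendor's code): a triage script for the ftptrace.txt entry quoted above. It flags access violations whose faulting address has the 00XX00YY shape produced when single-byte input is widened to UTF-16, as with 00610061 from 'a' (0x61). The field layout is an assumption based on the single entry shown here.

```python
import re

# Constructed sample: the ftptrace.txt entry quoted in the advisory.
SAMPLE_TRACE = """\
24/07/2006 20:41:53.500 Exception caught by MainExceptionHandler():
Exception : c0000005
Address : 00610061
Access Type : write
Access Address : 00000000
"""

HEADER = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d+) Exception caught by")
FIELD = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*:\s*(?P<val>\S+)\s*$")

def parse_trace(text):
    """Split trace text into one dict per exception entry."""
    entries, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"timestamp": m.group(1)}
            entries.append(cur)
            continue
        m = FIELD.match(line)
        if m and cur is not None:
            cur[m.group("key").strip().lower()] = m.group("val").lower()
    return entries

def widened_ascii(addr_hex):
    """Return the two characters if a 32-bit address is 00XX00YY with printable XX/YY."""
    if not re.fullmatch(r"[0-9a-f]{8}", addr_hex):
        return None
    raw = bytes.fromhex(addr_hex)
    if raw[0] or raw[2]:          # high byte of each 16-bit half must be zero
        return None
    chars = bytes((raw[3], raw[1]))  # little-endian: low halfword came first in memory
    return chars.decode("ascii") if all(0x20 <= c <= 0x7E for c in chars) else None

def triage(text):
    """List access violations (c0000005) whose faulting address looks like widened input."""
    hits = []
    for e in parse_trace(text):
        decoded = widened_ascii(e.get("address", ""))
        if e.get("exception") == "c0000005" and decoded:
            hits.append((e["timestamp"], e["address"], decoded))
    return hits

if __name__ == "__main__":
    print(triage(SAMPLE_TRACE))
```

A hit means the faulting address was made of text rather than a code address, which is a reason to correlate the timestamp with the FTP command log for oversized command arguments.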
March 26, 2006: vendor contacted
March 27, 2006: vendor replied
March 27, 2006: vendor contacted, example provided
March 28, 2006: vendor replied
March 28, 2006: vendor contacted, C code provided to test the vuln.
March 29, 2006: vendor replied
April 25, 2006: public release
The information has been provided by <mailto:c0d3r@xxxxxxxxxxx> Kaveh