[NT] Quick 'n Easy FTP Server Logging Unicode Buffer Overflow



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Quick 'n Easy FTP Server Logging Unicode Buffer Overflow
------------------------------------------------------------------------


SUMMARY

"Quick 'n Easy FTP Server Professional <http://www.pablosoftwaresolutions.com/html/quick__n_easy_ftp_server_pro.html> is a multi threaded FTP server for Windows 98/NT/XP that can be easily setup even by inexperienced users."

Improper string length validation allows attackers to execute arbitrary
code using a buffer overflow in Quick 'n Easy FTP Server.

DETAILS

A Unicode overflow exists in the logging process of Quick 'n Easy FTP
Server. When a long string is sent as the argument of a command and a user
then opens the Logging section, an overflow happens and, through the SEH,
arbitrary code can be executed.

Due to the fact that the overflow is caused by Unicode, exploitation might
not be stable.

Proof of Concept:
Log in to the FTP server, then try:
command aaaaa < about 1100 a (0x61) here > aaaa
Then, in the FTP server main window, go to the Logging section.
The FTP server will crash, and ftptrace.txt will contain an entry:

24/07/2006 20:41:53.500 Exception caught by MainExceptionHandler():
Exception : c0000005
Address : 00610061
Access Type : write
Access Address : 00000000

Please note that the FTP server detects the overflow of a long string and
prevents a pointer overwrite.
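
The faulting address 00610061 in the trace entry above is the byte pattern 61 00 61 00, that is, the 'a' characters of the command argument widened to UTF-16. The following Python script is an added example, not part of the original advisory: it scans ftptrace.txt-style entries for faulting addresses of that shape. The function names and the second sample entry are constructed for illustration.

```python
import re
import struct

# Constructed sample in the ftptrace.txt layout shown in the advisory; the
# second entry is invented here as a benign contrast case.
SAMPLE_TRACE = """\
24/07/2006 20:41:53.500 Exception caught by MainExceptionHandler():
Exception : c0000005
Address : 00610061
Access Type : write
Access Address : 00000000
25/07/2006 09:12:07.120 Exception caught by MainExceptionHandler():
Exception : c0000005
Address : 0043a1f0
Access Type : read
Access Address : 00000010
"""

# One entry = timestamped header line, then the Exception and Address lines.
ENTRY_RE = re.compile(
    r"^(?P<when>\d{2}/\d{2}/\d{4} [\d:.]+) Exception caught by .*?\n"
    r"Exception\s*:\s*(?P<code>[0-9a-fA-F]{8})\s*\n"
    r"Address\s*:\s*(?P<addr>[0-9a-fA-F]{8})\s*$",
    re.MULTILINE,
)

def widened_ascii(addr_hex):
    """Return the ASCII text if a 32-bit address is two UTF-16LE code units
    of printable ASCII (byte pattern XX 00 XX 00), else None."""
    raw = struct.pack("<I", int(addr_hex, 16))  # bytes as laid out in x86 memory
    if raw[1] == 0 and raw[3] == 0 and all(0x20 <= b <= 0x7E for b in raw[0::2]):
        return raw.decode("utf-16-le")
    return None

def triage(trace_text):
    """Return (timestamp, exception code, address, decoded text) for entries
    whose faulting address looks like widened, externally supplied text."""
    findings = []
    for m in ENTRY_RE.finditer(trace_text):
        text = widened_ascii(m["addr"])
        if text is not None:
            findings.append((m["when"], m["code"].lower(), m["addr"].lower(), text))
    return findings

if __name__ == "__main__":
    for when, code, addr, text in triage(SAMPLE_TRACE):
        print(f"{when}  exception {code} at {addr}: address decodes to {text!r}")
```

A hit means execution was redirected to an address built from widened input text, which separates this class of crash from ordinary faults inside the program's own code range.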

Disclosure Timeline:
March 26, 2006: vendor contacted
March 27, 2006: vendor replied
March 27, 2006: vendor contacted, example provided
March 28, 2006: vendor replied
March 28, 2006: vendor contacted, C code provided to test the vuln.
March 29, 2006: vendor replied
April 25, 2006: public release


ADDITIONAL INFORMATION

The information has been provided by Kaveh Razavi
<mailto:c0d3r@xxxxxxxxxxx>.


