[VulnWatch] Buffer Overflow Vulnerabilities in TurboFTP

From: Peter Winter-Smith (peter4020_at_hotmail.com)
Date: 07/10/03

    To: vulnwatch@vulnwatch.org, vuln@secunia.com, bugs@securitytracker.com
    Date: Thu, 10 Jul 2003 21:01:12 +0000
    
    

    Buffer Overflow Vulnerabilities in TurboFTP

    URL: http://www.turboftp.com

    From the vendor's website ...

            "TurboFTP is a secure FTP client program for Windows
    9x/ME/NT4/2000/XP. It allows you to transfer files (upload or
    download) at turbo speed between your computer and virtually
    any FTP server with exceptional ease."

            "With an intuitive user interface, a wealth of features
    and secure file transfer capability, TurboFTP is the right
    software tool for tasks like uploading Web site, scheduled file
    synchronization and backup, and mission critical corporate file
    transfers."

    And I certainly can't argue with that; it's certainly in my top
    twenty FTP clients list!

    It is also vulnerable to a buffer overflow attack from a
    malicious FTP server sending an overly long response at any
    time during the connection.

    The data supplied by the server is converted to Unicode and placed
    into a buffer around 1000 bytes long.
    This means that normal buffer overflow attack techniques cannot
    be used to exploit this vulnerability.
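    As an added example (not from the advisory or from TurboFTP's own code), a
    reply reader that enforces a hard length ceiling on the server's response
    while it is being read, sized so that the text still fits a fixed buffer
    after the doubling caused by conversion to UTF-16. The 1000-byte buffer and
    the resulting 500-character ceiling are assumptions taken from the
    advisory's "around 1000 bytes"; the sample replies are constructed.

```python
import io
import re

# Assumption (from the advisory's "around 1000 bytes"): the client copies the
# server's reply text into a fixed buffer of this size *after* widening it to
# UTF-16LE, which doubles every ASCII character. The ceiling enforced on the
# wire must therefore be half the buffer, not the buffer itself.
MAX_WIDENED_BYTES = 1000
MAX_LINE_CHARS = MAX_WIDENED_BYTES // 2      # 500 one-byte characters

# RFC 959 reply line: 3-digit code, then ' ' (final line) or '-' (continuation)
REPLY_RE = re.compile(rb"^(\d{3})([ -])(.*)$")

class OversizedReply(ValueError):
    """The server sent a reply line longer than the client is willing to hold."""

def read_reply_line(stream, max_chars=MAX_LINE_CHARS):
    """Read one CRLF-terminated reply with the ceiling applied *while* reading,
    so a hostile server can never make the client buffer more than
    max_chars + 2 bytes. Returns (code, is_final, text, widened_len)."""
    raw = stream.readline(max_chars + 2)          # +2 for the trailing CRLF
    if not raw.endswith(b"\n"):
        # No terminator within the ceiling: stop here instead of appending more.
        raise OversizedReply(f"reply line exceeds {max_chars} characters")
    m = REPLY_RE.match(raw.rstrip(b"\r\n"))
    if not m:
        raise ValueError("malformed FTP reply")
    code, sep, text = m.groups()
    text = text.decode("ascii", errors="replace")
    widened_len = len(text.encode("utf-16-le"))   # bytes the fixed buffer must hold
    return int(code), sep == b" ", text, widened_len

def check_reply(raw: bytes) -> str:
    """Classify one reply as 'ok', 'oversized' or 'malformed'."""
    try:
        _, _, _, widened = read_reply_line(io.BytesIO(raw))
    except OversizedReply:
        return "oversized"
    except ValueError:
        return "malformed"
    return "ok" if widened <= MAX_WIDENED_BYTES else "oversized"

# Constructed samples modelled on the advisory's replies, not captured traffic.
SAMPLES = {
    "banner": b"220 Service ready\r\n",
    "advisory_1061": b"220 " + b"A" * 1061 + b"\r\n",   # first crashing reply
    "advisory_8000": b"220 " + b"A" * 8000 + b"\r\n",
}
RESULTS = {name: check_reply(raw) for name, raw in SAMPLES.items()}
```

    A client that reads this way never holds more than 502 bytes of attacker-controlled text before widening, so the oversize replies listed in the advisory are refused rather than copied.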

    Interesting responses:

    (TurboFTP connected...)
    220 [1061xA]
    (Access violation in user32.dll)

    (TurboFTP connected...)
         PADDING EIP
    220 [1061xA][*][2xX] // Totalling 1063 Bytes
    (Access violation in turboftp.exe when executing 0x00580058)
    // 2xX Unicoded

    * The base pointer register cannot be altered as far as I can see,
    thus the reason I have not included it.

    (TurboFTP connected...)
         PADDING
    220 [8000xA]
    (Access violation in comctl32.dll)

    (TurboFTP connected...)
         PADDING EAX
    220 [8574xA][4xX] // Totalling 8578 Bytes
    (Access violation in turboftp.exe; EAX = 0x58585858)

    I could not find an address which my buffer could write to
    on the stack which was similar to:

    0x00SS00??

    Where SS is an address on the stack, thus I was unable to exploit
    the vulnerability to any extent past that of a simple DoS attack.

    If anyone manages this, I would be most interested to hear how
    it was achieved.

    Nevertheless I have contacted the vendor, and they may issue
    a patch if this is found to be anything which could lead to a
    remote system compromise or code execution of any type.

    ======================================================================

    Operating system and service pack level:
    Windows 9x/Me/NT Based

    Software:
    TurboFTP 3.85 Build 304 (Possibly Earlier Versions)

    Under what circumstances the vulnerability was discovered:
    Under a vulnerability search.

    If the vendor has been notified:
    Yes, the vendor has been notified.

    How to contact you for further information:
    I can always be reached at peter4020@hotmail.com

    Please credit this find to:
    Peter Winter-Smith

    Thank you for your time,
    -Peter


