[VulnWatch] Buffer Overflow Vulnerabilities in TurboFTP
From: Peter Winter-Smith (peter4020_at_hotmail.com)
To: email@example.com, firstname.lastname@example.org, email@example.com
Date: Thu, 10 Jul 2003 21:01:12 +0000
Buffer Overflow Vulnerabilities in TurboFTP
From the vendor's website ...
"TurboFTP is a secure FTP client program for Windows
9x/ME/NT4/2000/XP. It allows you to transfer files (upload or
download) at turbo speed between your computer and virtually
any FTP server with exceptional ease."
"With an intuitive user interface, a wealth of features
and secure file transfer capability, TurboFTP is the right
software tool for tasks like uploading Web site, scheduled file
synchronization and backup, and mission critical corporate file
And I certainly can't argue with that; it's certainly in my top
twenty FTP clients list!
It is also vulnerable to a buffer overflow attack from a
malicious ftp server sending an overly long response upon
at any time during the connection.
The data being supplied by the server is placed, unicoded, into
a buffer around 1000 bytes long.
This means that normal buffer overflow attack techniques cannot
be used to exploit this vulnerability.
(Access violation in user32.dll)
220 [1061xA][*][2xX] // Totalling 1063 Bytes
(Access violation in turboftp.exe when executing 0x00580058)
// 2xX Unicoded
* The base pointer register cannot be altered as far as I can see,
thus the reason I have not included it.
(Access violation in comctl32.dll)
220 [8574xA][4xX] // Totalling 8578 Bytes
(Access violation in turboftp.exe; EAX = 0x58585858)
I could not find an address which my buffer could write to
on the stack which was similar to:
Where SS is an address on the stack, thus I was unable to exploit
the vulnerability to any extent past that of a simple DoS attack.
If anyone manages this, I would be most interested to hear how
it was achieved.
Nevertheless, I have contacted the vendor, and they may issue
a patch if this is found to be anything which could lead to a
remote system compromise or code execution of any type.
Operating system and servicepack level:
Windows 9x/Me/NT Based
TurboFTP 3.85 Build 304 (Possibly Earlier Versions)
Under what circumstances the vulnerability was discovered:
Under a vulnerability search.
If the vendor has been notified:
Yes, the vendor had been notified.
How to contact you for further information:
I can always be reached at firstname.lastname@example.org
Please credit this find to:
Thank you for your time,
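
The widening step described above, as an added example that is not part of the original post and is not TurboFTP's code: a bounded single-byte-to-UTF-16 copy that checks capacity in code units rather than bytes, and shows why two 'X' bytes show up as 0x00580058. The 1000-byte buffer size and the names widen_reply, units_as_dword, try_reply_of and reply_buf are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed sizes: the advisory only says "around 1000 bytes". */
#define REPLY_BUF_BYTES 1000
#define REPLY_BUF_UNITS (REPLY_BUF_BYTES / sizeof(uint16_t)) /* 500 UTF-16 units */

static uint16_t reply_buf[REPLY_BUF_UNITS]; /* hypothetical fixed reply buffer */

/* Widen a single-byte server reply into UTF-16 code units.
 * The bound is checked in code units, not bytes: comparing reply_len
 * against REPLY_BUF_BYTES would accept 999 input bytes and then write
 * 2000 output bytes. Returns units written, or -1 if the reply is refused. */
long widen_reply(const char *reply, size_t reply_len,
                 uint16_t *dst, size_t dst_units)
{
    if (dst == NULL || dst_units == 0)
        return -1;
    dst[0] = 0;                                  /* never leave stale data behind */
    if (reply == NULL || reply_len >= dst_units) /* keep one unit for the terminator */
        return -1;
    for (size_t i = 0; i < reply_len; i++)
        dst[i] = (uint8_t)reply[i];              /* 'X' (0x58) becomes 0x0058 */
    dst[reply_len] = 0;
    return (long)reply_len;
}

/* Two adjacent code units as x86 (little-endian) loads them into 32 bits. */
uint32_t units_as_dword(const uint16_t *u)
{
    return (uint32_t)u[0] | ((uint32_t)u[1] << 16);
}

/* Constructed input shaped like the advisory's test strings: n_a 'A' then n_x 'X'. */
long try_reply_of(size_t n_a, size_t n_x)
{
    char reply[9000];
    if (n_a + n_x > sizeof reply)
        return -1;
    memset(reply, 'A', n_a);
    memset(reply + n_a, 'X', n_x);
    return widen_reply(reply, n_a + n_x, reply_buf, REPLY_BUF_UNITS);
}

int main(void)
{
    printf("1063-byte reply: %ld\n", try_reply_of(1061, 2)); /* refused */
    printf("2-byte reply:    %ld\n", try_reply_of(0, 2));
    printf("\"XX\" widened:    0x%08X\n", (unsigned)units_as_dword(reply_buf));
    return 0;
}
```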