Re: Multiple Heap Overflows in FTP Desktop

From: Vlad M (v_lion_77_at_mail.ru)
Date: 10/18/03

    Date: 17 Oct 2003 23:49:35 -0000
    To: bugtraq@securityfocus.com
    In-Reply-To: <20030908202530.24144.qmail@sf-www1-symnsj.securityfocus.com>

    The heap overflow bug has been fixed. The new FTP Desktop version is now available for downloading from http://www.ftpdesktop.net/download.html

    >Date: 8 Sep 2003 20:25:30 -0000
    >From: Bahaa Naamneh <b_naamneh@hotmail.com>
    >To: bugtraq@securityfocus.com
    >Subject: Multiple Heap Overflows in FTP Desktop
    >
    >
    >
    >Multiple Heap Overflows in FTP Desktop
    >
    >
    >Introduction:
    >=============
    >"FTP Desktop lets you access FTP sites as if they were folders on your
    >computer. Now you can move your files between your hard disk and remote
    >FTP sites with greater ease."
    >- Vendor's Description
    > [ http://www.ftpdesktop.com ]
    >
    >Note:
    >FTP Desktop is fully integrated into Windows Explorer, so the actual
    >module at fault appears as 'explorer.exe'.
    >
    >
    >Details:
    >========
    >Vulnerable systems: FTP Desktop version 3.5 (and possibly earlier
    >versions).
    >
    >Vulnerability: It is possible to cause a heap overflow in FTP Desktop,
    >allowing total modification of the EIP pointer - this can be maliciously
    >altered to allow remote arbitrary code execution. The overflow occurs in
    >the FTP banner and other areas, as shown here:
    >
    >FTP Banner:
    >-----------
    >(FTP Desktop connected...)
    > PADDING EBP EIP
    >220 [229xA][4xB][4xX]
    >(Access violation when executing 0x58585858) // 4xX
    >
    >Username:
    >---------
    >(FTP Desktop Sends 'USER username')
    > PADDING EBP EIP
    >331 [229xA][4xB][4xX]
    >(Access violation when executing 0x58585858) // 4xX
    >
    >Password:
    >---------
    >(FTP Desktop Sends 'PASS password')
    > PADDING EBP EIP
    >331 [229xA][4xB][4xX]
    >(Access violation when executing 0x58585858) // 4xX
    >
    >
    >Vendor status:
    >==============
    >The vendor has been informed, and they are fixing this bug.
    >The updated version, when released, can be downloaded from:
    >
    >http://www.ftpdesktop.net/download.html
    >[ http://www.ftpdesktop.net/download/ftpsetup.exe ]
    >
    >
    >Exploit:
    >========
    >http://www.elitehaven.net/ftpdesktop.zip
    >
    >(I would like to thank Peter Winter-Smith for helping me with the exploitation)
    >
    >
    >Discovered by/Credit:
    >=====================
    >Bahaa Naamneh
    >b_naamneh@hotmail.com
    >


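The advisory above shows 220/331 server replies long enough to overrun a fixed-size buffer in the client. As an added example, not part of the original post or FTP Desktop's own code, here is a bounded FTP reply-line parser in C that checks the length against the destination buffer before copying anything; REPLY_MAX, the struct and the function names are assumptions for illustration.

```c
/* Added example, not FTP Desktop's code: a bounded reader for FTP server
 * reply lines. The length is checked against the buffer before any byte is
 * copied. REPLY_MAX is an assumed client buffer size, not the real one. */
#include <string.h>
#include <ctype.h>

#define REPLY_MAX 128            /* assumed client buffer size (bytes) */

struct ftp_reply {
    int  code;                   /* 3-digit reply code, e.g. 220 or 331 */
    char text[REPLY_MAX];        /* reply text, always NUL-terminated */
};

/* Parse one reply line (CRLF already stripped). Returns 0 on success,
 * -1 if the line has no valid 3-digit code or its text would not fit. */
int parse_ftp_reply(const char *line, struct ftp_reply *out)
{
    size_t len = strlen(line);
    /* RFC 959 shape: "xyz text", "xyz-text" (multi-line) or bare "xyz". */
    if (len < 3 || !isdigit((unsigned char)line[0]) ||
        !isdigit((unsigned char)line[1]) || !isdigit((unsigned char)line[2]))
        return -1;
    if (len > 3 && line[3] != ' ' && line[3] != '-')
        return -1;
    /* Bounds check before the copy: the step the vulnerable client lacked.
     * '>=' keeps one byte free for the terminating NUL. */
    const char *text = (len > 4) ? line + 4 : "";
    size_t tlen = strlen(text);
    if (tlen >= REPLY_MAX)
        return -1;
    out->code = (line[0] - '0') * 100 + (line[1] - '0') * 10 + (line[2] - '0');
    memcpy(out->text, text, tlen);
    out->text[tlen] = '\0';
    return 0;
}

/* Feed the parser a constructed banner of the shape shown in the advisory
 * ("220 " + 229 'A' + 4 'B' + 4 'X'); returns the parser's verdict. */
int check_advisory_banner(void)
{
    char line[4 + 229 + 4 + 4 + 1];
    struct ftp_reply r;
    memcpy(line, "220 ", 4);
    memset(line + 4, 'A', 229);
    memset(line + 233, 'B', 4);
    memset(line + 237, 'X', 4);
    line[241] = '\0';
    return parse_ftp_reply(line, &r);   /* -1: rejected, nothing copied */
}
```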