Re: LeapFTP .lsq Buffer Overflow Vulnerability

From: Kaveh Razavi (c0d3rz_team_at_yahoo.com)
Date: 08/25/05

  • Next message: Boren, Rich (HP SSRT): "[security bulletin] SSRT4702 rev.0 - HP-UX running Veritas 3.3/3.5 unauthorized data access"
    Date: Thu, 25 Aug 2005 11:50:16 -0700 (PDT)
    To: Damien Palmer <alacrity@gmail.com>, bugtraq@securityfocus.com
    
    
    

    I talked about this issue with kf.
    Reading "unicode-proof shellcode" in Phrack magazine is
    extremely recommended.
    I add the replies with kf as an attachment.
    Might be useful.

    c0d3r of IHS
    Network Security Researcher

    --- Damien Palmer <alacrity@gmail.com> wrote:

    > Seeing as how, given a large enough buffer, it is relatively easy to
    > write arbitrary shell code using just ASCII characters, the larger
    > unicode space would make this even easier. Unless there are some
    > pretty severe unlisted restrictions on either the length or content of
    > the overflow string, making an exploit is practically trivial.
    >
    > If you want a quick'n'dirty overview of shell code using a very
    > limited subset of ASCII you can refer to the lecture notes from a unix
    > security class I took in Fall 2004 (starting on page 5 of this
    > document): http://cr.yp.to/2004-494/0910.pdf
    >
    > -D
    >
    >
    > On 8/24/05, Kaveh Razavi <c0d3rz_team@yahoo.com> wrote:
    > > It is not a high-risk vulnerability.
    > > The chance of making a stable exploit in a unicode overflow is low.
    > > Regards
    > >
    > > c0d3r of IHS
    > > Network Security Researcher
    > >
    > > > LeapFTP .lsq Buffer Overflow Vulnerability
    > > >
    > > > by Sowhat
    > > >
    > > > Last Update:2005.08.24
    > > >
    > > > http://secway.org/advisory/AD20050824.txt
    > > >
    > > > Vendor:
    > > >
    > > > LeapWare Inc.
    > > >
    > > > Product Affected:
    > > >
    > > > LeapFTP < 2.7.6.612
    > > >
    > > > Overview:
    > > >
    > > > LeapFTP is the award-winning shareware FTP client that combines an
    > > > intuitive interface with one of the most powerful client bases around.
    > > >
    > > >
    > > > Details:
    > > >
    > > > .LSQ is the LeapFTP Site Queue file, and it is registered with Windows
    > > > by LeapFTP. You can save a transfer queue to .lsq files and transfer it
    > > > later by opening the .lsq files.
    > > >
    > > > However, LeapFTP does not properly check the length of the "Host" field;
    > > > when an overly long string is supplied, there will be a buffer overflow
    > > > and probably arbitrary code execution.
    > > >
    > > > This vulnerability can be exploited by sending the malformed .lsq file
    > > > to the victim; after the victim opens the .lsq file, arbitrary code may
    > > > be executed.
    > > >
    > > >
    > > > //bof.lsq
    > > >
    > > > [HOSTINFO]
    > > > HOST=AAAAA...[ long string ]...AAAAA
    > > > USER=username
    > > > PASS=password
    > > >
    > > > [FILES]
    > > > "1","/winis/ApiList.zip","477,839","E:\ApiList.zip"
    > > >
    > > > SOLUTION:
    > > >
    > > > All users are encouraged to upgrade to 2.7.6 immediately.
    > > > Vendor also released an advisory:
    > > > http://www.leapware.com/security/2005082301.txt
    > > >
    > > > Vendor Response:
    > > >
    > > > 2005.08.22 Vendor notified via online WebForm
    > > > 2005.08.23 Vendor responded and bug fixed
    > > > 2005.08.24 Vendor released the new version 2.7.6.612
    > > > 2005.08.24 Advisory Released
    > > >
    > >
    > >
    > >
    >

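What Kaveh and Damien disagree about is the constraint a unicode conversion puts on the overflow payload. If the HOST= value is widened from a narrow string to UTF-16 before it overflows, a 0x00 byte lands after every input byte, so the only machine code that reaches memory intact is code whose every odd byte is zero (and whose even bytes avoid 0x00, which would end the narrow string early). The C program below is an added example, not code from the advisory, from Sowhat or from either poster: it models that widening for 7-bit ASCII input (bytes >= 0x80 go through the active code page and are deliberately not modelled), reports whether a candidate instruction sequence could survive it, and recovers the narrow string that would reproduce it. The function names and the sample byte sequences are the example's own; the page does not say which conversion LeapFTP applies.

```c
#include <stdio.h>
#include <stddef.h>

/* Widen a narrow 7-bit string the way a Windows program does when it
 * copies an ANSI value such as HOST= into a UTF-16LE buffer: every byte
 * b becomes the pair b, 0x00.  Bytes >= 0x80 go through the active code
 * page and are deliberately not modelled (assumption: ASCII input only).
 * Returns bytes written (2*n), or 0 on a non-ASCII byte or short buffer. */
size_t unicode_expand(const unsigned char *in, size_t n,
                      unsigned char *out, size_t out_cap)
{
    if (out_cap < 2 * n) return 0;
    for (size_t i = 0; i < n; i++) {
        if (in[i] >= 0x80) return 0;
        out[2 * i]     = in[i];
        out[2 * i + 1] = 0x00;
    }
    return 2 * n;
}

/* Check whether a machine-code sequence could come out of that widening:
 * every odd offset must be 0x00 and every even offset a non-zero 7-bit
 * byte (0x00 in the narrow string would terminate it early).
 * Returns 1 if deliverable; otherwise 0 with *bad = first failing offset. */
int is_unicode_safe(const unsigned char *code, size_t n, size_t *bad)
{
    for (size_t i = 0; i < n; i++) {
        int ok = (i % 2) ? (code[i] == 0x00)
                         : (code[i] != 0x00 && code[i] < 0x80);
        if (!ok) { if (bad) *bad = i; return 0; }
    }
    return 1;
}

/* Inverse of unicode_expand: recover the narrow string that, once widened,
 * reproduces `code` (the string one would place in the HOST= value).
 * Returns the narrow length, or 0 when `code` is not unicode-safe. */
size_t narrow_for_code(const unsigned char *code, size_t n,
                       char *out, size_t out_cap)
{
    if (n % 2 || out_cap < n / 2 + 1 || !is_unicode_safe(code, n, NULL))
        return 0;
    for (size_t i = 0; i < n; i += 2)
        out[i / 2] = (char)code[i];
    out[n / 2] = '\0';
    return n / 2;
}

static void report(const char *label, const unsigned char *code, size_t n)
{
    size_t bad = 0;
    char narrow[64];
    printf("%-28s", label);
    for (size_t i = 0; i < n; i++) printf("%02x ", code[i]);
    if (is_unicode_safe(code, n, &bad)) {
        narrow_for_code(code, n, narrow, sizeof narrow);
        printf(" -> deliverable as \"%s\"\n", narrow);
    } else {
        printf(" -> byte at offset %zu cannot survive widening\n", bad);
    }
}

int main(void)
{
    /* Constructed samples for the demo, not taken from the advisory. */
    const unsigned char filler[]     = { 0x41, 0x00, 0x41, 0x00 }; /* inc ecx; add byte [ecx+0],al */
    const unsigned char xor_eax[]    = { 0x31, 0xc0 };             /* xor eax,eax */
    const unsigned char misaligned[] = { 0x00, 0x41, 0x00, 0x41 }; /* same bytes, shifted by one */

    report("widened \"AA\":", filler, sizeof filler);
    report("xor eax,eax:", xor_eax, sizeof xor_eax);
    report("shifted by one byte:", misaligned, sizeof misaligned);
    return 0;
}
```

Compile with `cc -std=c99` and run. The second sample shows why an ordinary stub such as `xor eax,eax` cannot be delivered through this path, and the third shows that the same bytes fail once shifted by one position, which is why the alignment between the widened buffer and the instruction pointer matters as much as the byte values. The Phrack article Kaveh recommends is about constructing working shellcode out of instructions that fit this shape.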

    
    


