Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] Re: LeapFTP .lsq Buffer Overflow Vulnerability

from [Damien Palmer] Network Security [Permanent Link]
Subject: [Full-disclosure] Re: LeapFTP .lsq Buffer Overflow Vulnerability
Date: Wed, 24 Aug 2005 21:33:46 -0500 
Seeing as how, given a large enough buffer, it is relatively easy to
write arbitrary shell code using just ASCII characters, the larger
unicode space would make this even easier.  Unless there are some
pretty severe unlisted restrictions on either the length or content of
the overflow string, making an exploit is practically trivial.

If you want a quick'n'dirty overview of shell code using a very
limited subset of ASCII you can refer to the lecture notes from a unix
security class I took in Fall 2004 (starting on page 5 of this
document):  http://cr.yp.to/2004-494/0910.pdf

-D


On 8/24/05, Kaveh Razavi <c0d3rz_team@yahoo.com> wrote:

it is not a high risk vulnerability .
chance of making an stable exploit in a unicode
overflow is low .
Regards

c0d3r of IHS
Network Security Reseacher


LeapFTP .lsq Buffer Overflow Vulnerability

by Sowhat

Last Update:2005.08.24

http://secway.org/advisory/AD20050824.txt

Vendor:

LeapWare Inc.

Product Affected:

LeapFTP < 2.7.6.612

Overview:

LeapFTP is the award-winning shareware FTP client
that combines an
intuitive interface with one of the most powerful
client bases around.


Details:

.LSQ is the LeapFTP Site Queue file, And it is
registered with Windows
by LeapFTP. You can save a transfer Queue to .lsq
files and transfer it
later by opening the .lsq files.

However, LeapFTP does not properly check the length
of the "Host" fields,
when a overly long string is supplied, there will be
a buffer overflow
and probably arbitrary code execution.

This vulnerability can be exploited by sending the
malformed .lsq file
to the victim, after the victim open the .lsq file,
arbitray code may
executed.


//bof.lsq

[HOSTINFO]
HOST=AAAAA...[ long string ]...AAAAA
USER=username
PASS=password

[FILES]
"1","/winis/ApiList.zip","477,839","E:\ApiList.zip"

SOLUTION:

All users are encouraged to upgrade to 2.7.6
immediately
Vendor also released an advisory:
http://www.leapware.com/security/2005082301.txt

Vendor Response:

2005.08.22 Vendor notified via online WebForm
2005.08.23 Vendor responsed and bug fixed
2005.08.24 Vendor released the new version 2.7.6.612
2005.08.24 Advisory Released





';" type="text/css">


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around
http://mail.yahoo.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Full-disclosure] [ GLSA 200508-16 ] Tor: Information disclosure, Sune Kloppenborg Jeppesen
Next by Date:  [Full-disclosure] Advisory: iTAN not as secure as claimed, release
Previous by Thread:  [Full-disclosure] Re: LeapFTP .lsq Buffer Overflow Vulnerability, Kaveh Razavi
Next by Thread:  Re: LeapFTP .lsq Buffer Overflow Vulnerability, Kaveh Razavi
Indexes:  [Date] [Thread] [Top] [All Lists]