
| Subject: | Quick 'n Easy FTP Server pro/lite Logging unicode stack overflow |
|---|---|
| Date: | Mon, 24 Apr 2006 23:52:38 +0430 (IRDT) |
********************************************
IHS Iran Homeland Security Public advisory
by : c0d3r "Kaveh Razavi" c0d3r@ihsteam.com
********************************************
Title : Quick 'n Easy FTP Server pro/lite
Logging unicode stack overflow
********************************************
information :
Quick 'n Easy FTP Server is a simple and handy FTP server developed by
Pablo van der Meer. There is a unicode overflow in the logging process:
after a long enough string is sent as the argument of a command, opening
the Logging section triggers the overflow and the SEH handler gets hit.
********************************************
simple exploitation :
it is a unicode overflow, so any code execution won't be stable.
here is a sample way to trigger the vulnerability:
log in to the FTP Server, then try:
command aaaaa < about 1100 a (0x61) here > aaaa
then in the FTP server main window go to the Logging section.
the FTP Server will crash, and in ftptrace.txt we have:
24/07/2006 20:41:53.500 Exception caught by MainExceptionHandler():
Exception : c0000005
Address : 00610061
Access Type : write
Access Address : 00000000
the amazing part is that if your string is large enough, the FTP server
detects the overflow and prevents any pointer overwrite.
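As an added triage example (not part of the original advisory), the following parses exception records in the ftptrace.txt format quoted above and checks whether the faulting address is consistent with ASCII input expanded to UTF-16LE: 0x00610061 is two 16-bit units of 0x0061, i.e. the 'a' (0x61) bytes widened with 0x00 high bytes. The second record in the sample is constructed for contrast.

```python
"""Triage helper for MainExceptionHandler() records in ftptrace.txt."""
import re
from typing import Optional

# Constructed sample: the record quoted in the advisory plus a second,
# made-up record whose fault address does not look Unicode-expanded.
SAMPLE_TRACE = """\
24/07/2006 20:41:53.500 Exception caught by MainExceptionHandler():
Exception : c0000005
Address : 00610061
Access Type : write
Access Address : 00000000
24/07/2006 20:43:10.120 Exception caught by MainExceptionHandler():
Exception : c0000005
Address : 7c910a19
Access Type : read
Access Address : 00000004
"""

RECORD_RE = re.compile(
    r"(?P<ts>\S+ \S+) Exception caught by MainExceptionHandler\(\):\n"
    r"Exception : (?P<code>[0-9a-fA-F]{8})\n"
    r"Address : (?P<addr>[0-9a-fA-F]{8})\n"
    r"Access Type : (?P<access>\w+)\n"
    r"Access Address : (?P<target>[0-9a-fA-F]{8})"
)

def parse_records(text: str) -> list[dict]:
    """Return one dict per exception record found in the trace text."""
    return [m.groupdict() for m in RECORD_RE.finditer(text)]

def unicode_expansion_source(addr: int) -> Optional[str]:
    """If a 32-bit value is two UTF-16LE units of printable ASCII (each half
    is 0x00XX), return the ASCII pair that produced it, low half first;
    otherwise None. 0x00610061 -> 'aa'."""
    chars = []
    for unit in (addr & 0xFFFF, addr >> 16):
        if unit >> 8 != 0 or not 0x20 <= (unit & 0xFF) <= 0x7E:
            return None
        chars.append(chr(unit & 0xFF))
    return "".join(chars)

def triage(text: str) -> list[dict]:
    """Annotate each record: does the fault address look like a saved
    pointer (e.g. an SEH handler) overwritten by widened ASCII input?"""
    out = []
    for rec in parse_records(text):
        src = unicode_expansion_source(int(rec["addr"], 16))
        rec["unicode_overwrite_suspected"] = src is not None
        rec["ascii_source"] = src
        out.append(rec)
    return out
```

A match tells the responder the crash is an input-controlled overwrite rather than a random fault, which is the distinction that matters when deciding whether a crash log like this one is a security incident.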
********************************************
Risk Rate : Medium
1) it is a unicode overflow, and exploitation won't be stable because
of the vulnerability's nature.
2) successful exploitation needs the admin to go to the logging section.
3) it needs authentication.
********************************************
workaround :
no patch; all targets are vulnerable.
********************************************
Disclosure timeline :
March 26, 2006 : vendor contacted
March 27, 2006 : vendor replied *
March 27, 2006 : vendor contacted, example provided
March 28, 2006 : vendor replied **
March 28, 2006 : vendor contacted, C code provided to test the vuln.
March 29, 2006 : vendor replied ***
April 25, 2006 : public release
* vendor says I haven't applied all the Microsoft updates, while I
have, and of course an overflow issue in a software is not related
to Microsoft libraries.
** vendor is insisting that the problem is not the FTP problem but my
box's problem.
*** I sent him C code to check the vulnerability; he said he would
contact me. well, he didn't.
********************************************
Credit :
all go to IHS team
www.ihsteam.com
www.ihsteam.net
www.c0d3r.org
greeting :
LorD and NT of IHS , Jamie of exploitdev.org ,
other friends of mine in www.underground.ir