Date: Tue, 15 Jan 2002 19:17:02 +0100
From: Strumpf Noir Society <[email protected]>
To: [email protected]Subject: BlackMoon FTPd Buffer Overflow Vulnerability
Strumpf Noir Society Advisories
! Public release !
<--#
-= BlackMoon FTPd Buffer Overflow Vulnerability =-
Release date: Tuesday, January 15, 2002
Introduction:
BlackMoon is a native windows2000 and XP FTP server application with
features such as virtual directories, user accounts, file resuming and
passive mode transfers, multi-homed & multi-port listening, low memory
and CPU usage, auto date and time activation, all the basic ftp commands
and much more.
BlackMoon is available from the product's website:
http://www.blackmoon.filetap.com
Problem(s):
The BlackMoon FTP server is vulnerable to a buffer overflow condition.
Due to the nature of these problems, this could lead to arbitrary code
execution on a target machine.
More specifically, the buffer which handles the received data before
parsing it was incorrectly declared static in below code.
CBuffer::CBuffer(const char * data, int len, int capacity_inc)
{
bf_head = (char*)&staticBuf; //(char*)malloc(len * sizeof(char));
if(bf_head != NULL)
{
memcpy(bf_head,data,len);
bf_capacity = sizeof(staticBuf); //len;
bf_current_size = len;
bf_capacity_inc = capacity_inc;
Due to this error, it is possible to overflow this buffer through several
of the standard ftp commands available to the user (specifically 'USER',
'PASS' and 'CWD') followed by a string of data sized more than 4096 bytes.
This will kill the BlackMoon FTP service (which runs under the local SYSTEM
account) and allows for overwriting of EIP.
(..)
Solution:
Vendor has been notified and was swift to respond in releasing BlackMoon
FTP v1.5, Release #2, Build 1550, which is available from the product's web
site. This version of the product fixes above problem and adds several
safeguards against similar abuses.
This was tested against BlackMoon FTP v1.5 (Release #1 Build 1547)
on Win2k. The vulnerability described below was traced back to version 1.0,
Release #1, Build 1115. Users are encouraged to upgrade.
yadayadayada
SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html)
compliant, all information is provided on AS IS basis.
EOF, but Strumpf Noir Society will return!
