Date: Mon, 09 Jun 2003 12:19:40 +0900
From: :: Operash :: <[email protected]>
To: [email protected]Subject: [SmartFTP] Two Buffer Overflow Vulnerabilities
----------------------------------------------------------------------
SUMMARY : [SmartFTP] Two Buffer Overflow Vulnerabilities
PRODUCT : SmartFTP
VERSIONS : 1.0.973
VENDOR : SmartFTP (http://www.smartftp.com/)
SEVERITY : Critical.
Code Execution.
DISCOVERED BY : nesumin
AUTHOR : :: Operash ::
REPORTED DATE : 2003-05-07
RELEASED DATE : 2003-06-09
----------------------------------------------------------------------
0. PRODUCTS
=============
SmartFTP is a GUI base FTP Client for Windows.
SmartFTP.com (http://www.smartftp.com/)
1. DESCRIPTION
================
SmartFTP has following two buffer overflow vulnerabilities;
1. The buffer overflow vulnerability in the reply for PWD command.
If the reply that contains a long address is returned from
a server for "PWD" command request, the buffer overflow occurs
on the stack area.
By exploiting this vulnerability, an attacker can execute
an arbitrary code on the user's system if the user connects
to the malicious server.
2. The heap buffer overrun vulnerability in the File List.
If the File List that contains a line of long string is returned
from a server, the buffer overrun occurs on the heap area.
By exploiting this vulnerability, an attacker possibly could
execute an arbitrary code on the user's system if the user
connects to the malicious server.
With these vulnerabilities, there could be following risks;
* Infection with Virus or Trojan, etc.
* Destruction of the system.
* Leak or alteration of the local data.
2. SYSTEMS AFFECTED
SmartFTP 1.0.973
And previous versions may also have this vulnerability.
3. SYSTEMS NOT AFFECTED
SmartFTP 1.0.976
4. EXAMINES
=============
Tested versions :
SmartFTP 1.0.973
SmartFTP 1.0.976
Tested platforms :
Windows 98SE Japanese
Windows 2000 Professional SP3 Japanese
5. VENDOR STATUS
2003-05-07 Vendor released fixed-version (1.0.976)
and described the fix in the change log.
Reference: http://www.smartftp.com/changelog.php
6. SOLUTION
=============
Upgrade to version 1.0.976 or later version.
7. TECHNICAL DETAILS
1. The buffer overflow vulnerability in the reply for PWD command.
SmartFTP requests a current directory using "PWD" command when it's
connected to a FTP server.
And then the buffer overflow occurs on the stack area if
the server's reply for "PWD" request has a long directory name
such as following.
Example:
---> PWD
<--- 257 "AAAAAAAAAA ..... (over 0x208 bytes) ....." is current directory.
If a saved RET address is overwritten with the address of buffer
that has an arbitrary code or the address of instruction data
that redirects to there, the processing path moves to that buffer.
Therefore, it is able to execute an arbitrary code as
the privilege of SmartFTP process.
2. The heap buffer overrun vulnerability in the File List.
SmartFTP requests a File List to the FTP server using "LIST"
command or etc when it connected to the server.
And the buffer overrun occurs on the heap area if the returned
File List has a line of long string like following.
Example:
dr-xr-xr-x 1 owner group 123 Feb 1 00:00 .
AAAAAAAAAAA ..... (over 0x5000 bytes) .....
-r-xr-xr-x 1 owner group 123 Feb 1 00:00 filename.ext
This buffer overrun can overwrite an arbitrary memory area with
arbitrary values if it overwrites a Win32 Heap Manager records
with a manipulated data.
And overwriting the data related with a Structured Exception
Handling, it is possible to make the processing path move to
a specified address.
Therefore an attacker possibly could execute as the privilege
of SmartFTP process an arbitrary code.
(However it can be difficult actually)
The overflowed data is converted to UNICODE, that conversions are
different in each system locales.
8. SAMPLE CODE
================
None release.
9. TIME TABLE
===============
2003-04-20 Discovered these vulnerabilities.
2003-05-07 Reported to vendor.
2003-05-07 Received a reply and a fixed-version(1) from vendor.
2003-05-07 Found a problem still left, and reported it to vendor.
2003-05-07 Received a fixed-version(2) from vendor.
2003-05-07 Discovered a new bug, and reported it to vendor.
2003-05-07 Received a fixed-version(3) from vendor.
2003-05-07 Conveyed to vendor that the fix has been done.
2003-05-07 Vendor released fixed-version.
2003-06-09 Released this advisory.
10. DISCLAIMER
===============
A. We cannot guarantee the accuracy of all statements in this information.
B. We do not anticipate issuing updated versions of this information
unless there is some material change in the facts.
C. And we will take no responsibility for any kinds of disadvantages by
using this information.
D. You can quote this advisory without our permission if you keep the following;
a. Do not distort this advisory's content.
b. A quoted place should be a medium on the Internet.
E. If you have any questions, please contact to us.
* Exception
We strictly forbid 'Secunia' (http://www.secunia.com/) to republish or
redistribute our advisory.
11. CONTACT, ETC
=================
:: Operash ::
imagine (Operash Webmaster)
nesumin <[email protected]>
Thanks to :
melorin
piso(sexy)
