Quick 'n Easy FTP Server pro/lite Logging unicode stack overflow
Date: Mon, 24 Apr 2006 23:52:38 +0430 (IRDT)
Subject: Quick 'n Easy FTP Server pro/lite Logging unicode stack overflow
From: "Kaveh Razavi" <c0d3r@ihsteam.com.>
To: [email protected]
Cc: [email protected]
User-Agent: SquirrelMail/1.4.6
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server011.virtuosonetsolutions.com
X-AntiAbuse: Original Domain - securityfocus.com
X-AntiAbuse: Originator/Caller UID/GID - [32034 536] / [47 12]
X-AntiAbuse: Sender Address Domain - ihsteam.com
X-Source: 
X-Source-Args: 
X-Source-Dir: 
X-Virus-Scanned: antivirus-gw at tyumen.ru

********************************************
IHS Iran Homeland Security Public advisory
by : c0d3r "Kaveh Razavi"  [email protected]
********************************************

Title : Quick 'n Easy FTP Server pro/lite
         Logging unicode stack overflow

********************************************

information :

Quick 'n Easy FTP Server is a simple and handy FTP server developed by
Pablo van der Meer . there is a unicode overflow in the logging process :
after a sufficiently long string is sent as the argument of a command ,
the overflow happens when the administrator opens the Logging section ,
and the SEH handler gets hit .

********************************************

simple exploitation :

it is a unicode overflow , so any code execution won't be stable .
here is a sample way to trigger the vulnerability :
log in to the FTP server , then send :
command aaaaa < about 1100 a (0x61) here > aaaa
then in the FTP server main window go to the Logging section .
the FTP server will crash , and in ftptrace.txt we have :
24/07/2006 20:41:53.500 Exception caught by MainExceptionHandler():
Exception      : c0000005
Address        : 00610061
Access Type    : write
Access Address : 00000000
the amazing part is that if your string is large enough , the FTP server
detects the overflow and prevents any pointer overwrite .
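A defender reading this advisory has two practical questions: how to recognise this class of crash in ftptrace.txt (the faulting address 00610061 is simply the UTF-16LE encoding of "aa", i.e. a pointer overwritten by a wide-character copy of the attacker's ASCII string), and how to spot over-long FTP command arguments before an administrator ever opens the Logging section. The script below is an added example written for this page, not code from the advisory or from the Quick 'n Easy FTP Server project. The trace records and FTP session lines are constructed samples modelled on the excerpt above, and the 512-byte argument limit is an assumed threshold, not a value the advisory gives.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the ftptrace.txt excerpt in the advisory,
# followed by a second, ordinary-looking crash record for contrast.
SAMPLE_TRACE = """\
24/07/2006 20:41:53.500 Exception caught by MainExceptionHandler():
Exception      : c0000005
Address        : 00610061
Access Type    : write
Access Address : 00000000
24/07/2006 20:45:10.125 Exception caught by MainExceptionHandler():
Exception      : c0000005
Address        : 0040123a
Access Type    : read
Access Address : 00000004
"""

# Constructed FTP session lines; the third one mirrors the trigger in the advisory.
SAMPLE_SESSION = [
    "USER test",
    "PASS secret",
    "CWD aaaaa" + "a" * 1100 + "aaaa",
    "LIST",
]

RECORD_START = re.compile(r"^(\S+ \S+) Exception caught by (\w+)\(\):$")
FIELD = re.compile(r"^(Exception|Address|Access Type|Access Address)\s*:\s*(\S+)$")


@dataclass
class CrashRecord:
    timestamp: str
    handler: str
    exception_code: int
    address: int
    access_type: str
    access_address: int


def parse_trace(text):
    """Parse ftptrace.txt-style exception records into CrashRecord objects."""
    raw_records = []
    current = None
    for line in text.splitlines():
        m = RECORD_START.match(line)
        if m:
            current = {"timestamp": m.group(1), "handler": m.group(2)}
            raw_records.append(current)
            continue
        m = FIELD.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return [
        CrashRecord(
            timestamp=r["timestamp"],
            handler=r["handler"],
            exception_code=int(r["Exception"], 16),
            address=int(r["Address"], 16),
            access_type=r["Access Type"],
            access_address=int(r["Access Address"], 16),
        )
        for r in raw_records
    ]


def utf16_ascii_payload(value):
    """Return the two ASCII characters whose UTF-16LE encoding equals this
    32-bit value (pattern 00XX00XX with printable XX), or None otherwise."""
    raw = value.to_bytes(4, "little")
    if raw[1] != 0 or raw[3] != 0:
        return None
    chars = bytes([raw[0], raw[2]])
    if all(0x20 <= c < 0x7F for c in chars):
        return chars.decode("ascii")
    return None


def triage(records):
    """Flag access violations whose faulting address looks like UTF-16 text:
    the signature of a pointer clobbered by a unicode (wide-char) overflow."""
    findings = []
    for rec in records:
        text = utf16_ascii_payload(rec.address)
        if rec.exception_code == 0xC0000005 and text is not None:
            findings.append((rec.timestamp, f"{rec.address:08x}", text))
    return findings


def overlong_arguments(session_lines, limit=512):
    """Return (command, argument length) for every FTP command whose argument
    exceeds `limit` bytes. The limit is an assumed threshold, not from the advisory."""
    hits = []
    for line in session_lines:
        cmd, _, arg = line.partition(" ")
        if len(arg) > limit:
            hits.append((cmd, len(arg)))
    return hits


if __name__ == "__main__":
    for ts, addr, text in triage(parse_trace(SAMPLE_TRACE)):
        print(f"{ts}: address {addr} decodes as UTF-16LE {text!r}")
    for cmd, length in overlong_arguments(SAMPLE_SESSION):
        print(f"over-long argument: {cmd} ({length} bytes)")
```

The address check deliberately requires both zero high bytes and printable low bytes; a legitimate code or heap address in a 32-bit process almost never has that shape, so a match is a strong hint that a wide-character buffer overrun, not a plain crash, produced the record.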

********************************************

Risk Rate : Medium

1) it is a unicode overflow , and exploitation won't be stable because
   of the vulnerability's nature .
2) successful exploitation needs the admin to go to the Logging section .
3) it needs authentication .

********************************************

workaround :

no patch ; all targets are vulnerable .

********************************************

Disclosure timeline :


March 26 , 2006  : vendor contacted
March 27 , 2006  : vendor replied *
March 27 , 2006  : vendor contacted , example provided
March 28 , 2006  : vendor replied **
March 28 , 2006  : vendor contacted , C code provided to test the vuln.
March 29 , 2006  : vendor replied ***
April 25 , 2006  : public release

*   vendor says I haven't applied all the Microsoft updates while I
    have , and of course an overflow issue in a software is not related
    to Microsoft libraries .
**  vendor is insisting that the problem is not the FTP server's problem but my box's problem .
*** I sent him a C code to check the vulnerability , he said he will contact me . well , he didn't .

********************************************

Credit : all go to IHS team
www.ihsteam.com
www.ihsteam.net
www.c0d3r.org

greeting : LorD and NT of IHS , Jamie of exploitdev.org , other friends of mine in www.underground.ir
