From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 1 May 2006 14:06:33 +0200
Subject: [NT] Quick 'n Easy FTP Server Logging Unicode Buffer Overflow
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20060501123535.6359E57D4@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Quick 'n Easy FTP Server Logging Unicode Buffer Overflow
------------------------------------------------------------------------
SUMMARY
"Quick 'n Easy FTP Server Professional
<http://www.pablosoftwaresolutions.com/html/quick__n_easy_ftp_server_pro.html>
is a multi threaded FTP server for Windows 98/NT/XP that can be easily setup even by inexperienced users."
Improper string length validation allows attackers to execute arbitrary
code using a buffer overflow in Quick 'n Easy FTP Server.
DETAILS
A Unicode buffer overflow exists in the logging process of Quick 'n Easy
FTP Server. When a long string is sent as the argument of a command and a
user then opens the Logging section, the overflow occurs and arbitrary
code can be executed via the SEH.
Due to the fact that the overflow is caused by Unicode, exploitation might
not be stable.
Proof of Concept:
Log in to the FTP server, then try:
command aaaaa < about 1100 a (0x61) here > aaaa
Then, in the FTP server main window, go to the Logging section.
The FTP server will crash, and in ftptrace.txt there is an entry:
24/07/2006 20:41:53.500 Exception caught by MainExceptionHandler():
Exception : c0000005
Address : 00610061
Access Type : write
Access Address : 00000000
Please note that the FTP server detects the overflow of a long string and
prevents a pointer overwrite.
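
A triage check for the trace entry above, added here as an example and not part of the original advisory: the faulting address 00610061 is the test byte 0x61 widened to two UTF-16LE code units, and the script flags access violations in ftptrace.txt whose address has that shape. The function names are illustrative, and the field layout is assumed from the single entry quoted above.

```python
import re

# Trace entry as quoted in the advisory (ftptrace.txt).
SAMPLE_TRACE = """\
24/07/2006 20:41:53.500 Exception caught by MainExceptionHandler():
Exception : c0000005
Address : 00610061
Access Type : write
Access Address : 00000000
"""

FIELD_RE = re.compile(r"^(Exception|Address|Access Type|Access Address)\s*:\s*(\S+)\s*$")

def parse_trace(text):
    """Split trace text into one dict per 'Exception caught' entry."""
    entries, current = [], None
    for line in text.splitlines():
        if "Exception caught by" in line:
            current = {"header": line.strip()}
            entries.append(current)
            continue
        m = FIELD_RE.match(line.strip())
        if m and current is not None:
            current[m.group(1)] = m.group(2).lower()
    return entries

def widened_ascii(addr_hex):
    """Return the two characters if a 32-bit address has the form 00XX00YY
    with XX and YY printable ASCII, i.e. two UTF-16LE code units; else None."""
    try:
        raw = int(addr_hex, 16).to_bytes(4, "little")
    except (ValueError, OverflowError):
        return None
    if raw[1] != 0 or raw[3] != 0:
        return None
    if not all(0x20 <= b <= 0x7E for b in (raw[0], raw[2])):
        return None
    return raw.decode("utf-16-le")

def triage(text):
    """Yield (header, address, decoded) for access violations whose faulting
    address looks like input text expanded to Unicode."""
    for e in parse_trace(text):
        decoded = widened_ascii(e.get("Address", ""))
        if e.get("Exception") == "c0000005" and decoded:
            yield e["header"], e["Address"], decoded
```

Run over the entry above, `triage` reports the address 00610061 decoded as "aa", which ties the crash to the command argument rather than to an unrelated fault.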
Disclosure Timeline:
March 26, 2006: vendor contacted
March 27, 2006: vendor replied
March 27, 2006: vendor contacted, example provided
March 28, 2006: vendor replied
March 28, 2006: vendor contacted, C code provided to test the vuln.
March 29, 2006: vendor replied
April 25, 2006: public release
ADDITIONAL INFORMATION
The information has been provided by Kaveh Razavi <c0d3r@ihsteam.com>.