EFTP .lnk File Overflow

2001-09-12T00:00:00
ID OSVDB:764
Type osvdb
Reporter ByteRage(byterage@yahoo.com)
Modified 2001-09-12T00:00:00

Description

Vulnerability Description

A remote overflow exists in EFTP. The server fails to sanitize input provided to the 'ls' command, resulting in a buffer overflow. With a specially crafted .lnk file uploaded to the server, an attacker can cause arbitrary code execution, resulting in a loss of integrity.

Solution Description

Upgrade to version 3.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required, as there are no known workarounds.

Short Description

A remote overflow exists in EFTP. The server fails to sanitize input provided to the 'ls' command, resulting in a buffer overflow. With a specially crafted .lnk file uploaded to the server, an attacker can cause arbitrary code execution, resulting in a loss of integrity.

Manual Testing Notes

Users with upload permissions can upload a *.lnk file containing:

("A" x 1744) . "CCCC"

Issuing an LS command then overwrites EIP with 043434343h ("CCCC"), allowing arbitrary code to be executed.
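The defect class the advisory describes is a fixed-size copy of the target path read from an uploaded .lnk file while 'ls' builds its listing. The C below is an added example, not EFTP's source (which is not on this page): it shows the unbounded copy pattern beside a length-checked replacement and runs the replacement against the advisory's own test vector. The buffer size LINK_TARGET_MAX (1744 bytes, derived from the advisory's filler length), the function names and the sample path are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed buffer size (not EFTP's actual value): the advisory's 1744-byte
 * filler before the four bytes that land in EIP implies a stack buffer of
 * about that size between the copy destination and the saved return
 * address, so 1744 is used here to reproduce the described geometry. */
#define LINK_TARGET_MAX 1744

/* The unsafe pattern the advisory describes: the target path stored in an
 * uploaded .lnk file is copied into a fixed-size stack buffer with no length
 * check. Shown for contrast only; this example never calls it. */
void resolve_link_target_unchecked(const char *link_target)
{
    char path[LINK_TARGET_MAX];
    strcpy(path, link_target);   /* overflows for any target >= 1744 bytes */
    (void)path;
}

/* Hardened form: the caller passes the destination size, the field length is
 * checked against it (leaving room for the NUL) and over-long targets are
 * rejected rather than copied. Returns 1 on success, 0 on rejection. */
int resolve_link_target_bounded(const char *link_target, size_t link_len,
                                char *out, size_t out_size)
{
    if (out == NULL || link_target == NULL)
        return 0;
    if (link_len >= out_size)
        return 0;                /* would not fit together with its terminator */
    memcpy(out, link_target, link_len);
    out[link_len] = '\0';
    return 1;
}

/* Constructed test vector: the advisory's ("A" x 1744) . "CCCC" in memory.
 * Returns the number of payload bytes written, 0 if buf is too small. */
size_t build_advisory_test_vector(char *buf, size_t buf_size)
{
    const size_t filler = 1744, total = filler + 4;
    if (buf_size < total + 1)
        return 0;
    memset(buf, 'A', filler);
    memcpy(buf + filler, "CCCC", 4);
    buf[total] = '\0';
    return total;
}

/* Exercise the bounded resolver: the advisory's vector must be rejected and
 * an ordinary-length target (constructed sample) must be copied intact.
 * Returns 1 only when both hold. */
int check_bounded_resolver(void)
{
    char vector[1744 + 4 + 1];
    char out[LINK_TARGET_MAX];
    const char *ok = "C:\\ftp\\pub\\readme.txt";   /* constructed sample path */
    size_t len = build_advisory_test_vector(vector, sizeof vector);

    if (len != 1748)
        return 0;
    if (resolve_link_target_bounded(vector, len, out, sizeof out) != 0)
        return 0;                /* over-long target must be rejected */
    if (resolve_link_target_bounded(ok, strlen(ok), out, sizeof out) != 1)
        return 0;
    return strcmp(out, ok) == 0;
}

int main(void)
{
    int ok = check_bounded_resolver();
    printf("bounded .lnk target resolver: %s\n", ok ? "OK" : "FAILED");
    return ok ? 0 : 1;
}
```

The essential change is that the destination size travels with the copy and the field length is compared against it before any byte is written; a rejected target should be logged and skipped by the listing code rather than truncated silently, since a truncated path is still a sign of a malformed upload worth noticing.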

References:

Vendor URL: http://www.eftp.org/
Related OSVDB ID: 4094
Related OSVDB ID: 766
Related OSVDB ID: 4093
Nessus Plugin ID: 10928
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-09/0100.html
Keyword: Buffer Overflow
Keyword: Denial of Service
ISS X-Force ID: 7115
CVE-2001-1112
Bugtraq ID: 3330