secuniaFTP.txt

2003-06-29T00:00:00
ID PACKETSTORM:31289
Type packetstorm
Reporter Carsten Eiram
Modified 2003-06-29T00:00:00

Description

                                        
                                            `======================================================================   
  
Secunia Research 26/06/2003   
  
- FTPServer/X Response Buffer Overflow Vulnerability -   
  
======================================================================   
Receive Secunia Security Advisories for free:   
http://www.secunia.com/secunia_security_advisories/   
  
======================================================================   
Table of Contents   
1....................................................Affected Software   
2.............................................................Severity   
3.....................................Vendor's Description of Software   
4.........................................Description of Vulnerability   
5.............................................................Solution   
6...........................................................Time Table   
7..............................................................Credits   
8........................................................About Secunia   
9.........................................................Verification   
  
======================================================================   
1) Affected Software   
  
FTPServer/X - FTP Server Control and COM Object v1.00.046.   
FTPServer/X - FTP Server Control and COM Object v1.00.045.   
  
Prior versions have not been tested, but may also be vulnerable.   
  
Used in the following products:   
Simple FTPServer Example (included with FTPServer/X)   
Mollensoft FTP Server 3.5.2 (formerly known as Hyperion)   
Hyperion FTP Server 3.0.0 (updated version downloaded 10/04/2003)   
  
NOTE: Any FTP server using FTPServer/X may be vulnerable.   
  
======================================================================   
2) Severity   
  
Rating: Highly critical   
Impact: Denial of Service, System Access   
Where: From Remote   
  
======================================================================   
3) Vendor's Description of Software   
  
"FTPServer/X makes it easy for you to put up an FTP server.   
FTPServer/X comes in both ActiveX Control and COM Object forms to   
make it easy for you to integrate it into nearly any Windows   
programming environment. When you use FTPServer/X, you have complete  
control over user access, directories, file uploads and downloads,  
deletion, etc."   
  
Vendor:   
Mabry Software   
http://www.mabry.com  
  
======================================================================   
4) Description of Vulnerability   
  
A vulnerability has been identified in FTPServer/X, which can be  
exploited by malicious people to cause a DoS (Denial of Service) on a  
vulnerable FTP server or potentially compromise it.   
  
The vulnerability is caused due to a boundary error, when the FTP   
Server returns responses, which include user input. The problem is   
that the allocated buffer (1024 bytes) may be overflowed due to an  
insecure use of the "wsprintf()" function.   
  
When exploiting the vulnerability, the return address as well as a  
pointer stored in the register "ecx" can be overwritten with   
arbitrary values.   
  
Before returning, the manipulated pointer is used as an argument to   
the function "InterlockedDecrement()" in "kernel32.dll", which may   
cause a vulnerable FTP server to crash.   
  
The FTP service needs to be restarted manually before functionality   
is restored.   
  
Since the return address also is overwritten, the vulnerability can  
potentially also be exploited to execute arbitrary code on a   
vulnerable system.   
  
The following two examples exploit the vulnerability.   
  
Exploit 1 (Supply between 995 and 1017 bytes to the USER command):   
telnet [victim] 21   
USER AAAA...[995-1017]...AAAA   
  
The FTP Server will crash when the "331 Password required for %s"  
response is returned.   
  
Exploit 2 (Supply a 991 to 1022 bytes long invalid command):   
telnet [victim] 21   
AAAA...[991-1022]...AAAA   
  
The FTP Server will crash when the response "500 '%s': command not  
understood" is returned.   
  
Please note that "Exploit 2" is the same issue as the one reported   
by Moran Zavdi at the beginning of April in Hyperion FTP Server   
3.0.0. However, this was erroneously thought to be fixed in an   
updated version of Hyperion FTP Server 3.0.0.   
  
======================================================================   
5) Solution   
  
Mabry Software has fixed the vulnerability in FTPServer/X version  
1.00.047.   
  
Mollensoft has issued Mollensoft FTP Server version 3.5.3, which uses   
the latest version of FTPServer/X.  
  
If your FTP server uses the FTPServer/X component (look for  
"FTPServX.dll" / "FTPServX.ocx"), check to see if an updated version   
of the product has been made available.   
  
======================================================================   
6) Time Table   
  
10/04/2003 - Vulnerability discovered in Hyperion FTP Server.   
11/04/2003 - Vendor notified (support@mollensoft.com).   
22/04/2003 - Vendor contacted again requesting acknowledgment.   
22/04/2003 - Vendor confirms vulnerability and states that it will   
be fixed in version 3.5.2.   
26/04/2003 - Vendor releases version 3.5.2.   
28/04/2003 - Vulnerability still present in latest version. Vendor  
notified (support@mollensoft.com).   
29/04/2003 - Mabry Software notified (techsupport@mabry.com) since the  
vulnerability may be caused by a boundary error in FTPServer/X used   
in Hyperion/Mollensoft FTP Server.   
09/05/2003 - Vulnerability conclusively identified in FTPServer/X.   
09/05/2003 - Vendor notified again (techsupport@mabry.com).   
09/05/2003 - Vendor confirms vulnerability.   
03/06/2003 - Vendor releases updated version (1.00.046).   
04/06/2003 - Vulnerability still present in latest version. Vendor  
informed (techsupport@mabry.com).   
12/06/2003 - Vendor provides source code and asks for help in  
identifying the problem.   
16/06/2003 - Problem identified.   
17/06/2003 - Mabry Software releases updated version (1.00.047).   
22/06/2003 - Mollensoft releases updated version (3.5.3).   
24/06/2003 - Public disclosure.   
  
======================================================================   
7) Credits   
  
Discovered by Carsten H. Eiram, Secunia Research.   
  
======================================================================   
8) About Secunia   
  
Secunia collects, validates, assesses and writes advisories regarding   
all the latest software vulnerabilities disclosed to the public. These   
advisories are gathered in a publicly available database at the   
Secunia website:   
  
http://www.secunia.com/  
  
Secunia offers services to our customers enabling them to receive all   
relevant vulnerability information to their specific system   
configuration.   
  
Secunia offers a FREE mailing list called Secunia Security Advisories:   
  
http://www.secunia.com/secunia_security_advisories/  
  
======================================================================   
9) Verification   
  
Please verify this advisory by visiting the Secunia website:   
http://www.secunia.com/secunia_research/2003-3/   
  
======================================================================  
  
`