[SmartFTP] Two Buffer Overflow Vulnerabilities

2003-06-09T00:00:00
ID SECURITYVULNS:DOC:4679
Type securityvulns
Reporter Securityvulns
Modified 2003-06-09T00:00:00

Description


SUMMARY : [SmartFTP] Two Buffer Overflow Vulnerabilities PRODUCT : SmartFTP VERSIONS : 1.0.973 VENDOR : SmartFTP (http://www.smartftp.com/) SEVERITY : Critical. Code Execution. DISCOVERED BY : nesumin AUTHOR : :: Operash :: REPORTED DATE : 2003-05-07 RELEASED DATE : 2003-06-09


0. PRODUCTS

SmartFTP is a GUI base FTP Client for Windows. SmartFTP.com (http://www.smartftp.com/)

1. DESCRIPTION

SmartFTP has following two buffer overflow vulnerabilities;

  1. The buffer overflow vulnerability in the reply for PWD command.

    If the reply that contains a long address is returned from a server for "PWD" command request, the buffer overflow occurs on the stack area. By exploiting this vulnerability, an attacker can execute an arbitrary code on the user's system if the user connects to the malicious server.

  2. The heap buffer overrun vulnerability in the File List.

    If the File List that contains a line of long string is returned from a server, the buffer overrun occurs on the heap area. By exploiting this vulnerability, an attacker possibly could execute an arbitrary code on the user's system if the user connects to the malicious server.

With these vulnerabilities, there could be following risks;

  • Infection with Virus or Trojan, etc.
  • Destruction of the system.
  • Leak or alteration of the local data.

2. SYSTEMS AFFECTED

SmartFTP 1.0.973 And previous versions may also have this vulnerability.

3. SYSTEMS NOT AFFECTED

SmartFTP 1.0.976

4. EXAMINES

Tested versions : SmartFTP 1.0.973 SmartFTP 1.0.976

Tested platforms : Windows 98SE Japanese Windows 2000 Professional SP3 Japanese

5. VENDOR STATUS

2003-05-07 Vendor released fixed-version (1.0.976) and described the fix in the change log.

          Reference: http://www.smartftp.com/changelog.php

6. SOLUTION

Upgrade to version 1.0.976 or later version.

7. TECHNICAL DETAILS

  1. The buffer overflow vulnerability in the reply for PWD command.

    SmartFTP requests a current directory using "PWD" command when it's connected to a FTP server. And then the buffer overflow occurs on the stack area if the server's reply for "PWD" request has a long directory name such as following.

    Example:

    ---> PWD <--- 257 "AAAAAAAAAA ..... (over 0x208 bytes) ....." is current directory.

    If a saved RET address is overwritten with the address of buffer that has an arbitrary code or the address of instruction data that redirects to there, the processing path moves to that buffer.

    Therefore, it is able to execute an arbitrary code as the privilege of SmartFTP process.

  2. The heap buffer overrun vulnerability in the File List.

    SmartFTP requests a File List to the FTP server using "LIST" command or etc when it connected to the server. And the buffer overrun occurs on the heap area if the returned File List has a line of long string like following.

    Example:

    dr-xr-xr-x 1 owner group 123 Feb 1 00:00 . AAAAAAAAAAA ..... (over 0x5000 bytes) ..... -r-xr-xr-x 1 owner group 123 Feb 1 00:00 filename.ext

    This buffer overrun can overwrite an arbitrary memory area with arbitrary values if it overwrites a Win32 Heap Manager records with a manipulated data. And overwriting the data related with a Structured Exception Handling, it is possible to make the processing path move to a specified address.

    Therefore an attacker possibly could execute as the privilege of SmartFTP process an arbitrary code. (However it can be difficult actually)

The overflowed data is converted to UNICODE, that conversions are different in each system locales.

8. SAMPLE CODE

None release.

9. TIME TABLE

2003-04-20 Discovered these vulnerabilities. 2003-05-07 Reported to vendor. 2003-05-07 Received a reply and a fixed-version(1) from vendor. 2003-05-07 Found a problem still left, and reported it to vendor. 2003-05-07 Received a fixed-version(2) from vendor. 2003-05-07 Discovered a new bug, and reported it to vendor. 2003-05-07 Received a fixed-version(3) from vendor. 2003-05-07 Conveyed to vendor that the fix has been done. 2003-05-07 Vendor released fixed-version. 2003-06-09 Released this advisory.

10. DISCLAIMER

A. We cannot guarantee the accuracy of all statements in this information. B. We do not anticipate issuing updated versions of this information unless there is some material change in the facts. C. And we will take no responsibility for any kinds of disadvantages by using this information. D. You can quote this advisory without our permission if you keep the following; a. Do not distort this advisory's content. b. A quoted place should be a medium on the Internet. E. If you have any questions, please contact to us.

  • Exception

    We strictly forbid 'Secunia' (http://www.secunia.com/) to republish or redistribute our advisory.

11. CONTACT, ETC

:: Operash ::

imagine (Operash Webmaster) nesumin <nesumin@softhome.net>

Thanks to :

melorin
piso&#40;sexy&#41;

oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo Delivery co-sponsored by TruSecure oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo Free 14-day trial of New Threat & Vulnerability Notification Service

TruSecure's new IntelliShield(tm) web-based threat and vulnerability service isn't your typical alert service. Supported by TruSecure's vast intelligence resources - including the ICSA Labs - IntelliShield's early warning, analysis, decision support, and threat management tools provide organizations with unmatched intelligence to better protect critical information assets. Experience it for yourself - just click below to begin your free, no obligation 14-day trial today!

http://www.trusecure.com/offer/s0074/

oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo