#11 by unl0ck team

2005-02-12T00:00:00
ID SECURITYVULNS:DOC:7811
Type securityvulns
Reporter Securityvulns
Modified 2005-02-12T00:00:00

Description

      -= Unl0ck Team Security Advisory =-

    ____ ___       __  _______           __      ___________
   |    |   \____ |  | \   _  \    ____ |  | __  \__    ___/___ _____    _____
   |    |   /    \|  | /  /_\  \_ / ___\|  |/ /    |    |_/ __ \\__  \  /     \
   |    |  /   |  \  |_\  \_/   \  \___ |    <     |    |\  ___/ / __ \|  Y Y  \
   |______/|___|  /____/\_____  /\_____ >__|_ \    |____| \___  >____  /__|_|  /
                \/            \/       \/    \/               \/     \/      \/
                     ... the best way of protection is attack

                              http://unl0ck.void.ru

Advisory     : #11 by unl0ck team
Product      : Win Ftp Server (latest version)
Vendor       : http://www.wftpserver.com/
Date         : 11.02.2005
Impact       : unicode buffer overflow
Advisory URL : http://unl0ck.void.ru/papers/adv/wftpd.txt

-=[ Overview

WinFTP Server is a multithreaded FTP server for Windows 98/NT/XP. It comes with an easy to use interface and can be accessed from the system tray. The server handles all basic FTP commands and offers easy account management and support for virtual directories. It tries to bring all the user's requested features together. It is the most simple and powerful FTP server to install and manage.

]=-

-=[ Vulnerability

A Unicode buffer overflow vulnerability exists in many commands of this Win32 server, for example USER, PASS, CWD, MKD, etc. Sending a very long command crashes the server. If the server is run under a debugger (e.g. OllyDbg), you will see the EIP register overwritten with 0x00610061, which tells us that this is a Unicode buffer overflow. Some commands use the SEH technique. A PoC exploit can be found on our site, in the releases section.

]=-
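
Added example (not part of the original advisory or its PoC): the C sketch below shows why a dword taken from a run of 'a' characters reads as 0x00610061 once the input has been widened to UTF-16LE, and how a faulting EIP can be classified during crash triage. The function names, the 128-byte buffer and the offset are assumptions; the advisory does not show the server's own conversion code.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Widen ASCII to UTF-16LE: each byte b becomes the pair b, 0x00.
   Returns bytes written, or 0 if the result would not fit in dst
   (the length check a fixed-size wide buffer needs). */
size_t widen_ascii(const char *src, size_t n, uint8_t *dst, size_t dst_size) {
    if (n > dst_size / 2) return 0;
    for (size_t i = 0; i < n; i++) {
        dst[2 * i] = (uint8_t)src[i];
        dst[2 * i + 1] = 0x00;
    }
    return 2 * n;
}

/* Little-endian 32-bit load, as x86 reads a saved return address. */
uint32_t load_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static int printable(uint8_t b) { return b >= 0x20 && b <= 0x7e; }

/* Crash triage on a faulting EIP: 2 = widened ASCII (Unicode overflow),
   1 = four printable bytes (ANSI overflow), 0 = neither pattern. */
int classify_eip(uint32_t eip) {
    uint8_t b[4] = { (uint8_t)eip, (uint8_t)(eip >> 8),
                     (uint8_t)(eip >> 16), (uint8_t)(eip >> 24) };
    if (printable(b[0]) && !b[1] && printable(b[2]) && !b[3]) return 2;
    if (!b[0] && printable(b[1]) && !b[2] && printable(b[3])) return 2;
    if (printable(b[0]) && printable(b[1]) && printable(b[2]) && printable(b[3])) return 1;
    return 0;
}

/* Constructed input: 64 'a' bytes widened into a 128-byte buffer; the dword
   at offset 100 stands in for whatever the overflow lands on (assumed). */
uint32_t dword_after_widening(void) {
    char cmd[64];
    uint8_t wide[128];
    memset(cmd, 'a', sizeof cmd);
    if (widen_ascii(cmd, sizeof cmd, wide, sizeof wide) == 0) return 0;
    return load_le32(wide + 100);
}

int main(void) {
    uint32_t v = dword_after_widening();
    printf("0x%08x -> class %d\n", (unsigned)v, classify_eip(v));
}
```

The capacity check in widen_ascii is the point for a fix: the destination must be sized in wide characters, twice the byte length of the ANSI input.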

-=[ Credits

The bug was found by Dark Eagle Unl0ck Team [http://unl0ck.void.ru]

]=-

-=[ Greetz

All greetz go out to: nekd0, antiq, choix, coki, tal0n, crash-x, setnf, 0xdeadbabe, gst etc...

]=-