SECURITYVULNS:DOC:7811
Feb 12, 2005 - 12:00 a.m.

#11 by unl0ck team

vulners.com
      -= Unl0ck Team Security Advisory =-

    ____ ___       __  _______           __      ___________
   |    |   \____ |  | \   _  \    ____ |  | __  \__    ___/___ _____    _____
   |    |   /    \|  | /  /_\  \_ / ___\|  |/ /    |    |_/ __ \\__  \  /     \
   |    |  /   |  \  |_\  \_/   \  \___ |    <     |    |\  ___/ / __ \|  Y Y  \
   |______/|___|  /____/\_____  /\_____ >__|_ \    |____| \___  >____  /__|_|  /
                \/            \/       \/    \/               \/     \/      \/
                     ... the best way of protection is attack

                              http://unl0ck.void.ru

Advisory : #11 by unl0ck team
Product : Win Ftp Server (latest version)
Vendor : http://www.wftpserver.com/
Date : 11.02.2005
Impact : unicode buffer overflow
Advisory URL : http://unl0ck.void.ru/papers/adv/wftpd.txt

-=[ Overview

WinFTP Server is a multithreaded FTP server for Windows 98/NT/XP.
It comes with an easy to use interface and can be accessed from
the system tray. The server handles all basic FTP commands and
offers easy account management and support for virtual directories.
It tries to bring all the features users have requested together. It is
the simplest and most powerful FTP server to install and manage.

]=-

-=[ Vulnerability

A Unicode buffer overflow vulnerability exists in many commands of this Win32 server,
for example USER, PASS, CWD, MKD etc. By sending a very long command argument, the server
can be made to crash. If the server runs under a debugger (e.g. OllyDbg) you will see that
the EIP register is overwritten with 0x00610061: the ASCII input bytes have been widened to
16-bit Unicode characters ('a' becomes 61 00), which tells us that this is a Unicode buffer
overflow. Some commands are exploitable via the SEH overwrite technique.
A PoC exploit can be found on our site, in the releases section.
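As an added illustration (not part of the advisory or the vendor's code), this Python models what the advisory describes: the server widens the ASCII argument to UTF-16LE before copying it, so the bytes that land in EIP read 0x00610061 instead of 0x61616161. It also classifies a faulting EIP value taken from a crash log and flags overlong arguments to the named commands in captured FTP request lines; the return-address offset, the 256-byte threshold and the sample lines are constructed values, not from the advisory.

```python
import struct

# Commands the advisory names as affected; MAX_ARG is a constructed threshold.
AFFECTED = {"USER", "PASS", "CWD", "MKD"}
MAX_ARG = 256

def widen(payload: bytes) -> bytes:
    """Model the server's ANSI-to-UTF-16LE conversion of a command argument."""
    return payload.decode("latin-1").encode("utf-16-le")

def eip_after_overflow(payload: bytes, ret_offset: int, widened: bool) -> int:
    """DWORD that lands on the saved return address sitting ret_offset bytes
    into the buffer (ret_offset is a constructed stand-in; the advisory gives none)."""
    data = widen(payload) if widened else payload
    chunk = data[ret_offset:ret_offset + 4]
    if len(chunk) < 4:
        raise ValueError("payload does not reach the saved return address")
    return struct.unpack("<I", chunk)[0]

def printable(x: int) -> bool:
    return 0x20 <= x < 0x7F

def classify_eip(eip: int) -> str:
    """Classify a faulting EIP copied from a crash log by its byte pattern."""
    b = struct.pack("<I", eip)
    if b[1] == 0 and b[3] == 0 and printable(b[0]) and printable(b[2]):
        return "unicode-widened ASCII overwrite"
    if all(printable(x) for x in b):
        return "plain ASCII overwrite"
    return "no attacker-controlled pattern"

def flag_overlong(lines):
    """(command, argument length) for affected commands whose argument exceeds
    MAX_ARG, scanned from raw FTP request lines (capture or server log)."""
    hits = []
    for line in lines:
        cmd, _, arg = line.rstrip("\r\n").partition(" ")
        if cmd.upper() in AFFECTED and len(arg) > MAX_ARG:
            hits.append((cmd.upper(), len(arg)))
    return hits

if __name__ == "__main__":
    payload = b"a" * 600  # constructed overlong argument
    print(hex(eip_after_overflow(payload, 300, widened=True)))  # 0x610061
    print(classify_eip(0x00610061))
    print(flag_overlong(["USER anonymous\r\n", "PASS " + "a" * 600 + "\r\n"]))
```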

]=-

-=[ Credits

The bug was found by Dark Eagle
Unl0ck Team [http://unl0ck.void.ru]

]=-

-=[ Greetz

All greetz go out to: nekd0, antiq, choix, coki, tal0n, crash-x, setnf, 0xdeadbabe, gst etc…

]=-