BlackMoon FTPd Buffer Overflow Vulnerability

From: Strumpf Noir Society (vuln-devat_private)
Date: Tue Jan 15 2002 - 10:17:02 PST


    Strumpf Noir Society Advisories
    ! Public release !
    <--#
    
    
    -= BlackMoon FTPd Buffer Overflow Vulnerability =-
    
    Release date: Tuesday, January 15, 2002
    
    
    Introduction:
    
    BlackMoon is a native Windows 2000 and XP FTP server application with 
    features such as virtual directories, user accounts, file resuming and 
    passive mode transfers, multi-homed and multi-port listening, low memory 
    and CPU usage, automatic date and time activation, all the basic FTP commands 
    and much more. 
    
    BlackMoon is available from the product's website:
    http://www.blackmoon.filetap.com
    
    
    Problem(s):
    
    The BlackMoon FTP server is vulnerable to a buffer overflow condition. 
    Due to the nature of these problems, this could lead to arbitrary code 
    execution on a target machine.
    
    More specifically, the buffer which holds the received data before it is
    parsed was incorrectly declared static, as shown in the code below.
    
    
    CBuffer::CBuffer(const char * data, int len, int capacity_inc)
    {
         bf_head = (char*)&staticBuf; //(char*)malloc(len * sizeof(char));
         if(bf_head != NULL)
         {
             // len is never compared against sizeof(staticBuf) (4096 bytes),
             // so a longer command argument is copied past the end of staticBuf
             memcpy(bf_head,data,len);
             bf_capacity = sizeof(staticBuf); //len;
             bf_current_size = len;
             bf_capacity_inc = capacity_inc;
         }
    }
    
    
    Due to this error, it is possible to overflow this buffer through several 
    of the standard FTP commands available to the user (specifically 'USER', 
    'PASS' and 'CWD') followed by a string of data longer than 4096 bytes.
    
    This will kill the BlackMoon FTP service (which runs under the local SYSTEM
    account) and allows EIP to be overwritten.
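    The check the constructor above is missing, shown as an added example that is
    not BlackMoon's code: a replacement buffer (hypothetical name SafeBuffer,
    member names mirroring the snippet) that keeps owned storage instead of a
    static array, grows it in capacity_inc steps, and refuses any line that would
    exceed an assumed 4096-byte ceiling rather than copying past the end.

```cpp
#include <cstddef>
#include <cstring>
#include <string>
#include <vector>

// Hypothetical bounds-checked stand-in for the CBuffer constructor quoted in
// the advisory (added example, not vendor code). The fixed staticBuf is
// replaced by a vector that grows in bf_capacity_inc steps, and every copy is
// checked against a hard ceiling before memcpy runs.
class SafeBuffer {
public:
    // Assumed per-line ceiling; the vulnerable build's static buffer was 4096 bytes.
    static const std::size_t kMaxLineLen = 4096;

    explicit SafeBuffer(std::size_t capacity_inc)
        : bf_current_size(0), bf_capacity_inc(capacity_inc ? capacity_inc : 512) {}

    // Copy len bytes in. Returns false and leaves the buffer untouched when the
    // result would exceed kMaxLineLen: the comparison the original memcpy lacked.
    bool append(const char* data, std::size_t len) {
        if (data == NULL) return false;
        if (len == 0) return true;
        if (len > kMaxLineLen || bf_current_size > kMaxLineLen - len) return false;
        std::size_t needed = bf_current_size + len;
        if (needed > bf_store.size()) {
            // Grow in bf_capacity_inc multiples, capped at the ceiling.
            std::size_t cap = bf_store.size();
            while (cap < needed) cap += bf_capacity_inc;
            if (cap > kMaxLineLen) cap = kMaxLineLen;
            bf_store.resize(cap);
        }
        std::memcpy(&bf_store[bf_current_size], data, len);
        bf_current_size += len;
        return true;
    }

    std::size_t size() const { return bf_current_size; }
    std::size_t capacity() const { return bf_store.size(); }
    std::string str() const {
        return std::string(bf_store.begin(), bf_store.begin() + bf_current_size);
    }

private:
    std::vector<char> bf_store;
    std::size_t bf_current_size;
    std::size_t bf_capacity_inc;
};

// Feed one received FTP line (for example "USER <name>\r\n") through the buffer
// and report whether it was accepted; an oversized USER/PASS/CWD argument, which
// crashed the vulnerable build, is simply refused here.
bool acceptFtpLine(const std::string& line) {
    SafeBuffer buf(512);
    return buf.append(line.data(), line.size());
}
```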
    
    
    (..)
    
    
    Solution:
    
    The vendor has been notified and was swift to respond by releasing BlackMoon
    FTP v1.5, Release #2, Build 1550, which is available from the product's web
    site. This version of the product fixes the problem described above and adds
    several safeguards against similar abuses.
    
    This was tested against BlackMoon FTP v1.5 (Release #1, Build 1547)
    on Win2k. The vulnerability described above was traced back to version 1.0,
    Release #1, Build 1115. Users are encouraged to upgrade.
    
    
    yadayadayada
    
    SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html) 
    compliant; all information is provided on an AS IS basis.
    
    EOF, but Strumpf Noir Society will return!
    



    This archive was generated by hypermail 2b30 : Tue Jan 15 2002 - 17:46:36 PST