Re: CuteFTP 5.0 XP, Buffer Overflow

From: Kanatoko (anvilat_private)
Date: Wed Feb 05 2003 - 20:56:06 PST


    CuteFTP 5.0 XP, build 51.1.23.1 was released, but it is still
    vulnerable to the same issue.
    
    Sending 780 bytes (in the previous build, it was 257 bytes) as a reply to
    the LIST command causes a stack overflow.
    
    # BTW, I found another buffer overflow problem. Copy a long URL like
    # "ftp://AAAAAAAAAAA....AAAAAAAAAAA/"
    # to the clipboard and execute CuteFTP. It will crash immediately.
    # Seems like a bug, not a security hole.
    
    -- 
    Kanatoko<anvilat_private>
    http://www.jumperz.net/
    irc.friend.td.nu:6667 #ouroboros
    
    
    
    On Sat, 18 Jan 2003 06:25:31 +0000
    "Lance Fitz-Herbert" <fitziesat_private> wrote:
    
    > Advisory 07:
    > ------------
    > Buffer Overflow In CuteFTP 5.0 XP
    > 
    > 
    > Discovered:
    > -----------
    > By Me, Lance Fitz-Herbert (aka phrizer).
    > September 4th, 2002
    > 
    > 
    > Vulnerable Applications:
    > ------------------------
    > Tested On CuteFTP 5.0 XP, build 50.6.10.2
    > Others could be vulnerable...
    > 
    > 
    > Impact:
    > -------
    > Medium,
    > This could allow arbitrary code to be executed on the remote victim's machine,
    > if the attacker is successful in luring a victim onto his server.
    > 
    > 
    > Details:
    > --------
    > When an FTP server is responding to a "LIST" (directory listing) command, the
    > response is sent over a data connection. Sending 257 bytes over this connection
    > will cause a buffer to overflow, and the EIP register can be overwritten
    > completely by sending 260 bytes of data.
    > 
    > 
    > Vendor Status:
    > --------------
    > Contacted GlobalSCAPE Jan 14th 2003. After a couple of emails back and forth
    > within a few days, they confirmed the problem and said they are working on a
    > release for Monday (20th Jan, 03) which will address the issue.
    > 
    > 
    > Solution:
    > ---------
    > Upgrade to the new version, which should be available from Monday (20th Jan, 03).
    > 
    > 
    > Exploit:
    > --------
    > Not released.
    > 
    > 
    > Contacting Me:
    > --------------
    >     ICQ: 23549284
    >     IRC: irc.dal.net #KORP
    > 
    > 
    > 
    > ----
    > NOTE: Because of the amount of spam I receive, I require all emails *to me*
    > to contain the word "nospam" in the subject line somewhere. Else I might not
    > get your email. Thank you.
    > ----
    > 
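One defensive handling of the bug class the advisory describes, as an added example that is neither CuteFTP's code nor either poster's: a bounded reader for LIST data-connection lines that refuses any line that would not fit its buffer instead of copying past the end. The 256-byte limit (inferred from the 257-byte trigger), the function names and the sample listing are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Assumed limit (not CuteFTP's source): the advisory's 257-byte trigger
 * suggests a 256-byte line buffer; the hardened reader keeps that size but
 * refuses longer lines instead of copying past the end. */
#define LIST_LINE_MAX 256

enum list_status { LIST_OK = 0, LIST_LINE_TOO_LONG = -1, LIST_INCOMPLETE = -2 };

/* Copy the next LF-terminated line of the LIST data stream into out (capacity
 * LIST_LINE_MAX) and store the bytes consumed in *consumed. A line that would
 * not fit together with its NUL is rejected before any byte is written. */
int read_list_line(const char *data, size_t len, char *out, size_t *consumed)
{
    const char *nl = memchr(data, '\n', len);
    size_t line_len = nl ? (size_t)(nl - data) + 1 : 0;
    if (!nl) return LIST_INCOMPLETE;        /* wait for more data, never guess */
    if (line_len + 1 > LIST_LINE_MAX) return LIST_LINE_TOO_LONG;
    memcpy(out, data, line_len);
    out[line_len] = '\0';
    *consumed = line_len;
    return LIST_OK;
}

/* Walk a complete LIST reply: returns the number of lines accepted, or the
 * negative status of the first bad line, so a hostile server's oversized
 * line aborts the listing instead of smashing the stack. */
int process_list_reply(const char *data, size_t len)
{
    char line[LIST_LINE_MAX];
    size_t off = 0, used = 0;
    int count = 0;
    while (off < len) {
        int st = read_list_line(data + off, len - off, line, &used);
        if (st != LIST_OK) return st;
        off += used;
        count++;
    }
    return count;
}

int main(void)
{   /* Constructed inputs: a normal two-entry listing and one 780-byte line. */
    const char *ok = "drwxr-xr-x 2 ftp ftp 4096 Jan 18 2003 pub\r\n"
                     "-rw-r--r-- 1 ftp ftp 12 Jan 18 2003 README\r\n";
    char big[782]; memset(big, 'A', 780); big[780] = '\n'; big[781] = '\0';
    printf("normal: %d lines, 780-byte line: status %d\n",
           process_list_reply(ok, strlen(ok)), process_list_reply(big, 781));
    return 0;
}
```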
    



    This archive was generated by hypermail 2b30 : Thu Feb 06 2003 - 08:33:14 PST