----------------------------------------------------------------------- SUMMARY : [FlashFXP] Two Buffer Overflow Vulnerabilities PRODUCT : FlashFXP VERSIONS : 2.0 build 905 VENDOR : CEDsoft (http://www.flashfxp.com/) SEVERITY : Critical. Code Execution. DISCOVERED BY : nesumin AUTHOR : :: Operash :: REPORTED DATE : 2003-05-07 RELEASED DATE : 2003-06-09 ----------------------------------------------------------------------- 0. PRODUCTS ============= FlashFXP is a GUI base FTP Client for Windows. CEDsoft (http://www.flashfxp.com/) 1. DESCRIPTION ================ FlashFXP has following two buffer overflow vulnerabilities; 1. The buffer overflow vulnerability in "PASV" command. The buffer overflow occurs on the stack area if a reply that contains a long string is returned from a server for "PASV" command request. By exploiting this vulnerability, an attacker can execute an arbitrary code on a user's system if the user connects to a malicious server. 2. The buffer overflow vulnerability in the long host name. The buffer overflow occurs on the stack area if a long host name is specified as destination server. By exploiting this vulnerability, an attacker can execute an arbitrary code on a user's system when the user copies a malicious manipulated URL with "Clipboard Monitor" function enabled. With these vulnerabilities, there could be following risks; * Infection with Virus or Trojan, etc. * Destruction of systems. * Leak or alteration of a local data. 2. SYSTEMS AFFECTED ===================== Flash FXP 2.0 build 905 And previous versions may have same vulnerabilities. 3. SYSTEMS NOT AFFECTED ========================= FlashFXP 2.1 build 923 FlashFXP 2.1 build 924 4. EXAMINES ============= Tested versions : FlashFXP 2.0 build 905 FlashFXP 2.1 build 923 FlashFXP 2.1 build 924 Tested platforms : Windows 98SE Japanese Windows 2000 Professional SP3 Japanese 5. VENDOR STATUS ================== 2003-05-14 Vendor released fixed-version (v2.1 build 923). 6. SOLUTION ============= Upgrade to version 2.1 build 923 or later version. 7. TECHNICAL DETAILS ====================== 1. The buffer overflow vulnerability in the reply for PASV command. FlashFXP tries to create a connection of data transfer to get a Directory List or etc when it connected to a FTP server. And if PASV-MODE is enabled, it requests IP address and port number for a connection of data transfer by using "PASV" command. Then, a buffer overflow occurs on the stack area if the IP address that is returned from the server contains a long string of over 0x90 bytes. Example: ---> PASV <--- 227 (AAAAAAAAAA ... (over 0x90 bytes) ... ,1,1,1,1,1) 2. The buffer overflow vulnerability in the long host name. FlashFXP writes a host name on the buffer before trying to resolve a host name, but it does not check the boundary of the buffer at that time. Therefore, if the host name contains a long string of over 0x90 bytes, the buffer overflow on the stack area would occur. Example: ftp://AAAAAAAAAA ... (over 0x90 bytes) ... / These buffer overflows can overwrite a Structured Exception Handler on the stack with an arbitrary value. If a Structured Exception Handler is overwritten with the address of buffer that has an arbitrary code or the address of instruction data that redirects to there, the processing path moves to that buffer. Therefore, it is able to execute an arbitrary code as the privilege of FlashFXP's process. 8. SAMPLE CODE ================ None release. 9. TIME TABLE =============== 2003-04-20 Discovered these vulnerabilities. 2003-05-07 Reported to vendor. 2003-05-07 Received a reply and a fixed-version(1) from vendor. 2003-05-07 Discovered a new bug, reported it to vendor. 2003-05-07 Received a fixed-version(2) from vendor. 2003-05-07 Conveyed to vendor that the fix has been done. 2003-05-14 Vendor released fixed-version. 2003-06-09 Released this advisory. 10. DISCLAIMER =============== A. We cannot guarantee the accuracy of all statements in this information. B. We do not anticipate issuing updated versions of this information unless there is some material change in the facts. C. And we will take no responsibility for any kinds of disadvantages by using this information. D. You can quote this advisory without our permission if you keep the following; a. Do not distort this advisory's content. b. A quoted place should be a medium on the Internet. E. If you have any questions, please contact to us. * Exception We strictly forbid 'Secunia' (http://www.secunia.com/) to republish or redistribute our advisory. 11. CONTACT, ETC ================= :: Operash :: imagine (Operash Webmaster) nesumin <nesuminat_private> Thanks to : melorin piso(sexy)
This archive was generated by hypermail 2b30 : Mon Jun 09 2003 - 14:18:24 PDT