---------------------------------------------------------------------- SUMMARY : [SmartFTP] Two Buffer Overflow Vulnerabilities PRODUCT : SmartFTP VERSIONS : 1.0.973 VENDOR : SmartFTP (http://www.smartftp.com/) SEVERITY : Critical. Code Execution. DISCOVERED BY : nesumin AUTHOR : :: Operash :: REPORTED DATE : 2003-05-07 RELEASED DATE : 2003-06-09 ---------------------------------------------------------------------- 0. PRODUCTS ============= SmartFTP is a GUI base FTP Client for Windows. SmartFTP.com (http://www.smartftp.com/) 1. DESCRIPTION ================ SmartFTP has following two buffer overflow vulnerabilities; 1. The buffer overflow vulnerability in the reply for PWD command. If the reply that contains a long address is returned from a server for "PWD" command request, the buffer overflow occurs on the stack area. By exploiting this vulnerability, an attacker can execute an arbitrary code on the user's system if the user connects to the malicious server. 2. The heap buffer overrun vulnerability in the File List. If the File List that contains a line of long string is returned from a server, the buffer overrun occurs on the heap area. By exploiting this vulnerability, an attacker possibly could execute an arbitrary code on the user's system if the user connects to the malicious server. With these vulnerabilities, there could be following risks; * Infection with Virus or Trojan, etc. * Destruction of the system. * Leak or alteration of the local data. 2. SYSTEMS AFFECTED ===================== SmartFTP 1.0.973 And previous versions may also have this vulnerability. 3. SYSTEMS NOT AFFECTED ========================= SmartFTP 1.0.976 4. EXAMINES ============= Tested versions : SmartFTP 1.0.973 SmartFTP 1.0.976 Tested platforms : Windows 98SE Japanese Windows 2000 Professional SP3 Japanese 5. VENDOR STATUS ================== 2003-05-07 Vendor released fixed-version (1.0.976) and described the fix in the change log. Reference: http://www.smartftp.com/changelog.php 6. SOLUTION ============= Upgrade to version 1.0.976 or later version. 7. TECHNICAL DETAILS ====================== 1. The buffer overflow vulnerability in the reply for PWD command. SmartFTP requests a current directory using "PWD" command when it's connected to a FTP server. And then the buffer overflow occurs on the stack area if the server's reply for "PWD" request has a long directory name such as following. Example: ---> PWD <--- 257 "AAAAAAAAAA ..... (over 0x208 bytes) ....." is current directory. If a saved RET address is overwritten with the address of buffer that has an arbitrary code or the address of instruction data that redirects to there, the processing path moves to that buffer. Therefore, it is able to execute an arbitrary code as the privilege of SmartFTP process. 2. The heap buffer overrun vulnerability in the File List. SmartFTP requests a File List to the FTP server using "LIST" command or etc when it connected to the server. And the buffer overrun occurs on the heap area if the returned File List has a line of long string like following. Example: dr-xr-xr-x 1 owner group 123 Feb 1 00:00 . AAAAAAAAAAA ..... (over 0x5000 bytes) ..... -r-xr-xr-x 1 owner group 123 Feb 1 00:00 filename.ext This buffer overrun can overwrite an arbitrary memory area with arbitrary values if it overwrites a Win32 Heap Manager records with a manipulated data. And overwriting the data related with a Structured Exception Handling, it is possible to make the processing path move to a specified address. Therefore an attacker possibly could execute as the privilege of SmartFTP process an arbitrary code. (However it can be difficult actually) The overflowed data is converted to UNICODE, that conversions are different in each system locales. 8. SAMPLE CODE ================ None release. 9. TIME TABLE =============== 2003-04-20 Discovered these vulnerabilities. 2003-05-07 Reported to vendor. 2003-05-07 Received a reply and a fixed-version(1) from vendor. 2003-05-07 Found a problem still left, and reported it to vendor. 2003-05-07 Received a fixed-version(2) from vendor. 2003-05-07 Discovered a new bug, and reported it to vendor. 2003-05-07 Received a fixed-version(3) from vendor. 2003-05-07 Conveyed to vendor that the fix has been done. 2003-05-07 Vendor released fixed-version. 2003-06-09 Released this advisory. 10. DISCLAIMER =============== A. We cannot guarantee the accuracy of all statements in this information. B. We do not anticipate issuing updated versions of this information unless there is some material change in the facts. C. And we will take no responsibility for any kinds of disadvantages by using this information. D. You can quote this advisory without our permission if you keep the following; a. Do not distort this advisory's content. b. A quoted place should be a medium on the Internet. E. If you have any questions, please contact to us. * Exception We strictly forbid 'Secunia' (http://www.secunia.com/) to republish or redistribute our advisory. 11. CONTACT, ETC ================= :: Operash :: imagine (Operash Webmaster) nesumin <nesuminat_private> Thanks to : melorin piso(sexy)
This archive was generated by hypermail 2b30 : Mon Jun 09 2003 - 14:27:57 PDT