Quick 'n Easy FTP Server pro/lite Logging unicode stack overflow

2006.04.27
Risk: Medium
Local: Yes
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 6.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

********************************************
IHS Iran Homeland Security Public advisory
by : c0d3r "Kaveh Razavi"
c0d3r (at) ihsteam (dot) com
********************************************
Title : Quick 'n Easy FTP Server pro/lite Logging unicode stack overflow
********************************************
information :

Quick 'n Easy FTP Server is a simple and handy FTP server developed by Pablo van der Meer. There is a unicode overflow in the logging process: after a long enough string is sent as the argument of a command, the overflow happens when the administrator opens the Logging section, and the SEH handler gets hit.
********************************************
simple exploitation :

It is a unicode overflow, so any code execution won't be stable. Here is a sample way to trigger the vulnerability:

Log in to the FTP server, then send:

command aaaaa < about 1100 a (0x61) here > aaaa

Then, in the FTP server main window, go to the Logging section. The FTP server will crash, and in ftptrace.txt we have:

24/07/2006 20:41:53.500 Exception caught by MainExceptionHandler(): Exception : c0000005 Address : 00610061 Access Type : write Access Address : 00000000

The amazing part is that if your string is large enough, the FTP server detects the overflow and prevents any pointer overwrite.
********************************************
Risk Rate : Medium

1) It is a unicode overflow, and exploitation won't be stable because of the vulnerability's nature.
2) Successful exploitation needs the admin to go to the Logging section.
3) It needs authentication.
********************************************
workaround :

No patch; all targets are vulnerable.
********************************************
Disclosure timeline :

March 26 , 2006 : vendor contacted
March 27 , 2006 : vendor replied *
March 27 , 2006 : vendor contacted , example provided
March 28 , 2006 : vendor replied **
March 28 , 2006 : vendor contacted , C code provided to test the vuln.
March 29 , 2006 : vendor replied ***
April 25 , 2006 : public release

* The vendor says I haven't applied all the Microsoft updates, while I have, and of course an overflow issue in a piece of software is not related to Microsoft libraries.
** The vendor is insisting that the problem is not an FTP problem but my box's problem.
*** I sent him C code to check the vulnerability; he said he would contact me. Well, he didn't.
********************************************
Credit : all go to IHS team
www.ihsteam.com
www.ihsteam.net
www.c0d3r.org

greeting : LorD and NT of IHS , Jamie of exploitdev.org , other friends of mine in www.underground.ir
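As an added example (not part of the advisory or of the vendor's code), this Python script parses ftptrace.txt exception lines of the shape quoted above and checks whether the faulting address is ASCII input widened to UTF-16-LE, i.e. every other byte is 0x00, which is why the "a" bytes surface as 00610061 and why the advisory says code execution won't be stable. The trace text is a constructed sample modelled on the quoted line; the function and field names are assumptions of mine.

```python
import re
import struct

# Constructed sample log, modelled on the ftptrace.txt line quoted in the advisory.
SAMPLE_TRACE = """\
24/07/2006 20:40:01.000 USER admin
24/07/2006 20:41:53.500 Exception caught by MainExceptionHandler(): Exception : c0000005 Address : 00610061 Access Type : write Access Address : 00000000
"""

EXC_RE = re.compile(r"Exception : (?P<code>[0-9a-fA-F]{8}) Address : (?P<addr>[0-9a-fA-F]{8})")

def widened_dword(ascii_text: str) -> int:
    """Value a little-endian 32-bit pointer takes when overwritten by the first
    four bytes of ascii_text after an ANSI-to-UTF-16-LE conversion.
    'aaaa' -> bytes 61 00 61 00 -> 0x00610061, the address in the trace."""
    wide = ascii_text.encode("utf-16-le")
    return struct.unpack("<I", wide[:4])[0]

def looks_like_widened_ascii(addr: int) -> bool:
    """True when both 16-bit halves are 0x00XX with XX printable ASCII: the
    fingerprint of attacker-supplied text that reached a pointer through a
    unicode conversion (the high byte of every character is zero)."""
    halves = (addr & 0xFFFF, addr >> 16)
    return all(h >> 8 == 0 and 0x20 <= (h & 0xFF) < 0x7F for h in halves)

def scan_trace(text: str) -> list:
    """Return one finding per exception line: exception code, faulting
    address, and whether the address decodes as widened ASCII input."""
    findings = []
    for line in text.splitlines():
        m = EXC_RE.search(line)
        if not m:
            continue
        code = int(m.group("code"), 16)
        addr = int(m.group("addr"), 16)
        widened = looks_like_widened_ascii(addr)
        findings.append({
            "access_violation": code == 0xC0000005,  # STATUS_ACCESS_VIOLATION
            "address": addr,
            "widened_ascii": widened,
            # Recover the two characters the attacker controlled at that spot.
            "recovered_text": addr.to_bytes(4, "little").decode("utf-16-le") if widened else "",
        })
    return findings

if __name__ == "__main__":
    for f in scan_trace(SAMPLE_TRACE):
        print(f)
```

A faulting address that decodes as printable text is a strong sign that user-controlled data, not a library bug, overwrote the pointer, which is the point the advisory makes against the vendor's reply.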

