SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Join our Affiliate Program
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (File Transfer/Sharing)  >  EF Commander Vendors:  EFSoftware
EF Commander Buffer Overflow in Processing FTP Banners May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1007310
CVE Reference:  GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jul 26 2003
Impact:  Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 3.54
Description:  Peter Winter-Smith reported a buffer overflow vulnerability in EF Commander. A remote FTP server can cause a target user's connected client to crash and possibly execute arbitrary code.

It is reported that a remote FTP server can send a specially crafted FTP banner to a connected EF Commander client to trigger a buffer overflow. A remote user may be able to cause arbitrary code to be executed.

A demonstration exploit transcript is provided:

(EF Commander 3.54 connected...)
PADDING EBP EIP
220 [508xA][4xB][4xX] // Totalling 516+4 Bytes
(Access violation when executing 0x58585858) // 4xX

The vendor has reportedly been notified.
Impact:  A remote FTP server may be able to cause arbitrary code to be executed on the EF Commander client when the client connects to the server. The code would run with the privileges of the user running the EF Commander client.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.efsoftware.com/cw/e.htm (Links to External Site)
Cause:  Boundary error
Underlying OS:  Windows (Any)
Reported By:  Peter Winter-Smith <peter4020@hotmail.com>
Message History:   None.

 Source Message Contents
Date:  Sat, 26 Jul 2003 00:32:00 +0000
From:  Peter Winter-Smith <peter4020@hotmail.com>
Subject:  Buffer Overflow in EF Commander 3.54

 


Buffer Overflow in EF Commander 3.54

Url: http://www.efsoftware.com

"EF Commander is a file manager, archiver, viewer, FTP-client for
the Windows 95/98/Me, Windows NT 4.0, Windows 2000 and Windows XP
desktop. If you've ever used and liked Norton Commander, you'll like
this dual-windowed program, which comes complete with bubble and
online help. You can search directory trees and directories and
perform actions, including Run, on files. You can also check file
attributes and edit files with search-and-replace and drag-and-drop.
Use the internal editor or associate one of your choosing to edit files,
easily view files and configure the buttons to suit your needs, and get
system and disk information with a click of the mouse."
- EFSoftware Website

Indeed it is quite remarkable, sporting a huge number of extra features
which make the $25.00 registration fee (when using paypal) a definite
bargin!

See: http://www.efsoftware.com/order/e.htm for order information.

I have noticed that EF Commander 3.54 (and possibly earlier versions)
are vulnerable to a buffer overflow in the FTP banner and other areas.
These can be replicated as follows:

FTP Banner:
===========
(EF Commander 3.54 connected...)
     PADDING EBP EIP
220 [508xA][4xB][4xX] // Totalling 516+4 Bytes
(Access violation when executing 0x58585858) // 4xX

When sending the overly long packet as the FTP banner, the overflow
does not often take an immediate effect, however when sending it as
part of another response, it is immediate.

Potentially an attacker would be able to execute arbitrary code on
the system of an unsuspecting user.

Since I would not have access to a computer for a while, I thought
it best to contact the vendor, and release the advisory together,
as I very much doubt that any trouble will come from the knowledge
of this security hole, especially before a patch can be made known.

Please visit EFSoftware's website:

http://www.efsoftware.com

And check for an updated version, greater than 3.54, which will
doubtless be patched against this bug.


======================================================================


Operating system and servicepack level:
Windows 9x/Me/NT Based


Software:
EF Commander 3.54 (Possibly Earlier Versions)


Under what circumstances the vulnerability was discovered:
Under a vulnerability search.


If the vendor has been notified:
Yes, concurrent with the release of this advisory.


How to contact you for further information:
I can always be reached at peter4020@hotmail.com


Please credit this find to:
Peter Winter-Smith


Thank you for your time,
-Peter

_________________________________________________________________
Hotmail messages direct to your mobile phone http://www.msn.co.uk/msnmobile


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2002, SecurityGlobal.net LLC