Mabry's FTPServer/X Buffer Overflow in Returning Responses May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1007068
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jun 26 2003
Impact: Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Advisory: Secunia Research
Version(s): 1.00.045, 1.00.046
Description: Secunia Research reported a buffer overflow vulnerability in FTPServer/X from Mabry Software. A remote user can cause the FTP server to crash or execute arbitrary code.
It is reported that this server component is used in other FTP server products, including the Mollensoft FTP Server and Hyperion FTP Server.
The report indicates that when the FTP server attempts to return a response containing user-supplied input, a buffer overflow can be triggered due to a flawed wsprintf() function call.
The FTP service must be restarted manually to return to normal operations.
A demonstration exploit transcript is provided:
telnet [victim] 21
USER AAAA...[995-1017]...AAAA
This demonstration will trigger a crash when the FTP server attempts to return the "331 Password required for %s" error message. The total length of the response will overflow a 1024-byte buffer, according to the report.
A similar exploit can be achieved by triggering the "500" response (command not understood). Secunia notes that this behavior was reported in April 2003 by Moran Zavdi as affecting Hyperion FTP Server 3.0.0.
To determine if your FTP server is potentially affected, you can reportedly search for the "FTPServX.dll" or "FTPServX.ocx" files on your system.
The following extensive notification timeline is provided:
10/04/2003 - Vulnerability discovered in Hyperion FTP Server.
11/04/2003 - Vendor notified (support@mollensoft.com).
22/04/2003 - Vendor contacted again requesting acknowledgment.
22/04/2003 - Vendor confirms vulnerability and states that it will be fixed in version 3.5.2.
26/04/2003 - Vendor releases version 3.5.2.
28/04/2003 - Vulnerability still present in latest version. Vendor notified (support@mollensoft.com).
29/04/2003 - Mabry Software notified (techsupport@mabry.com) since the vulnerability may be caused by a boundary error in FTPServer/X used in Hyperion/Mollensoft FTP Server.
09/05/2003 - Vulnerability conclusively identified in FTPServer/X.
09/05/2003 - Vendor notified again (techsupport@mabry.com).
09/05/2003 - Vendor confirms vulnerability.
03/06/2003 - Vendor releases updated version (1.00.046).
04/06/2003 - Vulnerability still present in latest version. Vendor informed (techsupport@mabry.com).
12/06/2003 - Vendor provides source code and asks for help in identifying the problem.
16/06/2003 - Problem identified.
17/06/2003 - Mabry Software releases updated version (1.00.047).
22/06/2003 - Mollensoft releases updated version (3.5.3).
24/06/2003 - Public disclosure.
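As an added illustration (not code from the advisory, Secunia or Mabry), the C below contrasts the unbounded response-formatting pattern the report describes with a bounded version that checks the length snprintf() reports before sending. The 26-byte "331 Password required for " prefix, the "501" refusal text and the helper names are assumptions, and portable sprintf()/snprintf() stand in for the Win32 wsprintf().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed-size response buffer, matching the 1024-byte buffer the advisory cites. */
#define RESP_BUF_SIZE 1024

/* Vulnerable shape, shown only for contrast and never called here: an
 * unbounded formatter that echoes the USER argument back into a fixed
 * buffer. The advisory's flawed wsprintf() call has this shape; sprintf()
 * stands in for wsprintf() so the file builds on any platform. */
void reply_unsafe(char *out, const char *user) {
    sprintf(out, "331 Password required for %s\r\n", user);
}

/* Hardened form: bounded formatting plus a check of the length snprintf()
 * reports. Returns the response length, or -1 when the full response
 * (including the terminating NUL) would not fit in out_size bytes; in that
 * case a fixed refusal is written instead of a truncated echo of the input.
 * The "501" refusal text is a constructed example, not FTPServer/X's own. */
int reply_safe(char *out, size_t out_size, const char *user) {
    int n = snprintf(out, out_size, "331 Password required for %s\r\n", user);
    if (n < 0 || (size_t)n >= out_size) {
        snprintf(out, out_size, "501 Argument too long\r\n");
        return -1;
    }
    return n;
}

/* Build a constructed USER argument of `len` 'A' bytes, like the
 * "AAAA...[995-1017]...AAAA" line in the advisory's transcript, and return
 * what reply_safe() does with it. The real component's prefix and overhead
 * are not on the page, so the exact boundary here (26 prefix bytes + CRLF)
 * is an assumption and differs from the advisory's 995-byte lower bound. */
int reply_len_for_user_len(size_t len) {
    char out[RESP_BUF_SIZE];
    char *user = malloc(len + 1);
    if (user == NULL)
        return -2;
    memset(user, 'A', len);
    user[len] = '\0';
    int n = reply_safe(out, sizeof out, user);
    free(user);
    return n;
}

int main(void) {
    printf("%d %d\n", reply_len_for_user_len(8), reply_len_for_user_len(1017)); /* 36 -1 */
    return 0;
}
```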
Impact: A remote user can cause the FTP server to crash or execute arbitrary code. The code will run with the privileges of the FTP server.
Solution: The vendor has released a fixed version (1.00.047), available at:
http://www.mabry.com/proddown.htm
Vendor URL: www.mabry.com/ftpserv/index.htm
Cause: Boundary error
Underlying OS: Windows (Any)
Reported By: Carsten H. Eiram <che@secunia.com>
Message History:
None.
Source Message Contents
Date: 26 Jun 2003 17:02:17 +0200
From: Carsten H. Eiram <che@secunia.com>
Subject: Secunia Research: FTPServer/X Response Buffer Overflow Vulnerability
======================================================================
Secunia Research 26/06/2003
- FTPServer/X Response Buffer Overflow Vulnerability -
======================================================================
Receive Secunia Security Advisories for free:
http://www.secunia.com/secunia_security_advisories/
======================================================================
Table of Contents
1....................................................Affected Software
2.............................................................Severity
3.....................................Vendor's Description of Software
4.........................................Description of Vulnerability
5.............................................................Solution
6...........................................................Time Table
7..............................................................Credits
8........................................................About Secunia
9.........................................................Verification
======================================================================
1) Affected Software
FTPServer/X - FTP Server Control and COM Object v1.00.046.
FTPServer/X - FTP Server Control and COM Object v1.00.045.
Prior versions have not been tested, but may also be vulnerable.
Used in the following products:
Simple FTPServer Example (included with FTPServer/X)
Mollensoft FTP Server 3.5.2 (formerly known as Hyperion)
Hyperion FTP Server 3.0.0 (updated version downloaded 10/04/2003)
NOTE: Any FTP server using FTPServer/X may be vulnerable.
======================================================================
2) Severity
Rating: Highly critical
Impact: Denial of Service, System Access
Where: From Remote
======================================================================
3) Vendor's Description of Software
"FTPServer/X makes it easy for you to put up an FTP server.
FTPServer/X comes in both ActiveX Control and COM Object forms to
make it easy for you to integrate it into nearly any Windows
programming environment. When you use FTPServer/X, you have complete
control over user access, directories, file uploads and downloads,
deletion, etc."
Vendor:
Mabry Software
http://www.mabry.com
======================================================================
4) Description of Vulnerability
A vulnerability has been identified in FTPServer/X, which can be
exploited by malicious people to cause a DoS (Denial of Service) on a
vulnerable FTP server or potentially compromise it.
The vulnerability is caused due to a boundary error, when the FTP
Server returns responses, which include user input. The problem is
that the allocated buffer (1024 bytes) may be overflowed due to an
insecure use of the "wsprintf()" function.
When exploiting the vulnerability, the return address as well as a
pointer stored in the register "ecx" can be overwritten with
arbitrary values.
Before returning, the manipulated pointer is used as an argument to
the function "InterlockedDecrement()" in "kernel32.dll", which may
cause a vulnerable FTP server to crash.
The FTP service needs to be restarted manually before functionality
is restored.
Since the return address also is overwritten, the vulnerability can
potentially also be exploited to execute arbitrary code on a
vulnerable system.
The following two examples exploit the vulnerability.
Exploit 1 (Supply between 995 and 1017 bytes to the USER command):
telnet [victim] 21
USER AAAA...[995-1017]...AAAA
The FTP Server will crash when the "331 Password required for %s"
response is returned.
Exploit 2 (Supply a 991 to 1022 bytes long invalid command):
telnet [victim] 21
AAAA...[991-1022]...AAAA
The FTP Server will crash when the response "500 '%s': command not
understood" is returned.
Please note that "Exploit 2" is the same issue as the one reported
by Moran Zavdi at the beginning of April in Hyperion FTP Server
3.0.0. However, this was erroneously thought to be fixed in an
updated version of Hyperion FTP Server 3.0.0.
======================================================================
5) Solution
Mabry Software has fixed the vulnerability in FTPServer/X version
1.00.047.
Mollensoft has issued Mollensoft FTP Server version 3.5.3, which uses
the latest version of FTPServer/X.
If your FTP server uses the FTPServer/X component (look for
"FTPServX.dll" / "FTPServX.ocx"), check to see if an updated version
of the product has been made available.
======================================================================
6) Time Table
10/04/2003 - Vulnerability discovered in Hyperion FTP Server.
11/04/2003 - Vendor notified (support@mollensoft.com).
22/04/2003 - Vendor contacted again requesting acknowledgment.
22/04/2003 - Vendor confirms vulnerability and states that it will
be fixed in version 3.5.2.
26/04/2003 - Vendor releases version 3.5.2.
28/04/2003 - Vulnerability still present in latest version. Vendor
notified (support@mollensoft.com).
29/04/2003 - Mabry Software notified (techsupport@mabry.com) since the
vulnerability may be caused by a boundary error in FTPServer/X used
in Hyperion/Mollensoft FTP Server.
09/05/2003 - Vulnerability conclusively identified in FTPServer/X.
09/05/2003 - Vendor notified again (techsupport@mabry.com).
09/05/2003 - Vendor confirms vulnerability.
03/06/2003 - Vendor releases updated version (1.00.046).
04/06/2003 - Vulnerability still present in latest version. Vendor
informed (techsupport@mabry.com).
12/06/2003 - Vendor provides source code and asks for help in
identifying the problem.
16/06/2003 - Problem identified.
17/06/2003 - Mabry Software releases updated version (1.00.047).
22/06/2003 - Mollensoft releases updated version (3.5.3).
24/06/2003 - Public disclosure.
======================================================================
7) Credits
Discovered by Carsten H. Eiram, Secunia Research.
======================================================================
8) About Secunia
Secunia collects, validates, assesses and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia website:
http://www.secunia.com/
Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://www.secunia.com/secunia_security_advisories/
======================================================================
9) Verification
Please verify this advisory by visiting the Secunia website:
http://www.secunia.com/secunia_research/2003-3/
======================================================================