BlackJumboDog Has Buffer Overflow in the FTP Service That Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1010807
SecurityTracker URL: http://securitytracker.com/id?1010807
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jul 29 2004
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 3.6.1
Description: Tan Chew Keong of SIG^2 reported a buffer overflow in the BlackJumboDog FTP Server. A remote user can execute arbitrary code on the target system.
It is reported that a remote user can send a specially crafted FTP command with a long parameter string to trigger the flaw. The USER, PASS, RETR, CWD, XMKD, XRMD, and other commands are affected. The software reportedly copies the user-supplied parameter string to a 256-byte buffer.
The vendor was notified on July 27, 2004.
The original advisory is available at:
http://www.security.org.sg/vuln/bjd361.html
Impact: A remote user can execute arbitrary code on the target system with the privileges of the FTP service.
Solution: The vendor has released a fixed version (3.6.2), available at:
http://homepage2.nifty.com/spw/software/bjd/
Vendor URL: homepage2.nifty.com/spw/
Cause: Boundary error
Underlying OS: Windows (Any)
Reported By: Chew Keong TAN <chewkeong@security.org.sg>
Message History:
None.

Source Message Contents
Date: Thu, 29 Jul 2004 20:53:55 +0800
From: Chew Keong TAN <chewkeong@security.org.sg>
Subject: Buffer overflow in SapporoWorks BlackJumboDog FTP server
SIG^2 Vulnerability Research Advisory
Buffer overflow in SapporoWorks BlackJumboDog FTP server
by Tan Chew Keong
Release Date: 29 July 2004
ADVISORY URL
http://www.security.org.sg/vuln/bjd361.html
SUMMARY
SapporoWorks BlackJumboDog is an integrated open-source proxy server,
web server and FTP server developed by SapporoWorks for Microsoft
Windows platforms. BlackJumboDog version 3.6.1 is vulnerable to a buffer
overflow in its FTP server. By sending a specially crafted FTP request
containing an overly long parameter string in the USER, PASS, RETR, CWD,
XMKD, XRMD or various other commands, a remote attacker could cause a
stack overflow and execute arbitrary code.
VENDOR URL
http://homepage2.nifty.com/spw/software/bjd/index.html
TESTED SYSTEM
BlackJumboDog Version 3.6.1 on English Win2K SP4
DETAILS
This vulnerability is caused by an unsafe strcpy() that copies the
entire parameter of the user's FTP command to a stack buffer of 256
bytes. For example, suppose that the user's FTP client issues the
following command.
USER xxxxxxxxxxxx
The command parameter "xxxxxxxxxxxx" will be copied to a 256-byte
buffer using strcpy(). Hence, by crafting an FTP command with an overly
long parameter, a remote attacker could trigger a stack overflow and
execute arbitrary code. The attacker does not need to have a valid account
on the FTP server since the overflow can be triggered prior to
authentication using the USER command.
PATCH
Author has fixed the bug in version 3.6.2. Users are advised to upgrade
to the fixed version.
DISCLOSURE TIMELINE
26 Jul 04 - Vulnerability Discovered
27 Jul 04 - Initial Author Notification
28 Jul 04 - Author Replied with Fix (upgrade to version 3.6.2)
29 Jul 04 - Public Release
GREETINGS
All guys at SIG^2 G-TEC
http://www.security.org.sg/webdocs/g-tec.html
"IT Security...the Gathering. By enthusiasts for enthusiasts."
--
Chew Keong TAN
Vice-President
SIG2, Singapore
E-mail: chewkeong@security.org.sg
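The unchecked strcpy() into a 256-byte stack buffer that the advisory describes, next to a parser that checks the parameter length before copying. This is an added example, not BlackJumboDog's code or the advisory author's; the function names, the 500/501 reply codes, and the sample input are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define PARAM_MAX 256  /* buffer size given in the advisory */

/* Unchecked pattern (hypothetical reconstruction): safe only if strlen(param) < PARAM_MAX. */
size_t copy_param_unsafe(const char *param)
{
    char buf[PARAM_MAX];
    strcpy(buf, param);            /* no bound: writes past buf at 256+ bytes */
    return strlen(buf);
}

/* Hardened form: split "VERB param\r\n" and check lengths before copying.
 * Returns 0 if accepted, or an FTP reply code (500/501, an assumption). */
int parse_ftp_command(const char *line, char *verb, size_t verb_sz,
                      char *param, size_t param_sz)
{
    size_t len  = strcspn(line, "\r\n");   /* line without its terminator */
    size_t vlen = strcspn(line, " \r\n");  /* verb ends at first space */
    if (vlen == 0 || vlen >= verb_sz) return 500;
    memcpy(verb, line, vlen);
    verb[vlen] = '\0';
    const char *p = line + vlen;
    while (p < line + len && *p == ' ') p++;
    size_t plen = (size_t)(line + len - p);
    if (plen >= param_sz) return 501;      /* reject; never truncate or overflow */
    memcpy(param, p, plen);
    param[plen] = '\0';
    return 0;
}

/* Constructed input: "USER " + n filler bytes + CRLF, run through the parser. */
int reply_for_user_len(size_t n)
{
    static char line[8200];
    char verb[8], param[PARAM_MAX];
    if (n > 8192) return -1;
    memcpy(line, "USER ", 5);
    memset(line + 5, 'x', n);
    memcpy(line + 5 + n, "\r\n", 3);       /* copies the NUL as well */
    return parse_ftp_command(line, verb, sizeof verb, param, sizeof param);
}

int main(void)
{
    printf("255 -> %d, 256 -> %d\n", reply_for_user_len(255), reply_for_user_len(256));
    return 0;
}
```

A 255-byte parameter fits with its terminating NUL and is accepted; at 256 bytes the parser returns 501 before any copy takes place.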