FTPServer/X Format String Flaw and Buffer Overflow May Permit Remote Code Execution
SecurityTracker Alert ID: 1008667
SecurityTracker URL: http://securitytracker.com/id/1008667
CVE Reference:
GENERIC-MAP-NOMATCH
Date: Jan 12 2004
Impact:
Execution of arbitrary code via network, User access via network
Version(s): 1.00.050
Description:
securma massine reported two vulnerabilities in FTPServer/X. A remote authenticated user can execute arbitrary code on the target system.
It is reported that there is a format string vulnerability. A remote user can supply a specially crafted username (such as '%s%s%s%s' or '%999d') to trigger the flaw. It may be possible to cause arbitrary code to be executed.
It is also reported that a remote authenticated user can supply a specially crafted 'mkdir' command to trigger a buffer overflow and cause arbitrary code to be executed on the target system.
The report indicated that the FTPServer/X component is used in other FTP server products such as Simple FTPServer Example, Mollensoft FTP Server, Hyperion FTP Server, and Enceladus server.
The vendor has reportedly been notified.
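The two flaws described above share two defensive patterns that any FTP command handler should apply: never let a client-supplied string (the USER argument here) become the format argument of a printf-family call, and bound every command argument (the MKD path here) before it reaches a fixed-size buffer. The following added example, written in portable C for this entry and not taken from FTPServer/X or any of the listed products, shows both. The function names, the buffer sizes and the sample inputs are assumptions constructed for the illustration; the vulnerable call appears only as a comment.

```c
/* Added example (not FTPServer/X code): defensive handling for the two
 * flaw classes in this advisory.
 *  1. The untrusted username is passed as an ARGUMENT to snprintf, never
 *     as the format string (the page describes wsprintfA misusing it).
 *  2. Command arguments such as the MKD path are length-checked before
 *     being copied into a fixed buffer, and over-long input is rejected.
 * Names, limits and inputs below are hypothetical, chosen for the example. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define PATH_MAX_LEN 256   /* hypothetical limit for a command argument */

/* Returns true if 'input' contains a conversion directive ('%' that is not
 * part of a literal "%%"), i.e. it would be dangerous if ever used as a
 * format string. Intended as a detection/logging check that complements,
 * but does not replace, using the input only as an argument. */
bool has_format_directive(const char *input) {
    for (const char *p = input; *p; p++) {
        if (*p == '%') {
            if (p[1] == '%') { p++; continue; }  /* "%%" is a literal percent */
            return true;
        }
    }
    return false;
}

/* Hardened reply formatting for the USER command. Returns the number of
 * characters snprintf would have written (excluding the terminator). */
int format_login_reply(char *out, size_t outlen, const char *username) {
    /* Vulnerable pattern the advisory describes (never do this):
     *     wsprintfA(out, username);   // "%s%s%s%s" reads stack slots as pointers
     * Hardened form: the username is data, "%s" is the only format. */
    return snprintf(out, outlen, "331 Password required for %s.", username);
}

/* Bounded copy of a command argument (e.g. the path given to MKD) into a
 * fixed buffer. Over-long input is rejected rather than silently truncated,
 * so it can neither overrun 'dst' nor turn into a different path.
 * Returns 0 on success, -1 if the argument does not fit. */
int copy_command_arg(char *dst, size_t dstlen, const char *arg) {
    size_t n = strlen(arg);
    if (n >= dstlen) return -1;       /* leave room for the terminator */
    memcpy(dst, arg, n + 1);
    return 0;
}

int main(void) {
    char reply[128];
    char path[PATH_MAX_LEN];

    /* Constructed inputs mirroring the advisory's two test strings. */
    const char *user_attack = "%s%s%s%s";
    format_login_reply(reply, sizeof reply, user_attack);
    printf("%s (directive present: %d)\n", reply, has_format_directive(user_attack));

    char long_path[600];                 /* constructed oversize MKD argument */
    memset(long_path, 'A', sizeof long_path - 1);
    long_path[sizeof long_path - 1] = '\0';
    printf("oversize MKD argument accepted? %d\n",
           copy_command_arg(path, sizeof path, long_path));
    return 0;
}
```

The detection helper is worth wiring into the server's logging path: a USER value that trips `has_format_directive` is a strong signal of probing for this class of flaw even after the format string itself has been fixed.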
Impact:
A remote user or a remote authenticated user may be able to execute arbitrary code on the target system. The code will run with the privileges of the FTP service.
Solution:
No solution was available at the time of this entry.
Vendor URL: www.mabry.com/ftpserv/index.htm
Cause:
Boundary error, Input validation error
Underlying OS:
Windows (Any)
Message History:
None.
Source Message Contents
Date: Sun, 11 Jan 2004 22:51:03 +0100
Subject: FTPServer/X multiples vulnerability
hi
FTPServer/X is a product of http://www.marby.com. It is an OCX/COM control object which makes it possible to manage users, upload, download, delete and other FTP commands. This product is used by many commercial FTP servers on the Net, in particular:
Simple FTPServer Example
Mollensoft FTP Server
Hyperion FTP Server
Enceladus server
Vulnerable ActiveX Controls:
* FTPServer/X - FTP Server Control and COM Object version 1.00.050
Marby claims to have fixed most of the vulnerabilities affecting this ActiveX ("Response Buffer Overflow Vulnerability"), but it appears that other serious vulnerabilities allow attacks of the DoS type and/or arbitrary execution of commands on the server using this ActiveX control.
1 - format string:
two attacks are possible:
a - traditional format string:
Connecté à 127.0.0.1.
220 Mollensoft FTP Server 3.5.3 Ready.
Utilisateur (127.0.0.1:(none)) : %s%s%s%s
Connexion fermée par l'hôte distant.
(ed0.bc0): Access violation - code c0000005 (!!! second chance !!!)
eax=20313333 ebx=0000000a ecx=20313333 edx=00000000 esi=20313334 edi=0012c924
eip=77d1ca84 esp=0012c8ac ebp=0012c8e4 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\USER32.dll -
USER32!wsprintfA+0x11a:
77d1ca84 8a10 mov dl,[eax] ds:0023:20313333=??
b - variable synchronization mechanism:
Connecté à 127.0.0.1.
220 Mollensoft FTP Server 3.5.3 Ready.
Utilisateur (127.0.0.1:(none)) : %999d
Connexion fermée par l'hôte distant.
914.8fc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=ffffffff ebx=770e14e8 ecx=719923a2 edx=50e24f90 esi=0012fce4 edi=000000cd
eip=77e578ce esp=0012cd04 ebp=0012fd00 iopl=0 nv up ei pl nz ac pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010213
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll -
kernel32!InterlockedDecrement+0x9: (used to synchronize the use of a variable by several threads)
77e578ce f00fc101 lock xadd [ecx],eax ds:0023:719923a2=0000ae85
2 - buffer overflow:
a buffer overflow affects the mkdir command (and other commands); the eip points directly to the 41,42,43,44 bytes of the buffer. This BOF happens in two stages:
first there is an exception at 50e14331 mov [edi], edx (edx=41414141 eax=41414141)
and
mov [edi],edx
mov ebx,[esp]
push ecx
push ebx
call ntdll!ultoa+0x1f
..
..
ntdll!RtlConvertUlongToLargeInteger+0x68:
77f7339e ffd1 call ecx {41414141}
until we reach a classic buffer overflow:
eax=00000000 ebx=00000000 ecx=41414141 edx=77f733b4 esi=00000000 edi=00000000
eip=41414141 esp=0012bb50 ebp=0012bb70 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
41414141 ?? ???
mabry has been contacted, without answer
securma massine
greetz:anasoft simo abder marocit and crack.fr