| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 24 Aug 2005 21:33:46 -0500 From: Damien Palmer <alacrity@...il.com> To: Kaveh Razavi <c0d3rz_team@...oo.com> Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk Subject: Re: LeapFTP .lsq Buffer Overflow Vulnerability Seeing as how, given a large enough buffer, it is relatively easy to write arbitrary shell code using just ASCII characters, the larger unicode space would make this even easier. Unless there are some pretty severe unlisted restrictions on either the length or content of the overflow string, making an exploit is practically trivial. If you want a quick'n'dirty overview of shell code using a very limited subset of ASCII you can refer to the lecture notes from a unix security class I took in Fall 2004 (starting on page 5 of this document): http://cr.yp.to/2004-494/0910.pdf -D On 8/24/05, Kaveh Razavi <c0d3rz_team@...oo.com> wrote: > it is not a high risk vulnerability . > chance of making an stable exploit in a unicode > overflow is low . > Regards > > c0d3r of IHS > Network Security Reseacher > > > LeapFTP .lsq Buffer Overflow Vulnerability > > > > by Sowhat > > > > Last Update:2005.08.24 > > > > http://secway.org/advisory/AD20050824.txt > > > > Vendor: > > > > LeapWare Inc. > > > > Product Affected: > > > > LeapFTP < 2.7.6.612 > > > > Overview: > > > > LeapFTP is the award-winning shareware FTP client > > that combines an > > intuitive interface with one of the most powerful > > client bases around. > > > > > > Details: > > > > .LSQ is the LeapFTP Site Queue file, And it is > > registered with Windows > > by LeapFTP. You can save a transfer Queue to .lsq > > files and transfer it > > later by opening the .lsq files. > > > > However, LeapFTP does not properly check the length > > of the "Host" fields, > > when a overly long string is supplied, there will be > > a buffer overflow > > and probably arbitrary code execution. > > > > This vulnerability can be exploited by sending the > > malformed .lsq file > > to the victim, after the victim open the .lsq file, > > arbitray code may > > executed. > > > > > > //bof.lsq > > > > [HOSTINFO] > > HOST=AAAAA...[ long string ]...AAAAA > > USER=username > > PASS=password > > > > [FILES] > > "1","/winis/ApiList.zip","477,839","E:\ApiList.zip" > > > > SOLUTION: > > > > All users are encouraged to upgrade to 2.7.6 > > immediately > > Vendor also released an advisory: > > http://www.leapware.com/security/2005082301.txt > > > > Vendor Response: > > > > 2005.08.22 Vendor notified via online WebForm > > 2005.08.23 Vendor responsed and bug fixed > > 2005.08.24 Vendor released the new version 2.7.6.612 > > 2005.08.24 Advisory Released > > > > > > ';" type="text/css"> > > > __________________________________________________ > Do You Yahoo!? > Tired of spam? Yahoo! Mail has the best spam protection around > http://mail.yahoo.com > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists