lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
From: unsecure at altervista.org (Komrade)
Subject: WeOnlyDo! COM Ftp DELUXE ActiveX Control Buffer Overflow Vulnerability

AUTHOR
Komrade
unsecure@...ervista.org
http://unsecure.altervista.org

DATE
22/11/2004

PRODUCT
WodFtpDLX is an ActiveX component that supports encrypted and
non-encrypted FTP access to the servers for transferring files.
It can be used in various programs, scripts, web applications to connect
to FTP servers.
The ActiveX is named "WodFtpDLX.ocx" and could be found on the default
"windows\system32" directory (if installed by any application).

AFFECTED VERSION
All verion prior to 2.3.2.97 (version fixed by the vendor)

Versions verified to be vulnerable:
2.2.0.1
2.3.0.0
2.3.2.90
2.3.2.94

DETAILS
I discovered that this ActiveX doesn't correctly handle a very long file
name sent from an FTP server.
This vulnerability occurs when the ActiveX copies the name of the files
stored in an FTP server in the stack, using a strncpy() function that
not correctly sets the maximum length of the string.
It is possible to overwrite a SEH address and cause an exception to the
program, being able to execute arbitrary commands remotely to a target
machine.

POC EXPLOIT
You can find a proof of concept exploit that crashes all the programs
based on the vulnerable ActiveX.
http://unsecure.altervista.org/security/wodftpcrash.c

VENDOR STATUS
I notified this vulnerability to the vendor on 18/11/2004 and they
create a new fixed version of the ActiveX.
See http://weonlydo.com to download the new fixed verion.

VULNERABILITY TIMELINE
16/11/2004 Vulnerbility found.
18/11/2004 Vendor contacted for the first time.
18/11/2004 Vendor reply.
19/11/2004 Vulnerability fixed. A new version is now avaible.
22/11/2004 Public disclosure.


-- 
- Unsecure Programs -
- http://unsecure.altervista.org -

- Vulnerabilities and exploits -
- http://unsecure.altervista.org/security.htm -

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ