Date: Mon Jun  6 10:59:44 2005
From: ljuranic at lss.hr (Leon Juranic)
Subject: Crob FTP Server remote buffer overflows

				LSS Security Advisory #LSS-2005-06-06
 					http://security.lss.hr



 
Title: Crob FTP Server remote buffer overflows
Advisory ID: LSS-2005-06-06
Date: 2005-06-01
Advisory URL: http://security.lss.hr/index.php?page=details&ID=LSS-2005-06-06
Impact: Remote code execution
Risk Level: High
Vulnerability Type: Remote
Vendors Status: 7th March, 2005


 
==[ Overview
 
Crob FTP Server is a powerful and flexible FTP Server with full user management 
and network control for Windows 95/98/ME/2000/XP/2003. Crob FTP Server uses the
standard FTP (File Transfer Protocol) and can be downloaded from
http://www.crob.net/en/.
 


==[ Vulnerability

Crob FTP Server contains several buffer overflows in its processing of client
input. The first vulnerability is a stack overflow that can be triggered by
supplying a very long parameter to an arbitrary FTP command (e.g. STOR) and then
calling the RMD command with a long parameter. As a result, EIP is overwritten
with user input. The second vulnerability is a heap overflow, probably in the
globbing code, which can be triggered with characters like '?' or '*' followed
by a long string in commands like LIST or NLST. Successful exploitation of these
vulnerabilities will lead to remote code execution.


 
==[ Affected Version

The vulnerabilities were discovered in the latest Crob FTP Server, 3.6.1, but
older versions might also be vulnerable.


 
==[ Fix

No fix available yet.


 
==[ PoC Exploit
 
Proof of concept code can be downloaded at http://security.lss.hr/PoC


 
==[ Credits
 
Credit for this vulnerability goes to Leon Juranic <ljuranic@....hr>.


 
==[ LSS Security Contact
 
LSS Security Team, 

WWW : http://security.lss.hr
E-mail : security@....hr
Tel : +385 1 6129 775 
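
With no fix available, the two input patterns described in the Vulnerability section can be screened before they reach the server, for example in an FTP-aware proxy. The following is an added example, not part of the LSS advisory or of Crob's code; the function name and both length limits are assumptions, since the advisory states no lengths.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Assumed limits: the advisory gives no lengths, so these are placeholders
 * to tune for the deployment. */
#define MAX_ARG_LEN   255  /* longest accepted parameter, any command */
#define MAX_GLOB_TAIL  64  /* longest text accepted after the first '?' or '*' */

enum ftp_verdict { FTP_OK, FTP_MALFORMED, FTP_ARG_TOO_LONG, FTP_GLOB_TOO_LONG };

/* Classify one NUL-terminated control-channel line ("VERB[ arg]\r\n"). */
enum ftp_verdict ftp_check_line(const char *line)
{
    size_t len = strlen(line);
    while (len > 0 && (line[len - 1] == '\r' || line[len - 1] == '\n'))
        len--;                                  /* drop the CRLF terminator */

    const char *sp = memchr(line, ' ', len);
    size_t verb_len = sp ? (size_t)(sp - line) : len;
    if (verb_len < 3 || verb_len > 4)           /* standard verbs are 3-4 letters */
        return FTP_MALFORMED;

    const char *arg = sp ? sp + 1 : line + len;
    size_t arg_len = (size_t)(line + len - arg);
    if (arg_len > MAX_ARG_LEN)                  /* long parameter to any command */
        return FTP_ARG_TOO_LONG;

    int listing = verb_len == 4 && (strncasecmp(line, "LIST", 4) == 0 ||
                                    strncasecmp(line, "NLST", 4) == 0);
    if (listing) {
        size_t first = strcspn(arg, "?*");      /* offset of first wildcard */
        if (first < arg_len && arg_len - first - 1 > MAX_GLOB_TAIL)
            return FTP_GLOB_TOO_LONG;
    }
    return FTP_OK;
}
```

A caller would drop or log any line whose verdict is not FTP_OK instead of forwarding it to the server.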
