lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20030609121433.3425.NESUMIN@softhome.net>
Date: Mon, 09 Jun 2003 12:19:39 +0900
From: ":: Operash ::" <nesumin@...thome.net>
To: bugtraq@...urityfocus.com
Subject: [FlashFXP] Two Buffer Overflow Vulnerabilities



-----------------------------------------------------------------------
SUMMARY        : [FlashFXP] Two Buffer Overflow Vulnerabilities
PRODUCT        : FlashFXP
VERSIONS       : 2.0 build 905
VENDOR         : CEDsoft (http://www.flashfxp.com/)
SEVERITY       : Critical.
                 Code Execution.
DISCOVERED BY  : nesumin
AUTHOR         : :: Operash ::
REPORTED DATE  : 2003-05-07
RELEASED DATE  : 2003-06-09
-----------------------------------------------------------------------

0. PRODUCTS
=============

  FlashFXP is a GUI base FTP Client for Windows.
  CEDsoft (http://www.flashfxp.com/)


1. DESCRIPTION
================

  FlashFXP has following two buffer overflow vulnerabilities;

  1. The buffer overflow vulnerability in "PASV" command.

    The buffer overflow occurs on the stack area if a reply that
    contains a long string is returned from a server for "PASV"
    command request.
    By exploiting this vulnerability, an attacker can execute
    an arbitrary code on a user's system if the user connects to
    a malicious server.


  2. The buffer overflow vulnerability in the long host name.

    The buffer overflow occurs on the stack area if a long host name
    is specified as destination server.
    By exploiting this vulnerability, an attacker can execute
    an arbitrary code on a user's system when the user copies
    a malicious manipulated URL with "Clipboard Monitor" function
    enabled.


  With these vulnerabilities, there could be following risks;

  * Infection with Virus or Trojan, etc.
  * Destruction of systems.
  * Leak or alteration of a local data.


2. SYSTEMS AFFECTED
=====================

  Flash FXP 2.0 build 905

  And previous versions may have same vulnerabilities.


3. SYSTEMS NOT AFFECTED
=========================

  FlashFXP 2.1 build 923
  FlashFXP 2.1 build 924


4. EXAMINES
=============

  Tested versions :
    FlashFXP 2.0 build 905
    FlashFXP 2.1 build 923
    FlashFXP 2.1 build 924

  Tested platforms :
    Windows 98SE Japanese
    Windows 2000 Professional SP3 Japanese


5. VENDOR STATUS
==================

  2003-05-14  Vendor released fixed-version (v2.1 build 923).


6. SOLUTION
=============

  Upgrade to version 2.1 build 923 or later version.


7. TECHNICAL DETAILS
======================

  1. The buffer overflow vulnerability in the reply for PASV command.

    FlashFXP tries to create a connection of data transfer to get
    a Directory List or etc when it connected to a FTP server.
    And if PASV-MODE is enabled, it requests IP address and port number
    for a connection of data transfer by using "PASV" command.
    Then, a buffer overflow occurs on the stack area if the IP
    address that is returned from the server contains a long string
    of over 0x90 bytes.

    Example:

      ---> PASV
      <--- 227 (AAAAAAAAAA ... (over 0x90 bytes) ... ,1,1,1,1,1)


  2. The buffer overflow vulnerability in the long host name.

    FlashFXP writes a host name on the buffer before trying to resolve
    a host name, but it does not check the boundary of the buffer
    at that time.
    Therefore, if the host name contains a long string of over
    0x90 bytes, the buffer overflow on the stack area would occur.

    Example:

      ftp://AAAAAAAAAA ... (over 0x90 bytes) ... /


  These buffer overflows can overwrite a Structured Exception Handler
  on the stack with an arbitrary value.
  If a Structured Exception Handler is overwritten with the address of
  buffer that has an arbitrary code or the address of instruction data
  that redirects to there, the processing path moves to that buffer.

  Therefore, it is able to execute an arbitrary code as the privilege
  of FlashFXP's process.


8. SAMPLE CODE
================

  None release.


9. TIME TABLE
===============

  2003-04-20  Discovered these vulnerabilities.
  2003-05-07  Reported to vendor.
  2003-05-07  Received a reply and a fixed-version(1) from vendor.
  2003-05-07  Discovered a new bug, reported it to vendor.
  2003-05-07  Received a fixed-version(2) from vendor.
  2003-05-07  Conveyed to vendor that the fix has been done.
  2003-05-14  Vendor released fixed-version.
  2003-06-09  Released this advisory.


10. DISCLAIMER
===============

  A. We cannot guarantee the accuracy of all statements in this information.
  B. We do not anticipate issuing updated versions of this information
     unless there is some material change in the facts.
  C. And we will take no responsibility for any kinds of disadvantages by
     using this information.
  D. You can quote this advisory without our permission if you keep the following;
     a. Do not distort this advisory's content.
     b. A quoted place should be a medium on the Internet.
  E. If you have any questions, please contact to us.


  * Exception

     We strictly forbid 'Secunia' (http://www.secunia.com/) to republish or
     redistribute our advisory.


11. CONTACT, ETC
=================

  :: Operash ::

  imagine (Operash Webmaster)
  nesumin <nesumin@...thome.net>


  Thanks to :

    melorin
    piso(sexy)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ